This documentation page does not apply to our software versions for Joomla! 4.0 and later versions. If you are not using Joomla 3 please consult the documentation index to find and read the correct version of the documentation.
The Exclusive Allow IP List management page
This page allows you to manage the Exclusive Allow IP List, defining the list of IPs or IP blocks which have access to your site's administrator area. An IP in this list is not granted automatic Super User privileges. You still need to log into Joomla. What this option does is that only IPs in the Exclusive Allow IP List will see the administrator login page and will be able to access pages in the backend administrator area. Any IPs outside the list will not be allowed to access any backend administrator area page, including the login page.
The management is done using the standard Joomla! toolbar buttons. Clicking on an entry, or checking its box and clicking on
will allow you to edit the entry. Clicking on the button allows you to add an IP/IP range. Checking one or several items in the list and clicking on will remove them from the list.The Edit/Add page looks like this:
The Exclusive Allow IP List editor page
Tip | |
---|---|
You current IP address is displayed right above the edit box. Make sure that is the first to include so that you do not lock yourself out of your site's administrator area! |
In the IP Address Range box you can enter an IP or IP range in one of the following ways:
A single IP, e.g. 192.168.1.1
A human readable block of IPs, e.g. 192.168.1.1-192.168.1.10
An implied IP range, e.g. 192.168.1. for all IPs between 192.168.1.1 and 192.168.1.255, or 192.168. for all IPs between 192.168.0.1 through 192.168.255.255.
A CIDR block, e.g. 192.168.1.1/8. If you don't know what this is, forget about it as you don't need it.
A Subnet Mask notation, e.g. 192.168.1.1/255.255.255.0
A dynamic IPv4 domain name prefixed by the at-sign. This
only applies if you are using a dynamic IP address domain provider
(e.g. DynDNS). For example, if you are using DynDNS and your
dynamic IP address domain name is example.dyndns.info and resolves
to an IPv4 address you can enter
@example.dyndns.info
to allow your dynamic IPv4
address. Be careful to enter the correct domain name or you may
have a delay of up to 30" processing backend login requests and
blocked requests. Please note that using the at-sign method ONLY
works with IPv4 addresses. This is a limitation of PHP
itself.
A dynamic IPv6 domain name prefixed by the hash-sign. This
only applies if you are using a dynamic IP address domain provider
(e.g. DynDNS). For example, if you are using DynDNS and your
dynamic IP address domain name is example.dyndns.info and resolves
to an IPv6 address you can enter
#example.dyndns.info
to allow your dynamic IPv6
address. Be careful to enter the correct domain name or you may
have a delay of up to 30" processing backend login requests and
blocked requests. Please note that using the hash-sign method ONLY
works with IPv6 addresses. This is a limitation of PHP
itself.
Do note that Admin Tools supports IPv4 and IPv6 (if your server supports IPv6) for any form of IP you enter yourself (single IP, human readable block, implied IP range, CIDR block and subnet mask notation).
Please pay attention to the differences between the at-sign and hash-sign notations' meanings. @something is IPv4 (e.g. 192.168.1.4) whereas #something is IPv6 (e.g. ffff::5678:90ab). Do not use the at-sign for domains resolving to an IPv6 address or the hash-sign for domains resolving to an IPv4 address. Mixing this up can lead to long delays in page loads and / or being unable to access your site. Please keep in mind that the two different methods are required due to the way PHP works. They cannot be merged into a single method because that would considerably slow down every page load of your site.
Tip | |
---|---|
You can use the Save & New to quickly add multiple entries without having to go back to the administration page and click on New all the time. |
Ideally, you should only use this feature if the IP address you are using to connect to the Internet never, ever changes. This is called a "static IP address" and it's usually an optional, extra cost, feature with most Internet service providers. Please note that having a dynamic DNS service, such as those provided by Dyn.com, is the exact opposite from having a static IP address: dynamic DNS services frequently update a domain name to point to your ever changing IP address.
While Admin Tools makes it possible to use a dynamic DNS for allowing access by IP address it may be problematic for two reasons. First, it's terrible for performance as a DNS resolution must be done for every page load of your site where the list of allowed IP addresses must be read. This is any attempt to access the administrator login page while logged out of the administrator and every time a request is blocked. If your server does not cache IP resolution locally this can slow your site down considerably.
Furthermore, all dynamic IP providers have a default timeout for the dynamic DNS entries varying from 1 minute to 1 hour. If your IP changes within that period your server might be "blind" to the change. The same thing can happen if your dynamic IP updater (typically running in your router or NAS firmware) fails to update the dynamic DNS provider with your new IP address. At best this will be an inconvenience because you cannot access your site's administration until your dynamic DNS provider is updater and your server "sees" the new IP address for that DNS entry. At worst, this can be initiated by a targeted attack to lock you out of your site while the attacker exploits a different path to gain access to your site, leaving you helpless.
Finally, bear in mind that you should never use this feature if you expect to have to access your administrator area from an Internet connection with an unpredictable IP such as a public WiFi hotspot, a satellite Internet connection (e.g. those used in ships, airplanes and remote research stations) or a mobile broadband connection (including mobile-network-assisted Internet routers, even if your ISP is assigning a static IP address to your main, wired, Internet connection). DO NOT, EVER, ALLOW THE IP ADDRESS OF A PUBLIC, SHARED CONNECTION! YOU WILL GET HACKED!
For the observant reader, we listed mobile broadband connections together with shared connections. This is not an oversight. Mobile Internet connections tend to recycle IP addresses far faster than their fixed (landline, fiber, cable, ...) counterparts. This is largely because of the ephemeral nature of the connection and the frequent hopping between areas of coverage and areas of non-coverage. Because of the fast rate of IP address recycling, using them for allowing ranges from very impractical to potentially dangerous (e.g. if an advanced attacker uses a malicious femptocell to launch a man-in-the-middle attack).