Support

Documentation

Admin Tools' Web Application Firewall (WAF) locked you out of your site

It's easy to be overzealous and apply very strict security settings for the Web Application Firewall of Admin Tools. An overzealous configuration, a misbehaving third party extension or a misconfigured server can cause you to be accidentally locked out of your own site. Here we'll see how to fix that.

Step 1. Regain access to your site's administrator

Using FTP to regain access to your site's administrator

The failsafe way to regain access to your site's administrator backend is using an FTP application or your hosting control panel's File Manager to rename a file.

Go inside the wp-content/plugins/admintoolswp/app/plugins/waf/admintools directory on your site. You will see a file named main.php. Rename it to main-disable.php. This means that Admin Tools can no longer load its code files which implement the Web Application Firewall features. This effectively disables the Web Application Firewall from executing and you can access your site's back-end again.

After you have fixed the cause of your issue remember to rename main-disable.php back to main.php, otherwise your site will remain unprotected!

If you have used the Optimize WAF feature in Admin Tools you will also need to do two more things.

First, edit the file admintools-waf.php in the root of your site and remove all of its contents. This disables the automatic loading of Admin Tools whenever you try to access WordPress or a .php file on your server.

Second, delete the file wp-content/mu-plugins/admintoolswp.php This is another file used by WordPress to load Admin Tools' Web Application Firewall features.

At this point the Optimize WAF feature is effectively removed. After addressing your issue and making sure everything on your site works fine please remember to run the Optimize WAF again.

Finally, it is worth noting that there is the “nuclear option„, i.e. renaming the entire wp-content/plugins/admintoolswp folder. This means that WordPress can no longer load Admin Tools AT ALL (including its administration interface). We do NOT recommend doing that and it is never necessary. The only reason someone would like to do that is to convince oneself that Admin Tools is unrelated to the issue they are experiencing. Code which doesn't load does not run. Code which does not run cannot affect your site.

If you are still blocked

There are two cases where renaming the Admin Tools main.php file will not help you. These are the two cases where Admin Tools has created a server configuration file, meaning that you are blocked by your server, not Admin Tools.

The first case is the Password protect WP administrator feature. Please delete the files named .htaccess and .htpasswd from your site's wp-admin directory.

The other case is when you've used the .htaccess Maker feature of Admin Tools. In this case there's a .htaccess file in your site's root. You may want to replace its contents with the default WordPress .htaccess file content.

In both cases you should note that the files have names beginning with a dot. That makes them hidden. You will need to enable the display of hidden files to edit / delete those files. If you are unsure how to do that please ask your host and tell them that you need to edit/delete hidden files. Usually they will point out an option in their hosting control panel's file manager.

If you are still blocked your issue is unfortunately unrelated to Admin Tools. Do you have another security plugin on your site? If you do, check its settings. If not, check with your host. More often than not, hosts have their own server security systems which can block you out of your site. If you are unconvinced follow the the instructions under "Using FTP..." above. Doing that you prevent WordPress from loading Admin Tools' code at all. If you can reproduce your issue when WordPress cannot load Admin Tools' code you can be certain that your issue is completely unrelated to Admin Tools. Code which isn't loaded cannot run. Code which doesn't run cannot affect your site.

Step 2. Unblock yourself

In most cases the easiest way to unblock yourself is simply going to Components, Admin Tools and click the big Unblock My IP button. If this doesn't work, or the button is not visible, follow the instructions below.

Do remember to end the Rescue Mode or renamed back main.php after you're done unblocking yourself!

Automatically banned IP address

Go to Web Application Firewall and click the Exceptions Log button. Delete all records with your own IP address. Then, go back to Web Application Firewall and click on the Auto IP Blocking Administration button. Select the record showing your IP address and click on the Delete button to delete the block.

[Tip]Tip

Don't know what your IP address is? Just visit whatismyipaddress.com to find out!

If this problem keeps happening without you doing anything and the IP blocked is NOT the same as the one reported by whatismyipaddress.com you will have to do one more thing. Go to Components, Admin Tools, Web Application Firewall and click on the WAF Configuration button. In the first tab set Enable IP workarounds to Yes, no matter what the automatically detected recommendation is.

If that was not the case, you have two options. The first is to troubleshoot the reason of the ban. Go to Components, Admin Tools, Web Application Firewall, Security Exceptions Log and check the Reason and Target URL for the entries which have your IP address in the IP address field. Find the reason in the "List of blocking reasons" documentation page to find out why you're being blocked. If you are not sure what that means, please file a support ticket remembering to copy the information from the Security Exceptions Log. Kindly note that you need to have an active subscription to receive support.

The second option at your disposal is adding your IP address to either of the IP whitelists, as follows.

The first approach is to add your IP address to the Administrator IP Whitelist. Using this option will limit access to the administrator section of your site only to the IPs listed in the whitelist. We strongly recommend you to not use it unless you and all of your back-end users have static IP addresses. In all other cases you may get blocked out of your site. Go to Components, Admin Tools, Web Application Firewall and click the Administrator IP Whitelist button. Add your own IP address.

The second approach is to use the Safe IP List. All IPs in that list will not be automatically banned. In order to do that, go to Components, Admin Tools, Web Application Firewall and click on the WAF Configuration button. Inside the Auto-ban Repeat Offenders area find the Never block these IPs field. This is a comma-separated list. Add the IPs you want to never be automatically blocked separated by commas on that list.

Administrator IP white-listing

If you have enabled administrator IP white-listing, you have to make sure that your IP address is included in the white-list in order to be able to access your site. Go to Components, Admin Tools, Web Application Firewall and click the Administrator IP Whitelist button. Add your own IP address.

[Warning]Warning

Don't use the Administrator IP Whitelist if your ISP assigns an IP address dynamically. This is the default unless you are paying them extra for a "static IP".

IP black-listing

If you have enabled IP black-listing, you have to make sure that your IP address is not included in the blacklist in order to be able to access your site. Go to Components, Admin Tools, Web Application Firewall and click the Site IP Blacklist button. Remove your own IP address.

Administrator Secret URL parameter

If you have forgotten your Administrator Secret URL parameter go to Components, Admin Tools, Web Application Firewall, Configure WAF, click on the Basic Protection Features tab and find the Administrator secret URL parameter option. Change or remove all of the text in that box to reset or unset, respectively, this feature.