Support

Hi,

Please read this: https://www.akeebabackup.com/troubleshooter/athtaccessexceptions.html

The difference between the basic and advanced modes is that the latter adds an empty and hidden input field. Admin Tools expects this field to be present and empty when a form is submitted. Apparently, the submit button in this form performs some sort of AJAX operation which includes only select fields, but not the hidden field. In this case, yes, you should disable the CSRF protection or set it to Basic, as written in the Quick Setup (point no. 8) and WAF Configuration (under the "CSRF/Anti-spam form protection (CSRFShield)" header) documentation pages.

Hi,

This error message isn't coming from Admin Tools. The email addresses are certainly not checked for validity. I assume that an administrator dealing with security settings is infinitely more careful than a front-end user and won't enter an invalid email address by mistake or deliberately. There is no other address check of any type either. I guess this error message comes from another plugin.

Regarding being logged out, please note that you have enabled the administrator secret query string feature. This means that if your session expires, Joomla! will try to redirect you to the administrator login page without the secret URL parameter (e.g. http://www.example.com/administrator/index.php) which throws a WAF security exception. Depending on your IP auto-ban settings, if enough of those exceptions accumulate over the predefined time period, your IP will get auto-banned. For example, if you have set it up to block attackers with 3 attacks in the last day and you raise three admin query security exceptions within 24 hours, you'll get auto-banned. The auto-ban makes no discrimination (it can't know who is at the other end of the Internet). It will simply do as configured and do it very efficiently :)

I just found out where the error message comes from. It comes from PHPmailer, the library Joomla! itself is using to send out emails. It checks the email address for validity before sending out the email. Given the basic and a bit anal address check it performs, if your email contains dots, a plus sign or non-ASCII characters (e.g. accented or UTF-8 characters) then it is rejected and this error message appears.

Also, the same error message appears if any of the email fields in Admin Tools is not really empty, but contains an invisible character like a space, non-breaking space or newline. In this case you can simply triple click inside each email box and tap the Delete button on your keyboard to really clear the field.

You're welcome :)