Support

You should try visiting a URL like http://www.example.com/administrator/index.php?test where www.example.com is the domain name to your site.

Technical explanation: The ?test part of the URL is called the query. In fact, this defined a URL variable called "test" with no value. This is what Admin Tools tries to find. If it doesn't, it redirects you back to the home page. But why can't it find it?

Apache, when confronted with the http://www.example.com/administrator URL (the query part is inconsequential for now) tries to figure out what it means, as there is no file called "administrator" in the site's root. It figures out it is a directory, therefore it performs a redirection to http://www.example.com/administrator/ (note the slash) which tells it that it should find the default document in the administrator directory, or show the directory listing. Finding the default document, Joomla's index.php, it passes it to PHP for processing. Normally, the aforementioned redirection is internal and keeps the query parameters (the "?test" part of your URL) intact. On some servers, however, this is not the case and the URL parameter is lost. This means that PHP and by extension Joomla! and Admin Tools do not see your variable. This makes Admin Tools think that you have not specified the secret URL parameter and redirects you to the site's home page. By using the full http://www.example.com/administrator/index.php?test URL you circumvent any need for internal redirection and successfully pass the URL query parameter to Joomla!, which gives this information to Admin Tools and which now recognises you as a user who knows the secret query parameter.

Corollary: since the secret URL key is a URL query parameter it should ideally consist only of lowercase letters and numbers. Other characters may be necessary to be URL-encoded before placed in the URL, making the query string very unusable. For instance, a secret work of "m@$$=Ge" has to be used as http://www.example.com/administrator?m%40%24%24%3DGe (the funky percent character followed by two hex digits is the URL encoding of the "special" characters in the URL). That's why our documentation urges you to use only lowercase letters without accents/diacretics and numbers.

I hope that explains adequately this issue. I remain for any further questions you may have.

Please do this:
- Using FTP, rename plugins/system/admintools.php to .php.bak This disables the plugin.
- Log in to the back-end of your site
- Go to Components, Admin Tools, Web Application Firewall, Configure WAF
- Delete the secret key. IMPORTANT: In order to make sure everything is deleted, click inside the box, press CTRL-A, press delete.
- Click on Save
- Go to Configure WAF again
- Reenter your secret key. Please type it in. Do not copy it. Copy & pasting it may result in invisible characters (such as a space or a newline character) being inadvertently pasted, causing such a problem.
- Click on Save again
- Using FTP, renamed the plugins/system/admintools.php.bak file back to .php