
#14741 Administrator secret URL

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version: n/a
PHP version: n/a
Admin Tools version: n/a

Latest post by nicholas on Tuesday, 22 January 2013 05:19 CST

user69357

Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? yes
Have I searched the tickets before posting? yes
Have I read the documentation before posting (which pages?)? No
Joomla! version: latest
PHP version: (unknown)
MySQL version: (unknown)
Host: (optional, but it helps us help you)
Admin Tools version: latest


Description of my issue: I am a bit baffled by the fact that someone, within a matter of hours, managed to access my 15-random-character Administrator secret URL. I had it kept safe all the time and only saved it in Keepass. How can this be?

nicholas
Akeeba Staff
Manager

Without further evidence I have to speculate:

  • Old PHP version. If you have PHP 5.2.6 or earlier the System - Admin Tools plugin does not load at all because it's not compatible with these ancient versions of PHP. As a result you have no protection.
  • Malware. If your computer is infected with malware it is possible that the attacker was able to intercept your keystrokes, take a snapshot of your screen or intercept your web traffic.
  • Key logger. If you are using a desktop (or used a desktop at work or a shared desktop in a public location) there might have been a keylogger device installed, capturing your keystrokes.
  • Compromised Keepass storage. If someone got hold of your Keepass storage it is possible that he broke the password protecting it, especially if it's a weak password.
  • Access from a public hotspot. Public WiFi hotspots are usually unprotected and do not sport WCI (Wireless Client Isolation), meaning that it's dead easy for an attacker to sniff your traffic. All he needs is a laptop, a WiFi card which can operate in promiscuous ("sniffer") mode and some easy-to-get software.
  • Pineapple. Not the fruit. I mean this marvelous gizmo. Similar to the above.
  • IP in whitelist. If the attacker came from a whitelisted IP the protection doesn't apply to him. Beware of whitelists; don't make them wider than they have to be.
  • False alarm. Finally, it could just be a false alarm. Just because you saw someone trying to log in to your site doesn't mean they were actually seeing the login page. It simply means that they were trying to submit the login form using an automated programme ("bot"). If they tried to go into your site and log in to the back-end they wouldn't even see the login page.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user69357

Thank you, sorry about the inadequate information.

  • PHP is 5.3.3
  • I have ZoneAlarm firewall and Avast antivirus on my local computer. I've done a full system scan and I've searched the computer for malware using Spybot Search & Destroy and Malwarebytes. Nothing there except Spybot found SweetIM and PricePeep.
  • I only used my personal computer at home.
  • The password isn't that weak to the Keepass storage. And you need the key.
  • It was my private protected WIFI.
  • I don't find it likely that any of my neighbours have a pineapple and have gotten into my wifi, though everything has a certain degree of probability unless you know.
  • The attacker has used a lot of different IPs, none of which are in the whitelist.
  • False alarm sounds good. I was under the impression that, if you get an email from AT saying "Reason: Admin Query String", someone actually tried to log in from the admin login page. I haven't gotten this message before, unless I made a mistake when logging in from that very page. If the submission of the login form uses another address than the one with the secret, shouldn't the bot then just come to the plain front-end home page and nothing like this be triggered?

Isn't it possible to get hold of the secret by somehow getting access to the files on the server? I guess the secret is stored somewhere. But that should probably be in the database? Then you'd already have to have access to the entire database?

I have run the .htaccess maker and enabled it btw.

nicholas
Akeeba Staff
Manager

OK, next time please tell me what you see (facts), not how you interpret it. It would have saved us a lot of time. In Dr. House's famous words "Patients lie" (usually unbeknownst to them and despite their best intentions) ;)

I was under the impression that, if you get an email from AT saying "Reason: Admin Query String", someone actually tried to log in from the admin login page. 

No. It means that someone tried to access the /administrator area of your site without providing the correct Admin Query String. This is the exact opposite of what you said. It actually means that Admin Tools blocked that person. This is what you want it to do. It would not have sent you an email if it didn't block the attacker, i.e. the attacker had your admin query string. Think about it. Do you get an admin query email when you log into your site, after providing your correct admin query string? No. You don't. So, what made you think that this email –which actually does tell you that the access was blocked– means that someone else logged into your site?


user69357

No, I did not think that the person managed to log in, but that the person managed to get to the admin login page and there tried a password, but that it wasn't the correct one. As I recall, when I try to log in but make some mistake with the user name or password, this is the message ("Admin Query String") I get. I haven't gotten this message otherwise, so that's why I thought this is what happened. But then again, my getting that message in the past based on my mishaps during login might have been due to still having the marker in the address bar when letting Keepass do its auto-type.

I also thought the warning message for the case of having the wrong secret would include something with the word "secret", as this is what it is called in the settings. I thought "admin query" meant someone tried to log in from the admin login page.

But now I tried to access /administrator without the correct query string and it triggered this event, so I'm glad it's all working as it is supposed to. Thank you for the clarification, and sorry, I will post more informative initial tickets, I was just in an awful hurry, but it won't happen again :)

nicholas
Akeeba Staff
Manager

No, I did not think that the person managed to log in, but that the person managed to get to the admin login page and there tried a password, but that it wasn't the correct one.

No, that's not the case. The "Admin Query String" block reason means that the other party was blocked because he didn't provide the correct administrator secret URL query string.

As I recall, when I try to log in but make some mistake with the user name or password, this is the message ("Admin Query String") I get.

No, you get a "Failed login" message.

I also thought the warning message for the case of having the wrong secret would include something with the word "secret", as this is what it is called in the settings. I thought "admin query" meant someone tried to log in from the admin login page.

The label in the configuration interface was changed. The original implementation was "Administrator secret query string".

But now I tried to access /administrator without the correct query string and it triggered this event, so I'm glad it's all working as it is supposed to. Thank you for the clarification, and sorry, I will post more informative initial tickets, I was just in an awful hurry, but it won't happen again :)

No problem :)

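The distinction Nicholas draws above between the two block reasons, as an added example that is not Admin Tools' own code: a small Python model in which the secret query string is checked before the login form is ever evaluated, so a bot posting credentials without the secret is reported as "Admin Query String" and never as "Failed login". The URL format (the whole query string equalling the secret), the outcome labels, the credentials and the sample traffic are constructed assumptions, not taken from the plugin.

```python
"""Model of the two Admin Tools decisions discussed in this ticket.

Added example, not Admin Tools' own code. The URL format, the outcome
labels and the sample traffic below are constructed for illustration.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed example values: not a real secret, not real credentials.
ADMIN_SECRET = "aZ3kq9Lm2Xp7Rt1"                 # 15 random characters, as in the ticket
VALID_CREDENTIALS = {"admin": "correct horse battery"}

ALLOWED = "allowed"                              # no notification email is sent
BLOCK_ADMIN_QUERY_STRING = "Admin Query String"  # blocked before the login page is served
FAILED_LOGIN = "Failed login"                    # login page reached, wrong credentials


@dataclass
class Request:
    url: str
    username: Optional[str] = None               # set only when a login form is posted
    password: Optional[str] = None


def classify(req: Request) -> str:
    """Return the outcome a request produces, in the order the checks run."""
    parts = urlsplit(req.url)
    if not parts.path.startswith("/administrator"):
        return ALLOWED                           # the front end is not gated by this feature
    # Step 1: the secret URL gate. Constant-time compare of the query string
    # against the secret; a request failing here never reaches the login form.
    if not hmac.compare_digest(parts.query.encode(), ADMIN_SECRET.encode()):
        return BLOCK_ADMIN_QUERY_STRING
    # Step 2: only requests that passed the gate can produce a failed login.
    if req.username is None:
        return ALLOWED                           # merely rendering the login page
    expected = VALID_CREDENTIALS.get(req.username, "")
    if not hmac.compare_digest(expected.encode(), (req.password or "").encode()):
        return FAILED_LOGIN
    return ALLOWED


def summarize(requests: List[Request]) -> Dict[str, int]:
    """Count outcomes; each non-allowed outcome corresponds to one notification."""
    counts: Dict[str, int] = {}
    for r in requests:
        outcome = classify(r)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


SAMPLE = [  # constructed traffic mirroring the situations described in the ticket
    Request("/administrator/index.php", username="admin", password="guess1"),   # bot, no secret
    Request("/administrator/index.php", username="admin", password="guess2"),   # bot, new IP
    Request("/administrator/?" + ADMIN_SECRET),                                 # owner opens login page
    Request("/administrator/?" + ADMIN_SECRET, username="admin", password="typo"),
    Request("/administrator/?" + ADMIN_SECRET, username="admin", password="correct horse battery"),
    Request("/index.php"),                                                      # front end
]
```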
