#25582 Never block these IPs

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version: n/a
PHP version: n/a
Admin Tools version: n/a

Latest post by dlb on Wednesday, 13 July 2016 13:05 CDT

brittsan
There are only 2 users on this website, and both are probably on dynamic IP addresses!

I was going to set this up: "The second approach is to use the Safe IP List. All IPs in that list will not be automatically banned. In order to do that, go to Components, Admin Tools, Web Application Firewall and click on the WAF Configuration button. Inside the Auto-ban Repeat Offenders area find the Never block these IPs field. This is a comma-separated list. Add the IPs you want to never be automatically blocked separated by commas on that list." but cannot find "Never block these IPs".

What should I do?

I would also like to change the email address that one user has. Is that possible?

Thanks!

dlb
"Never block..." is not going to work well with dynamic IP addresses. You will need to change the IP in the list every time the IP changes for the user.

Keep in mind that "Never block..." is a convenience, a backup. What is the reason the IPs are being blocked? Can we fix the root problem instead of hiding it?

Dale L. Brackin
Support Specialist

English: native

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

My time zone is EST (UTC -5)

brittsan
I haven't set up anything yet for our IP addresses. So we are both being locked out each time we try to log in.

Any suggestions what I can do?

Thanks!

dlb
That isn't what's supposed to happen. The first run wizard sets up a secret parameter; quite a few people miss that little detail and have trouble logging in. The secret parameter is on the first tab of the WAF Configuration screen. When that field is filled in, you need to access your admin login screen with
www.mysite.com/administrator/index.php?secret
where "secret" is the contents of the field. Without that, you will trigger a security exception.

You might also look at the autoban settings. If you're getting banned after only one login attempt, they may be set a little too tight.


brittsan
Should ALL users use this to log in?

Thanks!

dlb
All users logging into the back end or administrative area of Joomla! need to use the secret parameter if it is set up. Front end users do not have to use the secret parameter.


brittsan
My Joomla administrator account is set up as two users and I would like to remove the one that is used in Akeeba. Can I just change the email address that is listed in Configure WAF?

Thanks!!

dlb
I'm sorry, I'm confused on what you are trying to do. Can you explain more please?


brittsan
I migrated this site from Joomla version 2.5 to 3.5 and the system created me as a new user with another email address. The email address that is listed in Configure WAF, which is used for sending out emails, is set to the "old" email address. That's the one I wanted to change. I tried with another email address and it is working, so I guess we can forget this question.

BUT the second user for the site can not login using the secret parameters!

Thanks!

dlb
Yes, changing the email address is no problem.

What happens when the second user tries to log in? Does he get an error, redirected to the home page, etc.?


brittsan
It said restricted area.

dlb
That's an odd message. Joomla! doesn't think that user belongs in the back end. Please double check that the user belongs to a group that can log in to the administrator area.


brittsan
I changed both users to Super Users. I can login as both users. The other user is getting these messages:
1) Restricted area

2) Authorization Required

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

The only thing I changed in the set up was the email it is sending these messages from! Otherwise I am using the secret parameters!

I have no clue what to do!

Thanks

brittsan
Without me trying to log in to the site I am getting SO many "exception was detected on your site messages"!!!!!!

dlb
Do you have .htaccess and .htpasswd files in the /administrator folder of your site?

Is this you trying to log on as another user, or is it somebody else on another computer?


brittsan
I have .htaccess and .htaccess.admintools.

I tried to login to the second user on my computer and it works but not when she is trying to login. As I said, now I am getting tons of those emails "exception was detected on your site messages"

Thanks!!!

dlb
No, htaccess.admintools would be in the root folder. I'm interested in the /administrator folder.


brittsan
Sorry, I misunderstood. Yes, there are .htaccess and .htpasswd.

dlb
OK, I have a working theory. You have the /administrator folder password protection set up. The first time you visit the back end login screen, you are prompted for that extra user ID and password, then the browser remembers that for the rest of the browser session, so you are not prompted again. She skipped it, or did not enter the proper credentials, now the browser is remembering that she should not access that screen. I think restarting the browser should fix the problem, but she will not be able to log in without that extra user ID and password.


brittsan
I am not sure if I remember this: "You have the /administrator folder password protection set up. The first time you visit the back end login screen, you are prompted for that extra user ID and password."

Did I set this up during the Quick Set Up Wizard? I know I did something!?!? I have another password on the Joomla login screen which I remember I used once. Should the other user also set this up?

She used another browser which she is normally not using, so it can't be a cache problem. What can she do to get to that screen again to set up that extra user ID and password?

Thanks!!!

brittsan
I asked the other user about this and this is what she told me: "No the only thing I ever entered was User and then the pw.

I did not get anything else or I would have asked you first. I wondered if with the firewall it doesn't recognize my IP because the same ID and PW is connected to yours."

dlb
I can't know that the admin password is set up without looking at the contents of the .htaccess file in /administrator. But the presence of both the .htaccess and .htpasswd files there is strong circumstantial evidence that it is being used. The first run wizard in Admin Tools would set that up for you. I am very puzzled why you can get in and she can't. This works at the server level, long before any white lists or "never ban" settings kick in.

Let's rename the .htaccess file in the /administrator folder - NOT the root of your site.

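A server-side check for the theory above, added here as an example and not part of Admin Tools or Joomla!: it reads an administrator folder's .htaccess for the Apache Basic-auth directives and confirms that the referenced password file exists and holds at least one credential line. The directory path, the standard AuthType/AuthUserFile/Require layout and a password-file path without spaces are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not Admin Tools code). Reports whether a directory such as
# /administrator is protected by Apache HTTP Basic authentication via .htaccess.
# Assumes standard AuthType / AuthUserFile / Require directives and an
# AuthUserFile path without spaces.
# Usage: admin_auth_status /path/to/site/administrator
# Prints one of: none | partial | protected; exit status 0 only for "protected".
admin_auth_status() {
    dir="$1"
    ht="$dir/.htaccess"
    if [ ! -f "$ht" ]; then
        echo none
        return 1
    fi
    # Is Basic authentication declared at all?
    if ! grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Basic' "$ht"; then
        echo none
        return 1
    fi
    # Which password file does the directory point to?
    pwfile=$(grep -Ei '^[[:space:]]*AuthUserFile[[:space:]]+' "$ht" \
             | head -n 1 | awk '{print $2}' | tr -d '"')
    # A Require directive must actually demand a user, or the AuthType is inert.
    if [ -z "$pwfile" ] \
       || ! grep -Eiq '^[[:space:]]*Require[[:space:]]+(valid-user|user)' "$ht"; then
        echo partial
        return 1
    fi
    # The password file must exist and be readable by the web server.
    if [ ! -r "$pwfile" ]; then
        echo partial
        return 1
    fi
    # Count credential lines of the form user:hash (ignore comments).
    n=$(grep -Ec '^[^:#]+:' "$pwfile" || true)
    if [ "$n" -eq 0 ]; then
        echo partial
        return 1
    fi
    echo protected
    return 0
}
```

A "partial" result is the case to look for when one person is prompted and another is not: the directives are present but cannot be honoured, which matches the 500 errors or inconsistent prompts described later in the thread.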

brittsan
The other user can login now!

Is this the only thing I have to do to keep the site secure?

Thanks so much for your help!

dlb
Your user ID and password are the normal protection for the administrative area. The secret URL parameter adds another layer: an attacker has to find the form before they can try to attack the user ID and password. This /administrator folder protection is yet another layer of protection. So right now we've gone from three layers down to two.

When that password is active, when you enter the administrator URL, with the secret parameter, you should see a blank screen with a popup box with "Authentication Required" at the top and user ID and password fields. After you enter the user ID and password, then you get the normal Joomla! back end login screen. Not all servers support this feature, but they generally throw a 500 error when they don't like it. As I said, it only prompts you once per browser session, but when you close the browser, it should start over fresh.

Since it appears to be working without that extra password, it is up to you if you want to continue to try to diagnose the problem or not.

