Support

The /media folder is actually web accessible to everything except .php files by default. I would recommend following the instructions in https://www.akeebabackup.com/documentation/admin-tools/server-protection.html#determine-required-exceptions to see exactly what is being blocked. Then tell me so I can further help you.

Well, if you remove that line OR set the front-end protection off the effect is the same: you get no front-end protection. If you follow the instructions in the documentation you should be able to see a 403 (or 404 in case of a badly set up server) in the affected pages. That blocked URL throwing the error? I actually need it to tell you what to do.

I SUSPECT that the component in question is adding a directly accessible .php file in the media directory which is a bad idea (but can be allowed if you're really sure you want to), or is using a file extension we need to add to the allowed list. I can't know for sure unless you provide me the blocked URL as I requested in my previous reply. Or at least enable all protections and give me the URL to the affected page so I can see for myself what is being blocked.

The component in question is using a directly accessible PHP file as you can see in the URL: components/com_jbusinessdirectory/assets/upload.php You can add this in "Allow direct access to these files" in .htaccess Maker per the instructions in the documentation page I linked you to.

In my opinion, no, it is not safe. Joomla! has a built-in API for safely uploading files to your site. The extension's developer chose not only to bypass that API, but completely sidestep Joomla!. As a result, when their .php file is called directly there is no protection whatsoever except what that developer has implemented. No, Admin Tools cannot protect you from security issues in this kind of file. Since this file is accessed outside Joomla, Admin Tools doesn't run when that file runs therefore cannot protect you.

Keep in mind that even Joomla, the result of the collaboration of hundreds of developers over 15 years, has sneaky security bugs which are being plugged all the time. Same applies for all software, including Windows, Linux and Mac OS X to name but a few. The empirical rule is that the more eyeballs are on the code the easier it is to catch security issues early and before they are exploited. Conversely, if the code is only seen by one developer the chances are its security will be crap. Therefore the probability that this extension developer single-handedly and in a very limited amount of time has managed to implement the level of security that hundreds of developers barely touch after 15 years of working together is exactly zero. For this reason I do not recommend anyone to allow direct access to .php files unless they are willing to accept the increased risk of getting their site hacked through a security issue in said .php file. Better use a different extension.