Support

 I followed instructions here but cannot access my Joomla back end

Any other steps I should take?

Go inside the plugins/system/admintools/admintools directory on your site (on older versions of Admin Tools: plugins/system/admintools). You will see a file named main.php. Rename it to main-disable.php. This will turn disable the Web Application Firewall from executing and you can access your site's back-end again. After you have fixed the cause of your issue remember to rename main-disable.php back to main.php, otherwise your site will remain unprotected!

You did exactly the right thing. The main.php file is cached and still active. There are lots of places that it could be cached these days, the browser cache, Joomla! cache, a site level cache provided by your host. Your version of PHP is before the automatic caching at the PHP level so it is not guilty. You can easily clear the browser cache, but that is the least likely to be where it is. The path of least resistance is to just wait until the cache expires. You can ask your host how to clear the host level cache manually.

cleared the host level cache but still out. Joomla cache was only 15 minutes and that has past. Can I not delete everything akeeba and start over?

After 18 hours and following the directions again, I still cannot access my admin side... I have 30 websites I am locked out of....

I have found that the troubleshooting procedure is working on all other sites, with the exception of one... the one I need to alter.

Please send suggestions, thanks

What do you see when you try to access the back end? Do you get any error message?

Please double check to make sure main.php is renamed. If your FTP user doesn't have rights, it may still be active. That's not very likely.

Rename your .htaccess file. Your site won't work right without it so we don't want it renamed for long. It is possible to put a deny/allow from command in there. Once again, not likely.

I see this:

Forbidden
You don't have permission to access /administrator/index.php on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
Apache Server at silverfoxaccounting.com Port 80

I also have this issue on a number of other domains. Some are fine, others do not give me access even after changing the main.php file name in cPanel.

Renaming .htaccess to .htaccess-temp has no effect - same error

As a test, with main.php renamed, I cannot access the admin side from my mobile device on a different IP address. It is not connected to my local network, only my cellular network and I can see that the IP is different.

OK, what can block an IP address? Admin Tools can do it, but we have that disabled. GeoIP can do it, but that is called through Admin Tools, so it is disabled too. The .htaccess file can do it, but we renamed that. I'm running out of suspects.

Please look for a user.ini or php.ini file in the root of the site. I'm not even sure you can block an IP through them, but they are similar to an .htaccess file, so they are worth a look.

Please look at the server error log to see if there is any more information about the cause of the 403 errors. I think you're going to see the same information that you posted above.

What is common among the sites you're locked out of? Is there any other security software running on them?

I have gone through all of my sites and changed the WAF settings on those I could access. I have 10 that I cannot access, all stating

Forbidden
You don't have permission to access /administrator/index.php on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
Apache Server at candrain.com Port 80

I do not see user.ini or php.ini file in the root of the site. I am on a managed VPS. Should I have to contact the hosting company?

What is common among the sites you're locked out of?
They are all J 3.6.4
Nothing that is common to all 10 sites that I can see. You might be able to find a common thread however

Is there any other security software running on them?
No, only Akeeba

I think I have missed a very significant point in this process... I was renaming the .htaccess file in the public_html folder, not the Administrator folder. When I did this, I regained access once more and was able to log into all sites.

I don't recall seeing the reference to the Administrator folder. Correct me if I am wrong.

Thanks for your continued support though. Looks like the fix was my shortcoming all along.

The .htaccess in the root folder was what I was thinking. It never occurred to me that it was the password protect administrator that was keeping you out. Yes, deleting the .htaccess and .htpasswd files in /administrator will disable that protection. The first run wizard sets that protection up for you. It shows it to you, but it is very easy to miss what it's telling you. I'm sorry I didn't spot the problem earlier.

Lesson learned.

I remember reading about this very subject last spring sometime and then altering the administrator/.htaccess file when I needed to edit a couple of sites when I was away one week.

It's in my notebook now...

Thanks for your steady assistance

You're welcome!

This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.