#28140 Sites with parameter get blocked due to browser thumbnails

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version: n/a
PHP version: n/a
Admin Tools version: n/a

Latest post by on Friday, 18 August 2017 17:17 CDT

palazzi
The versions listed don't matter; this has been something of an issue for numerous versions of Joomla. I'm hoping you have a creative solution...

The issue appears to be with the way newer browsers have those pages of thumbnails showing most visited sites. If someone does tons of editing on a site, the J! admin interface is one of the favorite sites. The browser isn't aware of the secret admin parameter, so it tries to get an image of the page using plain http://sitedomain.com/administrator - it does this X times (enough to trigger auto blocking) and that IP is blocked.

If the administrator is working remotely and is not white listed for that reason, they are locked out until someone else can help them or they get back to their white listed site.

Do you have any suggestions for dealing with this, since Chrome, Firefox and Safari now do this, and probably others too? I've tried shutting off the feature in Chrome - all I could find is a plugin, and I'm afraid it just masks the issue and hides the icons but still generates them.

Many thanks for suggestions on this.

dlb
One thing that would work without compromising security would be to drop the secret URL parameter and use the Password protect /administrator instead. Everyone accessing the back end would use the same user ID and password to get through that, but they all know the secret URL parameter now, so it is no different. Depending on how the browser gets the thumbnail, it will either get a 403 error from .htaccess, which Admin Tools never sees, or it would be allowed to access the page because the local IP has been greenlighted by knowing the right access.

It would probably work to use an incognito browser to access the back end. Then the browser wouldn't take the thumbnail.

You could access the back end, including the secret URL, via a bookmark. Then the browser uses the bookmark instead of the URL, and the bookmark includes the secret. That has the disadvantage of making your secret URL not so secret.

And finally, you can adjust how fast and how many times an exception has to occur before the user is locked out. You may be too quick on the trigger.


Dale L. Brackin
Support Specialist


English: native

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

My time zone is EST (UTC -5) (Philadelphia, PA)
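The lockout scenario described in the answer above, as an added model that is not part of the original thread or of Admin Tools itself: a sliding-window strike counter like the one the reply suggests tuning, fed with a constructed request log in which a browser refreshes its thumbnail of /administrator without the secret parameter. The threshold, window, `secret` parameter name and the `basic_auth_in_front` switch (modelling .htaccess password protection rejecting the request before the application sees it) are assumptions, not the product's real settings or internals.

```python
from collections import defaultdict, deque

# Constructed request log: (timestamp_seconds, client_ip, path, sent_basic_auth).
# A remote editor's browser fetches /administrator three times for a "most
# visited" thumbnail, then the editor logs in properly with the secret parameter.
REQUESTS = [
    (0,   "203.0.113.10", "/administrator",          False),
    (2,   "203.0.113.10", "/administrator",          False),
    (5,   "203.0.113.10", "/administrator",          False),
    (9,   "203.0.113.10", "/administrator?secret=1", True),
    (100, "198.51.100.7", "/index.php",              False),
]

def is_exception(path, secret_param):
    """Modelled rule: a back-end request lacking the secret URL parameter."""
    return path.startswith("/administrator") and f"{secret_param}=" not in path

def simulate(requests, max_strikes, window_seconds,
             secret_param="secret", basic_auth_in_front=False):
    """Return (banned_ips, exceptions_counted) for one pass over the log.

    basic_auth_in_front=True models password-protecting /administrator in
    .htaccess: a request without credentials is answered by the web server
    (401/403) and never reaches the application, so no exception is logged.
    """
    strikes = defaultdict(deque)   # ip -> timestamps of recent exceptions
    banned = set()
    counted = 0
    for ts, ip, path, authed in requests:
        if ip in banned:
            continue
        if basic_auth_in_front and path.startswith("/administrator") and not authed:
            continue  # rejected at the web server; the application never sees it
        if not is_exception(path, secret_param):
            continue
        counted += 1
        window = strikes[ip]
        window.append(ts)
        while window and ts - window[0] > window_seconds:
            window.popleft()   # drop strikes older than the window
        if len(window) >= max_strikes:
            banned.add(ip)     # auto-ban: too many exceptions in the window
    return banned, counted

if __name__ == "__main__":
    print(simulate(REQUESTS, max_strikes=3, window_seconds=60))
    print(simulate(REQUESTS, max_strikes=3, window_seconds=60, basic_auth_in_front=True))
```

With three strikes allowed in sixty seconds the editor's own IP is banned before the real login arrives; with the web-server password gate in front, or a higher strike count, nothing is banned.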

palazzi
Thank you Dale - those are some options, more than I thought about. I think the user/pass on admin is probably the easiest of the bunch.

As far as the trigger timing goes, do you have a general suggestion on that front? Obviously we have no way of knowing how these browsers get, or try to get, the thumbnail and how persistent they are at trying. Sadly, once someone sniffs out that this is a J! site, they immediately try to go to /administrator... which means perhaps remapping that name (I am aware of that option; I just want to avoid it so I don't have to retrain all the editors involved).

Thanks again - I look forward to more info on ideal timing. If it helps, we get tons of hits on our sites every day that Admin Tools catches, mostly MUA and SQL attacks, so I have to stay on top of these.

dlb
The user/pass probably is the best. The only downside is that we occasionally run into an extension that still tries to store something in /administrator and access it from the front end. That triggers the user/pass prompt for front end users. These are rare and getting more and more scarce. J! isn't supposed to work that way, and developers are cleaning up their act or the abandoned extensions are riding off into the sunset. But if you see it, that's what is happening.

There really isn't any ideal timing. If the user goes all thumbs and gets strike two, then the browser tries, we're done. No timing settings will cover all scenarios.


palazzi
Thank you again.

Cheers!

dlb
You're welcome!


System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
