#33955 Blocked from website admin every time my web host changes IP address

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by on Wednesday, 02 December 2020 20:17 CST

[email protected]

Hi

My web host often changes my IP address. Every time this happens I am blocked from the admin section of my websites. I understand how to use Admin Tools rescue mode and I can always regain access. But could you please suggest any settings I can change in Admin Tools to stop this blocking behaviour?

The "Allow administrator access only to IPs in Exclusive Allow IP List" is set to NO. Are there any other settings I should change to stop me from getting blocked so frequently?

Paul

nicholas
Akeeba Staff
Manager

Your web host is where your web site is hosted. I don't see a reason why your site would be changing its IP address or why that would be an issue with Admin Tools.

Most likely you mean that your ISP (Internet Service Provider), the company that connects your house/office to the Internet, is changing the IP address of your Internet connection regularly. This is normal and expected. In this case you need to go to Admin Tools, Web Application Firewall, Configure WAF and set "Allow administrator access only to IPs in Exclusive Allow IP List" to No. Please note that the documentation of this feature tells you to not enable it if you do not have a static IP address because ISPs do, indeed, change your IP address very often. Some do even on an hourly basis.

 

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

[email protected]

Hi Nicholas, thanks for your prompt reply. Yes you're quite right it's my ISP not web host that determines the IP address - my mistake. As mentioned in my post, I already have "Allow administrator access only to IPs in Exclusive Allow IP List" set to No. Is there anything else I need to change to stop this happening?

nicholas
Akeeba Staff
Manager

This is the only feature which would be triggered by just your IP changing. We can conclude that the IP change is a red herring. So let's go back to the basic troubleshooting.

First go to Admin Tools, Web Application Firewall, Configure WAF. Make sure "Log security exceptions" is set to Yes; if it's not, set it to Yes and click on Save.

Now try reproducing your issue – or, rather, wait until it happens again. At this point you'll be blocked from your site. Follow Step 1 (only Step 1, please) of these instructions. Immediately after that, please go to Admin Tools, Web Application Firewall, Blocked Requests Log. The latest log entry at the top should have the date and time of when the issue occurred. Please copy the Reason and Target URL here so that we can further help you.

After filing your reply to me, follow Step 2 of the instructions I linked to in order to completely unblock yourself and resume Admin Tools protection on your site.


nicholas
Akeeba Staff
Manager

This is a known issue. Here's a mitigation for now. When you try to visit the Rescue URL make sure you do not include the /administrator in it.

However, you only get to visit a rescue URL after you're already blocked. I want to know what got you blocked in the first place. That is what we need to address.


[email protected]

There are many items in the blocked request log preceding the one above, how can we tell which one caused me to be blocked?

nicholas
Akeeba Staff
Manager

Every entry has an IP address listed. You can filter the entries matching your own IP address. If you do not know what your IP address is go to https://www.what-is-my-ipv4.com/en


[email protected]

I cannot find any instances of my own IP address in the Blocked Request Log. Is there anything else I can look at?

nicholas
Akeeba Staff
Manager

I have a suspicion that you used the “Unblock my IP” button instead of following my instructions. Please don't do that. That button removes all entries with your IP from the blocked requests log.

It's best if you don't use the Rescue URL or the Unblock my IP button. Just follow my instructions from last Wednesday. I have taken care to give you instructions which will preserve the information I need long enough for you to relay it to me.


[email protected]

Here is the Reason and Target URL from one of my sites I was blocked from this morning:

Reason = Admin Query String

Target URL = https://cornwall-holidays.info/administrator/

nicholas
Akeeba Staff
Manager

As you can read in our documentation about blocking reasons, the description of this blocking reason is:

Someone tried to access your site's administrator section but he didn't provide the secret URL parameter. Admin Tools blocked him and prevented him from seeing the login page at all.

So the real problem is that you are trying to access your administrator login page without using the Secret URL Parameter that you have configured in Components, Admin Tools, Web Application Firewall, Configure WAF, Basic features. Follow that link and look under “Administrator secret URL parameter” for more information about how to use this feature.

Please remember that when your IP address changes Joomla will automatically try to log you out of your site because your login session’s IP address does not match your current IP address. If at this point you are still logged into your backend and try to access a backend page – or editing an article, in which case Joomla automatically tries to access your backend every few minutes to renew your session – you will trigger this block reason. If this happens enough times, as configured in the Configure WAF page’s Auto-ban tab, your IP address will be blocked.

If you suspect this is the case you can first try to log out of your Joomla administrator area once you are done using it and not leave browser tabs to it open in the background (background tabs do try to refresh periodically and may cause this block reason to be triggered without you knowing). If this is not enough you should disable this feature by setting the Administrator Secret URL Parameter to an empty string. In fact, I recommend instead using Admin Tools’ administrator password protection feature if available on your server. This latter feature relies on your web server handling the additional authentication, before PHP (let alone Joomla and Admin Tools) has a chance to load. It better protects you against brute force attacks trying to guess your admin login information than the secret URL parameter. The only downside is that it only works on Apache and Litespeed servers which are nearly 90% of servers used out there and by far and large what commercial hosting providers use.

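The reply above describes repeated "Admin Query String" exceptions from one IP adding up to an auto-ban. The following triage sketch is an added example, not part of the ticket and not Admin Tools code; the pipe-separated log layout, the sample rows, and the threshold and window values are all assumptions standing in for whatever is set on the Auto-ban tab.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample rows: date|IP|reason|target URL. Not a real export.
# The IPs are documentation-range addresses; the second reason label is made up.
SAMPLE_LOG = """\
2020-11-30 09:00:05|203.0.113.7|Admin Query String|https://example.com/administrator/
2020-11-30 09:05:05|203.0.113.7|Admin Query String|https://example.com/administrator/index.php
2020-11-30 09:07:40|198.51.100.9|other (constructed)|https://example.com/index.php
2020-11-30 09:10:05|203.0.113.7|Admin Query String|https://example.com/administrator/index.php
2020-11-30 09:15:05|203.0.113.7|Admin Query String|https://example.com/administrator/index.php
"""

def parse(text):
    """Turn the constructed log text into (datetime, ip, reason, url) tuples, oldest first."""
    rows = []
    for line in text.strip().splitlines():
        when, ip, reason, url = line.split("|", 3)
        rows.append((datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), ip, reason, url))
    return sorted(rows)

def reasons_for_ip(rows, ip):
    """Count logged exceptions per blocking reason for a single IP."""
    return Counter(reason for _, row_ip, reason, _ in rows if row_ip == ip)

def first_autoban(rows, ip, threshold, window):
    """Return the time of the exception that completes `threshold` hits from
    `ip` inside a sliding `window`, or None if the limit is never reached."""
    recent = deque()
    for when, row_ip, _, _ in rows:
        if row_ip != ip:
            continue
        recent.append(when)
        # Drop hits that have aged out of the window.
        while when - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            return when
    return None

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print(reasons_for_ip(rows, "203.0.113.7"))
    # Assumed policy: 3 exceptions within 15 minutes.
    print(first_autoban(rows, "203.0.113.7", 3, timedelta(minutes=15)))
```

In the sample, a background tab retrying every five minutes reaches the assumed limit on its third request, which is why the ban appears to follow an IP change rather than any deliberate action.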

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
