#39415 We need your help!!! URGENT

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version: 4
PHP version: php 8
Admin Tools version: 7.3.4

Latest post by nicholas on Friday, 01 September 2023 01:10 CDT

om.sonora

Dear admin tools operators, I am writing to see if you can help me prevent some penetration attempts that have been happening for some time now. The Admin Tools component has helped us a lot, but I can't find a way to block these attempts.

We are getting a lot of alert messages like the following. Unfortunately our network firewall team has not found a way to prevent these attacks. If you could give me some guidance on how to block these attempts, I would be very grateful.

Login failure -> https://www.sonora.gob.mx/component/users/?task=user.login&Itemid=101

Sincerely,
Miguel Romero

Translated with www.DeepL.com/Translator (free version)

nicholas
Akeeba Staff
Manager

There is really nothing urgent here, or anything to be worried about.

Admin Tools has a feature to report all failed login attempts (Web Application Firewall, Configure WAF, Hardening Options, Treat failed logins as a reason for blocking the request). Whenever Joomla reports a failed login attempt, Admin Tools dutifully sends you the email. This will happen when a legitimate visitor with an expired Remember Me cookie comes to the site, when a legitimate user tries to login but mistypes their username / password, or when an attacker tries to brute force (guess) a username and password.

For the latter case, here's what you can do. Note that what you do will not stop the emails (whether these attackers try anything is not under your control) but it will make sure that you are not at risk. Also remember that we see the same thing on our site. We have of course made sure that the attackers have exactly zero chance of success ;)

First of all, Admin Tools will automatically block repeat offenders, temporarily and / or permanently, based on the settings in the Auto-ban tab of the Configure WAF page.

Set the following Configure WAF options: 

  • Disable password reset for specific User Groups: Yes
  • User groups blocked from resetting the password: Super User, Administrator, Manager (and any other privileged group you may have)
  • Disable editing user properties: Yes
  • Disable creating / editing users from the frontend: Yes
  • Disable creating / editing users in these groups from the frontend: Super User, Administrator, Manager (and any other privileged group you may have)
  • Monitor Super User accounts: Yes
  • Forbid frontend Super Administrator login: Yes (note that this makes it impossible for Super Users to log into the front end)
  • Prevent forgotten backend users from logging in: Yes

You need to make sure passwords used on your site are not known to hackers. Admin Tools has the "Warn about use of well-known passwords" feature which does exactly that, using the third party HaveIBeenPwned service.

Make sure your passwords are long and complex. You can set up password complexity rules in Joomla itself, in the Options of the Users component. I also recommend using a password manager to store your passwords. A password that you can remember is NOT a good password.

Always use Multi-factor Authentication. It is now built into Joomla itself. It was a component we built and maintained for 7 years before donating it to Joomla. Multi-factor Authentication means that even if you give someone the login URL, username, and password they will not be able to log in without entering the second authentication factor. Use WebAuthn as your second authentication factor for maximum security.

Then, let the attackers try in vain to brute-force your site. It's like trying to drill a hole in the water, as we say in my country: an obvious waste of time on something that's obviously impossible.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
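The reply above says Admin Tools will "automatically block repeat offenders, temporarily and / or permanently" based on the Auto-ban settings, and that the emails themselves are not the problem. The following is an added example, not Admin Tools' own code or the ticket's data: it models that policy (a sliding window of failed logins, a temporary block when the window fills, a permanent block after repeated temporary ones) and replays it over constructed failed-login events shaped like the ticket's alert line. The thresholds, the event format and the IP addresses are assumptions chosen for the example, not Admin Tools' defaults.

```python
"""Threshold-based auto-ban for repeated failed logins (added example).

Not Admin Tools' own code: it models the policy the reply describes and
replays it over constructed failed-login events. The thresholds below are
assumptions chosen for the example, not Admin Tools' defaults.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values (illustrative only).
MAX_FAILURES = 3                  # failures inside WINDOW that trigger a block
WINDOW = timedelta(minutes=5)     # sliding window over failed logins
TEMP_BAN = timedelta(minutes=15)  # length of a temporary block
PERM_AFTER = 2                    # temporary blocks before a permanent one

# Constructed sample events in the shape of the ticket's alert, with an
# added timestamp and source IP. Addresses are from documentation ranges.
LOGIN_URL = "https://www.sonora.gob.mx/component/users/?task=user.login&Itemid=101"
SAMPLE_EVENTS = [
    f"2023-09-01 01:00:00 203.0.113.7 Login failure -> {LOGIN_URL}",
    f"2023-09-01 01:00:10 203.0.113.7 Login failure -> {LOGIN_URL}",
    f"2023-09-01 01:00:20 203.0.113.7 Login failure -> {LOGIN_URL}",
    f"2023-09-01 01:01:00 198.51.100.4 Login failure -> {LOGIN_URL}",
    f"2023-09-01 01:05:00 203.0.113.7 Login failure -> {LOGIN_URL}",
    f"2023-09-01 01:20:00 203.0.113.7 Login failure -> {LOGIN_URL}",
    f"2023-09-01 01:20:05 203.0.113.7 Login failure -> {LOGIN_URL}",
    f"2023-09-01 01:20:10 203.0.113.7 Login failure -> {LOGIN_URL}",
    f"2023-09-01 01:30:00 203.0.113.7 Login failure -> {LOGIN_URL}",
    f"2023-09-01 01:30:00 198.51.100.4 Login failure -> {LOGIN_URL}",
]


@dataclass
class AutoBan:
    """State of the blocking policy: recent failures and active bans per IP."""
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    banned_until: dict = field(default_factory=dict)
    ban_count: dict = field(default_factory=lambda: defaultdict(int))
    permanent: set = field(default_factory=set)

    def is_blocked(self, ip: str, now: datetime) -> bool:
        if ip in self.permanent:
            return True
        until = self.banned_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ip: str, now: datetime) -> str:
        """Feed one failed login; return the decision for this request."""
        if self.is_blocked(ip, now):
            return "blocked"          # request never reaches the login form
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > WINDOW:
            recent.popleft()          # forget failures outside the window
        if len(recent) < MAX_FAILURES:
            return "allow"            # so far consistent with a mistyped password
        recent.clear()
        self.ban_count[ip] += 1
        if self.ban_count[ip] >= PERM_AFTER:
            self.permanent.add(ip)
            return "perm_ban"
        self.banned_until[ip] = now + TEMP_BAN
        return "temp_ban"


def parse_event(line: str) -> tuple:
    """Split a constructed '<date> <time> <ip> Login failure -> <url>' line."""
    date, time, ip, *_ = line.split(" ")
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), ip


def replay(lines, policy: Optional[AutoBan] = None) -> list:
    """Apply the policy to events in order; return (ip, decision) per event."""
    policy = policy if policy is not None else AutoBan()
    return [(ip, policy.record_failure(ip, when)) for when, ip in map(parse_event, lines)]


if __name__ == "__main__":
    state = AutoBan()
    for line, (ip, decision) in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, state)):
        print(f"{line[:19]} {ip:<14} {decision}")
    print("permanently blocked:", sorted(state.permanent))
```

In the replay, the single failure from 198.51.100.4 is allowed both times, 203.0.113.7 is blocked temporarily after its third failure in five minutes, ignored while the block is active, and blocked permanently once it fills the window a second time. The point for the ticket is where this signal lives: whether a login succeeded or failed is known only to the application, which is why an application-layer control such as the Admin Tools WAF can act on it while a network firewall, which sees only encrypted requests to the same login URL, cannot.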

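The reply's "Warn about use of well-known passwords" feature relies on the third-party HaveIBeenPwned service. As an added example (not Admin Tools' code and not a description of how Admin Tools calls the service), the block below shows the mechanism HIBP's Pwned Passwords range API uses so that a site can check a password without disclosing it: the client sends only the first five hex characters of SHA-1(password) and compares the remaining 35 characters locally against the returned SUFFIX:COUNT lines. The sample range response is constructed and its counts are invented; only the hash of the string "password" is real.

```python
"""HaveIBeenPwned k-anonymity password check (added example).

Not Admin Tools' own code. Demonstrates the Pwned Passwords range API:
only the 5-character SHA-1 prefix leaves the site; the 35-character suffix
is matched locally. SAMPLE_RANGE_RESPONSE is constructed with made-up counts.
"""
import hashlib
import urllib.request
from typing import Optional

# Constructed stand-in for the body of GET /range/5BAA6. Real responses hold
# several hundred lines; the third line is SHA-1("password") minus its
# 5-character prefix. All counts are invented.
SAMPLE_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4C9B93F3F0682250B6CF8331B7EE68FD9:2
"""


def split_hash(password: str) -> tuple:
    """Return (prefix sent to HIBP, suffix kept locally) of SHA-1(password)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, range_response: str) -> int:
    """Breach count for the password according to a range response, 0 if absent."""
    _, suffix = split_hash(password)
    for line in range_response.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch a range body from the live API (network access; not used offline).

    Add-Padding asks the API to pad the list with zero-count decoy suffixes so
    the response size does not reveal how many real suffixes the prefix has.
    """
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def is_well_known(password: str, range_response: Optional[str] = None) -> bool:
    """Policy wrapper: True when the password has appeared in a breach."""
    prefix, _ = split_hash(password)
    body = range_response if range_response is not None else fetch_range(prefix)
    return pwned_count(password, body) > 0


if __name__ == "__main__":
    prefix, suffix = split_hash("password")
    print("sent to HIBP:", prefix, "kept local:", suffix)
    print("breach count (sample response):", pwned_count("password", SAMPLE_RANGE_RESPONSE))
```

Calling is_well_known without a response body goes to the live service with the prefix only; the suffix, and therefore the password, is never transmitted. Any decision the site makes (warn, or refuse the password when the user groups in the reply are involved) is taken on the count returned by pwned_count.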