What is the difference between "Site IP Allow List" and "Exceptions" in "Configure WAF"?
In both places I can enter an IP address or range.
But what is the functional difference between the two?
Best regards, Wouter (WoodyF4u)
Latest post by nicholas on Tuesday, 07 January 2025 02:58 CST
Site IP Allow = whitelist. Only these trusted IPs can access the backend of the site. Moreover, they also act as if they are in the exceptions list. Only use this feature if you want to prevent access to your site's backend from anywhere except a small range of static IP addresses.
Exceptions = malicious requests coming from these IP addresses are blocked BUT they are neither logged, nor will you get emailed about them. Use that for the IP addresses of search engine bots and other automations which will be accessing your site, possibly cause false positives, but you really don't want them to get automatically blocked temporarily or permanently as it would cause problems for your site.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Thanks for the answer.
Then I had misunderstood the barrier.
I increasingly experience that I am blocked as a Super Administrator in the backend. I then get the page stating that I am a spammer, hacker or bad person.
I was hoping to be able to set it somewhere so that I wouldn't be blocked if I worked from IP addresses that I trusted.
But I do want the freedom to also log in to the backend from other addresses.
Can I enter some IP addresses somewhere that I trust and that are not blocked by AdminTools?
Best regards, Wouter (WoodyF4u)
The backend does not have the protections you find in the frontend. It's only access control, and making sure you don't try to edit a user to elevate their privileges. If you are already logged into the backend, the former is an already cleared hurdle. Unless you are stubbornly trying the same thing over and over again despite getting a Not Authorized message until you get your IP blocked, I don't think your problem is what you think it is.
Is it possible that when you or anyone else gets blocked you only see one of a small handful of IP addresses? If so, your site may be behind a CDN, reverse proxy, or load balancer which means that its IP address will be seen by PHP on your server as the visitor's address. In this case you need to go to Joomla's Global Configuration and enable Behind Load Balancer. This setting tells Joomla* to instead use the X-Forwarded-For (or a similar, vendor-specific) HTTP header as the source of the visitor's IP address. This is a header set by the CDN / reverse proxy / load balancer to communicate the real visitor's IP address to the web server.
* Joomla's IP handling code was written by me. It used to be part of Admin Tools, and was contributed to Joomla! back in 2013. This is why I know so well how it works, why it works the way it does, and why Admin Tools no longer has this code in it.
Nicholas K. Dionysopoulos
Lead Developer and Director
Then it remains a strange situation.
Because I have experienced this problem at three locations where I used a home network with a normal router without using a CDN or reverse proxy.
I was usually working on 1 website at a time. I was logged in as Super Administrator.
But after a certain time I was blocked by IP address and seen as a bad person, spammer or hacker.
Only after I granted myself access again via FTP could I release the IP address and continue working.
Sometimes this happened several times a day.
Is AdminTools' security too strict in this regard?
But I can't indicate anywhere that certain IP addresses are trusted?
Best regards, Wouter (WoodyF4u)
It's not about your network. It's about your site. I think you are conflating CDN with VPN. Read those pages, understand the difference, then re-read my previous reply. It will all make more sense to you.
Nicholas K. Dionysopoulos
Lead Developer and Director
Hi Nicholas,
On Thursday January 2nd I wanted to update the extensions on one of my sites in the backend.
Then I wanted to check if I had activated the correct Google ReCaptcha code.
All these actions at home where I connected my computer to the internet via a fiber optic router.
I do not use a VPN or reverse proxy.
Yet within three minutes I was seen as a spammer, hacker or bad person.
After I had given myself access to the backend again via FTP I saw that I was blocked on my external IP address of my router at home.
I made a screenshot in which I made my IP address invisible.
These are normal actions, aren't they?
How can it happen every time that I am blocked so quickly?
As previously indicated, this happens on multiple sites, with different hosters and at different locations.
And I keep wondering what the function is of: Configure WAF / Exceptions / Never block these IPs
Am I right in thinking that if I enter my IP address there, this address will not be blocked by AdminTools?
Best regards, Wouter (WoodyF4u)
The screenshot is useless since you redacted the IP addresses. Without these IP addresses I cannot tell if you are behind a VPN, your server is behind a CDN / reverse proxy, or you are causing the problem yourself with your settings about the administrator secret URL parameter.
Nicholas K. Dionysopoulos
Lead Developer and Director
Is it safe to write my IP address in this public ticket?
By the way, I mention again that I experience this at multiple locations.
So different networks, different external IP addresses.
It would be very coincidental if they all run via a CDN / reverse proxy.
Best regards, Wouter (WoodyF4u)
As per my original reply, you need to go to Joomla's Global Configuration and enable the setting Behind Load Balancer.
This ticket is now closed as it's been resolved since the first reply, and everything after that is a clear waste of everyone's time.
Nicholas K. Dionysopoulos
Lead Developer and Director
I will give you a lot more information that you need to understand and internalize for future troubleshooting.
A load balancer is a physical network device or software which sits between a server's physical network connection and the Internet. Its role is to spread out incoming requests across multiple physical servers, thus accelerating the site's response time. It's unlikely, but not impossible, that it's used with a Joomla or WordPress site. It's controlled by the site's host and/or owner.
A reverse proxy is a physical network device or software which sits between a server's physical network connection and the Internet. Its role is usually to filter the TCP/IP traffic and accelerate the site by caching some responses (e.g. static files). It's controlled by the site's host and/or owner. Common examples: Varnish, Squid.
A CDN is a reverse proxy which is managed by a company other than your host. It works exactly the same way as a reverse proxy. Just like any other reverse proxy, it sits in front of a server. It's controlled by the site's owner. Common examples: CloudFlare, Sucuri.
All of these have the same side effect. They are NOT transparent in the way an Ethernet switch is, dozens of which sit between the visitor and your server to route the traffic between your visitor and your site. They are opaque to the network; they have an IP address. Therefore the web server software only ever sees the IP address of the load balancer / reverse proxy / CDN, not the IP address of the visitor. If you block its IP address then all of the traffic to your site is blocked. This is what happens to you.
This is a common problem, with a common solution. All these opaque network services take the original IP address of the visitor and put it in a special HTTP header, usually X-Forwarded-For. Therefore, we need to tell Joomla to ignore the visitor's IP address reported by the web server, using the one from X-Forwarded-For instead. This is what the Behind Load Balancer option does.
And that concludes what happens with your server which has anything to do with your problem.
In your head, you are confusing CDNs and VPNs.
A VPN is something that encapsulates your TCP/IP traffic to appear as if it originates inside a different network. This is used by site visitors to obfuscate their IP address. It's controlled by the site's visitor.
A CDN sits in front of a site. A VPN sits in front of a visitor's Internet connection. Let me paint a picture:
VISITOR ---> VPN ---> { Internet } ---> CDN ---> Server
What is on the left hand side of the Internet is controlled by the visitor.
What is on the right hand side of the Internet is controlled by the site's host and/or owner.
Since your problem has to do with the right-hand side, it doesn't matter where you connect from (that's the left hand side!). Therefore, the fact that you get blocked always, every time, regardless of where you connect from and which machine you use tells us that the problem is indeed on the right hand side.
You really need to understand the massive difference between a VPN and a CDN. Insisting they are the same thing is a wrong assumption not based in objective reality. Insisting that both would be under the control of the visitor is a wrong assumption not based in objective reality. If you start with a wrong assumption not based in objective reality you will never understand your problem, therefore you will never solve it.
If you can't understand that, that's okay. I understand that for you. That's what I am here for. All I ask of you is to follow my instructions instead of arguing with me about whether they are right or not. If there are different possibilities, as it was the case before your last reply, we can narrow it down by trying the solution for Root Cause A. If it doesn't work, it tells us Root Cause A is not the case, so let's proceed with Root Cause B and see if addressing that fixes things.
If, however, you are unwilling to do anything I tell you, I can't help you. We'll just be wasting each other's time with me telling you how things actually work, and you telling me how you misunderstand how things work. It's a pointless dance I'd like to avoid. We'd both get frustrated for no reason.
If the solution I gave you does not work, open a new ticket and we'll check whether you are inadvertently using a VPN (some browsers and OS do it for you, e.g. Opera, Firefox, and macOS), or if we can just change your admin secret URL parameter options to best match your use of your site. But, please, stop telling me that a CDN and VPN are both under the visitor's control because I might lose it :p
Nicholas K. Dionysopoulos
Lead Developer and Director
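Added example, not part of the ticket and not Joomla's or Admin Tools' code: a small Python model of the side effect described in the reply above, where an auto-blocking firewall behind a CDN bans the CDN's own address unless the visitor IP is taken from X-Forwarded-For. The addresses, the three-strike threshold, the function names, and the rule of honouring the header only when the TCP peer is a known proxy are all assumptions of this sketch.

```python
import ipaddress
from collections import Counter

# Constructed sample values (documentation address ranges), not from the ticket.
CDN_NETS = [ipaddress.ip_network("198.51.100.0/24")]
BLOCK_AFTER = 3  # hypothetical auto-ban threshold

def is_proxy(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CDN_NETS)

def visitor_ip(remote_addr, headers, behind_load_balancer):
    """Return the address the application should treat as the visitor."""
    xff = headers.get("X-Forwarded-For", "")
    # Use the header only when the setting is on AND the TCP peer is a known
    # proxy; otherwise any client could forge it to dodge or redirect a ban.
    if not (behind_load_balancer and xff and is_proxy(remote_addr)):
        return remote_addr
    # Walk right to left: the rightmost entries were appended by proxies.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            if not is_proxy(hop):
                return hop
        except ValueError:
            break  # malformed entry: fall back to the TCP peer
    return remote_addr

def simulate(requests, behind_load_balancer):
    """Replay (peer, headers, malicious) tuples; return the banned addresses."""
    strikes, banned = Counter(), set()
    for remote_addr, headers, malicious in requests:
        ip = visitor_ip(remote_addr, headers, behind_load_balancer)
        if malicious:
            strikes[ip] += 1
            if strikes[ip] >= BLOCK_AFTER:
                banned.add(ip)
    return banned

# Constructed traffic: every request reaches the server from one CDN edge.
EDGE, ADMIN, BOT = "198.51.100.7", "203.0.113.10", "192.0.2.66"
TRAFFIC = [(EDGE, {"X-Forwarded-For": BOT}, True)] * 3 + \
          [(EDGE, {"X-Forwarded-For": ADMIN}, False)]

if __name__ == "__main__":
    print("setting off:", simulate(TRAFFIC, False))  # the CDN edge is banned
    print("setting on: ", simulate(TRAFFIC, True))   # only the bot is banned
```

With the setting off, the ban lands on the edge address that also carries the administrator's requests, which is the lock-out pattern described in the reply.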