Skip to content
Bernhard Froehler edited this page Dec 4, 2017 · 31 revisions

What can I do in case I have locked myself out?

In case that for some reason you have locked yourself out of your own installation, the way to unblock yourself depends on whether you have .htaccess blocking enabled or not. If you don't know about .htaccess blocking, you probably have it disabled (it's disabled by default).

If you are using database blocking (the default), you have two alternatives to get back into your Joomla! installation:

  • If you have access to the database behind Joomla! (e.g. via phpmyadmin), then you have several options: To specifically remove the block on your IP address:

    • Either go to the table #__bfstop_bannedip (where #_ must be replaced by your database prefix); there, delete the entry with your IP address.
    • Or go to the table #__bfstop_whitelist and add an entry for your IP there (an entry in the whitelist will override any active block)

    To disable bfstop altogether:

    • Navigate to the table #__extensions (where #__ again needs to be adapted to your database prefix). Locate the entry with name='plg_system_bfstop' and set 'enabled' for this entry to 0.
  • Alternatively, if you have FTP access to the server running Joomla!, you can also move the file "bfstop.php" in the folder "plugins/system/bfstop/bfstop.php" to another location, e.g. to "plugins/system/bfstop/bfstop.php.bak". Note that this will disable the whole plugin, though! You can then go to the backend, go to the list of blocked IP addresses (Components -> Brute Force Stop Administration), and unblock yours. Then it's safe to move the bfstop.php file back to its old location.

If you .htaccess blocking enabled:

  • You need FTP access to the server running Joomla! or another form of accessing the files on your Joomla! installation folder (e.g. ssh).
  • Go to the root Joomla! folder, identify the .htaccess file
  • If you have only FTP access, download the file; otherwise (e.g. via ssh) you can directly edit the file
  • Open the file in an editor, find your IP address between the # BEGIN Brute Force Stop Blocks and the # END Brute Force Stop Blocks (prefixed with "deny from "), and remove the line.
  • If you have FTP access, you will have to re-upload the file
  • Note: .htaccess blocking works in addition to blocking via database. So you also have to go through one of the options mentioned above to get rid of the database block entry.

What can I do if something doesn't work as expected?

It is always worth to take a look at your webserver and php logfile first; if there's nothing there, enable logging on plugin side (see How do I turn on logging? ); repeat the process which leads to the unexpected behavior, and see if something meaningful turns up in the logfile; possibly you can then already resolve the problem yourself. If you find that something is wrong which you don't think you can do anything about, and which is an error in bfstop, then create an issue here:

How do I turn on logging?

  • Go to the bfstop configuration (Extensions -> Plugins -> "System - Brute Force Stop")
  • In newer versions (starting with 0.9.11):
  • Under "Advanced settings", set "Logging" to "Detailed information"
  • In versions prior to 0.9.11:
  • Under "Advanced settings", set "Logging" to "enabled".

The log file is named "plg_system_bfstop.log.php", and resides in the configured Joomla! log directory. Note that the file only exists if there already were some log entries.

How do I find out what has changed in a new version?

Check the Changelog:

What can I do if I don't get any notifications / email sending fails?

BFStop uses the Joomla! mail configuration. So, first make sure you have configured it correctly. To do so, in your backend, go to "Global Configuration->Server", and verify that everything there is set up correctly, e.g. that your mail server details are entered. See the Joomla! Documentation for details on that. Second, make sure you have configured a recipient for the notifications (currently configured in the plugin configuration). Make sure that at least one of the following applies:

  • You have entered a valid email address in the respective input field
  • You have selected a user
  • You have selected user group with at least one member

When that is done, you can test the notification in the "Brute Force Stop Administration" Component under "Settings". On the upper right there is a button to test the current notification settings. It will report any issues it encounters during sending in the messages box. If something after the immediate sending goes wrong, you might have to check your inbox for return messages. Also make sure to check the logs.

Can I block/whitelist a subnet / IP range (can I block IP addresses by "wildcard")?

Yes, specifying ranges is possible, both in the whitelist and in the blocked list. The tooltip on hovering over the address input caption shows some information on how to do that. You have to enter the subnet in CIDR suffix notation. You enter an IP address, and after it, you enter a slash and the number of bits that need to match the given IP address.

Some Examples:

  • If you enter "" in the IP address field, it will block all IP addresses in the range to (this would be equivalent to a "wildcard" block of 10.1.*).
  • If you enter "", it will block IP addresses in the range to ("wildcard" equivalent would be "192.168.0.*).

When blocking such IP ranges, make sure you know what you are doing, so that you don't block yourself with a too generic range! Please cconsult for example the above linked article for more details.

Note: At this point, IPv6 ranges / CIDR suffixes are not supported yet, you will not be prevented to enter such entries, but they will simply be ignored. Their handling will be implemented in version 1.5.0

Why don't I see the password from the attempted login?

Such a feature has been previously requested; and in a pre-release version this was also included.

However, the Joomla! Security experts considers this a possible information disclosure problem, as was reported for the Login Failed Log extension, see here:

Therefore, there is a low probability that I will implement this. Under some special circumstances (when you want to do some statistics about used passwords in attacks, I guess?) this might be useful; but for the general usecase it is not needed. Should you feel that this is a must-have, please report it at the issue tracker:

Or even better, if you're into development yourself, create a pull request for that feature! In the latter case, make sure the feature can be disabled and is disabled by default (to avoid said information disclosure). You'd be listed as contributor here in the wiki and on the Joomla! extensions directory page!

Is there a BFStop version for Joomla! 1.5?

Short answer: No there isn't, and I will not provide one.

Long answer: bfstop development started when Joomla! 2.5 was the lowest supported version. There were extensive API changes between 1.5 and 2.5, so there would probably be many changes required to get it running on 1.5 (though I haven't tried, as I have no 1.5 installation anymore). Since the official support for Joomla! 1.5 has stopped as of 2012 as far as I know, there are no plans on my side to backport it to older versions than 2.5. Due to possible security issues not being adressed in such old versions, I highly recommend to update to a more recent and still supported version of Joomla! In case you are bound to 1.5 for some reasons, feel free to use the existing code to create a fork for Joomla! 1.5.

How do I configure Community Builder to work together with BFStop


How can I support bfstop?

I used to experiment with donations, but as it just is a fun project I to do in my spare time, I currently do not accept monetary donations, and do not plan to do so any time soon. I would however be very happy about feedback in bfstop's Joomla! Extensions Directory entry or, preferred in case it is a bug or feature request, in the issues section here on github.

You can’t perform that action at this time.