OTP - I have been blocked; how do I sort this out?

Sometimes a Securitycheck Pro configuration can result in accidentally blocking a Super User from the site. Normally that would require you to rename some folders of Securitycheck Pro's system plugin or launch some queries from phpMyAdmin to unblock yourself. This can be rather complicated for some site administrators. The One Time Password (OTP) feature works around that problem in a secure manner: visiting a special URL lets you log in to your site's administrator backend and unblock yourself.

  • How to use the OTP feature

    IMPORTANT

    OTP needs a Two Factor Authentication (2FA) method configured in a Super User account to work. Also note that if you are not the only Super User on your site, it's possible that someone has turned off Rescue Mode. If these instructions don't work, you should assume OTP is not available or disabled on your site.

Assuming that your site's URL is http://www.example.com, your Super User username is admin and your 2FA method gives you the code 123456, you need to visit the following URL (the parameter order matters!) to use the OTP:

http(s)://www.example.com/administrator/?username=admin&otp=123456

If Backend protection is enabled (let's suppose the key is mybackendprotection), then the URL will be:

http(s)://www.example.com/administrator/?username=admin&otp=123456&mybackendprotection

Visit the URL twice and, if all goes well, you will see your site's administrator backend login page or the Joomla! administrator control panel. If you see the login page, just log in with the Super User account you used in the OTP URL.

IMPORTANT

If you were logged in as a different Super User account you will still be blocked. You will need to clear your browser’s cache and use the OTP again.

Now you can go to Components, Securitycheck Pro and unblock yourself.

  • OTP and security

OTP was designed with security in mind. There's no point having a security extension if there's an easy backdoor to it! We have ensured security by taking several measures. First and foremost, the OTP only applies to the administrator backend. The frontend of your site is not affected. This means that nobody can abuse it to subvert Securitycheck Pro's protection of your public site.

You also must be already blocked from accessing the site and know the Super User's username. If your backend login page is protected by a .htaccess password or a secret key you will need to supply that before the request has any effect.

A Two Factor Authentication method (configured and working for a Super User account) is also needed to use it. This means that even in the unlikely event of you being fully compromised (including control of your email account AND your Super User username and password), the attacker would still be stumped by Two Factor Authentication.

Does this mean I will also need 2FA to access the Joomla backend with that Super User account? YES. You may think this is a drawback, but I think you'll thank me in the end. The OTP only temporarily disables Securitycheck Pro's blocking to allow a Super User to log into the site. It does not disable the Securitycheck Pro WAF or Joomla's own security checks.

Finally, OTP is opt-out. This means that you can disable it by editing the Configuration – Global Configuration – Tuning tab and setting the OTP option to No.
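Because the OTP rescue URL described above only applies to the administrator backend, every attempt to use it shows up in the web server's access log as a request to /administrator/ carrying username and otp parameters. The following Python script is an added example for auditing those attempts; it is not part of Securitycheck Pro or of this documentation. It parses constructed combined-format access log lines, keeps only backend requests that carry both parameters, masks the code before reporting, records whether the parameters appear in the required order and whether an extra Backend protection key was supplied, and flags any source that needed more than the two visits the procedure calls for or whose requests were all rejected. The log lines, IP addresses, the 403 status used for a rejected request and the attempt threshold are all constructed assumptions; the page does not state which status a blocked request returns.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log lines in combined format (not real traffic).
# 203.0.113.5 is an administrator following the procedure (two visits, accepted).
# 198.51.100.9 is a source whose attempts are all rejected and once sends the
# parameters in the wrong order. The last two lines are not OTP attempts at all.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:09:12:01 +0000] "GET /administrator/?username=admin&otp=123456 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:09:12:04 +0000] "GET /administrator/?username=admin&otp=123456 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:09:13:10 +0000] "GET /administrator/?username=admin&otp=000001&mybackendprotection HTTP/1.1" 403 210 "-" "curl/8.0"
198.51.100.9 - - [10/Mar/2024:09:13:11 +0000] "GET /administrator/?username=admin&otp=000002&mybackendprotection HTTP/1.1" 403 210 "-" "curl/8.0"
198.51.100.9 - - [10/Mar/2024:09:13:12 +0000] "GET /administrator/?otp=000003&username=admin HTTP/1.1" 403 210 "-" "curl/8.0"
192.0.2.7 - - [10/Mar/2024:09:14:00 +0000] "GET /administrator/index.php?option=com_content HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
192.0.2.7 - - [10/Mar/2024:09:14:05 +0000] "GET /index.php?username=admin&otp=123456 HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format matcher: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_otp_events(log_text):
    """Return one record per OTP rescue attempt found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # The OTP only applies to the backend entry point, so ignore everything else.
        if parts.path != "/administrator/":
            continue
        # keep_blank_values keeps a bare key such as the Backend protection key.
        params = parse_qsl(parts.query, keep_blank_values=True)
        keys = [k for k, _ in params]
        if "username" not in keys or "otp" not in keys:
            continue
        values = dict(params)
        events.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "username": values["username"],
            # Never write the one-time code itself into an audit report.
            "otp_masked": "*" * len(values["otp"]),
            # The documentation requires username before otp.
            "order_ok": keys.index("username") < keys.index("otp"),
            # Any other key is assumed to be the Backend protection key.
            "extra_keys": [k for k in keys if k not in ("username", "otp")],
            "status": int(m.group("status")),
        })
    return events


def summarize(events, max_attempts=3):
    """Group attempts by (ip, username) and flag the ones worth a closer look.

    The procedure needs two visits, so more than max_attempts from one source,
    or a source that never got an accepted (non-4xx/5xx) response, is flagged.
    """
    counts = Counter((e["ip"], e["username"]) for e in events)
    findings = {}
    for (ip, user), n in counts.items():
        statuses = [e["status"] for e in events
                    if e["ip"] == ip and e["username"] == user]
        succeeded = any(s < 400 for s in statuses)
        findings[(ip, user)] = {
            "attempts": n,
            "succeeded": succeeded,
            "suspicious": n > max_attempts or not succeeded,
        }
    return findings


if __name__ == "__main__":
    for key, finding in summarize(parse_otp_events(SAMPLE_LOG)).items():
        print(key, finding)
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a source flagged as suspicious is a prompt to check, in Components, Securitycheck Pro, whether the block was lifted by someone you recognize, and to confirm that Rescue Mode is still set the way you intend.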