This evening, a new client from Florida approached us with what seemed to be a very easy issue: whenever he tried to login to the backend of his Joomla website with his super user (aka super administrator) account, he was seeing the following error:
Login denied! Your account has either been blocked or you have not activated it yet.
We were happy because after weeks of doing a lot of hard and complex Joomla labor, we were rewarded with a very simple task! We thought that fixing this problem simply consisted of doing the following:
- Logging in to phpMyAdmin.
-
Clicking on the #__users table (where #__ is the table prefix used by the Joomla website).
-
Searching for the user in question and then changing the value of block from 1 to 0.
But, our hopes of an easy job faded quickly when we saw that the #__users table consisted only of 2 users (admin and admin2), and neither of them was blocked.
So we started debugging this issue by trying to find out the conditions under which the Joomla engine would throw the above error. We noticed that the block logic was only performed in the User – Joomla plugin – specifically in the following lines of the onUserLogin function which is located in the joomla.php file, which is in turn located in the plugins/user/joomla folder:
if ($instance->get('block') == 1){
$this->app->enqueueMessage(JText::_('JERROR_NOLOGIN_BLOCKED'), 'warning');
return false;
}
So we thought: let’s, at the beginning of the onUserLogin function (after $instance = $this->_getUser($user, $options);), add the following code…
print_r($instance);
die();
…and then try to login. And so we did, but, to our surprise, we still saw the same error when we tried to login. At this point, we started doubting whether we were working on the right website, and so we added a die() at the beginning of the main index.php file (located under the administrator folder), and the website indeed, died, which meant we were working on the right folder. So this only meant one thing, there is another, non-core plugin, throwing the exact error… Our job now was to find that plugin…
But we didn’t: We created a script to search every single file on the Joomla website to find that error message, yet we only found it in the aforementioned joomla.php file. We then looked into the extensions table in the database, and we checked all the authentication plugins, and we noticed that the plg_authentication_joomla plugin was disabled. Aha!
So we changed the enabled field of the plg_authentication_joomla plugin from 0 to 1 and we disabled the plg_authentication_cookie plugin (which was enabled, for some reason), and then we we closed the browser, and tried to login again, and it worked! (Note that due to some aggressive caching you may have to wait a few minutes before trying to login after re-enabling the plugin).
But how come the “print_r($instance);” didn’t work?
The answer is server side caching. In fact, to prove our point, we re-added the print_r statement followed by the die(); statement, and then we tested it after fixing the problem, and still we weren’t able to see that $instance printed. But, after a few minutes, the mysterious cache expired and we were able to see it. (Note: we noticed that that type of caching is the trait of a cheap, mainstream host, and the Joomla website that we were working on resided on such host.)
But what caused this?
We’re not really sure – but we suspect that someone with a super user login to the Joomla website disabled the Authentication – Joomla plugin either intentionally or unintentionally.
So, if you’re trying to login to your own Joomla website and you’re seeing the Login denied! Your account has been blocked… error, then check if the account is not really blocked in phpMyAdmin (as described above). If it’s not blocked, then check if the Authentication – Joomla plugin is enabled in phpMyAdmin. If it isn’t, then you should enable it. If it is, then please contact us. We will fix the problem for you in no time and for a super affordable fee.