Wards off known Joomla attacks (JCE, Novarain/Tassos, Astroid, com_ajax LFI ...) and generic attack classes – in two layers from one signature list: the .htaccess blocks GET attacks before PHP, the real-time firewall additionally catches POST attacks and uses new signatures instantly. This switch controls both.
On/off is above under „Most important settings“. Here are the details:
/api interface (Joomla 4+)route (normal when the API is used) block completely (recommended when unused) do nothing
A complete /api block would have prevented the Joomla core leak CVE-2023-23752 (reading the configuration including database credentials) from the outset. Only block if no extension uses the Joomla web services.
Manage signatures individually (17) JCE profile import (CVE-2026-48907) everyone (incl. logged in) Unauthenticated profile import in the JCE editor - start of the current RCE chain (enables PHP uploads). No legitimate frontend call. JCE webshell upload via plugin.rpc (CVE-2026-48907) guests only File upload via the JCE file browser (plugin.rpc, method=upload). Applies only on the frontend; logged-in authors (legitimate editor upload) are unaffected. JCE Image Manager (legacy exploit) guests only Classic unauthenticated file upload via the JCE image manager (very old JCE versions). Novarain / Tassos Framework (com_ajax include) everyone (incl. logged in) CVE-2026-21627: unauthenticated PHP file inclusion via plg_system_nrframework through com_ajax (task=include). Astroid Framework (AJAX endpoint) everyone (incl. logged in) CVE-2026-21628: unchecked Astroid AJAX endpoint (upload/installation). Coarse match on com_ajax + astroid. Helix3 (JoomShaper): unauth com_ajax handler (file write/delete) guests only Helix3 < 3.1.1: the onAjaxHelix3 ajax handler checked neither login nor permission. Targets the dangerous unauth POST-body actions: save (write layout JSON into the active template), remove (delete a file via path traversal), import (overwrite template style settings) plus upload_image/remove_image/updateFonts. Legitimate guest actions (voting, load) and logged-in template use are unaffected. Fix: Helix3 3.1.1. Helix3 (JoomShaper): unauth com_ajax dispatcher (file write/delete, style injection) guests only Helix3 < 3.1.1: the front-end dispatcher (option=com_ajax with plugin=helix3) invoked onAjaxHelix3 BEFORE any token/permission check - unauthenticated save/import/remove/resetLayout/updateFonts/fontVariants (file write, path-traversal delete, template style injection, stored XSS). Blocks every GUEST call of this dispatcher on the front end (defense in depth, also catches ongoing scans) - complements the action-specific helix3-ajax signature with the bare dispatcher access. Logged-in template editing runs in the backend behind auth and is NOT affected; guest scope + waf_only. Fix: Helix3 3.1.1 (2026-06-29). Not to be confused with Helix Ultimate - separate product, own signature helixultimate-comajax. Helix Ultimate (JoomShaper): unauth com_ajax dispatcher (menu write/file/export) guests only Helix Ultimate < 2.2.7: the com_ajax handler onAjaxHelixultimate (option=com_ajax with plugin=helixultimate, action in the task param) ran BEFORE any login/permission check - an anonymous attacker could write into the menu settings (stored XSS reaching the admin session), delete files anywhere via path traversal, trigger an open redirect and export the template unprotected. Blocks every GUEST call of this dispatcher on the front end; logged-in template/menu editing runs behind auth and is NOT affected (guest scope + waf_only, FP-free). Fix: Helix Ultimate 2.2.7 (2026-07-07). Separate product - NOT Helix3. com_ajax: file inclusion (generic) everyone (incl. logged in) Catches unknown LFI holes of the same class: com_ajax with task=include/require. Frontend. SP Page Builder: unauthenticated icon upload (RCE) guests only Zero-day in SP Page Builder up to 6.6.1: the asset controller (task=asset.uploadCustomIcon) had no access/login check - unauthenticated file upload to /media/com_sppagebuilder/assets/iconfont/ - RCE. Mini-WAF only (guests), since logged-in builders use the endpoint legitimately. AcyMailing: unauth SQL injection (entity-select column list) guests only CVE-2026-56292 (AcyMailing 6.0.0-10.11.0): the front-end endpoint EntitySelectController::loadEntityFront (option=com_acym, task=loadEntityFront) placed the request parameters columns/join_table unchecked into the SELECT column list of UserClass::getMatchingElements - an anonymous visitor could read arbitrary DB tables (incl. password hashes) via a subquery. Blocks GUEST calls of this task whose columns/join_table/join value contains an injection character (parenthesis or space) - legitimate values are plain column names (email,name,id ...) and never contain those. Logged-in backend use runs behind auth (guest scope) and is NOT affected. Fix: AcyMailing 10.11.1 (2026-07-09). Matches on GET (scanners/mass exploits); full protection only with the update. Path traversal (encoded variants) everyone (incl. logged in) Extends the standard filter with bypass tricks: ....// , double encoding (%252e), %c0%ae, %2e%2e%5c. PHP stream wrapper in the path everyone (incl. logged in) Blocks php:// , phar:// , data:// , expect:// etc. directly in the requested path. Joomla API configuration leak everyone (incl. logged in) CVE-2023-23752: protects the /api/.../v1/config/application endpoint even without a complete API block. PHP object injection (serialised payload) everyone (incl. logged in) Serialised PHP object in a parameter (O:/C:<length>:) - typical entry point for object injection/POP chains. Does not occur in normal requests. PHP stream wrapper in a parameter everyone (incl. logged in) php:// , phar:// , data:// etc. as a parameter value - LFI/RCE vector. Complements the path variant (php-wrapper-uri). Path traversal in a parameter everyone (incl. logged in) Repeated ../ as a parameter value - generic directory traversal/LFI in any component. The real-time WAF blocks „everyone“ patterns for logged-in/newly registered users too (no legitimate call exists); „guests only“ patterns could be used legitimately and therefore only affect non-logged-in visitors. Super users are never blocked. Query-string signatures cannot be simulated in the path test, path-based ones can.