The Super Admin permission overrides all other permissions in Joomla’s ACL, such that a user with the Super Admin permission can create, edit, delete, change state, and configure anything on the website. A user with the Super Admin permission, by default, is in the Super User group.
However, with the new ACL, you could assign the Super Admin permission to registered users, meaning anyone with a login could do anything they wanted with your website. (Right, just because you can, doesn’t mean you should!)
The reverse is also true. If you set the default Super Users group to no longer have the Super Admin permission, you’ve just “bricked” your site. That means you’re completely locked out of the Joomla admin, with no way to log in again! For other groups, if you disable the Admin Login permission, that will prevent them from logging into the back end of Joomla as well.
Fortunately, there is a “back door” that will let you log into your website again. You must have access to the files on the web server in order to make the back door work. You can either use FTP to access the files, or you can go through your site’s control panel to a file manager and edit the files on the server.
However you access your files, you’ll need to edit the configuration.php file, located in the root of your website. You will need to know the Super User username or their ID. Let’s assume that the Super User username is johnsmith for this example. (For security reasons, it’s strongly recommended that you use something other than admin as a username for your Joomla site.)
Add this line of code to the bottom of configuration.php:
If you would prefer, you could also use the ID of the user (although it’s less likely you’d know this without looking up the number in the database):
Once you add this line to configuration.php, you should be able to log into the back end of Joomla again, and then you should promptly fix the problem, setting the Super User group to have the Super Admin permission.
Joomla will remind you that you have this line added to configuration.php. As long as it is present, on every screen of the admin, you will see the following message:
You are logged in using the emergency Root User setting in configuration.php.
You should remove $root_user from configuration.php as soon as you have restored control to your site to avoid future security breaches.
Click here to try to do it automatically.
Be sure to remove the line from configuration.php as soon as possible, as having it present is a security risk. While you could just comment it out, it’s better to remove it completely for security reasons.