Magento stores can be severely damaged even without any software vulnerability: weak security of the admin panel alone is often enough to lead to a website breach.
Unauthorized admin access can do a lot of damage to a Magento store without alerting security personnel. An attacker with admin access can modify the store configuration, product catalogue, order data and more, and can steal credit card, billing address and shipping address information.
Magento store owners should make every effort to reduce the chance of an admin panel compromise. The basic admin protection practices are described below.
Change admin panel default URL
To protect the admin panel, the store owner must change its default URL. The default Magento admin URL is typically store_domain/magento/admin. Cybercriminals can easily guess the admin URL of a Magento store because the domain name is publicly available.
The default Magento admin URL is composed of two parts: the admin URL and the admin path. The admin path is the part of the admin URL that follows the last slash of the Default Base URL. The base URL is the store domain name with an optional additional path after the slash, for example https://magento_store/magento.
Modifying the default admin URL increases Magento store security by forcing malicious actors to find the correct URL before they can begin hacking activities such as brute force attacks.
Caution: Always be careful when changing the Magento admin URL. Any mistake in configuring it can block normal access to the store backend through the web browser, and access can only be restored by correcting the error in the server's configuration.
Note: Before you make any changes to your store's admin URL, consult your hosting provider. Some hosting providers require the default URL for their firewall rules to function.
Modifying the Magento admin URL
Log in to the Magento admin panel with the admin account. Navigate to Stores>Settings>Configuration, open the Advanced section and click Admin.
In the Admin Base URL section, set both Use Admin URL and Use Admin Path to Yes.
Enter the Custom Admin URL and the Custom Admin Path; the path is appended to the URL after the last slash.
Once the configuration is complete, click Save Configuration and sign out of the admin panel. Then log in using the new admin URL.
Modify the admin path directly in env.php on the server
If you only need to change the Magento backend admin path, it may be simpler to edit the configuration on the server directly. The custom admin path is stored in the env.php file, located at app/etc/ in the Magento installation.
Open env.php in a text editor and locate the backend section near the beginning of the file; its frontName value is the admin path. You can change the default admin path to any path you like, such as storename_admin.
To activate the change, flush the Magento cache by running php bin/magento cache:flush on the server. Alternatively, flush the cache via the admin interface: Tools>Cache Management>Flush Magento Cache.
How do I find the current Magento admin URL?
After changing the default Magento admin URL it may be hard to remember the new address. Magento offers two ways to retrieve the admin URL if you have lost it; both require access to the server.
To get the current admin URL, run php bin/magento info:adminuri on the server. The output has the form Admin URI: /magento_custom_admin.
You can also check the current admin path by opening the file app/etc/env.php in the Magento installation directory with any text editor and reading the frontName value in the backend section.
Append the result to the base URL of the store.
How do I revert to the default Magento admin URL/path?
If the admin URL or path is configured incorrectly, the store admin panel will not be reachable from your web browser. To restore the lost backend access, use the command line on the server.
Reset the admin URL to its default value with php bin/magento config:set admin/url/use_custom 0, and revert the admin path with php bin/magento config:set admin/url/use_custom_path 0.
Then clear the Magento cache with php bin/magento cache:flush.
Set up two-factor authentication
Two-factor authentication (2FA) is a key security measure against unauthorized access. It requires an additional secret on top of your password.
The second factor blocks unauthorized access even if the password is known to malicious actors. This secret is typically a number or string that you obtain via SMS or from an app such as Google Authenticator, Authy or Duo Security on your Android or iOS smartphone.
A store administrator whose smartphone is not compatible with a 2FA app can use a browser extension to access the 2FA app instead. Alternatively, a store can set up a U2F USB device such as a YubiKey.
Adobe has integrated 2FA in Magento version 2.3.0. Starting with version 2.4.0, 2FA is enabled automatically during Magento installation.
Configure 2FA in a store by navigating to Stores>Settings>Configuration>Security>2FA. In the General section, select which 2FA provider you wish to use.
Magento allows you to use multiple 2FA providers at once. Each one must be set up individually.
Google Authenticator has a single option: the time window for which a one-time password (OTP) remains valid. Duo Security needs an Integration Key, Secret Key and API hostname. Authy requires an API key. A WebAPI Challenge Domain is required for U2F devices.
If you do not want to spend much effort on 2FA setup, stick with Google Authenticator: simply scan the QR code displayed by Magento with the app on your smartphone to connect it.
Enable CAPTCHA for the admin panel
Brute force is still a popular way to gain access to the admin panel. Enable CAPTCHA on the admin login page to protect your store from password guessing.
Magento 2.3 and later ship with built-in support for the latest Google reCAPTCHA.
Check that the required modules are enabled before configuring them. To list the modules and their status, run the following from the Magento installation directory:
php bin/magento module:status
If a module is disabled, enable it; for example, the 2FA module is enabled with php bin/magento module:enable Magento_TwoFactorAuth
Once the 2FA module is active, you will not be able to log in to the store admin panel until two-factor authentication has been set up: Magento prompts you to configure it before letting you in. If you need time to prepare your smartphone for the 2FA setup, you can temporarily disable the 2FA module with php bin/magento module:disable Magento_TwoFactorAuth
Magento Security tab
To further increase the security of your Magento admin panel, use the Security tab. It offers many options for configuring admin panel security, including limiting the session duration, blocking access from multiple devices and enforcing password changes.
In the sidebar on the left of your admin panel, click Stores. Locate the Settings section and the Configuration link. Select the Advanced section, then open the Admin menu. This is where you will find the Security tab.
The following options are available under Security:
- Add Secret Key to URLs. If set to Yes, this option appends a secret key to every Admin URL. Enabling it is strongly recommended to protect your store against cross-site request forgery (CSRF) attacks.
- Login is Case Sensitive. Magento can distinguish the case of characters, making admin passwords harder to guess. With this option enabled, uppercase and lowercase characters are treated as different.
- Admin Session Lifetime. This field sets how long a current admin session lasts. It helps prevent unauthorized access in several ways, for example after cookie theft: an attacker who does not know the password but holds the session cookie can use the current admin session until it expires.
- Maximum Login Failures to Lockout Account. This is another way to prevent guessing of store administrators' passwords.
- Lockout Time. This option specifies, in minutes, how long an admin account stays locked before it can log in again. It protects the administrator against password guessing and brute force.
- Password Lifetime. This option makes admin account passwords expire and be updated regularly, so that a user always has current login credentials. It specifies how long passwords remain valid.
- Password Change. This option can be used to encourage store managers to change their passwords before they expire.
IP whitelisting
Limiting who can reach the admin panel is a powerful way to protect it from unauthorised access. Magento 2 stores can restrict access by IP address: add the allowed IP addresses to an IP whitelist.
IP whitelisting works best if store admins access the store backend from specific locations and computers.
First, determine the IP address of every computer that is allowed to connect to the Magento 2 backend. You can use Google to reveal a public IP address by searching for "what is my ip".
Please note: many internet providers use dynamic IP addresses, especially for smartphones accessing the internet. If a static address is not available, every dynamic IP must be added to the whitelist before that store admin can reach the backend.
A VPN tunnel can also be used to give admins a single whitelisted address while they connect from multiple IP addresses. This usually requires consulting the hosting provider.
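As an added example (not from the original article), here is a small Python log audit that applies three of the checks above to web-server access logs: probes of the default /admin path, admin requests from outside the IP whitelist, and repeated login POSTs that reach the lockout threshold. The admin path, allowlist and log lines are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Combined log format (Apache/nginx): client IP, then the request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')

ADMIN_PATH = "storename_admin"               # custom admin path used in the article; assumed here
ALLOWLIST = [ip_network("203.0.113.0/24")]   # constructed allowlist of admin workstations
LOCKOUT_FAILURES = 6                         # constructed threshold, mirroring "Maximum Login Failures"

# Constructed log lines (not real traffic): an admin inside the allowlist and a scanner outside it.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2024:10:01:02 +0000] "GET /storename_admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Mar/2024:10:01:20 +0000] "POST /storename_admin/admin/index/index/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:10:02:00 +0000] "GET /admin/ HTTP/1.1" 404 1200 "-" "python-requests/2.31"',
    '198.51.100.9 - - [12/Mar/2024:10:03:00 +0000] "GET /catalog/category/view/id/3/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
] + [  # seven login POSTs in seven seconds from the scanner
    f'198.51.100.7 - - [12/Mar/2024:10:02:{s:02d} +0000] "POST /storename_admin/admin/index/index/ HTTP/1.1" 302 0 "-" "python-requests/2.31"'
    for s in range(10, 17)
]

def parse(lines):
    """Yield (ip, method, path) for every line that matches the log format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("method"), m.group("path")

def is_allowed(ip, allowlist):
    return any(ip_address(ip) in net for net in allowlist)

def audit_admin_access(lines, admin_path=ADMIN_PATH, allowlist=ALLOWLIST, threshold=LOCKOUT_FAILURES):
    """Return three sorted IP lists: probes of the default /admin path, hits on the
    custom admin path from outside the allowlist, and IPs whose POSTs to the
    custom admin path reached the lockout threshold (likely password guessing)."""
    custom = f"/{admin_path}/"
    default_probes, outside, posts = set(), set(), Counter()
    for ip, method, path in parse(lines):
        if path == "/admin" or path.startswith("/admin/"):
            default_probes.add(ip)
        if path.startswith(custom):
            if not is_allowed(ip, allowlist):
                outside.add(ip)
            if method == "POST":
                posts[ip] += 1
    brute = {ip for ip, n in posts.items() if n >= threshold}
    return sorted(default_probes), sorted(outside), sorted(brute)
```

Run it over a real access log by passing an open file object instead of SAMPLE_LOG; any IP that appears in the second or third list is a candidate for blocking at the web server.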
Apache Server
The following steps whitelist admin access for stores running on an Apache server. The .htaccess file is located in the root directory of the Magento installation; open it in a text editor and add the whitelisting rule:
RewriteCond %{REMOTE_ADDR} !^xx\.xx\.xx\.xx$
RewriteRule ^(index\.php/)?admin/ - [L,R=403]
xx.xx.xx.xx should be replaced with the IP address from the whitelist, specified in IPv4 format. To allow several addresses, add one RewriteCond line per address before the RewriteRule. If you use a custom admin path, replace admin/ with that path.
Nginx Server
A Magento store running on an Nginx server should usually consult the hosting provider about IP whitelisting, as the configuration files may not be accessible.
Stores with full access to the server can restrict Nginx access by following the official admin access restriction guide.
The whitelist is set in nginx.conf with a location rule for the admin path; xx.xx.xx.xx should be replaced with the IP address from the whitelist, specified in IPv4 format.
Configure User Roles
Magento lets you minimize the potential damage if an unauthorized person gains access to the admin panel. This is done by creating user roles, which define the permissions specific accounts have to perform certain actions in the store.
Navigate to System>Permissions>User Roles>Add New Role and assign a name to the role.
By default Magento grants admin accounts the complete list of permissions. Reduce it by selecting only the store activities or resources the user needs access to.
Permissions can be used to limit access to:
- Sales
- Catalog
- Customers
- Cart
- Marketing
- Content
- Stores
- System
- Action log
Log admin actions
Stores based on the Adobe Commerce edition can use the built-in action logging function. It lets you review the actions each admin account has taken using the activity log.
Action logging can be turned on in Stores>Settings>Configuration>Advanced>Admin>Admin Actions Logging. By default the function logs all actions, but it can be configured to log only specific actions.
Summary
Protecting the Magento 2 admin panel is an essential step in protecting your web store from many online threats. The steps above are simple enough to apply, and they will protect the backend of your store.
source https://mirasvit.com/blog/magento-admin-protection-guide.html