Hello Magento folks,
I hope you all had a great weekend. Last we talked about how you can fix a 404 error in your Magento 2 admin. Today we will talk about how you can secure your Magento website from brute force attack.
Brute force attacks are increasing day by day, and most of the websites are weak to face these break-in attacks. From these attacks, you could potentially lose millions of dollars, and your personal data can be lost and misused. You should take this matter seriously save your Ecommerce store.
If you don’t know what brute force attack is in ethical hacking, then let me explain it in simple terms. By using the Brute Force attack, one bot is fired to your login page to try different username/passwords, which are inbuilt in the brute force attack program. They have thousands of weak username/password combination to try in minutes.
If you have a weak username/password and kept the same admin link, hackers are just some minutes away to hack your admin and do whatever they want.
Below are the steps to save and secure your Magento website from a brute force attack.
Contents
1. Use a customized admin path for your website.
Magento 1: Default Magento URL is domain.com/admin, so don’t let hackers know your admin login page. For that, you have to change it.
Go to app/etc/local.xml open this file, scroll down below and find admin, change it to something unusual and weird that only you can remember.
You can see <![CDATA[admin]]>, change it to your own admin URL, e.g.: important or Backoffice or stayaway
Clear and flush the cache and check the frontend then.
2. Securing your Magento Admin account
I believe that there are almost 90% Magento store owners who keep their username as admin.
If you are in the same 90%, understand that hackers already know that you kept the admin as a username, and now they only need to try different passwords using brute force. Whatever combination applies, and your store will be hacked.
So, it is a good security practice to keep a different username instead of admin.
You can change your admin username from
Magento1: System – My account.
Magento2: Admin – Account setting (admin) on top right in the backend.
The second important thing here is to keep your admin password strong. You can use online strong password generator tools and keep it safe on your desktop somewhere. Or use service like LastPass easy management of passwords.
3. Downloader folder for Magento 1
Magento 1 is having a downloaded folder in the root of your Magento files. It was generally used for extension installation from Magento Marketplace.
Some hackers can gain access to your website from this downloader folder. To protect your Magento site, you have the following choices.
You can rename the downloadable folder as it’s not useful anymore.
Or you can make it not accessible using .htaccess
Apache
Edit the file downloader/.htaccess and add the following lines:
order deny, allow
deny from all
allow from 1.2.3.4
1.2.3.4 is your whitelist IP v4 address.
Nginx
Open configuration file of your Magento website. E.g: /etc/Nginx/conf/mywebsite.conf
Add the following block of lines:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
location /downloader/ { allow x.x.x.x; deny all; location ~ \.php$ { echo_exec @phpfpm; } } |
4. Keep Magento version always up to date
No Matter you are using Magento 1 or Magento 2, you should always upgrade the Magento version and keep it up to date with the latest available Magento version because every new version fixes a lot of security loopholes and vulnerabilities. Magento directly publishes these loopholes and vulnerabilities of older versions so hackers get to know from where and how they can get access to your store.
You can use our service of Annual Upgrade Service, and once subscribed, you will never have to worry about the upgrade for a whole year. We keep upgrading as soon as new version launches.
5. You can enable reCaptcha for admin login
ReCaptcha is, by default, a feature included in Magento 2. With the latest Magento 2 versions, you should keep reCaptcha enabled for your admin login too. The latest reCaptcha helps to secure your admin login page from the brute force attack.
6. Use two-factor authentication
Two-factor is also another option to use for authentications. There are several free extensions available to set up this functionality for your admin login, which also adds a good security layer for your Magento 2.
https://github.com/mageplaza/magento-2-two-factor-authentication
Perform all of these steps one by one on your Magento website to secure your Magento store from brute force attacks. If you have any other solution that worked for your Magento website, then do let us know in comments and we will add that into our tutorial so that other Magento people can benefit from these.
So, today, we learned how you can save yourself and your Magento website from brute force attacks. If you like this tutorial, then give it thumbs-up, and if you want me to share more tutorials like this in the Magento tutorial series, then let me know in the comments below.
Also, if you want me to write on something you are having a problem in the Magento store, let me know in comment sections.
Lastly, if you need any help with your Magento store, then you can always contact our Magento support center. We will be happy to help you.
