6 Ways to Protect Your Magento Panel

When it comes to an eCommerce platform, Magento needs no introduction.

However, with a market share of 0.8% of all known websites, Magento is the most common target for hackers. [i]

In fact, it is the most hacked CMS after WordPress.

Even though Magento comes with many in-built security features, they are not enough to protect your store from potential threats and cyberattacks.

Thus, you need to take primitive actionable measures to strengthen your Magento eCommerce site.

And the first step towards securing your Magento website is to protect your Magento Admin Panel.

Let’s discuss the top 6 ways to secure your Magento admin panel from cybercriminals.

Ready? Let’s dive right in!

Change Admin Panel Default URL

The first and foremost step you can take as a store owner to protect your admin panel is to change the default URL to a more complex one. Since the store’s domain is publicly available, it is vulnerable to brute force attacks.

When you use a unique, custom admin panel URL, you can reduce exposure to scripts that try to gain unauthorized access.

Follow these steps to change the URL of your Magento Admin:

• Log in to Admin Panel using your credentials
• Go to Stores, and click on “Configuration”
• Click on “Advanced Menu” and select “Admin”
• Click to expand “Admin Base URL”
• Set “Use Custom Admin URL” to “Yes” and “Use Custom Admin Path” to “Yes”
• Type the “Custom URL and Path”
• Lastly, click on the “Save Config” button

However, while changing the default admin URL, you have to be extremely careful because any error while configuring it can block normal access to your store backend. And you can restore access only by correcting the misconfigured fields on the server.

Also, make sure you consult your hosting provider before making any changes to the admin URL of the store. It’s simply because some web hosting services require default URLs for their firewall to work.

Set Two-Factor Authorization

Two-factor authorization adds an extra layer of security beyond a username and password against unauthorized access.

It blocks unauthorized access even if a hacker knows the password.
Generally, it requires an additional password or a key obtained through an SMS or a dedicated app like Google Authenticator, Authy, or Duo Security on an Android or iOS smartphone to gain access to an account.

You can set up two-factor authentication on your Magento website by following these steps:

• On the admin sidebar, Go to Setting → Configuration
• Expand Security on the left panel and select 2FA
• Expand General
• Set Enable Two-factor authentication to “Yes”
• (Optional) Force Provider to force an authenticator globally for all users. If this option is not selected, you will have to enable authenticators for every user account
• Enable and configure the authentication provider. The authenticators supported by Magento are Google Authenticator, Yubikey, Duo Security and Authy
• Click on Save Config

However, this feature is accessible only to the admin account. If you want to apply two-factor authentication to your customers’ accounts, you will have to install third-party addons.

Use a CAPTCHA for Login

Hackers do not hack individual websites, they create bots that look for vulnerable websites and inject malware into them. This is the reason why CAPTCHA is used to secure websites.

CAPTCHA is an abbreviation for “Completely Automated Public Turing test to tell Computers and Humans Apart.” And the purpose of CAPTCHA is exactly the same, to ensure your website is interacting with a human and not a bot.

To use CAPTCHA for the admin login, configure it by following these steps:

• On the Admin panel, go to Settings –> Configuration
• Expand Advanced and click on Admin
• Expand CAPTCHA
• Set CAPTCHA to Admin to “Yes”.
• Change other details of the CAPTCHA according to your need
• Click on Save Config after making the desired changes

Magento Security Tab

Another way to make your eCommerce store more secure is by using the security tab of the Magento admin panel. The Magento Security Tab allows you to configure the admin security, for instance limiting the admin session duration, blocking access from multiple devices, etc.

Follow these steps to find and configure the security tab:

• Go to the sidebar on the left of the admin panel and click Stores
• Find the Settings section and locate the link to Configuration.
• Choose the Advanced section and open the Admin sub-menu, where the Security tab is located.

You have the following security options to choose from:

• Add Secret Key to URLs: Enabling this option appends a secret key to the existing Admin URL. Activating this option will protect your store from Cross-site request forgery attacks.

• Login is Case Sensitive: Using case-insensitive usernames and passwords makes it easier for hackers to guess your login credentials and gain access to your account. You can manage the case sensitivity of your username and password by enabling this option.

• Admin Session Lifetime: This field aims to determine the time in seconds a current admin session expires if the store manager is taking no action. This prevents unauthorized access in various ways, one of them being cookie theft. Cookie theft happens when the hacker doesn’t know the password, but has obtained a cookie file that allows access to the current admin session.

• Maximum Login Failures to Lockout Account: It is one of the ways to prevent brute force attempts of guessing the username and password combinations.

• Lockout Time: This option specifies the number of minutes a locked-out account remains locked out before getting automatically unlocked. This option comes in handy to protect the admin against brute force and password guessing

• Password Lifetime: Enabling this option will require the admins to change their passwords frequently. It helps in blocking unauthorized access if a person has current login credentials.

• Password Change: This option helps to stimulate store managers to change their passwords before they expire.

IP Whitelisting And .htaccess in Magento

IP whitelisting and .htaccess password protection block access to any development, staging, or testing systems.

Since these are highly sensitive systems, any compromise to these systems’ security would lead to an ugly data leak or brutal attack.

You can follow these steps to modify your .htaccess file to protect certain URLs from cyber hackers:

For a single-store view Magento installation

For a Store View in a Subdirectory

If you have Magneto installed in a sub-directory or a store view as a virtual sub-directory of the main domain name:

Besides, you can also whitelist IP addresses using an extension that grants store access to specific IP addresses. Such extensions block traffic from unwanted countries, regions, and IP addresses. Furthermore, you can also block access to the entire store, specific products, and web pages.

Log Admin Actions

Stores that are based on the Adobe Commerce edition can utilize the embedded activity logging functionality. This helps retrace the actions made by the admin account with the help of the activity log.

Here’s how you can turn on the Action log:

Stores> Settings> Configuration> Advanced> Admin> Admin Actions Logging. The function by default tracks every action, however, you can configure it to log only specific actions.

To Summarize

Securing your Magento panel is a crucial step in protecting your online store from cyber attacks and other online threats. Other than the ways mentioned above, conducting regular malware scans, scheduling content backups, and maintaining PCI-DSS compliance ensures your Magento admin panel is protected against information theft, unlawful transactions, and other malware attacks.

Want to Build a Secure eCommerce Store? Contact Us!

References:

[i] Kinsta: Magento Market Share in 2022