Magento Security

6 Steps To Prevent Brute-Force In Magento Stores

Updated on: June 9, 2020

6 Steps To Prevent Brute-Force In Magento Stores

Brute force attacks in Magento is becoming more common and most websites are vulnerable to this type of attack. It has become so common that hundreds of malicious login attempts are made on Magento websites throughout the day. There are instances where multiple Magento stores were hacked using brute force techniques and information such as credit card details were stolen.

brute force in magento
Brute force attacks on Magento sites

Like many other attacks, the risk of a brute-force attack rises due to the negligence of some particular security areas. And like many other vulnerabilities, it can be mitigated by taking some steps (which we will talk about in a minute). But, first, let’s understand the modus operandi of a brute-force attack.

What Does Brute Force attacks in Magento Mean?

In simple terms, brute force in Magento are trial and error techniques to get into a website. Attackers try several arbitrary combinations of usernames and passwords to eventually sneak into an account. By continually guessing the credentials, attackers might be able to ultimately log into the account. By using tools (and bots) for such an attack, they can automate it on a larger level and target multiple websites with insane speed. Attackers also use dictionaries to increase the efficiency of their attacks.

How to Detect a Brute Force attacks in Magento?

All stores that have a login field run the risk of Brute Force attacks in Magento. Hence, it is such a common method of attack. It’s not uncommon to see multiple attack login attempts on your website throughout a day, especially for an e-commerce store like Magento.

If you have the Astra firewall installed on your Magento store, you can see all login attempts which are stopped in the “Login Protection” section. To see this,

  1. Log into your Astra dashboard.
  2. Navigate to the “Login Protection” tab.
  3. Review the login activity.
Astra stops suspected login attempts

If you don’t have a firewall that monitors your website’s login activities yet, get the Astra firewall now and check Brute-forcing on your Magento store.

How to prevent Brute force in Magento store?

The nature of Brute-force in Magneto also makes it simpler to protect your website and accounts. The following steps, if followed, will help you protect your website against maximum Brute-force attacks:

1. Using stronger passwords

Since Brute-Force in Magento targets usernames and passwords generally, using a strong and complex password will make it much difficult for attackers to guess it. A good option is to use an alphanumeric password or unusual phrases of 8-14 characters. These will take a lot of time and computing power to guess. Regularly change your username and passwords for all your accounts. Previously, we have published a blog on how to create strong passwords. Refer to this blog for more guidance.

2. Edit your admin path

Most of the time, the default admin path is unchanged and since default paths are common knowledge, they can become easy targets. Securing the Magento admin panel can work wonders when it comes to mitigating Brute-force in Magento. One way you can secure the admin panel is by changing the admin path. This will hide the admin panel from all except the concerning people.

To change your admin path to a custom one, you can follow the below steps:

1. For Magento 1.x: Go to “System” – > Configuration -> Advanced -> Admin -> Custom Admin Path (edit a custom path for your admin)

2. For Magento 2.x: Go to “Stores” -> Configuration -> Advanced -> Admin -> Custom Admin Path

Source: Magento docs

Another way to change the path is to edit the “local.xml” configuration file. Within this file, look for “CDATA[Admin]”.

This is how the default admin paths looks in the app/etc/local.xml file:


Here, replace “admin” with a custom path.

3. Edit your admin account security settings

You can configure admin security to allow for only 3 attempts of password resets, along with the maximum number of login failures. Once a user or attacker fails to log in to an account, the account can be locked for a limited time thus stopping Brute-force in Magento. You can change these settings by following the below steps:

1. For Magento 1.x: Go to “System” -> Configuration -> Advanced -> Admin -> Security

2. For Magento 2.x: Go to “Stores” -> Configuration -> Advanced -> Admin -> Security

4. Enabling CAPTCHA

Using CAPTCHA has become a new security standard for accounts and websites. It essentially differentiates a human action by that of a bot. Multiple login attempts by programs like in Brute-force in Magento can be stopped by using CAPTCHAs. A CAPTCHA allows only legitimate users (who identify letters, words, or images) to go ahead with the login procedure. You can activate this feature in Magento through following steps:

1. For Magento 1.x: Go to “Stores” -> Configuration -> Advanced -> Admin -> CAPTCHA

2. For Magento 2.x: Go to “Stores” -> Configuration -> Advanced -> Admin -> CAPTCHA

brute force in magento
CAPTCHA sample

Also, set the maximum number of unsuccessful attempts to log in to 0. This will ensure that all login attempts will require CAPTCHA verification which will prevent Brute-force in Magento.

5. Update Magento version

Using the latest version of Magento is always a good idea. Newer versions have security fixes for known vulnerabilities and thus updating it protects your websites from attackers and attacks. If you are on Magento 1, consider migrating to the new and secure Magento 2. Also, update all extensions and themes that you use on your website.

6. Using security firewalls to prevent Brute-force in Magento

Using a firewall protects your website not only from the Brute-force in Magento but also from other types of attacks. A firewall will also protect you from unauthorized access and will also filter out harmful packets of data. Firewalls like Astra’s can protect your website round the clock and from a variety of attacks.

How does the Astra firewall work?


Magento being such a popular platform for eCommerce websites, always faces multiple threats. Brute force in Magento is a common attack and with just a few steps you can protect your website from these. To have a complete suite of protection, you have Astra’s intelligent and hacker-tested set of security tools and expertise of security professionals. With Astra, you will not need to worry about your Magento store’s security ever, be it a Brute force in Magento or any other advanced attacks.

Was this post helpful?


Jinson Varghese

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany