Brute-force attacks on Magento are becoming more common, and most stores are exposed to this type of attack. They have become so common that hundreds of malicious login attempts are made against Magento websites throughout the day. There have been instances where multiple Magento stores were compromised using brute-force techniques and information such as credit card details was stolen.
Like many other attacks, the risk of a brute-force attack rises because a few specific security areas are neglected. And like many other vulnerabilities, it can be mitigated by taking some steps (which we will talk about in a minute). But first, let’s understand the modus operandi of a brute-force attack.
What Does Brute-Force in Magento Mean?
In simple terms, brute force in Magento is a trial-and-error technique for getting into a website. Attackers try many arbitrary combinations of usernames and passwords in the hope of eventually getting into an account. By continually guessing credentials, they may ultimately manage to log in. Using tools (and bots), they can automate the attack on a large scale and target many websites at high speed. Attackers also use dictionaries (lists of common passwords) to increase the efficiency of their attacks.
How to Detect a Brute Force in Magento?
All stores that have a login field run the risk of brute force in Magento, which is why it is such a common method of attack. It is not unusual to see several malicious login attempts on your website in a single day, especially on an e-commerce store like Magento.
If you have the Astra firewall installed on your Magento store, you can see all login attempts that were blocked in the “Login Protection” section. To see this:
- Log into your Astra dashboard.
- Navigate to the “Login Protection” tab.
- Review the login activity.
If you don’t yet have a firewall that monitors your website’s login activity, get the Astra firewall now and check for brute-forcing on your Magento store.
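If you would rather look at the raw web-server log yourself, the following Python script is an added example (written for this article, not Astra’s or Magento’s code) that scans combined-format access-log lines for repeated POSTs to the Magento admin login URL from a single IP inside a short window, the same pattern the Login Protection view surfaces. The log lines are constructed, and the assumption that the login form posts to the admin front name (`/admin/` or `/index.php/admin/`) is a parameter you should set to your store’s custom admin path.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample access-log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2020:09:00:01 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2020:09:00:03 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2020:09:00:06 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2020:09:00:09 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2020:09:00:12 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2020:09:05:00 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0
198.51.100.4 - - [10/Mar/2020:09:00:20 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0
198.51.100.4 - - [10/Mar/2020:09:00:45 +0000] "GET /index.php/admin/dashboard/ HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    m = LOG_RE.match(line)  # None for lines that are not in combined log format
    return m and (m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
                  m.group("method"), m.group("path"))

def is_admin_login_post(method, path, admin_path="admin"):
    """Assumption: the admin login form posts to the admin front name itself, served as
    /<admin_path>/ or /index.php/<admin_path>/; pass your custom admin path here."""
    p = path.split("?", 1)[0].rstrip("/")
    if p.startswith("/index.php"):
        p = p[len("/index.php"):]
    return method == "POST" and p == "/" + admin_path

def find_brute_force(lines, threshold=5, window_seconds=60, admin_path="admin"):
    """Map each IP with >= threshold login POSTs inside any window_seconds span to its largest
    burst. Status codes are not used: the attempt rate, like Magento's lockout, is the signal."""
    attempts = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and is_admin_login_post(parsed[2], parsed[3], admin_path):
            attempts[parsed[0]].append(parsed[1])
    flagged, window = {}, timedelta(seconds=window_seconds)
    for ip, raw in attempts.items():
        stamps, start = sorted(raw), 0
        for end, ts in enumerate(stamps):  # sliding window over the sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged
```

With the defaults, `find_brute_force(SAMPLE_LOG.splitlines())` flags only 203.0.113.7 (five POSTs in eleven seconds); the single attempt from 198.51.100.4 and the one stray attempt five minutes later fall below the threshold.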
How to Prevent Brute Force in a Magento Store?
The nature of brute force in Magento also makes it simpler to protect your website and accounts. The following steps, if followed, will help you protect your website against most brute-force attacks:
1. Using stronger passwords
Since brute force in Magento generally targets usernames and passwords, using a strong and complex password makes it much more difficult for attackers to guess. A good option is an alphanumeric password or an unusual phrase of 8-14 characters. These take a lot of time and computing power to guess. Regularly change your usernames and passwords for all your accounts. We have previously published a blog post on how to create strong passwords; refer to it for more guidance.
2. Edit your admin path
Most of the time the default admin path is left unchanged, and since default paths are common knowledge they become easy targets. Securing the Magento admin panel can work wonders when it comes to mitigating brute force in Magento. One way to secure it is to change the admin path, which hides the admin panel from everyone except the people who need it.
To change your admin path to a custom one, you can follow the below steps:
1. For Magento 1.x: Go to “System” -> Configuration -> Advanced -> Admin -> Custom Admin Path (enter a custom path for your admin)
2. For Magento 2.x: Go to “Stores” -> Configuration -> Advanced -> Admin -> Custom Admin Path
Another way to change the path is to edit the “local.xml” configuration file. Within this file, look for “CDATA[Admin]”.
This is how the default admin path looks in the app/etc/local.xml file:
Here, replace “admin” with a custom path.
3. Edit your admin account security settings
You can configure admin security to allow only 3 password-reset attempts, along with a maximum number of login failures. Once a user or attacker exceeds the allowed number of failed logins, the account is locked for a limited time, thus stopping brute force in Magento. You can change these settings by following the steps below:
1. For Magento 1.x: Go to “System” -> Configuration -> Advanced -> Admin -> Security
2. For Magento 2.x: Go to “Stores” -> Configuration -> Advanced -> Admin -> Security
4. Enabling CAPTCHA
Using CAPTCHA has become a standard security measure for accounts and websites. It essentially distinguishes a human action from that of a bot. Multiple login attempts by programs, as in brute force in Magento, can be stopped by using CAPTCHAs. A CAPTCHA allows only legitimate users (who can identify letters, words, or images) to proceed with the login. You can activate this feature in Magento through the following steps:
1. For Magento 1.x: Go to “Stores” -> Configuration -> Advanced -> Admin -> CAPTCHA
2. For Magento 2.x: Go to “Stores” -> Configuration -> Advanced -> Admin -> CAPTCHA
Also, set the maximum number of unsuccessful login attempts to 0. This ensures that every login attempt requires CAPTCHA verification, which prevents brute force in Magento.
5. Update Magento version
Using the latest version of Magento is always a good idea. Newer versions contain security fixes for known vulnerabilities, so updating protects your website from attackers and attacks. If you are on Magento 1, consider migrating to the newer, more secure Magento 2. Also update all extensions and themes that you use on your website.
6. Using security firewalls to prevent Brute-force in Magento
Using a firewall protects your website not only from brute force in Magento but also from other types of attacks. A firewall also protects you from unauthorized access and filters out harmful packets of data. Firewalls like Astra’s can protect your website round the clock from a variety of attacks.
Magento, being such a popular platform for eCommerce websites, constantly faces multiple threats. Brute force in Magento is a common attack, and with just a few steps you can protect your website from it. For a complete suite of protection, you have Astra’s intelligent and hacker-tested set of security tools and the expertise of security professionals. With Astra, you will never need to worry about your website’s security, be it brute force in Magento or any other advanced attack.