All e-commerce websites are potential targets for hackers.
Magento makes up a substantial 14.5% of the e-commerce market share, which makes it a juicy target more so. Magento’s developers anticipated this and provided splendid out-of-the-box security features for its stores. However, just having a lot of security features makes it no cakewalk. You must also have the right knowledge about how to use them in increasing security measures of the platform that are insufficient to secure your website. The responsibility of securing a website belongs to the website owner too. In this article, we discuss Magento login security guidelines to help webmasters secure their websites.
An insecure admin panel is the biggest vulnerability that plagues Magento websites. The Magento admin URL is simple – “websiteURLadmin” or “URL/index.php/admin”. Thus, anyone can know about your file structure. This, sort of, exposes your website to people with malicious intent. Therefore, Magento login security is important.
How to maintain Magento Login Security?
Having an insecure login page is the cyber equivalent of leaving the front door unlocked for the thieves to enter. It makes it convenient for hackers to inject malware, steal information or deface your website. Here is how you can maintain Magento Login Security:
1. Change the Admin URL
The first step to maintaining admin security is to hide the admin panel. This can be done by changing the URL of the Magento Admin Panel. Follow these steps to change the Magento admin URL:
- Log in to Admin Panel with your credentials
- Go to Stores and click on “Configuration”
- Click on “Advanced Menu” and select “Admin”
- Click to expand “Admin Base URL”
- Set “Use Custom Admin URL” to ‘Yes’ and “Use Custom Admin Path” to ‘Yes’
- Type the “Custom URL and Path”
- Click on the “Save Config” button
For details on Magento Admin panel security, refer to our experts’ advice on Magento Admin Panel Security
You can also use Google reCaptcha for Magento login security. It provides enhanced security over the Magento security captcha. Here are the steps to enable Google re-captcha.
- Register your website on the reCaptcha site. There are two types of Google re-captcha:-
- reCaptcha v2: Verifies with click or image selections
- reCaptcha v3: Verifies input score
- Google will generate secret keys for your website. Copy the keys
- Sign in as admin to your Magento store
- Go to settings → Configuration
- Expand Security in the left panel and choose Google reCaptcha
- Enter the secret API keys
- Select the type of reCaptcha (reCaptcha v2 or reCaptcha v3)
- Set other back-end and front-end features by expanding either the front-end option or the back-end option
- Click on Save Config after making the desired changes
4. Use Multi-Factor Authentication
Multi-factor authentication requires the admin to undergo a second and third step of verification while accessing the website. Magento provides a two-factor authentication feature.
Here are the necessary steps to enable the two-factor authentication on your Magento website:
- On the admin sidebar, Go to Setting → Configuration
- Expand Security on the left panel and select 2FA
- Expand General
- Set Enable Two-factor authentication to “Yes”
- (Optional) Force Provider to force an authenticator globally for all users. If this option is not selected, you will have to enable authenticators for every user account
- Enable and configure the authentication provider. The authenticators supported by Magento are Google Authenticator, Yubikey, Duo Security and Authy
- Click on Save Config
However, this feature is restricted to the admin account. To apply two-factor authentication to customers’ accounts, you will have to install third-party addons.
You must choose at least one authenticator per account. Click here for detailed instructions to set authentication for every user account.
5. Firewall
A firewall acts as a gatekeeper and filters all traffic entering your website. It allows your website to generate organic traffic and prevents malicious bots and other forms of unwanted traffic. Quality web application firewalls including Astra WAF provides several security features like:
- Blacklist monitoring
- Notification about suspicious login attempts and spam sign-ups
- Block malicious bot
- Limit web requests
- Malware scanning for uploads
There are several other features available apart from these. Thus, having an active firewall will increase the Magento Login Security by ten folds. For more details, request an Astra Demo today!
Refer to the Magento security document for more details about Magento Login Security.
Conclusion
There are numerous threats that plague the e-commerce industry daily. Therefore, you need to stay safe from potential disasters by maintaining active security around your website. Conduct regular malware scans, schedule content backups, maintain PCI-DSS compliance, and hire experts to give you round-the-clock protection.
Jinson Varghese
Hi, when will a website be marked as dangerous by chrome? I am using magento as a tech stack. If it happens how can I resolve this?
Thanks for responding to our article. In this case, you need to find malware, malicious links to reference to malicious links that could be causing this. Basically, a code review for malicious content is required in such cases. Followed by submitting to Google for a review. Ideally, a security firewall is recommended as the website will be on the radar of hackers. This article talks about various malware and fixes, please feel free to review them: https://www.getastra.com/blog/911/magento-hacked/
Hi there, I have a website using Magento CMS. How safe and secure is magento?
Thanks for responding to our post. It’s not Magento that makes your site safe and secure. Instead it’s how your programmer sets up your site with proper security features and does not compromise the code quality while setting it up. Magento being a Zend based CMS is pretty robust and secure in itself and does not encounter common security threats as often encountered with wordpress. In this case, we request you to use a security plugin and that is what we exactly offer.For more information: https://www.getastra.com/magento-firewall and You can follow our magento hack removal guide: https://www.getastra.com/blog/911/magento-hacked
Hello, for my website I can see a lot of Japanese gibberish URLs. Do you have any guide on how to remove this?
Thanks for responding to our post and sorry to hear about the japanese SEO spam. You can follow this article to remove the hack: https://www.getastra.com/blog/911/black-hat-seo-spam-magento-opencart-prestashop/. We recommend you to use a security plugin and that is what we offer where our experts will help you in securing your website. For pricing and details you can visit: https://www.getastra.com/pricing
Magento SQL injection is spreading all over and businesses are getting ruined and I don’t want to take the risk. Is there any guide on how to protect from this?
Yes, you are correct. SQL Command Injection is a technique where an attacker creates or alters existing SQL commands to expose hidden data, or to override valuable ones, or even to execute dangerous system level commands on the database host. It will cause many harmful things to your Magento Store, and your database. You can refer our article on how to protect: https://www.getastra.com/blog/cms/magento-security/magento-sql-injection/
This is really a great article. How can I avoid a Malware injection for my website? I am using Magento.
Thanks for responding to our post. Yes, Magento has witnessed a steep rise in malware attacks. E-commerce platforms are a goldmine for malicious actors to harvest lucrative credit card and personal information from online transactions. You can refer our guide to protect against it: https://www.getastra.com/blog/cms/magento-security/how-to-prevent-magento-code-injection/
So, I own a website and haven’t been using a security plugin or a firewall. How important is it to use a WAF?
Thanks for responding to our post. Precisely, a WAF (Web Application Firewall) is like a gatekeeper that filters all traffic coming to your portal. It protects you from hackers, bots, malware etc. A business can set up online rules for users by having a Web Application Firewall. For more info on the significance of WAF kindly refer this article: https://www.getastra.com/blog/astra-product/ecommerce-security-web-application-firewall/
Hi, I would like to secure my Magento 2 admin panel from hackers. Is there any way I can protect against the attacks?
Thanks for responding to our post. Magento is considered as the best e-commerce platform available today and it has numerous features, plugins, regular updates and a huge community of developers. As the technology and security measures improve, so do the capabilities of the hackers. Hackers usually target e-commerce websites to gain credit card information or just for some kicks. You can refer this article to guard your magento admin panel: https://www.getastra.com/blog/cms/magento-security/steps-secure-magento-admin-panel-hackers-bruteforcing-magento-1-magento-2/
Hello, my Magento website started acting weird. It is sending some spam mails and I think the website got hacked. What can I do?
Thanks for responding to the article. Spam emails are irritating like no other, it might piss off a user to a point that he/she may end up unsubscribing you or worse reporting your email. If you have noticed or have been receiving warnings about spam emails from your Magento account, it is time you checked it for a Magento hack. Magento hacked sending spam is a common query people have when they do come to know of hidden spam email campaigns taking place from their site. For more information visit here: https://www.getastra.com/blog/cms/magento-security/magento-hacked-sending-spam/
I am using PHP 7.1 still are there any vulnerabilities that can cost me? It’s a Magento stack btw.
Thanks for responding to the article. The leading web application language PHP is found to have several critical vulnerabilities in versions 7.1, 7.2 & 7.3. The most dreading of it all is the arbitrary code execution vulnerability in PHP. Many popular CMS like Magento. For more info, visit here: https://www.getastra.com/blog/cms/magento-security/magento-stores-at-risk-due-to-php-vulnerability/
Hello, can you tell me what Magecart attacks are and how can I protect them? I have been running a Magento store for a very long time.
Thanks for responding to the article. Magecart attacks came out of the dark and made headlines when it targeted credit card info of giants like British Airways, Ticketmaster, Netwegg, etc. But, this does not mean Magecart attacks came into existence recently. In fact, Magecart attacks on Magento and other e-commerce websites can be traced back to 2014 when a group of hackers first started monetizing with stolen credit card details. Since then, masterminds of Magecart have been actively skimming the web. For more information, visit here: https://www.getastra.com/blog/911/magecart-attacks-on-magento/
I am not tech savvy and I own a magento store but want to know about the file permissions. What are correct permissions that I can use for my Magento 2?
Thanks for responding to the article. Magento is an open-source CMS for e-commerce websites. Being open source, basically means anyone is free to write/change its source codes. Even though open source CMS(s) are the current go-to CMS type in the cyber world, it opens doors to threat as well. To keep your files out of reach of the hackers, you need to have the most secured file permissions handy. Not having enough strict file & folder permissions will elevate the risk of it getting compromised. For more info, visit here: https://www.getastra.com/blog/cms/magento-security/how-to-set-magento-file-permissions/
Can you tell me the features that Astra firewall comes with? I am looking for a firewall for my website.
Thanks for responding to the article and also for showing interest in Astra. You don’t have to worry about any malware, credit card hack, SQLi, XSS, SEO Spam, comments spam, brute force & 100+ types of threats. This means you can get rid of other security plugins & let Astra take care of it all.You can know more info about features and other here: https://www.getastra.com/features