
5 Tips to Enhance Your Magento Login Security

Updated on: May 1, 2020


Article Summary

Magento makes up a substantial 14.5% of the e-commerce market share, which makes it a juicy target for hackers. This article walks through the steps to maintain Magento login security.

All e-commerce websites are potential targets for hackers.

Magento makes up a substantial 14.5% of the e-commerce market share, which makes it an even juicier target. Magento’s developers anticipated this and provided splendid out-of-the-box security features for its stores. However, merely having a lot of security features is no cakewalk: you must also know how to use them, and where the platform’s own measures are insufficient, how to add to them. The responsibility for securing a website belongs to the website owner too. In this article, we discuss Magento login security guidelines to help webmasters secure their websites.

An insecure admin panel is the biggest vulnerability that plagues Magento websites. The default Magento admin URL is predictable – “websiteURL/admin” or “websiteURL/index.php/admin”. Thus, anyone can guess where your login page is, which exposes your website to people with malicious intent. Therefore, Magento login security is important.

How to maintain Magento Login Security?

Having an insecure login page is the cyber equivalent of leaving the front door unlocked for thieves to walk in. It makes it convenient for hackers to inject malware, steal information or deface your website. Here is how you can maintain Magento login security:

1. Change the Admin URL

The first step in maintaining admin security is to hide the admin panel. This can be done by changing the URL of the Magento Admin Panel. Follow these steps to change the Magento admin URL:

  1. Log in to the Admin Panel with your credentials
  2. Go to Stores and click on “Configuration”
  3. Click on “Advanced” and select “Admin”
  4. Click to expand “Admin Base URL”
  5. Set “Use Custom Admin URL” to ‘Yes’ and “Use Custom Admin Path” to ‘Yes’
  6. Type the “Custom URL” and “Custom Path”
  7. Click on the “Save Config” button

For details on Magento Admin panel security, refer to our experts’ advice on Magento Admin Panel Security.

2. Set Password Protection

Weak passwords make your website vulnerable to brute-force attacks. Hence, it is important to have strong passwords. A combination of special characters and alphanumeric characters, both in uppercase and lowercase, makes a strong password. There are a few other things that you can do to protect your admin password:

  1. On the Admin panel, go to Settings → Configuration
  2. Go to the Admin menu (as stated in the previous section)
  3. Set Password Protection to “IP and Email”. This ensures that the admin password can be reset only through the notification sent to the admin email address
  4. Set Admin Account Sharing to “No”. This disallows Admin users from logging in to the same account from different devices at once
  5. Limit the lifetime of passwords. This is done by entering the number of days beside the Password Lifetime option. The field is left blank for an unlimited lifetime

You can configure other security options like the password reset request time, adding security keys to URLs and more. For details about Magento security, refer to our Ultimate Magento Security Guide.

3. Use a Captcha for Login

Captcha stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It does exactly what it claims: it ensures that your website is interacting with a human and not a bot. Hackers rarely go about hacking individual websites by hand. They create bots that look for vulnerable websites and inject malware into them.

Use a captcha on the admin login and password reset pages. To configure the captcha, follow these steps:

  1. On the Admin panel, go to Settings → Configuration
  2. Expand Advanced and click on Admin
  3. Expand Captcha
  4. Set Captcha for Admin to “Yes”
  5. Change other captcha details according to your needs
  6. Click on Save Config after making the desired changes

[Image: Magento Advanced Captcha setting]

You can also use Google reCaptcha for Magento login security. It provides stronger protection than the built-in Magento captcha. Here are the steps to enable Google reCaptcha:

  1. Register your website on the reCaptcha site. There are two types of Google reCaptcha:
     • reCaptcha v2: verifies with a click or image selections
     • reCaptcha v3: verifies by scoring the interaction
  2. Google will generate secret keys for your website. Copy the keys
  3. Sign in as admin to your Magento store
  4. Go to Settings → Configuration
  5. Expand Security in the left panel and choose Google reCaptcha
  6. Enter the secret API keys
  7. Select the type of reCaptcha (reCaptcha v2 or reCaptcha v3)
  8. Set other back-end and front-end features by expanding either the front-end option or the back-end option
  9. Click on Save Config after making the desired changes

[Image: Google reCaptcha versions]
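Whichever version you pick, the protection only holds if the server side verifies the token Google hands the browser, and checks more than the bare "success" flag. The following is an added example written for this article, not code from Magento or from the Astra product; it assumes the documented fields of Google's siteverify JSON reply (success, hostname, error-codes, and for v3 also score and action) and uses constructed sample replies. The hostname, action name "admin_login" and score threshold are illustrative values.

```python
"""Server-side evaluation of a Google reCAPTCHA siteverify reply.

Added example; it is not code from the article or from Magento. It assumes
the documented siteverify JSON fields (success, hostname, error-codes, and
for v3 also score and action). Sample replies used with it are constructed.
"""
import json
import urllib.parse
import urllib.request
from typing import Optional, Tuple

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def fetch_siteverify(secret: str, token: str,
                     remote_ip: Optional[str] = None) -> dict:
    """POST the token the browser submitted to Google and return the parsed
    JSON reply. This is the only network call; it is not exercised offline."""
    form = {"secret": secret, "response": token}
    if remote_ip:
        form["remoteip"] = remote_ip
    body = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, body, timeout=5) as resp:
        return json.load(resp)


def evaluate_siteverify(reply: dict, expected_hostname: str,
                        expected_action: Optional[str] = None,
                        min_score: float = 0.5) -> Tuple[bool, str]:
    """Decide whether the reply should let the login attempt proceed.

    Returns (accepted, reason). The checks go beyond the bare ``success``
    flag: the token must have been solved on our own hostname, and a v3
    reply must carry the action embedded on the login page and a score at
    or above the threshold. v2 replies carry no score or action, so those
    two checks are skipped for them.
    """
    if not reply.get("success"):
        codes = ",".join(reply.get("error-codes", [])) or "unknown"
        return False, "siteverify failed: " + codes
    if reply.get("hostname") != expected_hostname:
        return False, "hostname mismatch: %r" % reply.get("hostname")
    if "score" in reply:  # only v3 returns a score
        if expected_action and reply.get("action") != expected_action:
            return False, "action mismatch: %r" % reply.get("action")
        if float(reply["score"]) < min_score:
            return False, "score %s below threshold %s" % (reply["score"], min_score)
    return True, "ok"


def check_login_captcha(secret: str, token: str, hostname: str) -> bool:
    """Glue for a login handler: fetch and evaluate in one call (network).
    "admin_login" is an assumed action name that the login page would embed."""
    accepted, _reason = evaluate_siteverify(
        fetch_siteverify(secret, token), hostname, expected_action="admin_login")
    return accepted
```

The hostname and action checks matter because a token is only bound to the site key, not to the page it was solved on: without them a token obtained on some other form (or another site registered under the same key) would pass the login check.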

4. Use Multi-Factor Authentication

Multi-factor authentication requires the admin to pass a second (and possibly a third) verification step when accessing the website. Magento provides a two-factor authentication feature.

Here are the necessary steps to enable the two-factor authentication on your Magento website:

  1. On the admin sidebar, go to Settings → Configuration
  2. Expand Security on the left panel and select 2FA
  3. Expand General
  4. Set Enable Two-Factor Authentication to “Yes”
  5. (Optional) Set Force Provider to force an authenticator globally for all users. If this option is not set, you will have to enable authenticators for every user account
  6. Enable and configure the authentication provider. The authenticators supported by Magento are Google Authenticator, YubiKey, Duo Security and Authy
  7. Click on Save Config

However, this feature is restricted to admin accounts. To apply two-factor authentication to customers’ accounts, you will have to install third-party add-ons.

You must choose at least one authenticator per account. See the detailed instructions for setting up authentication for every user account.
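To make clear what an authenticator such as Google Authenticator actually does in step 6, here is an added example (written for this article, not Magento's own 2FA code) that generates and verifies time-based one-time passwords per RFC 6238 with nothing but the Python standard library. It uses the RFC 6238 test seed "12345678901234567890" as the shared secret purely for illustration; a real enrolment generates a fresh random secret for each user and shows it as a QR code. The 30-second step, 6 digits and one step of tolerated clock skew are the usual authenticator-app defaults.

```python
"""TOTP (RFC 6238) code generation and verification with the standard library.

Added example, not Magento's own two-factor code: it shows what an
authenticator app computes from the shared secret and what the server side
checks. TEST_SEED is the RFC 6238 test secret, used here for illustration;
a real enrolment generates a fresh random secret per user.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

TEST_SEED = b"12345678901234567890"                     # RFC 6238 test secret
TEST_SECRET_B32 = base64.b32encode(TEST_SEED).decode()  # form carried in the enrolment QR code


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-SHA1 one-time password for one counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                           # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30,
         digits: int = 6) -> str:
    """Code the authenticator app shows at Unix time ``at`` (default: now)."""
    secret = base64.b32decode(secret_b32, casefold=True)
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                step: int = 30, window: int = 1,
                last_used: int = -1) -> Optional[int]:
    """Server-side check of a submitted code.

    Returns the matching time-step counter when the code is accepted, else
    None. ``window`` allows that many steps of clock skew on either side.
    ``last_used`` is the counter of the last code accepted for this user;
    anything at or before it is rejected, so a code captured in transit
    cannot be replayed inside the window. Comparison is constant-time.
    """
    secret = base64.b32decode(secret_b32, casefold=True)
    now = int(time.time()) if at is None else at
    centre = now // step
    for counter in range(centre - window, centre + window + 1):
        if counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


if __name__ == "__main__":
    code = totp(TEST_SECRET_B32)
    print("current code:", code, "accepted at counter:", verify_totp(TEST_SECRET_B32, code))
```

The server must persist the returned counter per user and pass it back as last_used on the next attempt; without that, the same six digits stay valid for the whole skew window, and the second factor degrades to something an attacker who saw one code could reuse.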

[Image: Multi-level login (image source: NIST)]

5. Firewall

A firewall acts as a gatekeeper and filters all traffic entering your website. It lets legitimate visitors through and blocks malicious bots and other forms of unwanted traffic. Quality web application firewalls, including Astra WAF, provide several security features like:

  • Blacklist monitoring
  • Notifications about suspicious login attempts and spam sign-ups
  • Blocking malicious bots
  • Limiting web requests
  • Malware scanning of uploads

There are several other features available apart from these. Thus, having an active firewall will increase your Magento login security tenfold. For more details, request an Astra Demo today!
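The "suspicious login attempts" and "limit web requests" features above come down to counting login POSTs per source address over a sliding time window. The following added example (written for this article, not Astra's or Magento's code) does exactly that over web-server access-log lines in combined format; it assumes the login form is submitted to the article's default admin path "/admin/" (substitute the custom path from tip 1), and the log lines are constructed, using documentation address ranges, to show one burst, one slow retrier and one ordinary administrator.

```python
"""Flag bursts of admin login POSTs per source IP in a web-server access log.

Added example, not Astra's or Magento's code. It assumes the combined log
format and a login POST path of "/admin/" (the default admin path from the
article). SAMPLE_LOG is constructed and uses documentation address ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample: 203.0.113.7 hammers the login form, 192.0.2.5 retries
# slowly (every 30 s), 198.51.100.9 is an ordinary administrator.
SAMPLE_LOG = [
    '198.51.100.9 - - [01/May/2020:09:59:50 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/May/2020:09:59:58 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    '203.0.113.7 - - [01/May/2020:10:00:%02d +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "python-requests/2.23"' % s
    for s in range(1, 9)
] + [
    '203.0.113.7 - - [01/May/2020:10:00:09 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.23"',
    'this line is not in combined log format',
] + [
    '192.0.2.5 - - [01/May/2020:10:%02d:%02d +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"' % (m, s)
    for m, s in [(1, 0), (1, 30), (2, 0), (2, 30), (3, 0), (3, 30)]
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_login_bursts(lines: Iterable[str], login_path: str = "/admin/",
                      limit: int = 5, window_s: int = 60) -> Dict[str, dict]:
    """Return {ip: {"peak", "first", "last"}} for every IP that sends more
    than ``limit`` login POSTs within any ``window_s``-second span.
    A deque per IP holds only the timestamps still inside the window."""
    recent = defaultdict(deque)
    flagged: Dict[str, dict] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()                      # drop attempts that fell out of the window
        if len(q) > limit:
            entry = flagged.setdefault(rec["ip"], {"peak": 0, "first": q[0], "last": rec["ts"]})
            entry["peak"] = max(entry["peak"], len(q))
            entry["last"] = rec["ts"]
    return flagged


if __name__ == "__main__":
    for ip, info in find_login_bursts(SAMPLE_LOG).items():
        print("%s: %d login POSTs between %s and %s"
              % (ip, info["peak"], info["first"].time(), info["last"].time()))
```

Note that the check keys on the request, not on the response status: a Magento login failure and success can both redirect, so counting POSTs to the login path catches guessing regardless of outcome, and the slow retrier below the threshold is left alone rather than locking out a forgetful administrator.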

[Image: Astra WAF (image source: Astra)]

Refer to the Magento security documentation for more details about Magento login security.

Conclusion

There are numerous threats that plague the e-commerce industry daily. Therefore, you need to stay safe from potential disasters by maintaining active security around your website. Conduct regular malware scans, schedule content backups, maintain PCI-DSS compliance and hire experts to give you round-the-clock protection.


Jinson Varghese

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.
Comments
Harry Harrison, 2 months ago

Hi, when will a website be marked as dangerous by Chrome? I am using Magento as a tech stack. If it happens, how can I resolve this?

Sai Krishna (Editor), 2 months ago, in reply to Harry Harrison

Thanks for responding to our article. In this case, you need to find the malware or malicious links that could be causing this. Basically, a code review for malicious content is required in such cases, followed by submitting the site to Google for a review. Ideally, a security firewall is recommended, as the website will be on the radar of hackers. This article talks about various malware and fixes; please feel free to review it: https://www.getastra.com/blog/911/magento-hacked/

Ellis Atkinson, 2 months ago

Hi there, I have a website using Magento CMS. How safe and secure is Magento?

Sai Krishna (Editor), 2 months ago, in reply to Ellis Atkinson

Thanks for responding to our post. It’s not Magento that makes your site safe and secure. Instead, it’s how your programmer sets up your site with proper security features and does not compromise the code quality while setting it up. Magento, being a Zend-based CMS, is pretty robust and secure in itself and does not encounter common security threats as often as WordPress does. In this case, we request you to use a security plugin, and that is exactly what we offer. For more information: https://www.getastra.com/magento-firewall and you can follow our Magento hack removal guide: https://www.getastra.com/blog/911/magento-hacked

Imogen Gardner, 2 months ago

Hello, for my website I can see a lot of Japanese gibberish URLs. Do you have any guide on how to remove this?

Sai Krishna (Editor), 2 months ago, in reply to Imogen Gardner

Thanks for responding to our post, and sorry to hear about the Japanese SEO spam. You can follow this article to remove the hack: https://www.getastra.com/blog/911/black-hat-seo-spam-magento-opencart-prestashop/. We recommend that you use a security plugin, and that is what we offer, where our experts will help you in securing your website. For pricing and details you can visit: https://www.getastra.com/pricing

Alicia Howe, 2 months ago

Magento SQL injection is spreading all over and businesses are getting ruined and I don’t want to take the risk. Is there any guide on how to protect from this?

Sai Krishna (Editor), 2 months ago, in reply to Alicia Howe

Yes, you are correct. SQL Command Injection is a technique where an attacker creates or alters existing SQL commands to expose hidden data, or to override valuable data, or even to execute dangerous system-level commands on the database host. It will cause many harmful things to your Magento store and your database. You can refer to our article on how to protect against it: https://www.getastra.com/blog/cms/magento-security/magento-sql-injection/

Amelie Pearson, 2 months ago

This is really a great article. How can I avoid a malware injection on my website? I am using Magento.

Sai Krishna (Editor), 2 months ago, in reply to Amelie Pearson

Thanks for responding to our post. Yes, Magento has witnessed a steep rise in malware attacks. E-commerce platforms are a goldmine for malicious actors to harvest lucrative credit card and personal information from online transactions. You can refer to our guide to protect against it: https://www.getastra.com/blog/cms/magento-security/how-to-prevent-magento-code-injection/

Amelie Pearson, 2 months ago

So, I own a website and haven’t been using a security plugin or a firewall. How important is it to use a WAF?

Sai Krishna (Editor), 2 months ago, in reply to Amelie Pearson

Thanks for responding to our post. Precisely, a WAF (Web Application Firewall) is like a gatekeeper that filters all traffic coming to your portal. It protects you from hackers, bots, malware etc. A business can set up online rules for users by having a Web Application Firewall. For more info on the significance of a WAF, kindly refer to this article: https://www.getastra.com/blog/astra-product/ecommerce-security-web-application-firewall/

Leo Townsend, 2 months ago

Hi, I would like to secure my Magento 2 admin panel from hackers. Is there any way I can protect against the attacks?

Sai Krishna (Editor), 2 months ago, in reply to Leo Townsend

Thanks for responding to our post. Magento is considered the best e-commerce platform available today, and it has numerous features, plugins, regular updates and a huge community of developers. As the technology and security measures improve, so do the capabilities of the hackers. Hackers usually target e-commerce websites to gain credit card information or just for some kicks. You can refer to this article to guard your Magento admin panel: https://www.getastra.com/blog/cms/magento-security/steps-secure-magento-admin-panel-hackers-bruteforcing-magento-1-magento-2/

Reece Owens, 2 months ago

Hello, my Magento website started acting weird. It is sending some spam mails and I think the website got hacked. What can I do?

Sai Krishna (Editor), 2 months ago, in reply to Reece Owens

Thanks for responding to the article. Spam emails are irritating like no other; it might piss off a user to a point that he/she may end up unsubscribing from you or, worse, reporting your email. If you have noticed or have been receiving warnings about spam emails from your Magento account, it is time you checked it for a Magento hack. “Magento hacked sending spam” is a common query people have when they come to know of hidden spam email campaigns taking place from their site. For more information visit here: https://www.getastra.com/blog/cms/magento-security/magento-hacked-sending-spam/

Katie Sinclair, 2 months ago

I am using PHP 7.1; are there still any vulnerabilities that can cost me? It’s a Magento stack btw.

Sai Krishna (Editor), 2 months ago, in reply to Katie Sinclair

Thanks for responding to the article. The leading web application language PHP is found to have several critical vulnerabilities in versions 7.1, 7.2 & 7.3. The most dreadful of them all is the arbitrary code execution vulnerability in PHP. Many popular CMS like Magento. For more info, visit here: https://www.getastra.com/blog/cms/magento-security/magento-stores-at-risk-due-to-php-vulnerability/

Sarah Chamberlain, 2 months ago

Hello, can you tell me what Magecart attacks are and how I can protect against them? I have been running a Magento store for a very long time.

Sai Krishna (Editor), 2 months ago

Thanks for responding to the article. Magecart attacks came out of the dark and made headlines when they targeted credit card info of giants like British Airways, Ticketmaster, Newegg, etc. But this does not mean Magecart attacks came into existence recently. In fact, Magecart attacks on Magento and other e-commerce websites can be traced back to 2014, when a group of hackers first started monetizing stolen credit card details. Since then, the masterminds of Magecart have been actively skimming the web. For more information, visit here: https://www.getastra.com/blog/911/magecart-attacks-on-magento/

Connor Howe, 2 months ago

I am not tech savvy and I own a Magento store, but I want to know about the file permissions. What are the correct permissions that I can use for my Magento 2?

Sai Krishna (Editor), 2 months ago, in reply to Connor Howe

Thanks for responding to the article. Magento is an open-source CMS for e-commerce websites. Being open source basically means anyone is free to write/change its source code. Even though open-source CMSs are the current go-to CMS type in the cyber world, this opens doors to threats as well. To keep your files out of reach of the hackers, you need to have the most secure file permissions handy. Not having strict enough file & folder permissions will elevate the risk of them getting compromised. For more info, visit here: https://www.getastra.com/blog/cms/magento-security/how-to-set-magento-file-permissions/

Archie Charlton, 2 months ago

Can you tell me the features that Astra firewall comes with? I am looking for a firewall for my website.

Sai Krishna (Editor), 2 months ago

Thanks for responding to the article and also for showing interest in Astra. You don’t have to worry about any malware, credit card hack, SQLi, XSS, SEO spam, comment spam, brute force & 100+ types of threats. This means you can get rid of other security plugins & let Astra take care of it all. You can find more info about features and other things here: https://www.getastra.com/features
