All e-commerce websites are potential targets for hackers.
Magento makes up a substantial 14.5% of the e-commerce market share, which makes it an especially juicy target. Magento’s developers anticipated this and provided splendid out-of-the-box security features for its stores. However, simply having a lot of security features is no cakewalk: you must also know how to use them, and the platform’s default security measures on their own are insufficient to secure your website. The responsibility for securing a website belongs to the website owner too. In this article, we discuss Magento login security guidelines to help webmasters secure their websites.
An insecure admin panel is the biggest vulnerability that plagues Magento websites. By default, the Magento admin URL is predictable: “websiteURL/admin” or “URL/index.php/admin”. Thus, anyone can guess where your admin panel lives, which exposes your website to people with malicious intent. Therefore, Magento login security is important.
How to maintain Magento Login Security?
Having an insecure login page is the cyber equivalent of leaving the front door unlocked for thieves to walk in. It makes it convenient for hackers to inject malware, steal information or deface your website. Here is how you can maintain Magento Login Security:
1. Change the Admin URL
The first step to maintain admin security is to hide the admin panel. This can be done by changing the URL of the Magento Admin Panel. Follow these steps to change the Magento admin URL:
- Log in to the Admin Panel with your credentials
- Go to Stores and click on “Configuration”
- Click on “Advanced Menu” and select “Admin”
- Click to expand “Admin Base URL”
- Set “Use Custom Admin URL” to ‘Yes’ and “Use Custom Admin Path” to ‘Yes’
- Type the “Custom URL and Path”
- Click on the “Save Config” button
For details on Magento Admin panel security, refer to our experts’ advice on Magento Admin Panel Security.
2. Set Password Protection
Weak passwords make your website vulnerable to brute-force attacks. Hence, it is important to have strong passwords. A combination of special characters and alphanumeric characters, both in uppercase and lowercase, makes a strong password. There are a few other things that you can do to protect your admin password:
- On the Admin panel, go to Settings → Configuration
- Go to the Admin menu (as stated in the previous section)
- Set Password Protection to IP and email. This ensures that the admin password can be reset only through the notification sent to the admin email address
- Set Admin Account Sharing to “No”. This disallows Admin users from logging in to the same account from different devices
- Limit the lifetime of passwords. This is done by entering the number of days beside the Password Lifetime option. The field is left blank for an unlimited lifetime
You can configure other security options like password reset request time, add security keys to URL and more. For details about Magento security, refer to our Ultimate Magento Security Guide.
3. Use a Captcha for Login
Captcha stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It does exactly what it claims: it ensures that your website is interacting with a human and not a bot. Hackers don’t go about hacking individual websites by hand. They create bots that look for vulnerable websites and inject malware into them.
Use a captcha on the admin login and password reset pages. To configure the captcha, follow these steps:
- On the Admin panel, go to Settings → Configuration
- Expand Advanced and click on Admin
- Expand Captcha
- Set Captcha to Admin to “Yes”
- Change other details of the captcha according to your needs
- Click on Save Config after making the desired changes
You can also use Google reCAPTCHA for Magento login security. It provides enhanced security over the built-in Magento captcha. Here are the steps to enable Google reCAPTCHA:
- Register your website on the reCAPTCHA site. There are two types of Google reCAPTCHA:
  - reCAPTCHA v2: verifies with a click or image selections
  - reCAPTCHA v3: verifies with an input score
- Google will generate secret keys for your website. Copy the keys
- Sign in as admin to your Magento store
- Go to Settings → Configuration
- Expand Security in the left panel and choose Google reCAPTCHA
- Enter the secret API keys
- Select the type of reCAPTCHA (reCAPTCHA v2 or reCAPTCHA v3)
- Set other back-end and front-end features by expanding either the front-end option or the back-end option
- Click on Save Config after making the desired changes
4. Use Multi-Factor Authentication
Multi-factor authentication requires the admin to complete a second, and possibly a third, verification step when accessing the website. Magento provides a two-factor authentication feature.
Here are the necessary steps to enable the two-factor authentication on your Magento website:
- On the admin sidebar, go to Settings → Configuration
- Expand Security on the left panel and select 2FA
- Expand General
- Set Enable Two-factor authentication to “Yes”
- (Optional) Set Force Provider to force an authenticator globally for all users. If this option is not selected, you will have to enable authenticators for every user account
- Enable and configure the authentication provider. The authenticators supported by Magento are Google Authenticator, YubiKey, Duo Security and Authy
- Click on Save Config
However, this feature is restricted to admin accounts. To apply two-factor authentication to customers’ accounts, you will have to install third-party add-ons.
You must choose at least one authenticator per account; detailed instructions for setting up authentication for every user account are available separately.
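As an added check covering steps 1 to 4 above (example code, not from the article or from Magento itself), the script below audits a store’s configuration against those settings. It assumes the “path - value” output shape of `bin/magento config:show`; the config paths are Magento’s core_config_data keys, with the 2FA path and the reset-protection value 1 (by IP and email) being assumptions.

```python
"""Audit a Magento store's admin config against the login-hardening steps
above: custom admin path, password protection, CAPTCHA and forced 2FA."""
# Constructed sample in the "path - value" shape of `bin/magento config:show`
# (output format assumed): step 1 is done, the remaining steps are not.
SAMPLE_CONFIG_SHOW = """\
admin/url/use_custom_path - 1
admin/url/custom_path - backoffice_7f3a
admin/security/admin_account_sharing - 1
admin/security/password_lifetime -
admin/security/password_reset_protection_type - 0
admin/captcha/enable - 0
twofactorauth/general/force_providers -
"""
GUESSABLE_ADMIN_PATHS = {"", "admin", "backend"}  # defaults anyone can guess


def parse_config_show(text):
    """Map each 'path - value' line to path -> value ('' when blank)."""
    config = {}
    for line in text.splitlines():
        if " -" in line:
            path, _, value = line.partition(" -")
            config[path.strip()] = value.strip()
    return config


def audit_admin_login(config):
    """Return (check, passed, observed) per step. Paths are core_config_data
    keys; the 2FA path and reset type 1 (= by IP and email) are assumed."""
    get = lambda p: config.get(p, "").strip()
    path = get("admin/url/custom_path").lower()
    lifetime = get("admin/security/password_lifetime")  # blank = unlimited
    sharing = get("admin/security/admin_account_sharing")
    reset = get("admin/security/password_reset_protection_type")
    captcha = get("admin/captcha/enable")
    forced = get("twofactorauth/general/force_providers")
    return [
        ("custom admin path", get("admin/url/use_custom_path") == "1"
         and path not in GUESSABLE_ADMIN_PATHS, path or "(default)"),
        ("admin account sharing disabled", sharing == "0", sharing),
        ("password lifetime limited", lifetime.isdigit() and 0 < int(lifetime) <= 90,
         lifetime or "(blank)"),
        ("password reset protected by IP and email", reset == "1", reset),
        ("CAPTCHA enabled for admin forms", captcha == "1", captcha),
        ("2FA provider forced for all admins", forced != "", forced or "(none)"),
    ]


def failed_checks(config):
    """Names of the steps the store has not yet applied."""
    return [name for name, passed, _ in audit_admin_login(config) if not passed]
```

Run `failed_checks(parse_config_show(...))` on your own export; an empty list means every step on this page is in place.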
5. Use a Web Application Firewall
A firewall acts as a gatekeeper and filters all traffic entering your website. It lets legitimate, organic traffic through and blocks malicious bots and other forms of unwanted traffic. Quality web application firewalls, including Astra WAF, provide several security features like:
- Blacklist monitoring
- Notifications about suspicious login attempts and spam sign-ups
- Blocking of malicious bots
- Rate limiting of web requests
- Malware scanning of uploads
There are several other features available apart from these. Thus, having an active firewall will increase your Magento Login Security tenfold. For more details, request an Astra Demo today!
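The “suspicious login attempts” notification described above can also be reproduced from your own web server logs. The detector below is an added example (not Astra’s or Magento’s code) that flags any client IP posting to the admin login path more than a threshold number of times within a sliding window; the log lines are constructed, and the renamed admin path from step 1 is assumed.

```python
"""Flag bursts of POSTs to the Magento admin login in an access log, the
kind of suspicious-login event a WAF would notify you about."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed nginx-style access log; the admin path is the one set in step 1.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /backoffice_7f3a/ HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /backoffice_7f3a/ HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "POST /backoffice_7f3a/ HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /backoffice_7f3a/ HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2024:12:00:07 +0000] "POST /backoffice_7f3a/ HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2024:12:00:09 +0000] "POST /backoffice_7f3a/ HTTP/1.1" 302 0
198.51.100.4 - - [10/Mar/2024:12:00:05 +0000] "GET /catalog/product/view/id/12 HTTP/1.1" 200 5120
198.51.100.4 - - [10/Mar/2024:12:03:00 +0000] "POST /backoffice_7f3a/ HTTP/1.1" 302 0
"""
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')


def parse_log(text):
    """Yield (ip, timestamp, method, path) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["method"], m["path"]


def find_login_bursts(text, admin_path, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total admin POSTs} for IPs exceeding `threshold` POSTs to
    the admin login path inside any sliding `window`."""
    hits = defaultdict(list)
    for ip, ts, method, path in parse_log(text):
        if method == "POST" and path.strip("/").lower() == admin_path.lower():
            hits[ip].append(ts)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(times)
                break
    return flagged
```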
Refer to the Magento security document for more details about Magento Login Security.
There are numerous threats that plague the e-commerce industry daily. Therefore, you need to stay safe from potential disasters by maintaining active security around your website. Conduct regular malware scans, schedule content backups, maintain PCI-DSS compliance and hire experts to give you round-the-clock protection.