Restrict Access to Magento Admin Area

With the rise in Magento-related security incidents, it is important to restrict access to the Magento admin area. One reliable way to protect the Magento backend from password-guessing attacks is to allow access only from trusted IP addresses. This drastically reduces the exposure of the admin login and takes only a couple of minutes to configure.

In this guide, we explain how to ensure that only whitelisted IP addresses can reach the Magento admin area on your Apache or Nginx web server.

Steps to restrict IP addresses in Apache using the .htaccess file

  1. Log in to your server via cPanel/FTP/SSH and navigate to the root of your Magento installation
  2. Open the .htaccess file in your text editor and add the following code:
    RewriteCond %{REQUEST_URI} ^/(index\.php/)?admin(.*) [NC]
    RewriteCond %{REMOTE_ADDR} !^10\.1\.1\.10$
    RewriteCond %{REMOTE_ADDR} !^10\.1\.1\.12$
    RewriteRule .* - [F,L]
    # All RewriteCond lines must match for the rule to fire, so a request is refused (403)
    # only when it targets the admin URI AND the client matches none of the listed addresses.
    # The trailing $ anchors each address: without it, ^10\.1\.1\.10 would also admit 10.1.1.100.
    # Place this block before Magento's own RewriteRule lines in .htaccess.
  3. If you have changed the admin URL, update it in line #1 of the above code. Say your admin URL is ‘backoffice’; line #1 then becomes:
    RewriteCond %{REQUEST_URI} ^/(index\.php/)?backoffice(.*) [NC]
  4. For every IP address/range that should have access to the Admin area, add the following line after replacing the sample IP with yours (keep the trailing $ so that only the exact address matches):
    RewriteCond %{REMOTE_ADDR} !^10\.1\.1\.10$
    # For a whole range, use a pattern instead of a single address, e.g. !^10\.1\.1\.[0-9]+$
  5. Save the .htaccess file and verify the changes by accessing the Magento Admin area from your browser

Don’t forget to check our detailed Step by Step Magento Security Guide – Reduce the chances of getting hacked by 90%

Steps to restrict IP addresses in Nginx using the nginx.conf file

  1. Log in to your server via cPanel/FTP/SSH and navigate to the nginx.conf path. It is usually /usr/local/nginx/, but this can vary depending on your configuration
  2. Open the nginx.conf file in your text editor and add the following code:
    location ~* ^/(index\.php/admin|admin) {
        allow 1.1.1.1;
        deny all;   # allow/deny are checked in order: any client not listed above gets a 403

        try_files $uri $uri/ /index.php?$args;
        # @proxy must already exist as a named location in this server block
        location ~* \.php$ { try_files /dummy @proxy; }
    }
  3. If you have changed the admin URL, update it in line #1 of the above code. Say your admin URL is ‘backoffice’; line #1 then becomes:
    location ~* ^/(index\.php/backoffice|backoffice) {
  4. For every IP address/range that should have access to the Admin area, you can add the following line after replacing the sample IP with yours:
    allow 1.1.1.1;
  5. Save it and reload the config file with the following command:
    # /usr/local/nginx/sbin/nginx -s reload
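To make the Apache and Nginx configurations above concrete, here is an added Python example (not from the original post or from Astra's own code) that generates both blocks from one allow-list and simulates how Apache's ANDed RewriteCond lines decide a request. It assumes a Magento-style admin path and the guide's sample addresses, and it omits the PHP handling (the nested location and @proxy) that your real nginx config carries.

```python
"""Generate and simulate the admin-path IP allow-list from this guide."""
import ipaddress
import re

ADMIN_PATH = "admin"                      # change if you renamed the Magento admin URL
ALLOWED_IPS = ["10.1.1.10", "10.1.1.12"]  # sample addresses from the guide, not real hosts


def apache_rules(admin_path: str, allowed: list[str]) -> str:
    """Emit the .htaccess block. RewriteCond lines are ANDed, so the request is
    forbidden only when the URI is the admin path AND the client matches none of
    the allowed addresses. Each address is regex-escaped and anchored with $;
    without the anchor !^10\\.1\\.1\\.10 would also admit 10.1.1.100."""
    lines = [f"RewriteCond %{{REQUEST_URI}} ^/(index\\.php/)?{re.escape(admin_path)}(.*) [NC]"]
    for ip in allowed:
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        lines.append(f"RewriteCond %{{REMOTE_ADDR}} !^{re.escape(ip)}$")
    lines.append("RewriteRule .* - [F,L]")
    return "\n".join(lines)


def apache_forbids(admin_path: str, allowed: list[str], uri: str, remote_addr: str) -> bool:
    """Simulate the generated rules for one request; True means 403 Forbidden."""
    admin_re = rf"^/(index\.php/)?{re.escape(admin_path)}(.*)"
    if not re.match(admin_re, uri, re.IGNORECASE):  # [NC]: case-insensitive URI match
        return False                                # not the admin area, rule does not fire
    return all(not re.match(rf"^{re.escape(ip)}$", remote_addr) for ip in allowed)


def nginx_location(admin_path: str, allowed: list[str]) -> str:
    """Emit the nginx location block. allow/deny take CIDR ranges natively and run in
    the access phase, i.e. before try_files, whatever their position in the block."""
    p = re.escape(admin_path)
    lines = [f"location ~* ^/(index\\.php/{p}|{p}) {{"]
    for net in allowed:
        ipaddress.ip_network(net, strict=False)  # accepts 10.1.1.10 or 10.1.1.0/24
        lines.append(f"    allow {net};")
    lines += ["    deny all;", "    try_files $uri $uri/ /index.php?$args;", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(apache_rules(ADMIN_PATH, ALLOWED_IPS))
    print(nginx_location(ADMIN_PATH, ALLOWED_IPS + ["10.1.2.0/24"]))
    # Prefix collision the unanchored form would let through; anchored rules refuse it:
    print(apache_forbids(ADMIN_PATH, ALLOWED_IPS, "/admin/dashboard", "10.1.1.100"))  # True
```

Run it once with your own path and addresses, then paste the printed blocks into .htaccess or nginx.conf as described in the steps above.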

Follow the above steps to restrict access to the Magento admin. Download our Ultimate Magento security checklist. This will help you reduce the chances of getting hacked, but for 24×7 protection from malware and attacks you need a Web Application Firewall such as Astra.



About Astra Magento Security

Astra provides end-to-end Magento security for your online store. Astra’s security suite protects your store with a state-of-the-art website firewall and ensures that you follow all the Magento security best practices. You can subscribe to our plans if you need professional assistance in placing IP restrictions on the Magento admin area.

Take a demo today.


About The Author

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cyber security community and has shared his knowledge at various forums & invited talks.

1 Comment

  1. Magento 2 Security: How To Prevent Your Magento Store From Being Hacked - Astra Web Security Blog

    […] Ensure that only Whitelisted IP addresses are allowed to access the admin panel. To learn how to restrict access to the Magento Admin area. […]
