How to restrict access to Magento admin area by IP Address (.htaccess & nginx)
Updated on: August 12, 2020
Ananda Krishna
2 mins read
With the rise in Magento related security incidents, it is important to restrict access to the Magento admin area. One foolproof way to secure the Magento backend from the password guessing attacks is to only allow access to trusted IP addresses. This drastically minimizes the security risk and only takes a couple of minutes to configure.
In this guide, we will explain how you can ensure that only whitelist IP addresses can access the Magento admin area on your Apache or Nginx web server.
Steps to restrict IP addresses in Apache using .htaccess file
- Login to your server via cPanel/FTP/SSH and navigate to the root of your Magento installation
- Open the .htaccess file in your text editor and add the following code:
RewriteCond %{REQUEST_URI} ^/(index.php/)?admin(.*) [NC] RewriteCond %{REMOTE_ADDR} !^10\.1\.1\.10 RewriteCond %{REMOTE_ADDR} !^10\.1\.1\.12 RewriteRule .* - [F,L] - If you have changed the admin URL, update it in line #1 of the above code. Let us say your admin URL is ‘backoffice’ , line #1 will become:
RewriteCond %{REQUEST_URI} ^/(index.php/)?backoffice(.*) [NC] - For every IP address/range that should have access to the Admin area, you can add the following line after replacing the sample IP with yours:
RewriteCond %{REMOTE_ADDR} !^10\.1\.1\.10 - Save the .htaccess file and verify the changes by accessing the Magento Admin area from your browser
Don’t forget to check our detailed Step by Step Magento Security Guide – Reduce the chances of getting hacked by 90%
Steps to restrict IP addresses in Nginx using nginx.conf file
- Login to your server via cPanel/FTP/SSH and navigate to the nginx.conf path. It is usually, /usr/local/nginx/ but can vary depending on your configuration
- Open the nginx.conf file in your text editor and add the following code:
location ~* ^/(index\.php/admin|admin) { allow 1.1.1.1; try_files $uri $uri/ /index.php?$args; location ~* \.php$ { try_files /dummy @proxy; } deny all; } - If you have changed the admin url, update it in line #1 of the above code. Let us say your admin url is ‘backoffice’ , line #1 will become:
location ~* ^/(index\.php/backoffice|backoffice) { - For every IP address/range that should have access to the Admin area, you can add the following line after replacing the sample IP with yours:
allow 1.1.1.1; - Save it and reload the config file with the following command:
# /usr/local/nginx/sbin/nginx -s reloadFollow the above steps to restrict access to the Magento admin. Download our Ultimate Magento security checklist. This will help you to reduce the chances of getting hacked but for 24×7 security from all malware and attacks, you need a Web Application firewall Astra.
Don’t forget to check our detailed Step by Step Magento Security Guide – Reduce the chances of getting hacked by 90%
About Astra Magento Security
Astra provides end-to-end Magento Security for your online store. Astra’s security suite secures your store with a state of the art Website Firewall and ensures that you follow all the Magento Security Best Practices. You can subscribe to our plans if you need professional assistance in placing IP restrictions on the Magento admin area.
Ananda Krishna
[…] Ensure that only Whitelisted IP addresses are allowed to access the admin panel. To learn how to restrict access to the Magento Admin area. […]