Magento is considered one of the best e-commerce platforms available today: it has numerous features, plugins, regular updates and a huge community of developers. As technology and security measures improve, so do the capabilities of hackers. Hackers usually target e-commerce websites to steal credit card information or just for kicks. The first step towards security starts with a secure Magento admin.

Although Magento is quite prompt in releasing security patches, there is always something that hackers manage to exploit. It is always better to take precautions by safeguarding your website even if you have not yet fallen prey to hackers. The default Magento admin URL is quite predictable, i.e. websiteURL/admin or websiteURL/index.php/admin. So anyone can identify the platform of your website and its file structure, making the reconnaissance phase of an attack easy.

Why is Magento Prone to Hacking Even After Being Advanced?

Magento has a large community of developers and contributors who know the strengths and weaknesses of the platform well. There are lots of developers using this platform, solving issues, creating extensions etc. As the number of Magento stores increases, so do the opportunities for people with malicious intentions. The strategies described below to secure your admin panel may not be 100% foolproof, but they still add a layer of security.

Related Guide – Magento Security Guide (For Rock Solid Security Against XSS, SQLi, Credit Card Hack, Admin Hack)

How to Tell Whether Your Website is being Targeted by Hackers?

There are a few signs you must look out for that will help you detect whether your website is being targeted for hacking. After a successful hack you will find out easily, because the hackers would disrupt the website’s home page by replacing it with a defaced page, run a phishing attack or delete records from your database, but by then it is too late. It is best to detect the problem beforehand.

  • Keep a check on the web root folder: Hackers add malicious files to the web root folders, most commonly the index.php file of the theme. So you must check this part of your files for any sort of suspicious activity or files. If possible, do not share the admin credentials of cPanel or Webmin with anyone, not even with your employees, and change them often. If you find anything suspicious, change your database and file manager passwords and remove the suspicious files or restore a backup.
  • Audit the core files of Magento: No developer with knowledge of Magento would recommend changes to the core files. If you find any changes made to the core files, it is a warning sign.
  • Keep an eye on the crontab: there are several cron tasks running on a regular and ongoing basis in Magento on your server. You can also create custom crons for your website, but this useful tool can be abused by attackers too. So you must check the crontab on a regular basis.
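The first two checks above (new files in the web root, edits to core files) are easiest to do against a known-good baseline. The following script is an added example, not part of the original post or of Magento itself: it hashes every file under a store root, skips the var and media directories that change legitimately, and reports added, removed or modified files, repeating any hit under the paths the guide says to watch (index.php, app/code/core, app/etc, app/design) in a separate critical list. The demo() function runs it on a constructed mini store tree in a temporary directory.

```python
import hashlib
import os
import tempfile

SKIP_DIRS = {"var", "media"}  # caches and uploads change legitimately, so they are not baselined
CRITICAL = ("index.php", "app/code/core/", "app/etc/", "app/design/")  # paths the guide says to watch

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(root):
    """Map every file under root (forward-slash relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest

def diff_manifest(baseline, current):
    """Files added, removed or modified since the baseline; 'critical' repeats those under watched paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    critical = sorted(p for p in added + removed + modified if p.startswith(CRITICAL))
    return {"added": added, "removed": removed, "modified": modified, "critical": critical}

def _write(root, rel, body):
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), "w") as f:
        f.write(body)

def demo():
    """Constructed mini store tree: baseline it, then edit a core file and add a new PHP file."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", "<?php // front controller\n")
        _write(root, "app/code/core/Mage/Core/Model/App.php", "<?php // core class\n")
        _write(root, "var/cache/entry", "cached")  # inside a skipped directory, never reported
        baseline = build_manifest(root)
        _write(root, "app/code/core/Mage/Core/Model/App.php", "<?php // core class\n// unexpected edit\n")
        _write(root, "skin/frontend/upload.php", "<?php // file that was not there before\n")
        return diff_manifest(baseline, build_manifest(root))
```

In practice, run build_manifest on the store root right after a clean deployment, store the result somewhere outside the web root, and diff against it from a scheduled job; only the manifest changes you made yourself should ever show up.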

Consequences of an Insecure Admin Panel in Magento

The biggest and most dangerous consequence of an insecure admin panel is that the Magento e-commerce website can be hacked. Another problem is that the credit card or payment information of the customers, and their personal information, can be misused. A hacker may delete the database records related to orders or shipments and damage your reputation. All these consequences can harm you monetarily as well as harming the reputation of your website and products. Thus it is very important to secure and hide the Magento admin panel to protect it from brute-force attacks.

What are the Steps to Hide the Magento Admin Panel?

In order to hide the Magento admin, you must change the URL of the Magento admin panel from URL/admin to something else. This is essential for protecting the Magento admin from brute-force attacks by hackers. It is a quick and easy way to add protection to your website. Follow these steps to change the URL of the admin section of your e-commerce site. Although many tutorials suggest that you can change the URL from the admin panel itself, that can cause several other problems.

Method 1:

  1. Change the path – open the local.xml file, which is used for the configuration of your website, in a text editor. This file is generally located in the app/etc folder of your Magento installation. In it, find the following code:
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>

Replace admin with your new path, which must be very hard to guess. Do not use any special characters; use only numbers and letters to define the path.

  2. Refresh Cache – Clear or refresh the cache by deleting the contents of the var/cache folder or by running the command rm -rf var/cache/*
  3. Complete – the URL will be changed and you can now log in using the new URL to access your admin panel. But make sure to change the password of the admin panel to something more secure.

Method 2:

This method changes the URL by using the .htaccess file.

  1. Log in to your Magento cPanel and open the .htaccess file from it. Then open this file using the editor of your Webmin and add this code (the two REMOTE_ADDR conditions list the IP addresses that are still allowed to reach the admin; replace 10.1.1.10 and 10.1.1.12 with your own, all other addresses receive a 403):
    RewriteCond %{REQUEST_URI} ^/(index.php/)?admin(.*) [NC]
    RewriteCond %{REMOTE_ADDR} !^10\.1\.1\.10
    RewriteCond %{REMOTE_ADDR} !^10\.1\.1\.12
    RewriteRule .* - [F,L]
  2. To change the URL you will have to change the word admin in the first line of the code above. For example, if you want to change admin to backoffice, write:
    RewriteCond %{REQUEST_URI} ^/(index.php/)?backoffice(.*) [NC]
  3. After making this change, save your .htaccess file and then you can access the Magento admin using the new URL.

Method 3:

To change the admin URL using the nginx.conf file:

  1. Log in to cPanel and open the nginx.conf file using the path usr/local/nginx/ or whichever path you have installed nginx to. Add the following code to that file (allow 1.1.1.1 lists the IP address that may still reach the admin; replace it with your own, every other client is denied):
    location ~* ^/(index\.php/admin|admin) {
        allow 1.1.1.1;
        try_files $uri $uri/ /index.php?$args;
        location ~* \.php$ { try_files /dummy @proxy; }
        deny all;
    }
  2. If you want to change the URL of your admin, change the word admin in the code above to whatever you want in the URL. If you want it to be backoffice, write:
    location ~* ^/(index\.php/backoffice|backoffice)
  3. Save the file and the URL will be changed.

How to Change the URL of Your Magento 2 Admin

For the security of Magento 2 you must change the admin URL in this case as well. There are 3 methods of doing it:

  • Through the Admin Panel
  • Via a Command Line
  • By Editing the env.php

Method 1: From the Admin Panel

  1. Go to the admin panel, log in with your credentials and then go to STORES → Configuration
  2. After that, scroll down and click Admin under the ‘Advanced’ menu
  3. You will see the Admin Base URL section. In the Use Custom Admin Path drop-down select Yes, then enter the custom admin path in the Custom Admin Path text field.

Method 2: Using the Command Line

For this you must open an SSH terminal from cPanel and then go to the root directory of the Magento 2 store. Now run the command:

php bin/magento setup:config:set --backend-frontname="magento"

The above command sets the admin URL to magento; you can use whatever you desire.

Method 3: Editing the env.php File

Open cPanel, go to the env.php file in the app/etc folder and find the following code (the backend array sits among the other settings of the file):
    <?php
    return array (
        // ...
        'backend' =>
        array (
            'frontName' => 'magento',
        ),
        // ...
    );

Whatever you put in frontName is the admin path of the store. For example, here it is set to magento, but you can change it to one of your choice.
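Method 1 for Magento 1 (the frontName element in local.xml) and Method 3 for Magento 2 (the 'frontName' entry in env.php) both come down to replacing one value with a hard-to-guess, letters-and-digits-only path. The script below is an added example, not part of the original post or of Magento: it generates such a path, rejects names with special characters or the default admin, and rewrites either file format, refusing to touch an env.php that does not contain exactly one frontName entry. The two sample configuration snippets are constructed for the example, not copied from a real store.

```python
import re
import secrets
import string
import xml.etree.ElementTree as ET

ALPHABET = string.ascii_letters + string.digits  # letters and digits only, as the guide advises

def make_front_name(length=16):
    """Random admin path: long enough to resist guessing, URL-safe without escaping."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def is_valid_front_name(name):
    """Letters/digits only, at least 8 characters, and not the default 'admin'."""
    return re.fullmatch(r"[A-Za-z0-9]{8,}", name) is not None and name.lower() != "admin"

def set_m1_front_name(local_xml, name):
    """Magento 1: rewrite <frontName> under admin/routers/adminhtml/args in local.xml text."""
    if not is_valid_front_name(name):
        raise ValueError(f"rejected front name: {name!r}")
    root = ET.fromstring(local_xml)
    node = root.find("./admin/routers/adminhtml/args/frontName")
    if node is None:
        raise ValueError("no admin front name element in this local.xml")
    node.text = name  # ElementTree writes plain text rather than CDATA; both parse the same
    return ET.tostring(root, encoding="unicode")

def get_m1_front_name(local_xml):
    return ET.fromstring(local_xml).findtext("./admin/routers/adminhtml/args/frontName")

FRONTNAME_RE = re.compile(r"('frontName'\s*=>\s*')([^']*)(')")

def set_m2_front_name(env_php, name):
    """Magento 2: rewrite 'frontName' => '...' in env.php text, requiring exactly one match."""
    if not is_valid_front_name(name):
        raise ValueError(f"rejected front name: {name!r}")
    new_text, count = FRONTNAME_RE.subn(lambda m: m.group(1) + name + m.group(3), env_php)
    if count != 1:
        raise ValueError(f"expected one frontName entry, found {count}")
    return new_text

def get_m2_front_name(env_php):
    m = FRONTNAME_RE.search(env_php)
    return m.group(2) if m else None

# Constructed minimal config files for the demo (not copied from a real store)
SAMPLE_LOCAL_XML = ("<config><admin><routers><adminhtml><args>"
                    "<frontName><![CDATA[admin]]></frontName>"
                    "</args></adminhtml></routers></admin></config>")
SAMPLE_ENV_PHP = "<?php\nreturn array (\n  'backend' =>\n  array (\n    'frontName' => 'admin',\n  ),\n);\n"
```

After writing the result back to app/etc/local.xml or app/etc/env.php, flush the cache as described below and confirm the old /admin path no longer answers before closing your session.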

Clean the cache completely after following any of the above methods. To do that, run the following commands in the Magento 2 root directory:

  1. rm -rf var/cache/*
  2. php bin/magento cache:clean
  3. php bin/magento cache:flush

This should help you secure your Magento admin panel, but it is only one of the first steps towards securing your Magento store. If you need additional security mechanisms, you can download this Ultimate Magento Security Checklist or use Astra’s Magento Security solution for 24×7 protection of your store.


About The Author

Sony

2 Comments

  1. Excellent blog post. I was searching for something very different but stumbled on your blog. I am glad I did. Many thanks for sharing useful information. Many thanks and all the best.
