1. Magento Security Scan Tool

Register your store with the Magento Security Scan Tool (free, from your Magento account) and schedule regular scans. It checks the site from the outside for missing security patches, known vulnerabilities and unsafe configuration and emails you the report, so an unpatched store gets noticed even when nobody is watching the admin panel.

2. Unique Admin Panel Route

Never use "/admin/" or any other common, guessable path as the route (front name) to your Magento 2 admin panel. A predictable route lets scanners and attackers find the login form immediately and start brute-forcing it. You can change the admin route (backend frontend name, the backend/frontName value in app/etc/env.php) following this link, or from the command line with bin/magento setup:config:set --backend-frontname=<name>. Treat the custom route as one layer only: it hides the login form from casual scanning but does not replace strong, unique passwords and account lockout.

3. Enable ReCaptcha

Save your store from bots. To enable ReCaptcha in Magento 2.0.x - 2.2.x you need to install the MSP ReCaptcha module (Magento 2.3 and later ship it). ReCaptcha settings are in Magento 2 Admin Panel > Stores > Configuration > Security > Google ReCaptcha. We recommend enabling ReCaptcha for both the Storefront and the Admin Panel: on the admin login form it slows down credential brute-forcing, and on storefront forms (registration, login, contact, reviews) it cuts automated spam and fake accounts.

4. Disable Admin Account Sharing

Make sure the Admin Account Sharing option is disabled. To do that, navigate to Stores > Configuration > Advanced > Admin and find the Security section. Once disabled, an admin account can hold only one session at a time: when a second person logs in with the same credentials, the first session is terminated, which makes shared or stolen credentials visible to the legitimate user. Best of all, give each administrator their own account, so that every action can be attributed to a person and a single account can be revoked without affecting the others.


[Screenshot: Magento 2 Configuration, Security]

5. Enable Add Secret Key to URLs and Login is Case Sensitive

Both options are in the same Security section (Stores > Configuration > Advanced > Admin > Security). Add Secret Key to URLs appends a per-session secret key to every admin URL, so a link an attacker prepared in advance (a cross-site request forgery) is rejected; Login is Case Sensitive makes the admin user name case sensitive, so "Admin" and "admin" are different accounts and guessing user names is harder.

[Screenshot: Magento 2 store security]

6. Forced Password Change

Set Password Change to Forced and set Password Lifetime (days) to the interval after which admin passwords must be changed; both are in the same Security section. With Forced, an admin whose password has expired cannot continue until it is changed; with Recommended they are only reminded. While you are in that section, also set Maximum Login Failures to Lockout Account and Lockout Time (minutes), so that repeated failed logins lock the account instead of letting a brute-force attempt run indefinitely.

[Screenshot: Magento 2 password change]
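The settings from items 2, 4, 5 and 6 applied and then read back from the command line, as an added example that is not code from the original article or from Magento. It assumes bin/magento 2.2 or later (config:set and config:show appeared in 2.2), that it is run from the Magento root, and that the concrete values (a 90-day lifetime, lockout after six failures for 30 minutes, the "ctl-" front-name prefix) are starting points to adjust for your store. The config paths are Magento's own core_config_data paths behind the Security section; the helper names are this example's.

```shell
#!/bin/sh
# Added example, not code from the original article or from Magento:
# apply and audit the admin security settings from items 2, 4, 5 and 6.
# Run from the Magento root; bin/magento config:set/config:show need 2.2+.
set -eu

# Desired core_config_data values, one "path=value" per line:
#   admin_account_sharing=0     item 4: one live session per admin account
#   use_form_key=1              item 5: secret key appended to admin URLs
#   use_case_sensitive_login=1  item 5: "Admin" and "admin" differ
#   password_is_forced=1        item 6: 1 = Forced change, 0 = Recommended
#   password_lifetime=90        item 6: days before a password expires (assumed)
#   lockout_failures/threshold  same section: lock after 6 failed logins
#                               for 30 minutes (assumed values)
desired_settings() {
  printf '%s\n' \
    'admin/security/admin_account_sharing=0' \
    'admin/security/use_form_key=1' \
    'admin/security/use_case_sensitive_login=1' \
    'admin/security/password_is_forced=1' \
    'admin/security/password_lifetime=90' \
    'admin/security/lockout_failures=6' \
    'admin/security/lockout_threshold=30'
}

# Front names that tell an attacker exactly where the login form is.
COMMON_FRONTNAMES='admin administrator backend manage management panel login'

# expected_value PATH: print the desired value for PATH, exit 1 if unknown.
expected_value() {
  desired_settings | awk -F= -v key="$1" \
    '$1 == key { print $2; found = 1 } END { exit !found }'
}

# audit_setting PATH CURRENT: compare a live value with the desired one.
# Prints "ok ..." (exit 0) or "drift ..." (exit 1); exit 2 for unknown paths.
audit_setting() {
  path=$1; current=$2
  want=$(expected_value "$path") || { printf 'unknown %s\n' "$path"; return 2; }
  if [ "$current" = "$want" ]; then
    printf 'ok %s=%s\n' "$path" "$current"
  else
    printf 'drift %s current=%s want=%s\n' "$path" "$current" "$want"
    return 1
  fi
}

# check_frontname NAME: exit 0 only for a legal, non-obvious admin route.
# Magento accepts [A-Za-z0-9_-]; short or well-known names are rejected here.
check_frontname() {
  name=$1
  case "$name" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  [ "${#name}" -ge 8 ] || return 1
  lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
  for word in $COMMON_FRONTNAMES; do
    [ "$lower" = "$word" ] && return 1
  done
  return 0
}

# random_frontname: prints e.g. "ctl-9f3a2b1c7d4e" (12 random hex digits;
# the "ctl-" prefix is an arbitrary choice).
random_frontname() {
  printf 'ctl-%s\n' "$(od -An -tx1 -N 6 /dev/urandom | tr -d ' \n')"
}

# Apply every desired setting, then read each one back and report drift.
apply_settings() {
  rc=0
  desired_settings | while IFS= read -r line; do
    bin/magento config:set "${line%%=*}" "${line#*=}"
  done
  bin/magento cache:clean config
  for line in $(desired_settings); do
    path=${line%%=*}
    audit_setting "$path" "$(bin/magento config:show "$path")" || rc=1
  done
  return $rc
}

# Item 2: move the admin panel off /admin/ (backend/frontName in env.php).
change_frontname() {
  front=$(random_frontname)
  check_frontname "$front"
  bin/magento setup:config:set --backend-frontname="$front" -n
  bin/magento cache:clean
  printf 'admin panel now at: '
  bin/magento info:adminuri
}

case "${1:-}" in
  --apply) apply_settings; change_frontname ;;
  *)       desired_settings                                  # dry run
           printf 'candidate front name: %s\n' "$(random_frontname)" ;;
esac
```

Run it without arguments to see what would be set, and with --apply from the Magento root to set it. Adding --lock-env to the config:set calls pins the values so they can no longer be changed from the admin panel. After --apply the old admin URL stops working, so note the new route printed by info:adminuri before closing the session.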

7. Access Control List

Configure the Access Control List (System > Permissions > User Roles). Before doing so, read up on user roles and user management. Give every role only the resources its users actually need (least privilege): a content editor does not need Stores > Configuration, and very few people need the Administrators role with access to all resources. Together with a non-default admin route, this limits what a compromised account can do.

8. SSL

Serve the whole store over HTTPS (TLS; still commonly called SSL). Ask your server administrator or hosting provider to install the certificate, then go to Stores > Configuration > General > Web, set the Base URLs (Secure) to the https:// address (base URLs must end with a trailing slash) and enable Use Secure URLs on Storefront and Use Secure URLs in Admin, so that customer sessions and admin credentials never travel in clear text. The same section has Enable HTTP Strict Transport Security (HSTS), which stops browsers from falling back to plain HTTP.

[Screenshot: Magento 2 Configuration, Security, Base Link URL]

[Screenshot: Magento 2 Configuration, Security, Base URLs]
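The HTTPS switch from item 8 done through bin/magento, followed by an outside check that plain HTTP really redirects to HTTPS, as an added example that is not code from the original article or from Magento. It assumes bin/magento 2.2 or later run from the Magento root, a store at the assumed address http://shop.example.com (override STORE_URL), and that curl is installed; the eight config paths are Magento's own core_config_data paths behind Stores > Configuration > General > Web, and the sample HTTP response used for the offline dry run is constructed, not captured.

```shell
#!/bin/sh
# Added example, not code from the original article or from Magento:
# put a Magento 2 store on HTTPS with bin/magento (config:set needs 2.2+)
# and verify from outside that http:// redirects to https://.
set -eu

STORE_URL=${STORE_URL:-http://shop.example.com}   # assumed; override in the environment

# to_https URL: print URL with an https:// scheme and the trailing slash
# Magento requires for base URLs; exit 1 if URL has no http(s) scheme.
to_https() {
  url=$1
  case "$url" in
    http://*)  url="https://${url#http://}" ;;
    https://*) ;;
    *) return 1 ;;
  esac
  case "$url" in */) ;; *) url="$url/" ;; esac
  printf '%s\n' "$url"
}

# secure_settings URL: the eight "path=value" lines that put storefront and
# admin on HTTPS. Both unsecure and secure base URLs get the https:// address
# so Magento never generates an http:// link; HSTS and Upgrade Insecure
# Requests keep browsers from falling back to plain HTTP.
secure_settings() {
  base=$(to_https "$1") || return 1
  printf '%s\n' \
    "web/secure/base_url=$base" \
    "web/secure/base_link_url=$base" \
    "web/unsecure/base_url=$base" \
    "web/unsecure/base_link_url=$base" \
    'web/secure/use_in_frontend=1' \
    'web/secure/use_in_adminhtml=1' \
    'web/secure/enable_hsts=1' \
    'web/secure/enable_upgrade_insecure=1'
}

# is_https_redirect HEADERS HOST: exit 0 if the raw response headers are a
# 301/302/307/308 whose Location is https://HOST/ (exactly that host, so a
# redirect to https://HOST.attacker.example/ does not pass).
is_https_redirect() {
  headers=$1; host=$2
  status=$(printf '%s\n' "$headers" | head -n 1 | awk '{ print $2 }')
  case "$status" in 301|302|307|308) ;; *) return 1 ;; esac
  location=$(printf '%s\n' "$headers" | tr -d '\r' \
    | awk 'tolower($1) == "location:" { print $2; exit }')
  case "$location" in
    "https://$host/"*) return 0 ;;
    *) return 1 ;;
  esac
}

# has_hsts HEADERS: exit 0 if a Strict-Transport-Security header is present.
has_hsts() {
  printf '%s\n' "$1" | tr -d '\r' | grep -qi '^strict-transport-security:'
}

apply_settings() {
  secure_settings "$STORE_URL" | while IFS= read -r line; do
    bin/magento config:set "${line%%=*}" "${line#*=}"
  done
  bin/magento cache:clean config
}

# Live check. curl refuses an invalid certificate unless told -k, so a clean
# exit here also means the certificate chain validates.
check_live() {
  host=${STORE_URL#*://}; host=${host%%/*}
  http_headers=$(curl -sS -I "http://$host/")
  is_https_redirect "$http_headers" "$host" \
    || { echo "FAIL: http://$host/ does not redirect to https://$host/"; return 1; }
  https_headers=$(curl -sS -I "https://$host/")
  has_hsts "$https_headers" || echo "WARN: no Strict-Transport-Security header on https://$host/"
  echo "OK: $host redirects to HTTPS and the certificate validates"
}

# Constructed sample response (not a real capture) for the offline dry run.
SAMPLE_RESPONSE=$(printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://shop.example.com/\r\n\r\n')

case "${1:-}" in
  --apply) apply_settings ;;
  --check) check_live ;;
  *) secure_settings "$STORE_URL"
     is_https_redirect "$SAMPLE_RESPONSE" shop.example.com \
       && echo 'sample response: https redirect OK' ;;
esac
```

With no arguments the script prints the settings it would apply and parses the constructed sample; --apply writes them and cleans the config cache (the admin URL changes to https://, so log in again afterwards); --check runs the two curl requests against the live host and fails on a missing redirect, a redirect to the wrong host, or a certificate that does not validate.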

9. Admin Activity Module

Install the Magento 2 Admin Activity module. It records every admin login (time, IP address and admin user name) and every change made in the admin panel, which gives you an audit trail to review when a login looks suspicious or a setting changes unexpectedly.