Magento admin security is one of the most important things on your website to pay attention to. Even if you have an extensive customer database and great conversion rates, one security breach is enough to ruin all of that. 

Though the platform has a comprehensive approach to security, you have to cover all of the smallest details to improve Magento security. You can never overdo it.

In this article, we want to talk about Magento admin security and how you can configure it to avoid brute force attacks and other malicious actions.

Step 1: Configure Magento Admin Security Options

1. Navigate to Stores > Configuration > Advanced > Admin > Admin Security

2. If you want to prevent admin users from logging in from different devices at the same time, disable the Admin Account Sharing option.

3. Choose the method to manage password reset requests in the Password Reset Protection Type select box.

  • By IP and Email — the admin user can reset their password online only after responding to the reset notification sent to the email associated with their account.
  • By IP — admins reset passwords online with no additional confirmation.
  • By Email — the password is reset by replying to the email notification sent to the email associated with the admin account.
  • None — only store administrators can reset passwords for admin users.

Note: you can also look into the other methods of resetting the admin panel password in Magento.

4. In the Recovery Link Expiration Period (hours) field, enter the number of hours the recovery email link remains valid.

5. Set the maximum number of password reset requests allowed per hour in the Max Number of Password Reset Requests field.

6. Specify the Min Time Between Password Reset Requests, i.e. the minimum interval that must pass between two consecutive password reset requests.

[Screenshot: Magento 2 Admin Security settings]

7. Enable the Add Secret Key to URLs option so that a secret key is appended to every admin URL.

8. Enable the Login is Case Sensitive option so that login credentials are case-sensitive and must be entered with the exact lower- and upper-case characters.

9. Enter the Admin Session Lifetime (seconds) to set how long an admin user session lasts before it times out.

10. Set the Maximum Login Failures to Lockout Account to specify how many failed login attempts are allowed before the account is locked out. By default, it is 6; if you leave the field empty, the number of login attempts is unlimited.

11. Specify the Lockout Time (minutes), i.e. how long the admin user stays locked out.

12. Enter the Password Lifetime (days) to define the number of days a password stays valid. When this period expires, admins have to change their password.

13. Choose the method of Password Change:

  • Forced — requires the admin user to change their password.
  • Recommended — only recommends that the admin user change their password.

[Screenshot: Magento Admin Security settings]
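As an added example (not from the article and not Magento's own code), a small Python audit that reads a dump of these settings and flags the ones left in a weak state. It assumes the "path - value" line format printed by `bin/magento config:show admin/security` and the config paths from Magento's system.xml; verify both against your Magento version. The session lifetime ceiling is an assumption, since the article gives no number.

```python
"""Audit a Magento 2 admin security config dump against the settings above."""

# Constructed sample dump of a weakly configured store (not a real store).
SAMPLE_DUMP = "\n".join([
    "admin/security/admin_account_sharing - 1",
    "admin/security/use_form_key - 0",
    "admin/security/use_case_sensitive_login - 1",
    "admin/security/session_lifetime - 86400",
    "admin/security/lockout_failures -",
    "admin/security/lockout_threshold - 30",
    "admin/security/password_lifetime -",
    "admin/security/password_is_forced - 0",
])

MAX_SESSION_SECONDS = 3600  # assumed ceiling; the article sets no number


def parse_config_show(dump):
    """Turn 'path - value' lines into a dict; an empty value stays ''."""
    settings = {}
    for line in dump.splitlines():
        path, sep, value = line.strip().partition(" -")
        if sep and "/" in path:  # skip blank or unrelated lines
            settings[path] = value.strip()
    return settings


def audit(settings):
    """Return one finding per weak setting, keyed by config path."""
    findings = {}

    def check(path, is_weak, message):
        if path in settings and is_weak(settings[path]):
            findings[path] = message

    check("admin/security/admin_account_sharing", lambda v: v == "1",
          "Admin Account Sharing is enabled: one account can be used from several devices")
    check("admin/security/use_form_key", lambda v: v == "0",
          "Add Secret Key to URLs is disabled")
    check("admin/security/use_case_sensitive_login", lambda v: v == "0",
          "Login is Case Sensitive is disabled")
    check("admin/security/session_lifetime",
          lambda v: v.isdigit() and int(v) > MAX_SESSION_SECONDS,
          "Admin Session Lifetime exceeds %d seconds" % MAX_SESSION_SECONDS)
    check("admin/security/lockout_failures", lambda v: v == "",
          "Maximum Login Failures to Lockout Account is empty: unlimited attempts")
    check("admin/security/password_lifetime", lambda v: v == "",
          "Password Lifetime is empty: passwords never expire")
    check("admin/security/password_is_forced", lambda v: v == "0",
          "Password Change is only Recommended, not Forced")
    return findings


if __name__ == "__main__":
    for path, message in audit(parse_config_show(SAMPLE_DUMP)).items():
        print("WEAK %s: %s" % (path, message))
```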

These are the basic Magento admin security precautions you have to take to secure your admin panel and the data stored there. But you shouldn't stop there.

Make sure to change the Magento 2 admin URL and path to a less predictable one to avoid security breaches and keep your data safe.

Step 2: Define User Roles

Once users log in to your admin panel, they start working on the tasks they are responsible for. Thus, not all admin users need access to all sections of your store, e.g. orders, products, shipping, blog, etc.

[Screenshot: Magento 2 Roles, Role Resources]

By configuring the user roles in Magento you restrict access to certain areas of your store. This helps you ensure users work only with those sections you allow them to access.

Step 3: Track Admin Activity

Although you restrict access to different store sections through user roles, you still can't track each action admin users take. That becomes a problem when a mistake is made and you can't trace it back to anyone.

That changes with the Magento 2 Admin Action Log Extension. This tool helps you monitor each action admin users take in your admin panel. Besides, you can view all login attempts for a specific period.

[Screenshot: Magento activity log]

You can never be too cautious when it comes to Magento admin security since that's where you store a lot of data.

Configure Magento 2 admin security, restrict admins' responsibilities and monitor what changes they make in your admin panel. Ensure a safe environment and keep track of all store activities.