Security is one of the most important aspects of your website, and it deserves your full attention. Even if you have an extensive customer database and great conversion rates, a single security breach is enough to ruin all of that.
Though Magento takes a comprehensive approach to security, you still have to cover even the smallest details to improve Magento security. You can never overdo it.
In this article, we want to talk about Magento 2 admin security and how you can configure it to defend against brute force attacks and other malicious actions.
To Configure Magento 2 Admin Security:
1. Navigate to Stores > Configuration > Advanced > Admin > Admin Security.
2. If you want to prevent admin users from logging in from different devices at the same time, disable the Admin Account Sharing option.
3. Choose the method used to manage password reset requests in the Password Reset Protection Type select box:
- By IP and Email — the admin user can reset their password online after responding to the reset notification sent to the email address associated with their account.
- By IP — admins reset passwords online with no additional confirmation.
- By Email — the password is reset by replying to the email notification sent to the email associated with the admin account.
- None — only store administrators can reset passwords for admin users.
Note: there are also other ways to reset the admin panel password in Magento.
4. Enter the number of hours the recovery email link will be valid in the Recovery Link Expiration Period (hours) field.
5. Set the maximum number of password reset requests allowed per hour in the Max Number of Password Reset Requests field.
6. Specify the Min Time Between Password Reset Requests, the interval that must pass between consecutive password reset requests.
7. Enable adding a secret key to admin URLs in the Add Secret Key to URLs field.
8. To make login credentials case sensitive, so that lower and upper case characters must match exactly, enable the Login is Case Sensitive option.
9. Enter the Admin Session Lifetime (seconds) to determine the length of the admin user session before it times out.
10. Set the Maximum Login Failures to Lockout Account, which specifies how many failed login attempts are allowed before the account is locked out. By default, it is 6, but if you like you can leave it empty to allow unlimited attempts.
11. Specify the Lockout Time (minutes) for the admin user to be locked out.
12. Enter the Password Lifetime (days) to define the number of days a password stays valid. When this period expires, admins will have to change it.
13. Choose the Password Change method:
- Forced — requires the admin user to change their password.
- Recommended — recommends that the admin user change their password.
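The same settings can be applied and audited from the command line, which is handy when you manage several stores or want to check a store you did not configure yourself. The script below is an added example and is not code from the original article or from Magento itself. It assumes the `bin/magento config:set` / `config:show` commands of Magento 2, that the configuration paths under `admin/security/` are the ones I recall from the Magento_Backend and Magento_Security `system.xml` files (verify them against your installation), that `password_reset_protection_type` uses 0 = None, 1 = By IP and Email, 2 = By IP, 3 = By Email, and that `config:show` prints one `path - value` line per setting. The recommended values are illustrative defaults, not Magento's. The audit treats an empty Maximum Login Failures (unlimited attempts) as a weak setting, because that is the value a brute force attack benefits from most.

```shell
#!/usr/bin/env bash
# Added example: set and audit Magento 2 admin security settings from the CLI.
# Config paths and option values are assumptions; check them against your
# installation's system.xml before relying on this.
set -u

MAGENTO_BIN="${MAGENTO_BIN:-bin/magento}"

# Recommended values (illustrative): path|value|description (mirrors the steps above)
recommended_settings() {
  cat <<'EOF'
admin/security/admin_account_sharing|0|Admin Account Sharing: disabled
admin/security/password_reset_protection_type|1|Password Reset Protection Type: By IP and Email
admin/security/password_reset_link_expiration_period|1|Recovery Link Expiration Period (hours)
admin/security/max_number_password_reset_requests|3|Max Number of Password Reset Requests (per hour)
admin/security/min_time_between_password_reset_requests|10|Min Time Between Password Reset Requests
admin/security/use_form_key|1|Add Secret Key to URLs
admin/security/use_case_sensitive_login|1|Login is Case Sensitive
admin/security/session_lifetime|900|Admin Session Lifetime (seconds)
admin/security/lockout_failures|6|Maximum Login Failures to Lockout Account
admin/security/lockout_threshold|30|Lockout Time (minutes)
admin/security/password_lifetime|90|Password Lifetime (days)
admin/security/password_is_forced|1|Password Change: Forced
EOF
}

# Print the bin/magento commands (dry run) so they can be reviewed before applying.
emit_commands() {
  recommended_settings | while IFS='|' read -r path value _desc; do
    printf '%s config:set %s %s\n' "$MAGENTO_BIN" "$path" "$value"
  done
}

# audit_setting PATH ACTUAL: prints OK/WEAK and returns 0 when the value is at
# least as strict as the recommendation. Limits such as lockout_failures are
# weaker when larger (or empty = unlimited); lockout_threshold and the minimum
# time between reset requests are weaker when smaller; flags must match exactly.
audit_setting() {
  path="$1"; actual="$2"
  rec=$(recommended_settings | awk -F'|' -v p="$path" '$1==p {print $2}')
  if [ -z "$rec" ]; then echo "UNKNOWN $path"; return 2; fi
  case "$path" in
    admin/security/lockout_failures|admin/security/session_lifetime|admin/security/password_lifetime|admin/security/password_reset_link_expiration_period|admin/security/max_number_password_reset_requests)
      mode=max ;;
    admin/security/lockout_threshold|admin/security/min_time_between_password_reset_requests)
      mode=min ;;
    *) mode=exact ;;
  esac
  weak=0
  case "$mode" in
    exact) [ "$actual" = "$rec" ] || weak=1 ;;
    *)
      case "$actual" in ''|*[!0-9]*) weak=1 ;; esac   # empty or non-numeric = no limit
      if [ "$weak" -eq 0 ]; then
        if [ "$mode" = max ] && [ "$actual" -gt "$rec" ]; then weak=1; fi
        if [ "$mode" = min ] && [ "$actual" -lt "$rec" ]; then weak=1; fi
      fi ;;
  esac
  if [ "$weak" -eq 1 ]; then
    echo "WEAK $path=${actual:-<empty>} (recommended $rec)"; return 1
  fi
  echo "OK $path=$actual"; return 0
}

# Read `bin/magento config:show admin/security` style output ("path - value")
# from stdin, audit every known path, and return the number of weak settings.
audit_config_show() {
  weak_count=0
  while IFS= read -r line; do
    case "$line" in
      *" - "*) path=${line%% - *}; actual=${line#* - } ;;
      *" -")   path=${line% -};    actual="" ;;
      *) continue ;;
    esac
    audit_setting "$path" "$actual" || [ $? -eq 2 ] || weak_count=$((weak_count + 1))
  done
  echo "WEAK settings: $weak_count"
  return "$weak_count"
}

# Constructed sample of config:show output (not captured from a real store):
# account sharing enabled and an empty lockout limit are the two weak values.
SAMPLE_CONFIG_SHOW='admin/security/admin_account_sharing - 1
admin/security/lockout_failures -
admin/security/lockout_threshold - 30
admin/security/session_lifetime - 900'

if [ "${1:-dry-run}" = "apply" ]; then
  emit_commands | sh          # run against the real store: ./harden.sh apply
else
  emit_commands               # show what would be applied
  printf '%s\n' "$SAMPLE_CONFIG_SHOW" | audit_config_show || true
fi
```

Run it without arguments to print the `config:set` commands and audit the built-in sample; pipe the real `bin/magento config:show admin/security` output into `audit_config_show` to check a live store, and pass `apply` only after reviewing the printed commands. After applying settings on a real store, run `bin/magento cache:flush` so the new values take effect.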
These are the basic Magento admin security precautions you have to take to secure your admin panel and the data stored behind it. But you shouldn't stop there.
Make sure to change the Magento 2 admin URL and path to a less predictable one to reduce the risk of security breaches and keep your data safe.