
How to Secure your Magento Admin Panel

08/2023

Software vulnerabilities are not the only way a Magento store gets seriously damaged. Often a site is breached through weak protection of its admin panel: a guessable password, a login page anyone can find, or a session that never expires. There is no way to eliminate every risk, but there are steps you can take to make your shop a less attractive target.

Here are seven tips to help secure your Magento admin.

Magento Security Tab

The Security tab in the Magento configuration is the simplest place to start. It groups the core admin security options: how long an idle admin session lives, whether one account may be logged in from several devices at once (Admin Account Sharing), account lockout after failed logins, password rotation, and limits on password reset requests.

To open it, click "Stores" in the left sidebar, then Settings > Configuration. In the "Advanced" section open "Admin"; the Security tab is listed there.

The security tab offers the following options:

  • Add a Secret Key to URLs
    • Set this to "Yes." Magento then appends a per-session secret key to every admin URL, so a request forged from another site does not carry a valid key. This is the admin's built-in protection against cross-site request forgery (CSRF).
  • Login is Case Sensitive
    • This option applies to the admin user name, not the password; passwords are always compared case-sensitively. With it enabled, "Admin" and "admin" are different logins, which removes one small shortcut for someone guessing account names.
  • Admin Session Lifetime
    • The number of seconds an idle admin session stays valid. A short lifetime limits the damage from a stolen session cookie: an attacker who has copied the cookie but does not know the password can only use it until the session expires. Magento's default is 900 seconds.
  • Maximum Login Failures to Lockout Account
    • The number of consecutive failed login attempts before the account is locked. Together with the lockout time, this slows password guessing against a known user name.
  • Lockout Time
    • How many minutes a locked account stays locked before the user may try again. Short values make brute force only marginally slower; 30 minutes is Magento's default.
  • Password Lifetime
    • The number of days an admin password stays valid before Magento requires a new one. Rotation limits how long a leaked or guessed credential remains useful. The related "Password Change" setting decides whether the change is Forced or only Recommended; choose Forced.
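As an added illustration (not code from this article or from Magento itself), the following Python script audits these Security tab settings against a baseline and reports each weak value. The two settings dictionaries are constructed, not exported from a real store; their keys are the admin/security/* configuration paths behind the Security tab, which you should confirm against your own installation (bin/magento config:show admin/security prints them). The thresholds are this example's choices, not Magento's.

```python
"""Audit a Magento admin/security configuration against a baseline.

Added example for the article, not Magento code. WEAK and HARDENED are
constructed settings, not exported from a real store; the keys are the
admin/security/* config paths behind the admin Security tab.
"""

# Rule types: "eq" exact value, "max"/"min" numeric bound. Magento's
# shipped defaults are 900 s session lifetime, 6 failures, 30 min lockout,
# 90 day password lifetime; the bounds below are this example's baseline.
BASELINE = {
    "admin/security/use_form_key": ("eq", "1",
        "Add Secret Key to URLs is off: admin forms lack CSRF protection"),
    "admin/security/use_case_sensitive_login": ("eq", "1",
        "Login is not case sensitive"),
    "admin/security/admin_account_sharing": ("eq", "0",
        "Admin Account Sharing is on: one account may hold several sessions"),
    "admin/security/session_lifetime": ("max", 900,
        "Admin Session Lifetime exceeds 900 seconds"),
    "admin/security/lockout_failures": ("max", 6,
        "lockout needs more than 6 failed logins"),
    "admin/security/lockout_threshold": ("min", 30,
        "Lockout Time is shorter than 30 minutes"),
    "admin/security/password_lifetime": ("max", 90,
        "Password Lifetime exceeds 90 days"),
    "admin/security/password_is_forced": ("eq", "1",
        "Password Change is Recommended, not Forced"),
}


def _as_int(value):
    """Return the numeric value, or None if it is empty or not a number."""
    try:
        return int(str(value).strip())
    except ValueError:
        return None


def audit(settings):
    """Return one finding string per baseline rule the settings violate.

    For the numeric controls an empty or zero value is read as "control
    switched off" (no lockout, passwords never expire) and flagged as such.
    """
    findings = []
    for path, (kind, expected, message) in BASELINE.items():
        raw = settings.get(path)
        if raw is None:
            findings.append(f"{path}: not set ({message})")
            continue
        if kind == "eq":
            if str(raw).strip() != expected:
                findings.append(f"{path}={raw!r}: {message}")
            continue
        number = _as_int(raw)
        if number is None or number <= 0:
            findings.append(f"{path}={raw!r}: control disabled ({message})")
        elif kind == "max" and number > expected:
            findings.append(f"{path}={raw!r}: {message}")
        elif kind == "min" and number < expected:
            findings.append(f"{path}={raw!r}: {message}")
    return findings


# Constructed "before" configuration with several weak choices.
WEAK = {
    "admin/security/use_form_key": "0",
    "admin/security/use_case_sensitive_login": "0",
    "admin/security/admin_account_sharing": "1",
    "admin/security/session_lifetime": "86400",   # a full day of idle session
    "admin/security/lockout_failures": "",        # empty: lockout never triggers
    "admin/security/lockout_threshold": "5",
    "admin/security/password_lifetime": "0",      # passwords never expire
    "admin/security/password_is_forced": "0",
}

# Constructed "after" configuration that satisfies the baseline.
HARDENED = {
    "admin/security/use_form_key": "1",
    "admin/security/use_case_sensitive_login": "1",
    "admin/security/admin_account_sharing": "0",
    "admin/security/session_lifetime": "900",
    "admin/security/lockout_failures": "5",
    "admin/security/lockout_threshold": "30",
    "admin/security/password_lifetime": "90",
    "admin/security/password_is_forced": "1",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        findings = audit(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for line in findings:
            print("  -", line)
```

Running it reports eight findings for the weak configuration and none for the hardened one. Treating an empty or zero lockout or password lifetime as a finding matters more than it looks: both read like "unset" in a config export but mean the control is off.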

Change the Admin Panel Default URL

Changing the admin URL is one of the simplest steps a store owner can take. Magento's default admin path is store_domain/admin, and since the domain is public, anyone can reach the login page without guessing anything. Use a custom admin path (the backend frontName in app/etc/env.php) of at least 7 random letters and digits. Treat this as a way to keep automated scanners and casual attackers off the login page, not as access control: it does not replace the other measures on this list.

Be careful when making the change. A typo in the path locks you out of the backend in the browser, and access can only be restored on the server, by correcting the backend frontName entry in app/etc/env.php (or re-running bin/magento setup:config:set --backend-frontname with the intended value) and flushing the cache.

Set Two-Factor Authentication

Two-factor authentication (2FA), or more generally multi-factor authentication, is now standard practice and should not be skipped or left half-configured. A second factor blocks a login even when the attacker already knows the password. Since Magento 2.4, 2FA is enabled for admin accounts by default and each admin has to enrol a provider before the first login.

Typically the second factor is a one-time code from an authenticator app such as Google Authenticator on an Android or iOS phone; a hardware security key or a code delivered by SMS are also options. Prefer an app or a hardware key over SMS, which is exposed to SIM-swap and interception attacks.

CAPTCHA for Admin

Cyber threats come not only from flesh-and-blood hackers but from bots. A CAPTCHA challenge on the admin login page ensures that a person, not a script, is submitting the credentials, and so slows automated password guessing. Magento supports its native CAPTCHA as well as Google reCAPTCHA for the admin login. A CAPTCHA complements, rather than replaces, the lockout settings and 2FA: it raises the cost of automated guessing but does not stop a patient attacker.

Adobe's documentation describes how to enable CAPTCHA for the admin login.

IP Whitelisting 

IP whitelisting controls which source addresses may reach the admin login at all. Magento's core configuration does not include an admin IP allowlist; it is normally enforced in front of the application, in the web server (nginx or Apache) or a WAF rule that matches the admin path, or through a third-party extension. Add each admin's IP address or range to the list and deny everything else. If your admins do not have static addresses, every address they might connect from has to be on the list, which quickly becomes unmanageable and tempts people into allowing whole provider ranges.

Keep in mind that many internet providers assign dynamic addresses, and mobile connections change address constantly. A cleaner approach is to route admin access through a VPN or bastion host with a fixed egress address and allow only that address.

Set User Roles

Setting user roles gives you finer control over who can do what. A role defines which actions an account may perform in the admin, and each admin user is assigned exactly one role.

A role created with Resource Access set to "All" (the built-in Administrators role is one) grants every permission. Instead, set Resource Access to "Custom" and tick only the resources a user actually needs. Permissions can be limited per area, for example:
  • Sales
  • Catalog
  • Customers
  • Cart
  • Marketing
  • Content
  • Stores
  • System
  • Action log
Give each admin the least privilege their job requires, and keep the number of accounts with full access as small as possible; those are the accounts an attacker wants.

Log Admin Actions

Stores on Adobe Commerce can use the built-in Action Log, which records what each admin account did. After an incident it lets you reconstruct the sequence of actions, and day to day it helps spot a compromised account by actions it would not normally take. Magento Open Source does not include this feature, so Open Source stores have to rely on web server access logs and third-party extensions for the same visibility.

Enable the Action Log under Stores > Settings > Configuration > Advanced > Admin > Admin Actions Logging. By default every action is logged; it can be narrowed to specific actions, but logging everything is the safer choice unless volume becomes a problem. Ship the log, together with the web server logs for the admin path, to a system outside the store, so that an attacker who gains admin access cannot erase their own trail.
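The lockout settings above protect one account at a time, and the Action Log records only what a logged-in admin does; neither shows a guessing campaign spread across many user names, which is exactly how an attacker avoids triggering a per-account lockout. As an added example (not from this article or from Magento), here is a small Python detector that reads web server access log lines and alerts when a single source IP posts to the admin login path more than a threshold number of times inside a sliding window. The log lines are constructed in the nginx combined format with TEST-NET addresses, and the admin path /backend_x7q2/ is a hypothetical custom frontName.

```python
"""Detect password guessing against the Magento admin login in access logs.

Added example, not Magento code. SAMPLE_LOG is constructed (nginx combined
format, TEST-NET addresses) and ADMIN_PATH is a hypothetical custom admin
front name; both stand in for real data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Custom admin path, i.e. Magento's backend frontName (hypothetical here).
ADMIN_PATH = "/backend_x7q2/"

# nginx "combined" format: ip ident user [time] "METHOD path proto" status ...
# The status is captured but not used: a login POST's response code alone
# does not reliably tell a failed attempt from a successful one.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def detect_bruteforce(lines, admin_path=ADMIN_PATH, threshold=6, window_seconds=300):
    """Return {ip: timestamp} for every IP that POSTs to the admin path at
    least `threshold` times within `window_seconds`; the timestamp is the
    request that crossed the threshold. Counting is per source IP rather than
    per account, so a spray across many user names is caught even though no
    single account reaches Magento's lockout limit."""
    recent = defaultdict(deque)   # ip -> timestamps of recent admin POSTs
    alerts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format: skip rather than crash
        if m["method"] != "POST" or not m["path"].startswith(admin_path):
            continue  # only login submissions to the admin path count
        ts = datetime.strptime(m["time"], TIME_FMT)
        window = recent[m["ip"]]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # forget requests older than the window
        if len(window) >= threshold and m["ip"] not in alerts:
            alerts[m["ip"]] = m["time"]
    return alerts


def _line(ip, time, method, path, status):
    """Build one constructed nginx combined-format log line."""
    return f'{ip} - - [{time}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample: one legitimate admin, one guessing source, some noise.
SAMPLE_LOG = [
    _line("198.51.100.5", "10/Aug/2023:13:00:00 +0000", "POST", ADMIN_PATH, 302),
    # seven login submissions from one address inside one minute
    _line("203.0.113.7", "10/Aug/2023:13:05:01 +0000", "POST", ADMIN_PATH, 302),
    _line("203.0.113.7", "10/Aug/2023:13:05:05 +0000", "POST", ADMIN_PATH, 302),
    _line("203.0.113.7", "10/Aug/2023:13:05:12 +0000", "POST", ADMIN_PATH, 302),
    _line("203.0.113.7", "10/Aug/2023:13:05:20 +0000", "POST", ADMIN_PATH, 302),
    _line("203.0.113.7", "10/Aug/2023:13:05:33 +0000", "POST", ADMIN_PATH, 302),
    _line("203.0.113.7", "10/Aug/2023:13:05:41 +0000", "POST", ADMIN_PATH, 302),
    _line("203.0.113.7", "10/Aug/2023:13:05:58 +0000", "POST", ADMIN_PATH, 302),
    # noise that must not count: fetching the login page, a storefront POST, junk
    _line("203.0.113.7", "10/Aug/2023:13:06:02 +0000", "GET", ADMIN_PATH, 200),
    _line("203.0.113.7", "10/Aug/2023:13:06:03 +0000", "POST", "/checkout/cart/add/", 200),
    "not an access log line",
    # the legitimate admin again, half an hour later: outside any 5-minute window
    _line("198.51.100.5", "10/Aug/2023:13:30:00 +0000", "POST", ADMIN_PATH, 302),
]

if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: admin login POST threshold crossed at {when}")
```

With the default threshold of six attempts in five minutes, only 203.0.113.7 is reported, at the sixth request; the legitimate admin's two logins are thirty minutes apart and never accumulate. Feed the function real lines from the web server that fronts the store, set the threshold a little above your lockout setting, and forward the alerts to wherever the rest of your monitoring lives.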

There are many more ways to protect your admin panel, but the points above are a solid place to start.
