How to keep your Magento Admin console safe from intrusion
Your Magento Admin Panel is a lifeline to critical systems within your eCommerce store. You use it to manage your online storefronts; hackers who gain access can use it to steal data, redirect traffic to malicious sites, change the payment account configuration so that the money from purchases on your site goes to them instead of you, and otherwise wreak havoc on your business. This is not a Magento-specific problem; however, there are Magento-specific solutions that you can deploy alongside general security best practices.
- Two-Factor Authentication (2FA): Rather than relying on only a username and password to access the admin console, enable a two-factor solution, much as you may already do with your bank or email accounts. Magento 2.3+ includes a native 2FA solution. There are also reliable Magento 1 two-factor authentication extensions in the Magento Marketplace for those who are still on M1.
- Encryption: To prevent hackers from intercepting your username and password, your Magento admin should load only over HTTPS with a valid SSL/TLS certificate. Not only should your admin load via HTTPS, but the certificate and the server's TLS configuration should also be up to date. There are online testing services you can use to see whether any updates are needed.
- Enable CAPTCHA: While you may not want to use CAPTCHAs on the frontend of your site, you should use them to help protect the backend. They help deter brute-force attacks, in which hackers keep trying username and password combinations until they find one that grants access to your Magento admin.
- Admin URL: Your Magento admin page should not load at a standard URL like /admin. Rather, it should be at a unique address that is easy for you to remember but hard for hackers to guess. This mainly defeats automated scanners that probe the default path; it is not a substitute for the other controls on this list.
- Firewalls: If your staff consistently access your Magento admin from specific locations, the IP addresses of those locations should be the only ones that can even reach the URL of your Magento admin panel. Your host should be able to help with this as part of their commitment to your security. Additionally, if you're using a Web Application Firewall (WAF) to help block bad traffic from your Magento store, you can use your WAF for this purpose. You may even be able to block traffic from countries that you don't do business with, simply to cut down on hacking attempts.
- Set User Roles: It can be easy for multiple members of an eCommerce business to share the same admin account to access all of Magento's features. However, you should provide each employee with their own login credentials and permissions. Limiting access ensures employees can reach only what they need to fulfill their tasks. For instance, someone who helps with data entry should not be able to change payment methods and settings.
- Audit and Update User Access: You should enforce best practices for having users update their passwords. Opinions differ on how often, but passwords should be changed at the very least once a year. You should also ensure that former employees and vendors no longer have active credentials for your Magento admin. Auditing accounts helps ensure that there are fewer vulnerable entry points.
- Strong Credentials: Both usernames and passwords should be strong. A username like "admin" is much too simple and hands hackers one of the two keys they typically need to access your admin (your password being the other). Do not reuse the same credentials for other systems: hackers who obtain credentials you use for another website or system may well test them to see whether they also grant access to other systems you're associated with.
- Store and Use Passwords Wisely: You should be logging into your admin from computers and devices that you have reason to believe are safe. A secure system has the latest security updates, runs antivirus software, and has a clean bill of health from such software. Similarly, you should not store your login credentials in a system that does not have strong security protocols. For instance, you shouldn’t send your Magento credentials in an email that does not have an extra layer of security such as two-factor authentication.
- General Magento Security: If you're not keeping up with Magento patches and with hosting updates and patches, you're giving hackers ways to access files and data within your website directly. Whether they bypass your Magento admin or reach it through known vulnerabilities, the net result is the same: a compromised website. It's highly encouraged to seek a Magento hosting security audit and a Magento website security audit to make sure that your site is safe and secure.
- Admin Server: If you're using a clustered hosting solution, consider giving your Magento admin its own server, which your hosting team can lock down further. Unlike a general web server that needs to be publicly accessible, your admin server can be set up with very limited and specific access points. With this setup, make sure to choose an admin hostname that is unique rather than the obvious admin.yoursite.com.
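The firewall and CAPTCHA items above both assume you can see who is reaching the admin path. As an added example (not from the original post), this script checks web-server access logs for admin requests from outside an IP allowlist and for bursts of failed admin login POSTs; the admin path, the office range and the log lines are constructed, and it assumes a successful login answers with a 302 redirect.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
ADMIN_PATH = "/store-backend-7f3a"                     # hypothetical custom admin path
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]   # hypothetical office range

# Constructed sample lines in combined log format (not captured from a real server).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2024:09:00:01 +0000] "GET /store-backend-7f3a/ HTTP/1.1" 200 5120
203.0.113.10 - - [01/Mar/2024:09:00:05 +0000] "POST /store-backend-7f3a/ HTTP/1.1" 302 0
198.51.100.7 - - [01/Mar/2024:09:01:01 +0000] "POST /store-backend-7f3a/ HTTP/1.1" 200 5120
198.51.100.7 - - [01/Mar/2024:09:01:02 +0000] "POST /store-backend-7f3a/ HTTP/1.1" 200 5120
198.51.100.7 - - [01/Mar/2024:09:01:03 +0000] "POST /store-backend-7f3a/ HTTP/1.1" 200 5120
198.51.100.7 - - [01/Mar/2024:09:01:04 +0000] "POST /store-backend-7f3a/ HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries

def admin_hits_outside_allowlist(entries):
    """IPs that reached the admin path without being in the office allowlist."""
    return {e["ip"] for e in entries if e["path"].startswith(ADMIN_PATH)
            and not any(ipaddress.ip_address(e["ip"]) in net for net in ALLOWLIST)}

def login_bruteforce(entries, threshold=4, window_seconds=60):
    """IPs with >= threshold failed admin login POSTs inside one window.
    Assumption: a successful login answers 302 (redirect to dashboard), a failure does not."""
    failures = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"].startswith(ADMIN_PATH) and e["status"] != 302:
            failures[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):  # sliding window of `threshold` failures
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.add(ip)
                break
    return flagged
```

Any IP returned by either function is a candidate for a firewall or WAF block and a prompt to confirm CAPTCHA and 2FA are enforced on the admin login.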
At the end of the day, you owe it to yourself and your customers to protect your Magento website, your business, and your livelihood. Following best-practices can take some effort, but it’s a lot less work than addressing a security breach.
It would be our pleasure to help you secure your website.