Accordingly Magento Tech Resources
We’re seeing an increasing number of brute force password guessing attacks on Magento installations worldwide. In some cases, these attacks have resulted in unauthorized admin panel access. We highly recommend that you take the steps outlined below to protect your store against such attacks.
As a first step, take an inventory of all of the ways your installation can potentially be reached from the outside world by a brute force password guessing attack. You can scan your site to identify all access points. In a typical Magento 1 installation (e.g., Magento Enterprise Edition 1.14.2), three locations will need to be protected: /admin (or the custom name you have chosen for the admin panel), /downloader, and /rss. In the case of Magento 2, only the admin panel location (generated automatically during installation) requires protection.
IP WHITELISTING
The best way to protect access to the admin and downloader locations is to allow access only from a specified IP address or network. This works best if you always access the store backend from the same location and from the same computer or computers. Your public IP address looks something like 111.222.333.444. This solution will not work properly if you use dynamic IP addresses or access the backend from a mobile device. If your company has a remote workforce, add their IP addresses as well so that they keep access to the backend.
IP Whitelisting the Admin Panel, Downloader, and RSS Feeds
The approach for whitelisting the admin panel and RSS feeds differs from the method used to protect the downloader. This is because the downloader has a physical directory, while the admin, which is accessible through /admin and /index.php/admin URLs (or custom paths that you can choose), and RSS feeds, such as low stock notifications or order status updates, are not real directories on the server.
Apache Server Users
The way to protect the admin panel and RSS feeds is to redirect requests coming from unknown IP addresses to the main page. This can be done by editing the .htaccess file in the root Magento folder right after the rewrite rules for mobile user agents. This is located just before a section called “always send 404 on missing files in these folders.”
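An added example of those rules (not from the original page or from Magento's own .htaccess), assuming 203.0.113.10 as the office address and 10.0.0.0/24 as the VPN network to be whitelisted, and the default admin path; the downloader, being a real directory, gets its own downloader/.htaccess as described above:

```apache
############################################
## Added example: whitelist the admin panel and RSS feeds by client IP.
## Insert inside the existing <IfModule mod_rewrite.c> block of the root
## .htaccess, after the "redirect for mobile user agents" rules and before
## "always send 404 on missing files in these folders". RewriteEngine is
## already switched on earlier in that block.
## 203.0.113.10 and 10.0.0.x are assumed placeholder addresses: replace them
## with your own office / VPN addresses.
    RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
    RewriteCond %{REMOTE_ADDR} !^10\.0\.0\.[0-9]{1,3}$
## Admin panel: /admin and /index.php/admin (use your custom frontName here
## if you have renamed the admin path).
    RewriteCond %{REQUEST_URI} ^/(index\.php/)?admin(/|$) [NC,OR]
## RSS feeds such as low stock notifications and order status updates.
    RewriteCond %{REQUEST_URI} ^/(index\.php/)?rss(/|$) [NC]
## Requests from any other address are sent to the store's main page.
    RewriteRule .* / [R=302,L]

############################################
## Added example: the downloader is a physical directory, so it is
## restricted with its own downloader/.htaccess allowing the same addresses.
## Apache 2.4 syntax; on Apache 2.2 use
##   Order Deny,Allow / Deny from all / Allow from 203.0.113.10 10.0.0.0/24
    <RequireAny>
        Require ip 203.0.113.10
        Require ip 10.0.0.0/24
    </RequireAny>
```

If the store sits behind a load balancer or CDN, REMOTE_ADDR holds the proxy's address rather than the visitor's; whitelist on the real client address only after the web server has been configured (for example with mod_remoteip) to trust that proxy's forwarded-address header.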
Nginx Web Server Users
In most cases you will need to work with your hosting provider to restrict access to the admin, downloader and RSS locations.
BLOCKING THE RSS AND DOWNLOADER
- If you are not planning to use the RSS feed or the downloader, it is best to completely block or remove them.
- If you do not install or upgrade extensions on the production server and use a version control system to manage files, you can delete the whole downloader folder or block access to it.
- If you are not planning to use the RSS feed, block it in your web server configuration.
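An added example of fully blocking both locations on Apache (not from the original page or from Magento's own .htaccess); it assumes the default /rss and /downloader paths:

```apache
############################################
## Added example: block the RSS feeds outright.
## Root .htaccess, inside the existing <IfModule mod_rewrite.c> block:
## every /rss and /index.php/rss request is answered with 404, matching
## the "always send 404" convention Magento already uses in this file.
    RewriteCond %{REQUEST_URI} ^/(index\.php/)?rss(/|$) [NC]
    RewriteRule .* - [R=404,L]

############################################
## Added example: downloader/.htaccess, denying the whole directory when
## the downloader is kept on disk (deleting the folder removes the access
## point entirely and needs no rule).
## Apache 2.4 syntax; on Apache 2.2 use "Order Deny,Allow" and "Deny from all".
    Require all denied
```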
CHANGING THE LOCATION OF THE ADMIN PANEL AND MAGENTO CONNECT MANAGER (DOWNLOADER)
Password guessing attacks assume typical admin panel locations like /admin, /backend, /manage, /control and similar and the default location of the Magento Connect Manager: /downloader. Changing the location of the admin panel and downloader can reduce the likelihood of being targeted by a generic attack. However, it does not protect against targeted attacks which try to guess the location with multiple requests.
Be sure to check with your hosting provider before making these changes. Some have specific security rules that apply to default locations. Also, if you are not planning on installing extensions from Magento Connect, you can delete or fully block access to the downloader directory.
Changing the Name (Location) of the Admin Panel (Magento 1 only)
- To change the name, first log into the admin panel and navigate to System -> Cache Management.
- Then edit the file app/etc/local.xml in your Magento installation and change the name in the section admin -> routers -> adminhtml -> args -> frontName.
- After this change, clear all the caches and then log out and log in again using the new URL.
Changing the Name of Magento Connect Manager (Downloader) (Magento 1 Only)
Changing the name of the Magento Connect Manager is another option, but once you have made this change, it will no longer be possible to open Magento Connect Manager from the Magento admin panel. It must be accessed directly using the new URL.
To change the name of Magento Connect Manager, simply change the folder name from downloader to something unique.
ADVANCED USE CASES
In some situations, it might be impossible to limit access to a set of IP addresses, especially when the site administration panel needs to be accessed by multiple people from different locations. In this case, there are other approaches that might be used:
- Use a VPN tunnel and block any other access to the services (you will need to work with your hosting provider to set up this method).
- Install and enable 2-factor authentication.
Note: you still need to block or restrict /rss and /downloader access.
In summary, there are several approaches you can take to help protect your store from brute force password guessing attacks. We recommend that you quickly review these approaches with your Solution and Hosting Partners and implement the ones that are best suited to your unique situation.