We’re seeing an increasing number of brute force password guessing attacks on Magento installations worldwide. In some cases, these attacks have resulted in unauthorized admin panel access. We highly recommend that you take the steps outlined below to protect your store against such attacks.
As a first step, take an inventory of all the ways your installation can potentially be reached from the outside world by a brute force password guessing attack. You can scan your site to identify all access points. In a typical Magento 1 installation (e.g., Magento Enterprise Edition 1.14.2), three locations need to be protected: /admin (or the custom name you have chosen for the admin panel), /downloader, and /rss. In the case of Magento 2, only the admin panel location (which is generated automatically during installation) requires protection.
The best way to protect access to the admin and downloader locations is to allow access only for users coming from a specified IP address or network. This works best if you always access the store backend from the same location and computer or computers. Your public IP address should look like 111.222.333.444. This solution will not work properly if you are using dynamic IP addresses or accessing the backend through a mobile device. If your company has a remote workforce, it is important to add their IP addresses as well to ensure that they retain access.
The approach for whitelisting the admin panel and RSS feeds differs from the method used to protect the downloader. This is because the downloader has a physical directory, while the admin, which is accessible through /admin and /index.php/admin URLs (or custom paths that you can choose), and RSS feeds, such as low stock notifications or order status updates, are not real directories on the server.
The way to protect the admin panel and RSS feeds is to redirect requests coming from unknown IP addresses to the main page. This can be done by editing the .htaccess file in the root Magento folder right after the rewrite rules for mobile user agents. This is located just before a section called “always send 404 on missing files in these folders.”
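The following Apache configuration is an added example, not taken from the original post or from Magento's own files. It shows the two protections described above side by side: mod_rewrite rules in the root .htaccess for the virtual admin and RSS paths, and directory access control for the physical downloader folder. The addresses 203.0.113.10 and 198.51.100.0/24 are constructed placeholders from the RFC 5737 documentation ranges; replace them with your own office or VPN addresses, and replace `admin` with your custom admin path if you have changed it.

```apache
# Added example (not from the original post). Placeholder addresses:
# 203.0.113.10 and 198.51.100.0/24 are constructed; substitute your own.

# --- 1. Root .htaccess: admin panel and RSS feeds ---
# These paths are not real directories, so they are matched with mod_rewrite.
# Place the rules after the mobile user-agent rewrite rules, just before the
# "always send 404 on missing files in these folders" section.
RewriteEngine On
# Only evaluate the redirect for backend and feed URLs, with or without index.php.
RewriteCond %{REQUEST_URI} ^/(index\.php/)?(admin|rss)(/|$) [NC]
# Every trusted address must fail to match for the redirect to fire.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.
# Anyone else is sent to the store's main page.
RewriteRule ^ / [R=302,L]

# --- 2. downloader/.htaccess: Magento Connect Manager ---
# The downloader is a physical directory, so ordinary access control applies.
# Apache 2.4 syntax:
<RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</RequireAny>
# Apache 2.2 equivalent (use instead of the block above):
# Order Deny,Allow
# Deny from all
# Allow from 203.0.113.10 198.51.100.0/24
```

Two checks are worth doing before relying on these rules. First, if the store sits behind a load balancer, reverse proxy or CDN, REMOTE_ADDR will be the proxy's address rather than the visitor's, and every request will look trusted or untrusted alike; the proxy's real-client-IP header has to be mapped to REMOTE_ADDR (for example with mod_remoteip on Apache 2.4, restricted to your proxy addresses) before IP-based rules mean anything. Second, test from an address that is not on the list, for both /admin and /index.php/admin, and confirm you are redirected to the front page rather than shown the login form.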
In most cases you will need to work with your hosting provider to restrict access to the admin, downloader and RSS locations.
Password guessing attacks assume typical admin panel locations like /admin, /backend, /manage, /control and similar and the default location of the Magento Connect Manager: /downloader. Changing the location of the admin panel and downloader can reduce the likelihood of being targeted by a generic attack. However, it does not protect against targeted attacks which try to guess the location with multiple requests.
Be sure to check with your hosting provider before making these changes. Some have specific security rules that apply to default locations. Also, if you are not planning on installing extensions from Magento Connect, you can delete or fully block access to the downloader directory.
Changing the name of the Magento Connect Manager is another option, but once you have made this change, it will no longer be possible to open Magento Connect Manager from the Magento admin panel. It must be accessed directly using the new URL.
To change the name of Magento Connect Manager, simply change the folder name from downloader to something unique.
In some situations, it might be impossible to limit access to a set of IP addresses, especially when the site administration panel needs to be accessed by multiple people from different locations. In this case, there are other approaches that might be used:
In summary, there are several approaches you can take to help protect your store from brute force password guessing attacks. We recommend that you quickly review these approaches with your Solution and Hosting Partners and implement the ones that are best suited to your unique situation.