Magento Tips and Tutorials Web Hosting

Tips to Increase Admin Security for Magento 2

October 23, 2024

Bruno Gaiteiro

Senior Magento Developer

Table of Contents

1. Use Two-Factor Authentication (2FA)
2. Limit Admin Access
3. Change the Admin URL
4. Use Strong Password Policies
5. Regularly Review Admin User Accounts
6. Monitor Admin Activity with Logging
7. Limit Access by IP
8. Install Security Patches Regularly
9. Set Up an Intrusion Detection System (IDS)
10. Disable Unused Admin Accounts and Functions
11. Implement a Secure Hosting Environment
12. Set Admin Session Timeout
13. Use HTTPS for Admin Panel
14. Regularly Review Integrations
15. Disable Admin Account Sharing
16. Rotate Passwords Regularly

Tips to Increase Admin Security for Magento 2

Securing a Magento 2 store from potential rogue admin accounts is essential for safeguarding your online business. Here are several important security tips to help protect your Magento 2 installation:

1. Use Two-Factor Authentication (2FA)

Why: Adds an additional layer of security by requiring both a password and a second factor (e.g., a smartphone app) to access the admin panel.
How: Install and configure Magento’s built-in 2FA module or use third-party 2FA extensions.

2. Limit Admin Access

Why: The fewer people with access to the admin panel, the smaller the attack surface.
How: Only grant admin privileges to trusted users and regularly audit user roles to ensure minimal access rights.
Use Role-Based Access Control (RBAC): Assign permissions based on roles, ensuring users only have access to the features they need.

3. Change the Admin URL

Why: The default admin URL (/admin) is a known target for attackers.
How: Change the admin path to something unique by editing the env.php file:

'backend' => [ 'frontName' => 'custom_admin_path', ],

4. Use Strong Password Policies

Why: Weak passwords are a common attack vector.
How: Enforce strong password policies (minimum length, complexity, expiration, etc.) for all admin users. Consider using password management tools.

5. Regularly Review Admin User Accounts

Why: To ensure there are no unauthorized or inactive accounts.
How: Periodically audit admin users and delete or disable unused or suspicious accounts.

6. Monitor Admin Activity with Logging

Why: To detect unusual or suspicious activity in your admin panel.
How: Enable and regularly review admin actions via Admin Actions Log. Use tools or extensions that provide detailed logs of admin activities.

7. Limit Access by IP

Why: Reducing access to known IPs limits the potential for unauthorized logins.
How: Configure IP whitelisting so that only specific IP addresses or ranges can access the admin panel. This can be done through .htaccess for Apache or nginx.conf for Nginx.

8. Install Security Patches Regularly

Why: Magento releases security patches to fix vulnerabilities. Leaving your site unpatched opens it to potential exploits.
How: Stay informed about Magento’s security updates and apply patches as soon as they are released. Check Sansec server section on a weekly basis.

9. Set Up an Intrusion Detection System (IDS)

Why: Helps to detect and respond to suspicious activity.
How: Consider using tools such as Magento Security Scan, custom logging scripts, or third-party services to monitor your store for potential threats.

10. Disable Unused Admin Accounts and Functions

Why: Reduce the risk by limiting the attack surface.
How: Deactivate or remove any unused admin accounts and disable any features or modules that are not in use.

11. Implement a Secure Hosting Environment

Why: A secure hosting environment adds another layer of defense.
How: Ensure that your hosting provider implements firewalls, malware detection, daily backups, and regular security audits.

12. Set Admin Session Timeout

Why: Shorter session times reduce the risk of unauthorized access if an admin leaves their session unattended.
How: Go to Stores > Configuration > Advanced > Admin and set a reasonable session timeout.

13. Use HTTPS for Admin Panel

Why: Encrypting all traffic ensures sensitive information like passwords are not transmitted in plain text.
How: Install an SSL certificate and configure your Magento store to use HTTPS in the admin panel under Stores > Configuration > Web.

14. Regularly Review Integrations

Why: Many integrations require full access via Magento 2 API. One compromissed integration can make your admin access exploitable.
How: Regularly check which integrations are you using and which ones aren't. Disable or remove the non used integrations at System > Integrations.

15. Disable Admin Account Sharing

Why: Shared admin accounts make it harder to track accountability.
How: Enforce unique logins for each admin user and disable account sharing.

16. Rotate Passwords Regularly

Why: Ocasionally 3rd party data can be breached and passwords leaked exposing your admin access.
How: Take advantage of magento core features and enable admin password forced rotation every x days. Verify settings at System > Advanced > Admin > Security.

By following these tips, you can significantly reduce the risk of a rogue admin or other unauthorized users gaining access to your Magento 2 store.