

How to secure the Magento backend?


Especially for Magento 1 after its end of life, but also for the current Magento 2, it is important that you secure the Magento backend as well as possible.

In the following I will list some of the tips that I use for my clients to secure their Magento backends.

1. The obvious: Use SSL certificates

Using an SSL certificate for your Magento online shop, and especially for your Magento backend, should be a no-brainer today. With free SSL certificates widely available and encryption being a ranking factor in search engine optimization (SEO), you should simply ask your Magento hosting provider to set up an SSL certificate for your store.

The certificate ensures that nobody on the network path between your browser and the server can read your passwords, uploads, etc. in transit. So simply do it.

2. Use strong passwords

First of all, the most important thing, which applies to all your internet accounts, is to use strong passwords. Each Magento user should have a strong password, which above all means it is long enough (e.g. 20 characters or more).
Magento 2's built-in password settings, which let you enable password rotation and complexity rules, are a good starting point for that.
Magento 1/OpenMage unfortunately does not have such a feature yet.

3. Regularly check Magento users

Even if every user has a strong password, it does not help security-wise if accounts of former employees are still active or unknown user accounts are enabled. So go through the list of users in the Magento backend regularly and check whether there is anything to clean up.

4. Change Magento default admin route

Security by obscurity is never a good thing on its own, but if it prevents even some attacks, I am happy to apply it. So I would definitely recommend changing the default Magento backend route from /admin to something unique to your store.
This can be done easily in app/etc/local.xml in Magento 1 / OpenMage or in app/etc/env.php in Magento 2.

5. Use 2-Factor-Authentication

A more advanced solution is to use 2-Factor-Authentication for your backend accounts, or at least for the Administrator accounts. This is a little more complex, as Magento 1 and 2 do not provide such a feature out of the box, so you have to use an extension like this 2-Factor-Authentication extension for Magento 1.

Of course, 2-Factor-Authentication also adds a little more complexity for your users, so you have to decide whether that is an option in your case.

6. Restrict access by IP address or cookie

An additional measure to protect your Magento backend from unwanted access is to block it at the web server level, either by allowing only specific IP addresses or by requiring a secret cookie to be set.
Allowing only specific IP addresses of course only works in most cases if you have some sort of VPN, so that the IP range does not change (everyone should have a VPN by the way ;-).
If your IP address changes regularly, another way is to require a secret cookie that must be present in order to access the Magento backend.

Both measures can easily be applied with a rule in your .htaccess file, e.g. like this for the cookie restriction:

RewriteEngine On
# Only act on requests to the (renamed) admin route, with or without index.php
RewriteCond %{REQUEST_URI} ^/(index\.php/)?your_admin_route/ [NC]
# ... that do not carry the secret cookie
RewriteCond %{HTTP_COOKIE} !TheSecureCookieName=TheSecureCookieValue;? [NC]
# Redirect everyone else to the start page instead of showing the login form
RewriteRule ^(.*)$ https://%{HTTP_HOST}/ [R=302,L]
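The post shows only the cookie variant. The following .htaccess fragment is an added example (not from the original post) that combines both measures from tip 6: requests to the admin route pass if they come from an allow-listed address OR carry the secret cookie, and it adds a hypothetical one-time URL that sets the cookie. The IP addresses, the host name shop.example.com, the path admin-access-7f3a9c and the cookie name/value are placeholders; use a long random cookie value in practice.

```apache
RewriteEngine On

# Helper (assumed, not from the original post): visiting this secret path once
# sets the access cookie and redirects into the backend. Treat the path like a
# password. CO flag format: NAME:VALUE:domain:lifetime-in-minutes:path:secure:httponly
RewriteRule ^admin-access-7f3a9c$ /your_admin_route/ [CO=TheSecureCookieName:TheSecureCookieValue:shop.example.com:43200:/:secure:httponly,R=302,L]

# Guard for the admin route. All RewriteCond lines are ANDed, so the redirect
# fires only when the URI matches AND the client is on none of the allow-listed
# addresses AND the cookie is missing.
RewriteCond %{REQUEST_URI} ^/(index\.php/)?your_admin_route(/|$) [NC]
# Allow-listed addresses (constructed placeholders): one office/VPN address and a
# /24 range. REMOTE_ADDR is the TCP peer, so behind a CDN or reverse proxy every
# visitor would share the proxy's address; configure mod_remoteip there first.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.[0-9]{1,3}$
# Match the cookie as a whole name=value pair, not as a substring of another cookie
RewriteCond %{HTTP_COOKIE} !(^|;\s*)TheSecureCookieName=TheSecureCookieValue(;|$)
# Neither allow-listed nor authenticated by cookie: send to the start page
RewriteRule ^(.*)$ https://%{HTTP_HOST}/ [R=302,L]
```

Place these rules before Magento's own rewrite rules in the .htaccess of the document root, otherwise the request is already rewritten to index.php before the guard runs. Check the result with two browser sessions: one with the cookie (or from the VPN) should reach the login form, one without should land on the start page.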

7. Apply all Magento security patches

Whether you use MageOne or OpenMage, it is always important to apply the latest security patches as soon as they are released. Once a patch has been published, every attacker knows the weaknesses it fixes and tries to exploit them on unpatched shops.

Which measures do you take to secure your Magento backend?
