How to Secure Magento 2 Store Against Brute Force Attacks

Wajid Hussain Sep 07, 2016

Magento is the most popular e-commerce software today, which makes it a likely target for hackers who want to take control of your store. Their aim is to steal your customers' personal information and credit card details through brute-force attacks: simple trial-and-error attacks in which the hacker tries combinations of usernames and passwords until one of them breaks into your account. Although Magento itself ships with several built-in security protocols and features, there is still more you can do to protect your Magento store from breaches. Over the years we have observed several improved security tactics, which we recommend to every merchant who wants to further protect their store and stop hackers from gaining access to it.

Custom Admin Path
The two standard administrative sections of every Magento store are located at /admin and /downloader by default, so anyone can reach the admin panel by navigating to domain.com/admin in a browser. This makes the admin panel easy to abuse: hackers can launch a brute-force attack against it directly, and simple usernames and passwords can be guessed within a few minutes. While the attack is underway your site becomes slower and valuable server capacity is wasted.

To change the Admin path, go to Stores and choose Configuration. In the panel on the left, under Advanced, choose Admin and expand the Admin Base URL section. Then, do the following:

Set Use Custom Admin URL to “Yes.” Then, enter the Custom Admin URL and you are all set.
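The brute-force traffic described above shows up in the web server's access log long before anyone notices the site slowing down. The following Python script is an added example (not part of the original article and not Magento code): it flags clients that submit forms under the admin path repeatedly within a short window. The log lines are constructed, and the admin prefixes, threshold and window are assumptions you would adjust to your own store, including any custom admin path you have set.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format, as produced by the constructed sample below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path), or None for a line not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")

def find_admin_bruteforce(lines, admin_prefixes=("/admin", "/downloader"),
                          threshold=10, window=timedelta(minutes=5)):
    """Return {ip: peak} for clients that POSTed under an admin prefix at least `threshold`
    times inside any `window`-long span (per-IP sliding window). Defaults are assumptions."""
    posts = defaultdict(list)
    for parsed in filter(None, map(parse_line, lines)):
        ip, ts, method, path = parsed
        # Only form submissions (POST) under an admin prefix count as login attempts.
        if method == "POST" and path.startswith(tuple(admin_prefixes)):
            posts[ip].append(ts)
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def sample_log():
    """Constructed sample lines (not a real server log): one address hammering the
    login form, a real admin mistyping a password a few times, and storefront POSTs."""
    base = datetime(2016, 9, 7, 10, 0, 0)
    fmt = '{ip} - - [{ts} +0000] "{m} {p} HTTP/1.1" {s} 512 "-" "Mozilla/5.0"'
    def line(ip, offset, m, p, s):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S")
        return fmt.format(ip=ip, ts=ts, m=m, p=p, s=s)
    return ([line("203.0.113.7", 10 * i, "POST", "/admin/admin/index/index/", 302) for i in range(12)]
            + [line("198.51.100.5", 60 * i, "POST", "/admin/", 302) for i in range(3)]
            + [line("192.0.2.9", 5 * i, "POST", "/checkout/cart/add/", 302) for i in range(15)])
```

Run `find_admin_bruteforce(open("access.log").read().splitlines(), admin_prefixes=("/your-custom-path",))` against a real log to see which addresses exceed the threshold; storefront POSTs and admin page loads (GET) are deliberately not counted.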

Choose an Intricate Username and Password
Even if you have changed your admin login page, there is still a chance that a hacker can locate it. For more security, use a username and password so complex that they become almost impossible to guess. Make your password at least 16 characters long, mixing lower- and upper-case letters, numbers and symbols.

Use the Upgraded Latest Version of Magento
Newer versions of Magento are released regularly, often to patch security risks discovered in the software. That alone is reason enough to update your Magento store to the latest stable version available. After the release of Magento 2.0 it did not take long for Magento 2.1 to follow, since there were some prominent bugs that required an update.

Update Your Antivirus Software on a Daily Basis
This goes without saying, yet many Magento store owners hardly ever update their anti-virus software. Hackers can easily place key-loggers on your laptop, so make sure you are using commercial-grade anti-virus software that is updated on a daily basis.

HTTPS/SSL Is a Must for All Login Pages
Without a secure connection you are at risk of being attacked every time you enter your username and password. Eliminate this risk by always using HTTPS/SSL in Magento. To do so, click the “System” tab in the main toolbar and select “Configure” from the drop-down menu. Then click the “Web” tab in the left-hand navigation and select “Secure” in the main window. From here you can change the Base URL of your store from http://… to https://…. Do not forget to select “Yes” for both “Use Secure URLs in Front-end” and “Use Secure URLs in Admin”. Finally, click “Save Config” at the top of the page. Now you are set to go.

Ensure the Use of a Private and Secure Email Address
Some sophisticated hackers use social engineering to find out who runs the e-commerce site they intend to attack. Social websites such as LinkedIn and Facebook make it easy to search for a company's name and details. Many companies and people list their official email address in their social profiles or follow a standard company email format such as [email protected]. The hacker tries to break into that company email account and, once inside, can go to your Magento admin panel and request a password reset. They can then easily change the username, email address and password linked to the admin account and take full control of your Magento store.
To stop this from happening, never use your common email address for your admin login. Use a private email address instead, one that is not likely to be shared outside your company, for example [email protected]. Also protect this private email account with a very complex password for extra security.

Change Your Passwords Before and After Using an Outside Developer
Every business needs the services of outside developers from time to time to help improve its Magento store. To stay secure, change your admin and FTP passwords before giving them access, and change them again once the work is done. There is no guarantee that the companies you outsource work to are as careful as you are, so it is always better to take extra precautions in such cases to avoid a security breach.

Do you want more tips on how to secure your Magento store against brute-force attacks? Share the issues you have faced personally and we will provide you with more tips on how to safeguard your store.

Wajid Hussain

Community Manager at Arpatech
Wajid Hussain has vast experience in the Magento and PHP fields. He is currently Community Manager at Arpatech. He keeps up with the latest e-commerce and Magento trends and also happens to be an avid football fan. You can follow him on Twitter at @wajidstack or contact him by e-mail at wajid.hussain[at]arpatech.com.