One of the good security practices in Magento (either 1 or 2) is to protect your backoffice url with password using htpasswd (directly in the Apache conf or in the htaccess file). It is not the perfect solution, but it adds an extra layer of security which:

  • Will prevent anyone trying to log from anywhere
  • Will prevent brute force attacks. This particular case is what we’ve experienced in our Magento stores.

Apache configuration

This is the configuration you need should be as follows. Take into consideration:

  • Your website should be under SSL (port 443)
  • The important part is the ‘Location’ part. There we specify our custom admin url (if you use it) and the default ‘admin’ string.
  • We can whitelist some IPs if necessary
<VirtualHost *:443>
    # Whatever comes before....

    <Location ~ "^.*/(your_custom_admin_url|admin)(/|$)">
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile /var/www/.htpasswd
        require valid-user

        <RequireAny>
            Require ip 111.222.123.123 # Whitelisted IP
            Require ip 123.123.123.123 # Whitelisted IP
            Require valid-user
        </RequireAny>
    </Location>

    # The rest of your configuration goes here....
</VirtualHost>
Categories: Security

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.