One of the good security practices in Magento (either 1 or 2) is to protect your backoffice URL with a password using htpasswd (directly in the Apache configuration or in the .htaccess file). It is not a perfect solution, but it adds an extra layer of security which:
- Will prevent anyone from trying to log in to the admin panel from anywhere
- Will prevent brute-force attacks against the admin login. This particular case is what we've experienced in our Magento stores.
Apache configuration
The configuration you need is shown below. Take into consideration:
- Your website should be served over SSL (port 443): Basic authentication sends the credentials in clear text on every request, so without TLS the password is exposed on the wire.
- The important part is the 'Location' block. There we specify our custom admin URL (if you use one) and the default 'admin' string.
- We can whitelist some IPs if necessary; whitelisted addresses skip the password prompt entirely.
<VirtualHost *:443>
    # Whatever comes before....
    <Location ~ "^.*/(your_custom_admin_url|admin)(/|$)">
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile /var/www/.htpasswd
        # Apache comments must be on their own line: an inline "# ..." after
        # "Require ip" is read as a malformed address and breaks the config.
        # "Require valid-user" belongs inside <RequireAny> only; a second copy
        # outside the container is redundant.
        <RequireAny>
            # Whitelisted IPs skip the password prompt
            Require ip 111.222.123.123
            Require ip 123.123.123.123
            # Everyone else needs a valid htpasswd account
            Require valid-user
        </RequireAny>
    </Location>
    # The rest of your configuration goes here....
</VirtualHost>
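To spot the brute-force attempts this rule is meant to absorb, here is an added Python example (not from the original post) that scans Apache access-log lines for HTTP 401 responses on the admin paths matched by the same Location regex and flags client IPs at or above a threshold. The log lines are constructed, and `your_custom_admin_url` is a placeholder exactly as in the config above.

```python
import re
from collections import Counter

# Same path pattern as the <Location ~ ...> directive; the custom admin
# segment is a placeholder, as in the config above.
ADMIN_PATH = re.compile(r"^.*/(your_custom_admin_url|admin)(/|$)")

# Apache common/combined log prefix: ip ident user [time] "request" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # Location matches the path only
    return rec

def is_admin_request(path):
    return ADMIN_PATH.match(path) is not None

def failed_admin_auth_by_ip(lines, threshold=5):
    """Count 401s on protected admin paths per client IP; return IPs at/above threshold.
    A browser's first request also gets a 401 (no credentials sent yet), so one or
    two per IP is normal; whitelisted IPs never appear because they skip the prompt."""
    failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 401 and is_admin_request(rec["path"]):
            failures[rec["ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}

# Constructed sample log lines (documentation IP ranges, not real traffic)
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/ HTTP/1.1" 401 381',
    '203.0.113.5 - admin [10/Oct/2023:13:55:37 +0000] "POST /admin/ HTTP/1.1" 401 381',
    '203.0.113.5 - admin [10/Oct/2023:13:55:38 +0000] "POST /admin/ HTTP/1.1" 401 381',
    '203.0.113.5 - root [10/Oct/2023:13:55:39 +0000] "POST /admin/ HTTP/1.1" 401 381',
    '203.0.113.5 - root [10/Oct/2023:13:55:40 +0000] "GET /admin?x=1 HTTP/1.1" 401 381',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /admin/ HTTP/1.1" 401 381',
    '198.51.100.7 - shopowner [10/Oct/2023:13:56:04 +0000] "GET /admin/ HTTP/1.1" 302 0',
    '192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /catalog/product/admin-chair.html HTTP/1.1" 200 8812',
]
# failed_admin_auth_by_ip(SAMPLE_LOG) -> {'203.0.113.5': 5}
```

Feed it the real access log with `failed_admin_auth_by_ip(open("/var/log/apache2/access.log"))` and the flagged IPs are candidates for a firewall or fail2ban rule.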