One of the good security practices in Magento (either 1 or 2) is to protect your back-office (admin) URL with HTTP Basic authentication, using an htpasswd file (configured directly in the Apache conf or in an .htaccess file). It is not a perfect solution, but it adds an extra layer of security which:
- Will prevent anyone from even reaching the admin login page from an arbitrary location
- Will prevent brute force attacks against the admin login. This particular case is what we’ve experienced in our Magento stores.
The configuration you need should be as follows. Take into consideration:
- Your website should be served over SSL (port 443); Basic auth sends the credentials with every request, so they must never travel over plain HTTP
- The important part is the ‘Location’ block. There we specify our custom admin URL (if you use one) together with the default ‘admin’ string.
- We can whitelist some IPs if necessary; requests from those addresses are let through without being asked for a password
<VirtualHost *:443>
    # Whatever comes before....

    # Matches /admin and your custom admin path, plus anything beneath them
    <Location ~ "^.*/(your_custom_admin_url|admin)(/|$)">
        AuthType Basic
        AuthName "Restricted Area"
        # Created with the htpasswd tool; keep it outside the document root
        AuthUserFile /var/www/.htpasswd
        # Either the client IP is whitelisted OR it presents valid credentials
        <RequireAny>
            # Whitelisted IP
            Require ip 220.127.116.11
            # Whitelisted IP
            Require ip 18.104.22.168
            Require valid-user
        </RequireAny>
    </Location>

    # The rest of your configuration goes here....
</VirtualHost>
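To check what the Location regex and the RequireAny block actually let through, here is an added Python model of that access decision (example code written for this post, not Apache's own logic or the configuration above). It assumes a constructed htpasswd entry in the {SHA} format and takes a request path, client IP and Authorization header as inputs.

```python
import base64
import hashlib
import hmac
import ipaddress
import re

# Same pattern as the page's <Location ~ ...> block ('your_custom_admin_url' is its placeholder).
ADMIN_LOCATION = re.compile(r"^.*/(your_custom_admin_url|admin)(/|$)")
# The two whitelisted addresses from the page's config.
WHITELIST = [ipaddress.ip_network(ip) for ip in ("220.127.116.11", "18.104.22.168")]

def sha_entry(password: str) -> str:
    """htpasswd '{SHA}' entry (htpasswd -s); used only to stay stdlib-only,
    on a real server prefer bcrypt entries (htpasswd -B)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

# Constructed stand-in for the contents of /var/www/.htpasswd.
HTPASSWD = {"shopadmin": sha_entry("correct horse battery")}

def basic_header(user: str, password: str) -> str:
    """Authorization header a browser sends after the 401 challenge."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def is_admin_path(path: str) -> bool:
    return ADMIN_LOCATION.match(path) is not None

def ip_whitelisted(client_ip: str) -> bool:
    # 'Require ip' sees the TCP peer address: behind a CDN or reverse proxy
    # that is the proxy's IP, so a whitelist of client IPs would never match.
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in WHITELIST)

def credentials_valid(authorization, htpasswd: dict) -> bool:
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(authorization[6:]).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 (UnicodeDecodeError is a ValueError)
        return False
    expected = htpasswd.get(user)
    return expected is not None and hmac.compare_digest(sha_entry(password), expected)

def decide(path: str, client_ip: str, authorization=None, htpasswd=HTPASSWD) -> str:
    """'allow' or 'deny' for one request, mirroring the Location block and its
    <RequireAny>: a whitelisted IP OR valid credentials gets through."""
    if not is_admin_path(path):
        return "allow"  # outside the Location block: no Basic auth at all
    if ip_whitelisted(client_ip) or credentials_valid(authorization, htpasswd):
        return "allow"
    return "deny"  # Apache answers 401 and re-issues the challenge
```

Running real Magento paths through `is_admin_path` is a cheap way to confirm the pattern covers the custom admin URL without also catching unrelated URLs that merely contain "admin".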