Protecting Magento from Brute Force Attacks
E-Commerce websites are targets for such attacks due to the way the default /admin and /downloader installation because they are easily found. Those locations are then used to launch a brute-force attack where random passwords are tried automatically until one succeeds. This is one of the simplest ways to gain access to a website because it requires no additional skill or resources, only patience.
There are a few things that you do within your Magento installation to protect yourself from a Brute Force attack.
Change the name of the back-end panel
- The default “admin” is defined in the file app/etc/local.xml under admin → routers → adminhml → args → frontName. Change it into something you can easily remember, but that is difficult to guess by others. So do not use “control” or “admin123” or “manage”.
- Flush your cache in the back end through: System → Cache Management. Or run in SSH: magerun cache:flush
This step is not required, as Magento generates an obfuscated back-end name for you during installation.
Secure /downloader and /rss
This version uses the /downloader as a way to install programs via the Magento Connect Manager. This link is a standard Magento URL, making it an easy target for brute-force attacks. Although you will likely never use this folder, its presence is essential for installing (future) patches. So instead of renaming, we recommend to install IP access control (an “IP whitelist”). Modify the existing downloader/.htaccess file and add these lines to end:
order deny,allow deny from all allow from x.x.x.x
Note: x.x.x.x will be your connecting IP. You can obtain your IP address by visiting:
Don’t use admin account
Not using the admin as the account name is another thing that helps to stop brute force attacks. People usually use admin and this is a security issue for your Magento store because it’s easy for hackers to guess it. You should consider changing the admin account name to your own account name, nickname or your email address.