One of the most common security concerns for Magento merchants is that hackers will gain access to their Magento admin. From the Magento admin control panel, a wide variety of sensitive data is available, including customer data. This backend panel can also be used to manage payment settings, insert content (including links to malicious files), and in general, wreak havoc on a merchant’s business.
With such a significant pressure point, you’d think that there would be a way to keep bad actors out, and only allow in approved users… and you’d be right! There are a number of things that you can do to protect your Magento backend admin panel.
One of the best ways to keep your Magento admin safe is to use 2-factor authentication (2FA), a method of confirming the identities of your admin users when they log in. This methodology goes above and beyond the use of a username and password. It’s a technology that’s now commonly used by consumers for logging in to a bank, e-mail, or social media account.
The Magento team agrees that two-factor authentication is highly valuable. They’ve gone as far as including a two-factor authentication solution in Magento 2.3. You can learn more about the 2FA extension for Magento 2 directly from Magento’s devdocs and user guide.
What if you’re not on Magento 2 yet? If you’re still on Magento 1, you can get our free and reliable Magento 1 2FA extension from the Magento Marketplace or GitHub. We created this extension and made it publicly available for free, because we know how important it is to keep your ecommerce site safe and secure regardless of what version of Magento you’re on.
Both 2FA solutions allow you to use a system like the Google Authenticator app to provide an additional dynamic login credential. You can learn more about the JetRails Magento 1 two-factor authentication extension on our website as well.
Additionally, we recommend taking further steps to keep your Magento admin secure. These include:
– Setting strong usernames and passwords
– Using SSL/TLS (HTTPS) for admin pages
– Accessing your admin from “safe” computers that run up-to-date antivirus software
– Enabling CAPTCHA on the admin login page
– Having your hosting provider block access to your admin from non-approved IP addresses
– Not storing passwords in insecure or public locations
– Limiting the access that you give to admin users, restricting them to only necessary admin features
– Auditing your admin user list in order to remove users that should no longer have access
– Having admins update their passwords on a regularly scheduled basis
You can also leverage a web application firewall (WAF) like Cloudflare. We’ve even created a free Cloudflare extension for Magento 1 & 2 to make managing Cloudflare faster and easier for you.
Have other Magento security questions or concerns? We’re here to help! Please be in touch with the JetRails team to learn more about secure Magento hosting, or for help finding a great JetRails partner agency that can help audit, harden, and maintain your Magento site.