How to restrict Magento Admin Panel access in Cloudflare

December 13, 2022


Restricting access to your Magento Admin Panel is one of the most important measures you can take to improve the security of your Magento store. Although 2FA was finally made mandatory in Magento 2.4.x, there are additional security solutions that you can use to restrict access to your Magento Admin Panel.


Cloudflare Web Application Firewall (WAF) is one of the best options that can protect your store on the application level and filter out malicious requests before they even make it to the server. In this tutorial, you will learn how to secure your store by restricting access to your Magento Admin Panel using the built-in options and the features provided by Cloudflare.

How to secure your Magento Admin Panel with built-in features


Magento provides great built-in options to secure your Magento site and the admin panel. Implementing all built-in security measures Magento offers while using an additional layer of security offered by the Cloudflare Web Application Firewall ensures your Magento Admin Panel is protected from cyber attacks and various security threats.

Adobe publishes its official recommendations for configuring admin security, and the majority of those measures are implemented by default. They include Two-Factor Authentication for the Magento admin in newer Magento versions and a number of other options that limit the number of login attempts and restrict the ability to reset the admin password.

Aside from 2FA, which is enabled by default in Magento 2.4 and higher, you can use a custom admin URL and configure a CAPTCHA for admin login. Let’s take a quick look at what you can do to secure your Magento admin on the site level. You can find all built-in options to limit access to your Magento Admin Panel under Stores > Configuration > Advanced > Admin.

The default settings already ensure a high level of security. Here is what some of the most important settings represent:

  • Admin Account Sharing. If set to Yes, it allows users to log in to the same account from different devices. By default, it is not allowed.
  • Password Reset Protection Type. Determines the method that is used to manage password reset requests. The ‘By IP and Email’ option means that the password can be reset online after a response is received from the notification sent to the admin email address.
  • Add Secret Key to URLs. Used to append a secret key to the Admin URL as a preventive measure against exploits.
  • Login is Case Sensitive. Not enabled by default, this setting makes the login username case sensitive.
  • Maximum Login Failures to Lockout Account. Set to 6 by default, but you can lower the number to block access earlier.
  • Password Lifetime. This setting limits the lifetime of admin passwords. After the selected number of days, Magento will require you to update the password.




Changing your Magento Admin Panel URL

"How do I change the Magento Admin Panel URL?" is one of the questions Magento store owners ask most often when they are just getting familiar with the platform. Changing your Magento Admin Panel URL is one of the additional steps you can take to improve security and protect your store's backend from unauthorized access.

You can change your Magento Admin Panel URL from the Stores > Configuration > Advanced menu under Admin Base URL. The admin path is also stored in app/etc/env.php, so alternatively you can set it from the command line with the magento setup:config:set command, passing the new address as the --backend-frontname value.



Using the Cloudflare Web Application Firewall (WAF) to restrict access to Magento Admin Panel


Cloudflare provides additional features to ensure a higher level of security for all websites, including Magento Stores. You can leverage the premade managed rulesets to provide protection against known attacks and security threats or create your own rules to restrict access to any part of your Magento store, including the admin panel.

The main benefit of using Cloudflare in terms of security is that every request coming to your website gets scanned by the CDN. If necessary, it can be blocked before it can make it to the server, thus providing a higher level of protection and reducing bandwidth usage.

The general security options along with the Web Application Firewall (WAF) are designed to check every request against a number of patterns and take the appropriate action when those conditions are met. Even without using the Cloudflare WAF rules, you ensure better security for the admin panel by adding Cloudflare to your Magento store.

Cloudflare general security settings


The general security settings include four options. First, Cloudflare determines the threat score of each request based on the data collected from Project Honey Pot and performs additional checks to evaluate HTTP headers.

The higher the Security Level chosen, the less chance that a malicious request will come through. For example, setting the Security Level to Medium or High ensures that requests coming from IP addresses with a known history of abuse will be challenged.


Cloudflare Web Application Firewall (WAF) rules for limiting access to Magento Admin Panel


The Cloudflare Web Application Firewall (WAF) provides three general types of custom rules that can help you restrict access to your Magento Admin Panel:

  • IP Access Rules. IP access rules allow you to filter traffic based on the visitor's IP address, country, or AS number.
  • Custom Firewall Rules. You can create your own rules of all kinds by specifying custom criteria.
  • Rate Limiting Rules. Rate limiting rules can protect your site from malicious traffic by blocking IP addresses that exceed the allowed number of requests for the chosen period of time.

Cloudflare firewall rules priority order

Different types of Cloudflare WAF rules have different priorities. Here is the general order Cloudflare follows when checking incoming requests against the existing set of rules:


IP Access Rules > Custom Firewall Rules > Rate Limiting Rules > Managed Firewall Rules


IP Access Rules take priority, so if a specific IP address is allowed there, no requests from it will be blocked, even if a custom rule says otherwise. An important thing to note is that if a certain IP or country is allowed by an IP Access Rule, traffic from it will not be checked against custom rules at all. Further filtering of that traffic is only possible if you have Managed Firewall Rules enabled, which are not available in the Free plan.

Using Cloudflare custom firewall rules to restrict Magento Admin Panel Access


Custom Cloudflare firewall rules allow you to deny access to your Magento store or its specific areas by using a number of parameters. Generally, you would want to limit access to a list of IP addresses or IP ranges to specify who can access the Magento Admin Panel.

Configure the URL Path field as containing your Magento Admin Panel address and choose who can access it. You can choose either the contains or the equals operator.

You can specify individual IP addresses with the equals or is in list operators; if you need to deny access to a certain IP, choose does not equal or is not in list. If you are working with IP ranges, the operators to use are is in list or is not in list.

You can additionally deny access by Threat Score. As discussed above, the Security Level chosen in the general security settings applies to the whole site. You can tighten it for a specific part of your store for higher security: blocking all requests to the admin path with a Threat Score greater than 0 is equivalent to the High Cloudflare security level for that path only.

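To make the rule ordering and the custom-rule logic above concrete, here is an added example that is not part of the Nexcess article and not Cloudflare's own code. It is a small Python model of how a request is evaluated against the three rule types in the order the article gives (IP Access Rules > Custom Firewall Rules > Rate Limiting Rules), including the caveat that a source allowed by an IP Access Rule is never checked against custom or rate-limiting rules. The admin path /secret_admin_7f3, the IP ranges, the request limit of 5 and the threat scores are constructed values for the demo; the Cloudflare expressions quoted in the comments use the real rule fields http.request.uri.path, ip.src and cf.threat_score, but the specific rule text is my own assumption of how you would write them.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for the demo; substitute your own admin frontname and ranges.
ADMIN_PATH = "/secret_admin_7f3"                                 # assumed custom admin URL
ALLOWED_ADMIN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # who may reach the admin
IP_ACCESS_ALLOW = [ipaddress.ip_network("198.51.100.0/24")]      # an IP Access Rule "Allow"

# Cloudflare custom-rule expressions the two custom rules below mirror (assumed wording):
#   http.request.uri.path contains "/secret_admin_7f3" and not ip.src in {203.0.113.0/24}
#   http.request.uri.path contains "/secret_admin_7f3" and cf.threat_score gt 0


@dataclass
class Request:
    src_ip: str
    path: str
    threat_score: int = 0   # models cf.threat_score; 0 means no known abuse history


def ip_in(ip: str, networks) -> bool:
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def custom_admin_ip_rule(req: Request) -> bool:
    """Block: request for the admin path from an IP outside the allowlist."""
    return ADMIN_PATH in req.path and not ip_in(req.src_ip, ALLOWED_ADMIN_RANGES)


def custom_threat_score_rule(req: Request) -> bool:
    """Block: request for the admin path with any threat score (the 'High' level, admin-only)."""
    return ADMIN_PATH in req.path and req.threat_score > 0


def rate_limit_rule(req: Request, counters: dict, limit: int = 5) -> bool:
    """Count admin-path requests per source IP; block once a source exceeds the limit."""
    if ADMIN_PATH not in req.path:
        return False
    counters[req.src_ip] = counters.get(req.src_ip, 0) + 1
    return counters[req.src_ip] > limit


def evaluate(req: Request, counters: dict) -> str:
    """Apply the rule types in the order IP Access > Custom > Rate Limiting."""
    # 1. IP Access Rules: an allowed source skips every later rule type.
    if ip_in(req.src_ip, IP_ACCESS_ALLOW):
        return "allow: IP Access Rule (custom and rate-limit rules skipped)"
    # 2. Custom Firewall Rules
    if custom_admin_ip_rule(req):
        return "block: admin path from IP outside the allowlist"
    if custom_threat_score_rule(req):
        return "block: admin path with threat score > 0"
    # 3. Rate Limiting Rules
    if rate_limit_rule(req, counters):
        return "block: rate limit exceeded on admin path"
    return "allow"


def demo() -> list:
    """Evaluate a constructed sequence of requests and return the verdicts in order."""
    counters = {}
    requests = [
        Request("203.0.113.10", ADMIN_PATH + "/", 0),      # allowlisted office IP
        Request("192.0.2.5", ADMIN_PATH + "/", 0),         # unknown IP hitting the admin
        Request("192.0.2.5", "/catalog/product/view", 0),  # storefront traffic is unaffected
        Request("203.0.113.10", ADMIN_PATH + "/", 20),     # office IP, but flagged by threat score
        Request("198.51.100.7", ADMIN_PATH + "/", 20),     # IP Access Rule allow wins regardless
    ]
    verdicts = [evaluate(r, counters) for r in requests]
    # Five more admin requests from the office IP: with the first one above that makes
    # six, so the last one exceeds the limit of 5 and is rate limited.
    for _ in range(5):
        verdicts.append(evaluate(Request("203.0.113.10", ADMIN_PATH + "/", 0), counters))
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The fifth request in the demo is the one to study: a source allowed by an IP Access Rule reaches the admin path even though its threat score would otherwise block it, which is exactly why the allowlist for the admin panel belongs in a custom rule rather than in IP Access Rules unless you intend that source to bypass every other check.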

Conclusion


Running an online store presents new security risks: if attackers gain access to your website, your customers’ information can be stolen and used for malicious purposes. To prevent that from happening, Magento website owners can use a wide range of tools, including built-in features like Two-Factor Authentication and various security extensions.

While using the built-in security features Magento provides is a great way to secure your Magento Admin Panel, you can use Cloudflare to ensure additional protection from common security threats for all areas of your online store.

By configuring Cloudflare Web Application Firewall (WAF), you can effectively filter web traffic and restrict access to your store’s backend by specifying the list of IP addresses that can access the Magento Admin Panel.

Managed web hosting with Nexcess


Nexcess provides an enterprise-level technology stack with infrastructure fully optimized for the chosen content management system. Leverage better performance and enhanced security with the best solutions already enabled for you. Check out Nexcess Managed Hosting plans to start today!


Kiki Sheldon


Kiki works as a Security Specialist for Liquid Web. Before joining the Abuse & Security Operations Department, she worked on the Liquid Web Managed Hosting Support Team, where she gained extensive knowledge of Linux System Administration and popular Content Management Systems (CMSs).

Kiki’s passion for writing allows her to share her professional expertise and help others. She keeps up with technology and always looks to improve her technical skills. In her free time, she enjoys reading, especially classic books and detective stories.
