Restricting access to your Magento Admin Panel is one of the most important measures you can take to improve the security of your Magento store. Although 2FA was finally made mandatory in Magento 2.4.x, there are additional security solutions that you can use to restrict access to your Magento Admin Panel.
Cloudflare Web Application Firewall (WAF) is one of the best options that can protect your store on the application level and filter out malicious requests before they even make it to the server. In this tutorial, you will learn how to secure your store by restricting access to your Magento Admin Panel using the built-in options and the features provided by Cloudflare.
How to secure your Magento Admin Panel with built-in features
Magento provides great built-in options to secure your Magento site and the admin panel. Implementing all built-in security measures Magento offers while using an additional layer of security offered by the Cloudflare Web Application Firewall ensures your Magento Admin Panel is protected from cyber attacks and various security threats.
Adobe publishes official recommendations for configuring admin security, and the majority of those measures are implemented by default. This includes 2-Factor Authentication for the Magento admin in newer Magento versions and a number of other options that limit the number of login attempts and restrict the ability to reset the admin password.
Aside from 2FA, which is enabled by default in Magento 2.4 and higher, you can use a custom admin URL and configure a CAPTCHA for admin login. Let’s take a quick look at what you can do to secure your Magento admin on the site level. You can find all built-in options for limiting access to your Magento Admin Panel under Stores > Configuration > Advanced > Admin.
The default settings already ensure a high level of security. Here is what some of the most important settings represent:
- Admin Account Sharing. If set to Yes, it allows users to log in to the same account from different devices. By default, it is not allowed.
- Password Reset Protection Type. Determines the method that is used to manage password reset requests. The ‘By IP and Email’ option means that the password can be reset online after a response is received from the notification sent to the admin email address.
- Add Secret Key to URLs. Used to append a secret key to the Admin URL as a preventive measure against exploits.
- Login is Case Sensitive. Not enabled by default, this setting makes the login username case sensitive.
- Maximum Login Failures to Lockout Account. Set to 6 by default, but you can lower the number to block access earlier.
- Password Lifetime. This setting limits the lifetime of admin passwords. After the selected number of days, Magento will require you to update the password.
Changing your Magento Admin Panel URL
"How to change the Magento Admin Panel URL?" is one of the questions Magento store owners ask most often when they are just getting familiar with the platform. Changing your Magento Admin Panel URL is one of the additional steps you can take to improve security and protect your store's backend from unauthorized access.
You can change your Magento Admin Panel URL from the Stores > Configuration > Advanced menu under Admin Base URL. Alternatively, the path is stored in app/etc/env.php, and you can update it there by running the magento setup:config:set command with the --backend-frontname option set to the new address:
Using the Cloudflare Web Application Firewall (WAF) to restrict access to Magento Admin Panel
Cloudflare provides additional features to ensure a higher level of security for all websites, including Magento Stores. You can leverage the premade managed rulesets to provide protection against known attacks and security threats or create your own rules to restrict access to any part of your Magento store, including the admin panel.
The main benefit of using Cloudflare in terms of security is that every request coming to your website gets scanned by the CDN. If necessary, it can be blocked before it can make it to the server, thus providing a higher level of protection and reducing bandwidth usage.
The general security options along with the Web Application Firewall (WAF) are designed to check every request against a number of patterns and take the appropriate action when those conditions are met. Even without using the Cloudflare WAF rules, you ensure better security for the admin panel by adding Cloudflare to your Magento store.
Cloudflare general security settings
The general security settings include four options. First, Cloudflare determines the threat score of each request based on the data collected from Project Honey Pot and performs additional checks to evaluate HTTP headers.
The higher the Security Level chosen, the lower the chance that a malicious request will get through. For example, setting the Security Level to Medium or High ensures that requests coming from IP addresses with a known history of abuse will be challenged.
Cloudflare Web Application Firewall (WAF) rules for limiting access to Magento Admin Panel
The Cloudflare Web Application Firewall (WAF) provides three general types of custom rules that can help you restrict access to your Magento Admin Panel:
- IP Access Rules. IP access rules allow you to filter traffic based on the visitor's IP address, country, or AS number.
- Custom Firewall Rules. You can create your own rules of all kinds by specifying custom criteria.
- Rate Limiting Rules. Rate limiting rules can protect your site from malicious traffic by blocking IP addresses that exceed the allowed number of requests for the chosen period of time.
Cloudflare firewall rules priority order
Different types of Cloudflare WAF rules have different priorities. Here is the general order Cloudflare follows when checking incoming requests against the existing set of rules:
IP Access Rules > Custom Firewall Rules > Rate Limiting Rules > Managed Firewall Rules
IP Access Rules have the highest priority, so if a specific IP address is allowed there, no requests from it will be blocked, even if a custom rule says otherwise. An important thing to note is that if a certain IP or country is allowed by an IP Access Rule, traffic from it will not be checked against custom rules at all. Further filtering of that traffic is only possible if you have Managed Firewall Rules enabled, which are not available in the Free plan.
Using Cloudflare custom firewall rules to restrict Magento Admin Panel Access
Custom Cloudflare firewall rules allow you to deny access to your Magento store or its specific areas by using a number of parameters. Generally, you would want to limit access to a list of IP addresses or IP ranges to specify who can access the Magento Admin Panel.
Set the URL Path field to match your Magento Admin Panel address and choose who can access it. You can use either the contains or the equals operator for the path.
You can specify a list of IP addresses with the equals or is in list operators; if you need to deny access to a certain IP, choose does not equal or is not in list. If you are working with IP ranges, the operators to use are is in list or is not in list.
You can additionally deny access by Threat Score. As discussed above, the Security Level chosen in the general security settings applies to the whole site, but you can tighten it for a specific part of your store. Blocking all requests with a Threat Score greater than 0 is equivalent to the High Cloudflare security level.
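To make the rule priority order and the custom rule logic described above concrete, here is an added Python model (not Cloudflare's code and not part of the original article) that evaluates constructed requests against an IP Access Rule and two custom rules; the admin path, the allowlisted ranges, the IP Access Rule entry and the sample requests are all constructed placeholders, and the Cloudflare expression each rule corresponds to is shown in a comment.

```python
import ipaddress

# Constructed values: a custom backend frontname and the office ranges allowed to reach it.
ADMIN_PATH = "/secure_admin_x7"
ADMIN_ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
# Constructed IP Access Rule: a single address explicitly allowed at the zone level.
IP_ACCESS_ALLOW = {"192.0.2.10"}


def ip_in_list(ip, networks):
    """'is in list' semantics: the source address falls inside any listed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def ip_access_rule(req):
    """IP Access Rules run first; an 'allow' here skips the custom rules entirely."""
    return "allow" if req["ip"] in IP_ACCESS_ALLOW else None


def custom_rules(req):
    """Custom firewall rules, evaluated in order; the first match decides."""
    on_admin = ADMIN_PATH in req["path"]  # 'URL Path contains <admin path>'
    # (http.request.uri.path contains "/secure_admin_x7" and not ip.src in {203.0.113.0/24 198.51.100.7}) -> Block
    if on_admin and not ip_in_list(req["ip"], ADMIN_ALLOWLIST):
        return "block"
    # (http.request.uri.path contains "/secure_admin_x7" and cf.threat_score gt 0) -> Challenge
    # Threat Score > 0 on the admin path mirrors the High security level for that area only.
    if on_admin and req["threat_score"] > 0:
        return "challenge"
    return None


def evaluate(req):
    """Apply the priority order: IP Access Rules > Custom Firewall Rules; default is allow."""
    if ip_access_rule(req) == "allow":
        return "allow"  # never reaches the custom rules, even on the admin path
    return custom_rules(req) or "allow"


# Constructed sample requests covering the cases the article walks through.
SAMPLES = [
    {"ip": "203.0.113.5", "path": "/secure_admin_x7/dashboard", "threat_score": 0},   # office, clean
    {"ip": "203.0.113.5", "path": "/secure_admin_x7/", "threat_score": 10},           # office, bad score
    {"ip": "192.0.2.200", "path": "/secure_admin_x7/", "threat_score": 0},            # outsider on admin
    {"ip": "192.0.2.200", "path": "/checkout/", "threat_score": 0},                   # outsider on storefront
    {"ip": "192.0.2.10", "path": "/secure_admin_x7/", "threat_score": 50},            # IP Access allow wins
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req["ip"], req["path"], "->", evaluate(req))
```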
Running an online store brings new security risks: if hackers gain access to your website, your customers’ information can be stolen and used for malicious purposes. To prevent this, Magento website owners can use a wide range of tools, including built-in features like 2-Factor Authentication and various security extensions.
While using the built-in security features Magento provides is a great way to secure your Magento Admin Panel, you can use Cloudflare to ensure additional protection from common security threats for all areas of your online store.
By configuring Cloudflare Web Application Firewall (WAF), you can effectively filter web traffic and restrict access to your store’s backend by specifying the list of IP addresses that can access the Magento Admin Panel.
Managed web hosting with Nexcess
Nexcess provides an enterprise-level technology stack with infrastructure fully optimized for the chosen content management system. Leverage better performance and enhanced security with the best solutions already enabled for you. Check out Nexcess Managed Hosting plans to start today!