
With the constant updates to firewalls and security software, online merchants can grow to feel that their IT coordinators are keeping them safe. Unfortunately, several common vulnerable areas are directly in the Magento administrator’s control.

We are used to thinking about and protecting against viruses or other automated, large-scale threats. The concept of a hacker, an individual sitting in a chair somewhere, may seem quaint, but the threat is as prevalent as ever and requires vigilance.

Hackers use automated tools that search for common names frequently used for administration panels.   After locating an administration login on a website, they’ll repeatedly try to gain access by using software that can guess thousands of possible username/password combinations.  To help make your Magento Store more secure, follow these two simple pieces of advice.

Disguise Your Admin

The Magento default administration console is called “admin” but it can be changed easily.  You need to use an FTP program to access your site.  In the app/etc/ folder you’ll see a file named “local.xml”.

Locate the following code near the bottom of the file:

<admin>
    <routers>
        <adminhtml>
            <args>
                <frontName><![CDATA[admin]]></frontName>
            </args>
        </adminhtml>
    </routers>
</admin>

You’ll notice in the frontName tag there’s the current path to your administration console.  In this example and by default, it is named “admin”.

Change it to something that you’ll remember but that no one else will guess – the important point is that it is no longer “admin”.  In this example, we’ll rename it from “admin” to “interactone”.

<frontName><![CDATA[interactone]]></frontName>

Pay attention to what you edit.  Only replace the word “admin” and don’t change anything else on the line.  Your finished code will look like this:

<admin>
    <routers>
        <adminhtml>
            <args>
                <frontName><![CDATA[interactone]]></frontName>
            </args>
        </adminhtml>
    </routers>
</admin>

Save the file and upload it to app/etc.  You will now be able to access your store’s admin by going to /interactone instead of /admin.  Going to /admin will result in a 404 error (or “page not found”), both for you and for the hapless hacker!
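Editing local.xml by hand in an FTP client is where this step usually goes wrong: a stray character elsewhere in the file takes the whole store down, and it is easy to forget whether the change was actually made. The script below is an added example, not code from the article or from Magento, that reads a copy of local.xml, reports whether the admin path is still the default “admin”, and rewrites only the frontName inside the <admin> block while keeping the CDATA wrapper and every other byte of the file intact. The sample local.xml is constructed for the example, and the rule that a new path must be a single plain URL segment (letters, digits, hyphen, underscore) is an assumption of this script, not a Magento requirement.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for app/etc/local.xml, trimmed to the parts that matter here.
# A real local.xml also carries the database credentials and other settings.
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
    <global>
        <install>
            <date><![CDATA[Sat, 01 Jan 2011 00:00:00 +0000]]></date>
        </install>
    </global>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
"""

# Location of the element the article tells you to edit.
FRONTNAME_PATH = "./admin/routers/adminhtml/args/frontName"

# Assumption: the new path is one plain URL segment (letters, digits, '-' or '_').
VALID_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")

# Matches the frontName element with or without its CDATA wrapper.
FRONTNAME_RE = re.compile(
    r"(<frontName>)(?:<!\[CDATA\[)?([^<\]]*)(?:\]\]>)?(</frontName>)"
)


def current_front_name(xml_text):
    """Return the admin path configured in local.xml, or None if the element is missing."""
    node = ET.fromstring(xml_text).find(FRONTNAME_PATH)
    if node is None:
        return None
    return (node.text or "").strip()


def uses_default_admin_path(xml_text):
    """True when the store still answers on /admin, the path every scanner tries first."""
    name = current_front_name(xml_text)
    return name is None or name.lower() == "admin"


def set_front_name(xml_text, new_name):
    """Return a copy of local.xml with only the admin frontName changed.

    The CDATA wrapper is kept and nothing outside <admin>...</admin> is touched,
    so database settings elsewhere in the file cannot be damaged by the edit.
    """
    if not VALID_NAME_RE.fullmatch(new_name) or new_name.lower() == "admin":
        raise ValueError("new admin path must be a plain path segment other than 'admin'")
    if current_front_name(xml_text) is None:
        raise ValueError("local.xml has no <admin><routers><adminhtml><args><frontName>")

    admin_block = re.search(r"<admin>.*?</admin>", xml_text, re.DOTALL)
    start, end = admin_block.span()
    new_block, count = FRONTNAME_RE.subn(
        lambda m: m.group(1) + "<![CDATA[" + new_name + "]]>" + m.group(3),
        admin_block.group(0),
        count=1,
    )
    if count != 1:
        raise ValueError("could not locate the frontName text inside <admin>")
    updated = xml_text[:start] + new_block + xml_text[end:]

    # Re-parse to prove the file is still well-formed and carries the new path.
    if current_front_name(updated) != new_name:
        raise RuntimeError("rewrite did not take effect; file left unchanged")
    return updated


if __name__ == "__main__":
    print("before:", current_front_name(SAMPLE_LOCAL_XML),
          "(default)" if uses_default_admin_path(SAMPLE_LOCAL_XML) else "")
    hardened = set_front_name(SAMPLE_LOCAL_XML, "interactone")
    print("after: ", current_front_name(hardened))
```

Run it against a downloaded copy of the file rather than the live one, check that it reports the new name, and only then upload the result to app/etc.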

B3 C@refu1

The second tip should be used with anything that you do online:  don’t use an easy-to-guess password!  Hackers are already on to using numbers instead of letters, so don’t think for a second that “4dm1n” is a clever or secure password.  Even “P4ssw0rd” is already on most brute-force lists that hackers use to guess passwords.  A truly secure password should contain at least one capital letter, one symbol and one number.  It should also be at least 8 characters long.  An example of a strong password would be “Z5ydK#v!Sg”.  It may be difficult to type, but no one will guess it, plus you can employ a password manager (RoboForm is one we like) to remember even the strongest passwords and give you secure access.
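The article’s own examples show why counting character classes is not enough on its own: “P4ssw0rd” has a capital and numbers yet is just “password” with the swaps that brute-force lists already include. The checker below is an added example, not code from the article or from any password manager it mentions; it applies the article’s stated rule (at least 8 characters, a capital, a number and a symbol) and then undoes the common number-for-letter substitutions to see whether a dictionary word is hiding underneath. The word list and the substitution table are constructed for the example and stand in for the far larger lists attackers actually use.

```python
import re

# Constructed stand-in for the brute-force word lists the article mentions;
# the real ones hold millions of entries, so this only illustrates the check.
COMMON_WORDS = ("password", "admin", "magento", "letmein", "welcome", "qwerty")

# Assumption: the digit/symbol swaps attackers already account for, as the
# article says ("4dm1n" and "P4ssw0rd" are on their lists).
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 8


def deleet(password):
    """Undo common number-for-letter substitutions and lower-case the result."""
    return password.translate(LEET_MAP).lower()


def failed_rules(password):
    """Return the list of reasons a password falls short; empty means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    # Character classes alone are not enough: "P4ssw0rd!" passes all of the
    # checks above yet is just "password" with the substitutions an attacker undoes.
    letters_only = re.sub(r"[^a-z]", "", deleet(password))
    for word in COMMON_WORDS:
        if word in letters_only:
            problems.append("based on the common word '%s'" % word)
            break
    return problems


def is_strong(password):
    """True only when every rule passes and no common word is hiding in the password."""
    return not failed_rules(password)


if __name__ == "__main__":
    for candidate in ("4dm1n", "P4ssw0rd", "P4ssw0rd!", "Z5ydK#v!Sg"):
        print(candidate, "->", failed_rules(candidate) or "ok")
```

The article’s strong example “Z5ydK#v!Sg” passes every check, while “P4ssw0rd!” fails only the dictionary check, which is exactly the case a rule based on character classes alone would wave through.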