What is a Brute Force Attack?
A brute force attack is a trial-and-error based method used to acquire information such as a username and password. Attackers frequently use automated software to generate a large number of consecutive guesses. To improve efficiency, an attacker may use a dictionary attack using common or default passwords.
Brute force attacks against a Magento Admin panel require knowing the admin panel URL and guessing a correct combination of a username and password. Merchants are advised to use admin usernames that are not easily guessed, strong passwords, and to regularly audit the admin users in their system.
What Can I Do To Protect and Secure My Store?
There are specific actions you should take to help protect your store from brute force password guessing attacks. We recommend that you review the following approaches with your Solution and Hosting Partners and implement the ones that are best suited to your unique situation.
1. Confirm Admin Panel URL
Merchants should confirm that their admin URL is not set to the default value or to another commonly used path such as "backend". The admin URL can be changed through the admin panel.
For Magento 1.x:
Navigate to System > Configuration > Advanced > Admin > Custom Admin Path
For Magento 2.x:
Navigate to Stores > Configuration > Advanced > Admin > Custom Admin Path
2. Update Admin Account Security
Merchants should configure their admin panel to limit the number of password reset requests per hour to three (3), and to set the maximum number of login failures after which an account is locked out. The Lockout Time should be set to a minimum of 30 minutes. These settings can also be configured through the admin panel.
For Magento 1.x:
Navigate to System > Configuration > Advanced > Admin > Security
For Magento 2.x:
Navigate to Stores > Configuration > Advanced > Admin > Security
3. Enable CAPTCHA
A CAPTCHA is a challenge, typically a combination of letters and numbers, designed to verify that a human rather than a script is responding. Merchants should protect their admin panel against automated brute force attacks by enabling CAPTCHA.
For Magento 1.x:
Navigate to Stores > Configuration > Advanced > Admin > CAPTCHA
For Magento 2.x:
Navigate to Stores > Configuration > Advanced > Admin > CAPTCHA
By setting the CAPTCHA option "Number of Unsuccessful Attempts to Login" to 0 (zero), CAPTCHA verification will be required for all admin login attempts.
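As an added example (not part of the original post), the following script audits a Magento 2 configuration dump against the settings recommended in steps 1 to 3 above. The core_config_data paths it reads are assumptions from memory of Magento 2's layout, and the two sample dumps are constructed for illustration.

```python
# Added example (not from the original post): audit a Magento 2 core_config_data
# dump against the brute-force settings recommended in steps 1-3. The config paths
# are assumed from Magento 2's layout; verify them against your own install.
USE_CUSTOM_PATH = "admin/url/use_custom_path"
CUSTOM_PATH = "admin/url/custom_path"
LOCKOUT_FAILURES = "admin/security/lockout_failures"
LOCKOUT_MINUTES = "admin/security/lockout_threshold"
RESET_REQUESTS = "admin/security/max_number_password_reset_requests"
CAPTCHA_ENABLED = "admin/captcha/enable"
CAPTCHA_ATTEMPTS = "admin/captcha/failed_attempts_login"

# Admin front names the post calls out as guessable (the default and "backend").
GUESSABLE_PATHS = {"admin", "backend"}

def audit_admin_security(config):
    """Return a list of findings; an empty list means every recommendation is met."""
    findings = []
    path = config.get(CUSTOM_PATH, "")
    # Step 1: the admin URL must be customised and not a commonly used value.
    if config.get(USE_CUSTOM_PATH) != "1" or not path:
        findings.append("admin URL is the default")
    elif path.lower() in GUESSABLE_PATHS:
        findings.append(f"admin URL '{path}' is easily guessed")

    # Step 2: lockout enabled, lockout time >= 30 min, <= 3 reset requests per hour.
    if int(config.get(LOCKOUT_FAILURES, 0)) < 1:
        findings.append("lockout on failed logins is disabled")
    if int(config.get(LOCKOUT_MINUTES, 0)) < 30:
        findings.append("lockout time is below 30 minutes")
    resets = int(config.get(RESET_REQUESTS, 0))  # 0 is assumed to mean no limit
    if resets < 1 or resets > 3:
        findings.append("password reset requests per hour not limited to 3")

    # Step 3: CAPTCHA on; 0 unsuccessful attempts means it is required on every login.
    if config.get(CAPTCHA_ENABLED) != "1":
        findings.append("admin CAPTCHA is disabled")
    elif int(config.get(CAPTCHA_ATTEMPTS, 0)) != 0:
        findings.append("CAPTCHA only required after failed attempts, not on every login")
    return findings

# Constructed sample dumps: one as a store might ship, one following the post's advice.
WEAK_CONFIG = {USE_CUSTOM_PATH: "1", CUSTOM_PATH: "backend", LOCKOUT_FAILURES: "6",
               LOCKOUT_MINUTES: "10", RESET_REQUESTS: "5", CAPTCHA_ENABLED: "0"}
HARDENED_CONFIG = {USE_CUSTOM_PATH: "1", CUSTOM_PATH: "q7x-ops-console", LOCKOUT_FAILURES: "6",
                   LOCKOUT_MINUTES: "30", RESET_REQUESTS: "3", CAPTCHA_ENABLED: "1",
                   CAPTCHA_ATTEMPTS: "0"}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_admin_security(cfg) or ["all recommendations met"])
```

On a real store, populate the dictionary from the core_config_data table (or `bin/magento config:show`) rather than the constructed samples.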
4. Activate Security Scanning of your Store
Merchants should activate the Magento Security Scan Tool where they can schedule regular scans of all of their domains. This free tool allows merchants to monitor their sites in real-time for security risks including admin panels that may be vulnerable to brute force attacks. The Security Scan Tool also monitors for malware signatures. More information can be found at https://magento.com/security.
5. Prepare for Two-Factor Authentication
Magento has certain controls already built in to minimize and prevent brute force attacks. Two-factor authentication (2FA), which prevents brute force attacks, can also be added by using one of the extensions in the Marketplace. In addition, we will be adding 2FA to the core application (Magento 2) in late Summer.
What If I Discover That I Have Been Attacked?
If you discover that your site has been attacked, immediately reach out to your Solution Partner, developer, or a security firm to identify and clean your site of all malicious code, install any missing security patches, and update all Admin passwords. If you think that you have found a specific vulnerability in Magento, please report it to security@magento.com.
Take action today to protect your site against Brute Force and other potential vulnerabilities.
NEED HELP TO MIGRATE MAGENTO 1.X TO MAGENTO 2.X?
As you know, Magento 2 uses new approaches and technologies that give merchants an unmatched ability to create innovative shopping experiences and scale to new levels. If you would like to update your site to Magento 2 but are afraid of facing technical difficulties, feel free to contact our custom work department.