Secure Your Site From Brute force attacks

Magento is seeing an increase in brute force attacks that have even resulted in unauthorized admin panel access. Magento strongly recommends securing your site from these attacks.

Before you can begin the security process, you must identify all the access points to site that can potentially be used by any brute force password guesser. You can scan your site with HTTP://MAGEREPORT.COM to locate all of them.

The first step to protect from password guessing is IP white listing, which enables access only for users coming from a specified IP address or network. This protects access to admin and downloader locations. To find your IP address you can use Google: HTTPS://WWW.GOOGLE.COM/SEARCH?Q=WHAT+IS+MY+IP. It should show an address like 111.222.333.444 . However, this solution only works best if you always access the store backend from the same location and computers.  If you are using dynamic IP addresses or accessing the backend through a mobile device or your company has a remote workforce, it is important to add their IP addresses as well so they can have access to the network.

White listing the admin panel and RSS feeds is a bit different.  It is done by redirecting requests coming from unknown IP addresses to the main page. To do this you must edit the .htaccess file in the root Magento folder right after the rewrite rules for mobile user agents, located just before a section called “always send 404 on missing files in these folders”.

  • For an admin panel, add the following rule in root .htaccess file (inside <IfModule mod_rewrite.c> ):

RewriteCond %{REMOTE_ADDR} !^xx.xx.xx.xx

RewriteRule ^(index.php/)?admin/ – [L,R=403]


  • For the RSS feed, add the following rule in the root .htaccess file (inside <IfModule mod_rewrite.c>):

RewriteCond %{REMOTE_ADDR} !^xx.xx.xx.xx

RewriteRule ^(index.php/?)?rss/ – [L,R=403]


  • For the downloader application, add the following rule in ./downloader/.htaccess file:

order deny,allow

deny from all

allow from xx.xx.xx.xx


You shouldn’t need to work with your hosting provider to restrict access to the admin, downloader and RSS locations, if however you have full access to your server, you can modify the Nginx configuration yourself, following instructions posted at HTTPS://WWW.NGINX.COM/RESOURCES/ADMIN-GUIDE/RESTRICTING-ACCESS/

If you are not planning to use the RSS feed or downloader, it is best to completely block or remove them. You can delete the whole download folder or alternatively block access. You can block it through the following commands:

  • For downloader application, add the following rule to downloader/.htaccess file:
    deny from all
  • For the to the RSS feed, add the following rule in the root .htaccess file (inside <IfModule mod_rewrite.c>):

RewriteRule ^(index.php/?)?rss/ – [L,R=403]


In addition to White listing, you can change the location of the admin panel and downloader; this will reduce the likelihood of being targeted by a generic attack. However, it does not protect against targeted attacks which try to guess the location with multiple requests.

Before making these changes make sure there are no conflicting security rules that apply to default locations. If you need any assistance, you can reach us either by filling out our contact us form, emailing us at info@121ecommerce, or calling us directly at 216-586-6656.