Protecting Magento from Brute Force Attacks

E-Commerce websites are targets for such attacks due to the way the default /admin and /downloader installation because they are easily found. Those locations are then used to launch a brute-force attack where random passwords are tried automatically until one succeeds. This is one of the simplest ways to gain access to a website because it requires no additional skill or resources, only patience.

There are a few things that you do within your Magento installation to protect yourself from a Brute Force attack.

Change the name of the back-end panel

Magento 1

  1. The default admin is defined in the file app/etc/local.xml under admin → routers → adminhml → args → frontName. Change it into something you can easily remember, but that is difficult to guess by others. You would not want use control, admin123, or manage.
  2. Flush your cache in the back end through: System → Cache Management. Or run in SSH: magerun cache:flush

Magento 2

This step is not required, as Magento generates an obfuscated back-end name for you during installation.

Secure /downloader and /rss

Magento 1

This version uses the /downloader as a way to install programs via the Magento Connect Manager. This link is a standard Magento URL, making it an easy target for brute-force attacks. Although you will likely never use this folder, its presence is essential for installing (future) patches. So instead of renaming, we recommend installing an IP access control (an IP whitelist). Modify the existing downloader/.htaccess file and add these lines to end:

order deny,allow
deny from all
allow from x.x.x.x

Note: x.x.x.x will be your connecting IP. You can obtain your IP address by visiting:

Dont use admin account

Not using the admin as the account name is another thing that helps to stop brute force attacks. People usually use admin and this is a security issue for your Magento store because it's easy for hackers to guess it. You should consider changing the admin account name to your own account name, nickname or your email address.