5 Immediate Actions to Protect against Brute Force attacks

April 8, 2018

At Magento, security is at the center of everything we do, and we want to ensure that every merchant remains vigilant and up to date in protecting their store and their customers 24x7x365. Recently, we’ve seen that cybercriminals continue to use brute force password guessing attacks against the accounts of our open source users to try to gain access to them. Merchants need to take these threats seriously, and can prevent future issues if they follow best practices and adopt the latest security releases.

What is a brute force attack?

A brute force attack is a trial-and-error based method used to acquire information such as a username and password. Attackers frequently use automated software to generate a large number of consecutive guesses. To improve efficiency, an attacker may use a dictionary attack using common or default passwords.

Brute force attacks against a Magento Admin panel require knowing the admin panel URL and guessing a correct combination of a username and password. Merchants are advised to use admin usernames that are not easily guessed, strong passwords, and to regularly audit the admin users in their system. 
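The following is an added example, not Magento code: it scans a web server access log for clients that submit the admin login form far more often than a person would. It assumes the Combined Log Format; the watched path names and the thresholds are assumptions to replace with your store's own admin path and limits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumptions for this example: watched admin path names and alert thresholds.
ADMIN_PATHS = ("admin", "backend")
WINDOW = timedelta(minutes=5)
MAX_POSTS = 5

# Combined Log Format prefix: ip ident user [time] "METHOD path proto" status
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def is_admin_path(path):
    """True if the first path segment (ignoring index.php) is a watched admin name."""
    segs = [s for s in path.split("?")[0].split("/") if s and s != "index.php"]
    return bool(segs) and segs[0].lower() in ADMIN_PATHS

def find_bruteforce(lines, window=WINDOW, max_posts=MAX_POSTS):
    """Map each offending IP to its peak number of admin POSTs inside one window.
    Lines must be in chronological order per client, as in a normal access log."""
    recent, flagged = defaultdict(deque), {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not is_admin_path(m["path"]):
            continue  # unparsable line, or not a form submission to the admin panel
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop submissions older than the window
            q.popleft()
        if len(q) > max_posts:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged

def sample_log():
    """Constructed log lines (documentation IP ranges), not real traffic."""
    base = datetime(2018, 4, 8, 10, 0, tzinfo=timezone.utc)
    def row(ip, secs, request, status):
        ts = (base + timedelta(seconds=secs)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{request} HTTP/1.1" {status} 512'
    rows = [row("203.0.113.7", 2 * i, "POST /index.php/admin/", 200) for i in range(40)]
    rows.append(row("198.51.100.4", 30, "POST /admin/", 302))
    rows.append(row("192.0.2.15", 45, "GET /catalog/product/view/id/1", 200))
    return rows

if __name__ == "__main__":
    for ip, peak in find_bruteforce(sample_log()).items():
        print(f"{ip}: {peak} admin POSTs within {WINDOW}")
```

The check counts every POST to the admin path regardless of response status, so a flagged address is a lead to investigate alongside the admin lockout settings, not proof of a successful login.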

What can I do to protect and secure my store?

There are specific actions you should take to help protect your store from brute force password guessing attacks. We recommend that you review the following approaches with your Solution and Hosting Partners and implement the ones that are best suited to your unique situation.

1. Confirm Admin Panel URL

Merchants should confirm that their admin URL is not set to the default value or to another commonly used URL such as “backend”. The admin URL can be changed through the admin panel.

  • For Magento 1.x:
    Navigate to System > Configuration > Advanced > Admin > Custom Admin Path

  • For Magento 2.x:
    Navigate to Stores > Configuration > Advanced > Admin > Custom Admin Path

2. Update Admin Account Security

Merchants should configure their admin panel to limit the number of password reset requests per hour to three (3), and to set a maximum number of login failures before an account is locked out. The Lockout Time should be set to a minimum of 30 minutes. These settings can also be configured through the admin panel.

  • For Magento 1.x:
    Navigate to System > Configuration > Advanced > Admin > Security

  • For Magento 2.x:
    Navigate to Stores > Configuration > Advanced > Admin > Security

3. Enable CAPTCHA

CAPTCHA is a code made up of a combination of letters and numbers, designed to verify that the response comes from a human. Merchants should protect their admin panel against automated brute force attacks by enabling CAPTCHA.

  • For Magento 1.x:
    Navigate to Stores > Configuration > Advanced > Admin > CAPTCHA

  • For Magento 2.x:
    Navigate to Stores > Configuration > Advanced > Admin > CAPTCHA

  • By setting the CAPTCHA option “Number of Unsuccessful Attempts to Login” to 0 (zero), the CAPTCHA verification will be required for all admin login attempts.

4. Activate Security Scanning of your Store

Merchants should activate the Magento Security Scan Tool, where they can schedule regular scans of all of their domains. This free tool allows merchants to monitor their sites in real time for security risks, including admin panels that may be vulnerable to brute force attacks. The Security Scan Tool also monitors for malware signatures. More information can be found at https://magento.com/security

5. Prepare for Two-Factor Authentication

Magento has certain controls already built in to minimize and prevent brute force attacks. Two-factor authentication (2FA), which prevents brute force attacks, can also be added for customers by using one of the extensions in the Marketplace. In addition, we will be adding 2FA to the core application (Magento 2) in late Summer.

What if I discover that I have been attacked?

If you discover that your eCommerce website has been attacked, immediately reach out to your Solution Partner, developer, or a security firm to identify and clean your site of all malicious code, install any missing security patches, and update all Admin passwords. If you think that you have found a specific vulnerability in Magento and can provide more technical details, please report it to security@magento.com.

Protecting your site from malware requires building the “security muscle” in your organization. Take the time to develop a plan and train your team so that security becomes a natural part of your daily business processes.

Take action today to protect your site against Brute Force and other potential vulnerabilities.

To stay ahead of cybercriminals, frequent our Security Center to stay up to date on security alerts, releases, and best practices at https://magento.com/security.