You, as a store owner, are expected to be vigilant about the security of your online store and to take all the necessary steps to ensure it is protected. Apart from basic security practices, such as using strong login credentials and custom URLs, Magento gives you the ability to further harden your website. We have previously reviewed how to enable Google reCAPTCHA and how to configure Two-Factor Authentication on your Magento store. In this tutorial, our focus will be on the Admin Security settings, which let you add a secret key to Admin URLs, enforce case-sensitive logins, and control the duration of Admin sessions and the number of allowed login attempts.
In order to begin, please log in to your Magento Admin Dashboard and navigate through the left menu bar to Stores > Configuration.
Once you access the “Configuration” page, please expand the last “Advanced” section and click on “Admin”.
Now that you are on the right page we can step into the configuration of the security settings.
Please, expand the “Security” section in order to list all the available settings and let’s review them one by one. Note that in order to be able to edit the settings you will have to untick the “Use Default Value” checkbox wherever needed.
The first setting, “Admin Account Sharing”, lets you control whether admin users are able to log in to their account from multiple devices. The default and recommended option “No” restricts users’ ability to log in to the same account from different devices. If you set it to “Yes”, admin users will be allowed to log in to the same account from multiple devices.
From the “Password Reset Protection Type” dropdown menu you can select the method used to handle password reset requests. The default “By IP and Email” method allows admin users to request a password change and update their password online as soon as they confirm the email notification sent to the user’s admin email address. The second method, “By IP”, allows admin users to reset their passwords online with no additional confirmation required. The third method, “By Email”, allows admin users to reset their password once they confirm the email notification sent to the user’s admin email address. The fourth method, “None”, allows only the store admin to reset passwords. You can customize the templates used for the password reset email notification by expanding the first “Admin User Emails” section, available above on this page.
The following “Recovery Link Expiration Period (hours)” will allow you to determine the period of time (in hours) during which the password recovery link will be functional.
The next “Max Number of Password Reset Requests” setting will allow you to limit the maximum number of password reset requests that could be submitted within an hour.
The “Min Time Between Password Reset Requests” setting will allow you to control the minimum time (in minutes) required between password reset requests.
The “Add Secret Key to URLs” setting is enabled by default. If you leave it enabled, a secret key is appended to each Admin URL as a preventive measure against exploits such as cross-site request forgery.
The following setting, “Login is Case Sensitive”, controls whether the login credentials entered by the user are matched case-sensitively against the credentials stored on file. If you would like to enable it, select “Yes” from the dropdown menu.
The “Admin Session Lifetime (seconds)” setting controls the length of the admin session in seconds. Once the time set here passes, the session times out, the user is automatically logged out and must enter their login credentials again in order to regain access.
The following “Maximum Login Failures to Lockout Account” setting lets you set the maximum number of failed login attempts allowed before the user account is temporarily locked. If you would like to disable this functionality, set the value to 0.
The next “Lockout Time (minutes)” setting lets you control the period of time (in minutes) for which an account locked due to failed login attempts remains locked. Once the time defined here passes, the user can try to log in again.
The “Password Lifetime (days)” setting lets you control the period of time (in days) for which the Admin password remains valid. If you would like to disable this feature, set the value to 0.
The last setting, “Password Change”, lets you control whether users are required to change their password after account creation. If you select the “Forced” option, they will be obligated to change their passwords after their accounts are set up. The “Recommended” option suggests that users change their passwords, but they will not be obligated to do so.
Finally, once you are ready, please do not forget to click on the “Save Config” button in order to record your setting preferences.
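As an added example (not part of this tutorial or of Magento itself), the following Python script audits a CSV export of the core_config_data table against the settings discussed above and flags the weak ones; the config paths are assumed to match a standard Magento 2 installation, the one-hour session-lifetime threshold is the script's own choice, and the sample export is constructed.

```python
import csv
import io
# Config path -> (label shown in the Admin, predicate that is True when the
# value is acceptable, message reported when it is not). Paths are assumed to
# match a standard Magento 2 install; the thresholds are this script's own.
CHECKS = {
    "admin/security/admin_account_sharing": (
        "Admin Account Sharing", lambda v: v == "0",
        "set to Yes: one admin account may be used from several devices"),
    "admin/security/use_form_key": (
        "Add Secret Key to URLs", lambda v: v == "1",
        "disabled: Admin URLs carry no secret key"),
    "admin/security/use_case_sensitive_login": (
        "Login is Case Sensitive", lambda v: v == "1",
        "disabled: logins match regardless of letter case"),
    "admin/security/session_lifetime": (
        "Admin Session Lifetime (seconds)", lambda v: int(v) <= 3600,
        "longer than one hour (this script's own threshold)"),
    "admin/security/lockout_failures": (
        "Maximum Login Failures to Lockout Account", lambda v: int(v) > 0,
        "0 disables account lockout after failed logins"),
    "admin/security/password_lifetime": (
        "Password Lifetime (days)", lambda v: int(v) > 0,
        "0 disables password expiry"),
}

def audit(config_csv: str) -> dict:
    """Return {path: finding} for every checked path; None means the value is OK."""
    values = {r["path"].strip(): r["value"].strip()
              for r in csv.DictReader(io.StringIO(config_csv))}
    findings = {}
    for path, (label, acceptable, message) in CHECKS.items():
        if path not in values:
            findings[path] = f"{label}: not in export (default value applies)"
            continue
        value = values[path]
        findings[path] = None if acceptable(value) else f"{label}: {message} (value={value!r})"
    return findings

# Constructed sample export: two weak settings and one path left at its default.
SAMPLE = """path,value
admin/security/admin_account_sharing,1
admin/security/use_form_key,1
admin/security/use_case_sensitive_login,1
admin/security/session_lifetime,900
admin/security/lockout_failures,0
"""
if __name__ == "__main__":
    for path, finding in audit(SAMPLE).items():
        print("WEAK" if finding else "OK  ", path, finding or "")
```

Run it against a real export (for example the output of a SELECT path, value FROM core_config_data WHERE path LIKE 'admin/security/%' saved as CSV) to get a quick list of settings that still need attention.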
We hope you have managed to successfully configure your Admin Security settings and you have selected values that will enhance the security of your Magento Admin account. If you happened to experience any difficulties or you have any questions, please do not hesitate to contact our Support Team.
Sebahat is a young and bright person who has become an invaluable part of our team. She started as a Customer Care Representative and quickly evolved into a tech-savvy specialist familiar with every support layer of the company. Driven by the aim to constantly improve our customers’ experience, she is committed to enhancing the extraordinary support we deliver.