Is your Magento admin panel secure?
I’m going to say the acronym and then not refer to it again, because your customer data security should matter regardless…. GDPR (I’m glad we got that out of the way).
The Magento Admin panel is an essential part of any Magento store. It can be used to view customers and their orders, add products and change their pricing. Basically it’s the mechanism by which the merchant perhaps with the help of a supporting agency, follow, perform and tweak day-to-day business. It can also be a way for hackers to gain valuable information for spam campaigns or change the payment page to enable capture of credit card details for fraudulent purposes, amongst other things.
A breach of the admin area can be difficult and costly to resolve and can result in large fines which may even force a site to cease trading. For this reason there is password protection and the option to have the admin area on a non-standard website URL - but is this enough?
For some reason which I can’t remember, a few days ago I found myself reading an article on Magento RSS/Admin brute forcing. I’ve seen this happen first-hand and been part of the follow up tasks - it’s never a pleasant experience. So I posted a tweet which got some traction and has hopefully prompted action.
I kind of wish I’d stopped there, but unfortunately I had a discussion with a developer friend who said “Changing your admin URL […] makes things harder for those trying to reach it”. I don’t necessarily disagree with this, but I stand by my statement that it’s not a true security measure. It made me wonder if there were other ways of finding admin panels which weren’t on the standard admin URLs.
The unfortunate answer is yes. In some cases search engines know your admin URL allowing it to be found with a very simple web search. There are a few reasons this can happen but ultimately they boil down to the admin URL becoming visible in the frontend and a search engine following the link. Unfortunately the admin area doesn’t have a “NOINDEX, NOFOLLOW” meta tag so the page is indexed for search.
Three days after my initial thoughts on this topic I’ve submitted a pull request to Magento to change this, sent nearly 100 emails to Magento 1 and Magento 2 merchants, and reached out to a number of eCommerce Manager-level people on LinkedIn.
Email: “A search engine knows your Magento Admin URL” (containing the admin URL, just in case they didn’t believe me)
- 50% open rate
- 30% click rate
- 1 response
(and thanks to "Yet Another Mail Merge" I didn’t have to click send on 100 emails or use a paid service.)
If you value your customer’s privacy, which you should, you should take every measure possible to protect access to this data. Obscuring the admin URL isn’t enough. Two Factor authentication modules are available which require your password and something else to log in (perhaps a Google authenticator key), you can secure the admin so it can only be accessed from specific locations (IP addresses). I also reccomend that in Magento Commerce/Enterprise you review the admin logs periodically to ensure no suspicious login activity is happening.
Further reading from Magento is available at "Protect your Magento Installation from Password Guessing" (2016).
Concerned by anything raised in this blog post? Pease feel free to contact one of our certified Magento specialists via email@example.com.