How to Prevent Magento Brute Force Attack

How to Prevent Magento Brute Force Attack

A brute force attack is a form of cyberattack technique used to acquire login credentials. Hackers use brute-force attacks to gain admin access to the Magento websites.

Hundreds of malicious login attempts are made on Magento. In 2018, thousands of Magento websites were targeted via brute force attacks.

This attempt was made to steal credit card data and install crypto-mining malware. All accounts identified were on Magento Open Source Edition.

Though Magento itself has several built-in security features, there is still more you can do to strengthen Magento security.

In this article, we list the preventive measures to protect your Magento store from brute force attacks.

What is a Brute Force Attack?

Overview of Brute Force Attacks

A brute force attack, or exhaustive search, is a cryptographic hack. It uses a trial and error method used to decode sensitive data.

Automated software is used to generate a large number of consecutive guesses.

To improve efficiency, hackers may use a dictionary attack using common or default passwords.

A brute force attack in Magento is a cyberattack technique to get into a website. It requires knowing the Magento Admin Panel URL.

Hackers work through all possible combinations of a username and password. The login details will be used to breach your Magento store.

Brute force attack aims to:

  • Steal or expose users’ personal information
  • Harvest credentials for sale to third parties
  • Steal system resources
  • Spread malware or spam content
  • Redirect domains to malicious content
  • Damage the reputation of the organization

Most Common Tips to Prevent Magento Brute Force Attack

1. Restrict Access to Backend by IP

Restrict Access to Magento Backend - Prevent Magento Brute Force Attack

Restrict access to the Magento admin area to prevent brute force attacks.

Protect the backend of Magento via VPN. It allows only trusted IP addresses to access the Admin account.

Configure a VPN. Scope that VPN’s range so that only those users may access sensitive service ports.

2. Change the Standard Admin Panel URL Path

Change the Admin Panel URL path - Prevent Magento Brute Force Attacks

Default Magento URL is Most of the time, the default admin path is unchanged.

Merchants should confirm that their admin URL is not set as the default value. It should also not be set as other commonly used URLs such as “backend”.

The admin URL can be changed through the admin panel.

For Magento 1:

Navigate to System > Configuration > Advanced > Admin > Custom Admin Path.

For Magento 2:

Navigate to Stores > Configuration > Advanced > Admin > Custom Admin Path.

3. Keep Changing Admin Account Frequently

Rotate Admin Account Passwords - Prevent Magento Brute Force Attacks

Password rotation refers to the changing of a password.

Limiting the lifespan of a password reduces the risk of brute force attacks.

The frequency of rotation varies based on security importance.

For instance, a password for a Magento admin account should be frequently rotated within a span of 30 days.

Implement a strong password to your admin account. Ensure it is unique and never be reused.

4. Activate Security Scanning

Activate Security Scanning - Tips to Prevent Magento Brute Force Attack

Merchants should activate the Magento Security Scan Tool.

This free tool is used to schedule regular scans and monitor websites in real-time.

The Security Scan Tool monitors admin panels that may be vulnerable to brute force attacks. It also monitors for malware signatures.

5. Enable Two-Factor Authentication

Enable Two-Factor Authentication - Prevent Magento Brute Force Attack

Another effective way to prevent brute force attacks is to employ Two-Factor Authentication (2FA). It is used to limit login attempts.

Magento Two-Factor Authentication is a two-step verification process. It adds an additional security layer to access the Admin UI from all devices.

Two-Factor Authentication can be installed from the command line.

6. Update Magento to Latest Version

Update Magento to the Latest Version - How to Prevent Magento Brute Force Attack

Magento aims to improve your security through updates.

The latest Magento versions have security fixes. It includes all security patches from previous updates.

You can protect your Magento store from brute force attacks with the latest security patches.

If you are on Magento 1, consider migrating to Magento 2. Update all extensions and themes on your Magento website.

Frequently updating your Magento helps prevent cyber attacks.

7. Monitor Your Server Logs

Monitor Magento Server Logs - Prevent Magento Brute Force Attack

Admins know that log files are essential for maintaining a system. Be sure to analyze your log files diligently.

As they are an essential data source for recognizing diverse patterns of brute force attacks.

Based on these logs, you can gain insights to ensure network security.

8. Enable CAPTCHA Function

Enable CAPTCHA to prevent Magento Brute Force Attack

CAPTCHA is the code combinations of letters and numbers. It is designed to verify a human action from that of a bot.

Multiple login attempts by Brute-force in Magento can be stopped by using CAPTCHAs.

Merchants should protect their admin panel against automated brute force attacks by enabling CAPTCHA.

You can activate this feature in Magento through following steps: 1. For Magento 1:

Go to “Stores” -> Configuration -> Advanced -> Admin -> CAPTCHA.

For Magento 2:

Go to “Stores” -> Configuration -> Advanced -> Admin -> CAPTCHA.

2. By setting the CAPTCHA option “Number of Unsuccessful Attempts to Login” to 0 (zero).

The CAPTCHA verification will be required for all admin login attempts.


A Brute Force Attack is the simplest method to gain access to a site or server.

The tips mentioned above will help you protect your website against Brute Force attacks.

Increasing the security of your network and admin account.

Install any missing security patches and keep updating all Admin passwords.

Magento Security Team recommends you consult with your Magento hosting providers before implementing methods that are best suited to you.

Stay up to date on Magento security alerts, releases, and best practices.

For more information on Magento store security, check the Web Application Firewall.

Shraddha S.
Shraddha S.
Head of Content

Shraddha Singh has a lot of thoughts about Technology and the Cloud Services Industry. An Indian native and a professional Technical writer, she gets her management skills from IIT-B.

Get the fastest Magento Hosting! Get Started