Security
Overview
Security issues in Magento are a major concern in the online-store community. The concern is especially acute because Magento-based stores hold sensitive data and handle large transaction volumes, which makes them attractive targets for attackers. To help store owners prevent break-ins, Mageplaza has developed the Security extension.
The Magento 2 Security extension lets store owners detect the IP addresses that are attacking their store at any given time, so they can take timely countermeasures such as blocking those IP addresses or receiving warning emails.
Download & Install
You can download from the following resources:
- Mageplaza Security Extension
- Magento Marketplace
- How to Install
How to use
You can review login records from the dashboard when entering the backend. The log shows the 5 most recent logins; click a login name to view its details.

How to configure
After logging in to the Magento backend, go to System > Security. Detailed guides for the following sections are provided below:
- Login Log
- Checklist

I. Configuration
1.1. General
After entering Store > Settings > Configuration > Mageplaza Extensions > Security, expand the General configuration.

- In the Enable field: Choose "Yes" to turn the Security module on.
- In the Send warning emails to field:
- Enter the email address that should receive warning emails.
- You can enter multiple emails separated by commas (,).
1.2. Brute Force Protection
Go to System > Security > Configuration > General > Brute Force Protection

- In the Enable field: Choose "Yes" to enable this function.
- In the Maximum number of failed login attempts field:
- Enter the allowable number of failed logins.
- The default maximum number of failed login attempts is 5 when you enable the Security module.
- If you leave it blank or enter 0, an email is sent after every failed login.
- In the Allowed Duration field:
- Enter the number of minutes that defines the length of a session. If the Maximum number of failed login attempts is reached within this session, warning emails are sent.
- The default allowed duration is 10 minutes when you enable the Security module.
- If you leave the field blank or enter 0, no warning emails are sent even if the maximum number of failed logins is reached.
- In the Locked User Alert field: Select "Yes" to send an alert email when an admin account is locked because the number of failed login attempts was exceeded.
- In the Email Template field:
- Choose the template for the warning email.
- You can edit or customize one at Marketing > Email Template.
Here's an example of a warning email:

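The two settings above interact: the maximum counts failures, the duration bounds the window they are counted in, and blank or 0 in either field changes the behaviour rather than disabling a limit. The following is an added example, not Mageplaza's code, that replays constructed login-log lines through a monitor with those semantics. It assumes failures are counted per admin username and source IP and that the window restarts after an alert; the page does not state either detail.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not Mageplaza's code. Assumptions: failures are counted per
# (admin username, source IP); an alert fires the moment the Maximum number of
# failed login attempts is reached inside the Allowed Duration window, and the
# window restarts after an alert.

class BruteForceMonitor:
    def __init__(self, max_attempts, allowed_minutes):
        self.max_attempts = max_attempts or 0                  # blank/0 -> alert on every failure
        self.window = timedelta(minutes=allowed_minutes or 0)  # blank/0 -> never alert
        self._failures = defaultdict(deque)
        self.alerts = []  # (username, ip, time, failures_in_window)

    def record_failure(self, username, ip, when):
        """Register one failed admin login; return True if a warning email is due."""
        if self.window == timedelta(0):
            return False                      # Allowed Duration blank or 0: no emails at all
        if self.max_attempts == 0:
            self.alerts.append((username, ip, when, 1))   # every failure is reported
            return True
        attempts = self._failures[(username, ip)]
        attempts.append(when)
        cutoff = when - self.window
        while attempts and attempts[0] < cutoff:          # drop failures outside the window
            attempts.popleft()
        if len(attempts) >= self.max_attempts:
            self.alerts.append((username, ip, when, len(attempts)))
            attempts.clear()
            return True
        return False

# Constructed login-log lines (not real Mageplaza output): ISO time, result, user, IP.
SAMPLE_LOG = """\
2024-03-01T09:00:00 FAILED admin 203.0.113.5
2024-03-01T09:01:00 FAILED admin 203.0.113.5
2024-03-01T09:02:00 FAILED admin 203.0.113.5
2024-03-01T09:03:00 FAILED admin 203.0.113.5
2024-03-01T09:04:00 FAILED admin 203.0.113.5
2024-03-01T09:05:00 SUCCESS admin 203.0.113.5
2024-03-01T09:00:00 FAILED admin 198.51.100.7
2024-03-01T09:15:00 FAILED admin 198.51.100.7
2024-03-01T09:30:00 FAILED admin 198.51.100.7
2024-03-01T09:45:00 FAILED admin 198.51.100.7
2024-03-01T10:00:00 FAILED admin 198.51.100.7
"""

def analyze(log_text, max_attempts=5, allowed_minutes=10):
    """Replay the log through the monitor with the given settings; return the alerts raised."""
    monitor = BruteForceMonitor(max_attempts, allowed_minutes)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, result, user, ip = line.split()
        if result == "FAILED":
            monitor.record_failure(user, ip, datetime.fromisoformat(stamp))
    return monitor.alerts

if __name__ == "__main__":
    for user, ip, when, count in analyze(SAMPLE_LOG):
        print(f"warning email: {count} failed logins for {user!r} from {ip} by {when:%H:%M}")
```

With the defaults (5 attempts, 10 minutes) only the burst from 203.0.113.5 triggers an email; the slow attempts from 198.51.100.7, 15 minutes apart, never accumulate inside the window, which is the trade-off to keep in mind when choosing the Allowed Duration.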
1.3. Blacklist/Whitelist IPs
- In the Blacklist(s) field:
- All IP addresses entered in this section are blocked whenever they access the admin login page.
- You can block one IP address, multiple IP addresses, an IP address range or multiple IP address ranges. IP addresses are separated by commas (,).
- You can also block IP addresses using wildcard masks, as below:
10.0.0.*, 10.0.*.*, 10.0.0.* - 123.0.0.*, 12.3.*.* - 222.0.*.*
- The mark * stands for any value in the 0 - 255 range.
- In the Whitelist(s) field:
- All IP addresses entered in this section are allowed whenever they access the admin login page.
- You can allow one IP address, multiple IP addresses, an IP address range or multiple IP address ranges. IP addresses are separated by commas (,).
- You can also allow IP addresses using wildcard masks, as follows:
10.0.0.*, 10.0.*.*, 10.0.0.* - 123.0.0.*, 12.3.*.* - 222.0.*.*
- The mark * stands for any value in the 0 - 255 range.
Blacklist(s) has higher priority than Whitelist(s): if an IP address is in the Blacklist, it is blocked even if it is also in the Whitelist. So make sure you add your own IP address to the Whitelist only.
II. Checklist
The Checklist is a set of checks pointing out which factors may be possible vulnerabilities in your store. Go to System > Security > Checklist.

- In the Check admin's username box: Checks the name of the admin account. If the name is too obvious or too common to guess, a message alerts the store owner.
- In the Check captcha box:
- Checks whether captcha is enabled on the frontend or in the backend.
- Notifies the store owner if captcha is enabled. If not, a message warns the store owner to enable captcha.
- In the Check Magento Version box: Checks the version of Magento the store is running. If it is not the latest version, the checklist alerts store owners to update to the latest version.
- In the Check database prefix box:
- Checks whether the store uses a database prefix. If not, the checklist alerts store owners to use one for database security.
- If the store uses a database prefix, the checklist notifies them that their database is working properly.
Factors that are bad for your security are marked with a red X. We highly recommend upgrading the Security module to the Professional edition to learn in detail how to fix them thoroughly.
III. Login Log
From the admin panel, go to System > Security > Login Log. All logins and login attempts are recorded here. Click the Clear All button to remove all Login Log records.

Click View to see login details. Here's an example:

- Once an admin account has exceeded the allowed login attempts (configured at Store > Settings > Configuration > Advanced > Maximum Login Failures to Lockout Account), a mail notification is sent to the store owner that this account has been locked. The store owner should review the case and reset the safety settings. You can refer to this article to learn how to unlock an admin user account.

- Store owners can also check the last login of a specific administrator at System > Permissions > All Users.

- The Last login column records the most recent login attempt of an admin.
- The IP Address column records the IP address of the most recent login attempt of an admin. Clicking an IP address redirects to the Traceip page.
Reset Command Line
- If store admins mistakenly enter their own IP address in the Blacklist, run the following command first:
bin/magento security:reset blacklist
Next, run this command:
bin/magento cache:flush
- After running the commands above, which reset the Blacklist(s) field, you will be able to access the admin page again. Note that the Blacklist(s) field is now empty, so don't forget to re-enter the blacklisted IPs.
- Similarly, the Whitelist(s) can be reset with these commands:
bin/magento security:reset whitelist
bin/magento cache:flush
- If you run the command bin/magento security:reset, both Blacklist(s) and Whitelist(s) will be reset.
How to Configure Two-Factor Authentication
1. Configuration
From the Admin panel, go to Stores > Configuration > Mageplaza > Two factor Authentication

Enable: Select Yes to activate the module.
Force Using 2FA:
- Choose Yes to force all admin users to register Two-Factor Authentication (2FA). If the logged-in account has not yet set up 2FA in its account settings, it is redirected to the Account Setting page to set it up.
- When this option is enabled, all admin users who have not registered 2FA must go to the My Account page to set it up. After that, they can access the other admin pages.
Enable Trusted Device:
- Select Yes to enable saving trusted devices. For a certain period of time, when logging in from such a device, admin users do not need to authenticate with the second factor.
- This period is configured in the Trusted Time field.
Trusted Time:
- During the time period set here, when logging in from a trusted device, admin users do not need to complete two-factor authentication.
- When the Trusted Time is changed, the trust time of previously saved devices changes accordingly.
- The time is set in days.
Whitelist(s):
- Only the IP addresses entered here can access the Dashboard page without 2FA (even if they are not in the Trusted Device list).
- You can allow one IP address, multiple IP addresses, one IP address range or multiple IP address ranges to access the admin. IP addresses are separated by commas.
- The owner can also allow IP addresses to access admin pages without 2FA in the following form: 10.0.0.10, 10.0.0.*, 10.0.*.*, 10.0.0.* - 123.0.0.*, 12.3.*.* - 222.0.*.*. The symbol * stands for any value in the 0 - 255 range.
2. My Account Admin
Admins need to go to Account Setting to set up the QR/Pin code.

Register 2FA:

- After enabling 2FA, admins need to use the Authy app or Google Authenticator on their phone to scan the QR code, or enter the Key into the app, to obtain the confirmation code.
- Once the QR code is saved in the app, it automatically generates confirmation codes. The admin needs to enter the current code to register.
- After registering, from the next login onwards, admins need to get the code from the app to verify before they can access the dashboard.
- A confirmation code still works for verification for 30 seconds after the app has replaced it with a new one.
- When Force Using 2FA is enabled, the admin user cannot disable 2FA here.
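The codes described above follow the time-based one-time password algorithm (RFC 6238) that Authy and Google Authenticator implement: the Key shown next to the QR code is a base32 secret, a new 6-digit code is derived from it every 30 seconds, and a verifier that also accepts the previous 30-second code is what makes a just-replaced code still work. The following is an added example, not Mageplaza's code; that the extension uses exactly a one-step tolerance is an assumption. The secret is the RFC 6238 test-vector key, so the values can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed secret: the ASCII key "12345678901234567890" from the RFC 6238
# test vectors, base32-encoded as an authenticator app would receive it.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(secret_b32, counter, digits=6):
    """HMAC-SHA1 one-time password (RFC 4226) for a single counter value."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(secret_b32, at=None, step=30, digits=6):
    """The code an authenticator app shows at Unix time `at` (default: now)."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // step), digits)

def verify(secret_b32, submitted, at=None, step=30, window=1, digits=6):
    """Accept the current code and the previous `window` codes (assumed tolerance).

    Accepting one earlier step is what lets a code that the app replaced
    up to 30 seconds ago still pass, as the guide describes.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False
    at = time.time() if at is None else at
    counter = int(at // step)
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + delta, digits), submitted)
        for delta in range(-window, 1)
    )

if __name__ == "__main__":
    print("code right now:", totp(DEMO_SECRET))
    print("code at t=59:", totp(DEMO_SECRET, at=59))          # RFC 6238 vector: 287082
    print("accepted 30 s later:", verify(DEMO_SECRET, "287082", at=89))
    print("accepted 60 s later:", verify(DEMO_SECRET, "287082", at=119))
```

The server's clock and the phone's clock must agree to within the tolerance; a device whose clock drifts by more than a step will produce codes the verifier rejects, which is the usual cause of "the code is not accepted" reports.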
Check and remove Trusted Devices:

- Lists the browser and machine, the IP address from which it was trusted, and the last time the user logged in with this browser.
- When Trusted Device is enabled, the devices saved here do not need to enter the confirmation code to log in during the trust time period.
- When the trust time expires, the device is automatically removed from the list.
- Admin users can also remove a device by clicking the Remove button.
3. Disable login with 2FA by command
If you cannot get the confirmation code to log in with 2FA, you can use the following command to disable this feature for your account:
php bin/magento mageplaza-2fa:reset {{admin_username}}
For example, if your admin username is admin, run the command:
php bin/magento mageplaza-2fa:reset admin

After running this command, the 2FA feature is disabled. If you want to re-enable it, go to Account Settings and set it up again following the instructions in section 2.
4. Frontend & Backend
When logging in to the backend, admin users need to fill in the authentication factors.

When Trusted Device is turned on, the authentication request page looks like this:

How to Configure Google reCAPTCHA

Configuration
General Configuration

- Enable: Choose Yes to enable this module
- Language Code: Choose the language in which the reCAPTCHA is displayed on the frontend and in the backend
- Invisible (Note: applies to the frontend)
- Google API Key: Enter the Key of your Invisible reCAPTCHA
- Google API Secret Key: Enter the Secret Key
- How to create reCAPTCHA: Can be found here
- Visible (Note: applies to the backend and frontend)
- Google API Key: Enter the Key of your Visible reCAPTCHA
- Google API Secret Key: Enter the Secret Key
- How to create reCAPTCHA: Can be found here
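The Key is embedded in the page so the widget can render, while the Secret Key is used only server-side: when a form is submitted, the server posts the token the widget produced, together with the secret, to Google's siteverify endpoint and must check the JSON answer before trusting the submission. The following is an added example, not the extension's code, of building that request and checking the answer. The endpoint and the response fields (success, challenge_ts, hostname, error-codes) are Google's documented reCAPTCHA v2 API; the sample responses and hostnames are constructed, and the two-minute freshness limit is this example's own choice.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Added example, not the Mageplaza module's code. Shows what a server does with
# the Secret Key: verify the widget token with Google and validate the reply.

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

def build_verify_request(secret_key, response_token, remote_ip=None):
    """Return (url, form body) for the server-side siteverify POST.

    The Secret Key travels only in this server-to-Google request, never to the browser.
    """
    params = {"secret": secret_key, "response": response_token}
    if remote_ip:
        params["remoteip"] = remote_ip
    return SITEVERIFY_URL, urlencode(params)

def check_siteverify(response_body, expected_hostname, now, max_age=timedelta(minutes=2)):
    """Validate a siteverify JSON reply; return (accepted, reason)."""
    data = json.loads(response_body)
    if not data.get("success"):
        return False, "failed: " + ",".join(data.get("error-codes", []))
    # A valid token solved on another site must not be accepted here.
    if data.get("hostname") != expected_hostname:
        return False, f"hostname mismatch: {data.get('hostname')!r}"
    issued = datetime.strptime(data["challenge_ts"], "%Y-%m-%dT%H:%M:%SZ")
    issued = issued.replace(tzinfo=timezone.utc)
    if now - issued > max_age:
        return False, "token too old"
    return True, "ok"

# Constructed sample replies (not captured from Google) and a fixed "now".
GOOD = '{"success": true, "challenge_ts": "2024-03-01T09:00:05Z", "hostname": "shop.example.com"}'
WRONG_HOST = '{"success": true, "challenge_ts": "2024-03-01T09:00:05Z", "hostname": "other.example.net"}'
REJECTED = '{"success": false, "error-codes": ["invalid-input-response"]}'
NOW = datetime(2024, 3, 1, 9, 0, 30, tzinfo=timezone.utc)

def demo():
    """Run the constructed samples through the check; returns {name: (accepted, reason)}."""
    return {
        "good": check_siteverify(GOOD, "shop.example.com", NOW),
        "wrong_host": check_siteverify(WRONG_HOST, "shop.example.com", NOW),
        "rejected": check_siteverify(REJECTED, "shop.example.com", NOW),
        "stale": check_siteverify(GOOD, "shop.example.com", NOW + timedelta(minutes=10)),
    }

if __name__ == "__main__":
    url, body = build_verify_request("SECRET_KEY_PLACEHOLDER", "widget-token", "203.0.113.5")
    print("POST", url, body)
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

The hostname and freshness checks are the part most often skipped: a reply with "success": true alone does not prove the token was solved on your store's form a moment ago.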
Backend Configuration

- Enable: Choose Yes to enable reCAPTCHA when accessing the admin panel
- Forms: Choose where the reCAPTCHA is displayed. Store owners can display reCAPTCHA in 2 forms:
- Forms = Admin Login: reCAPTCHA is displayed in the Admin Login Form when store owners log in to the admin page
- Forms = Admin Forgot Password: reCAPTCHA is displayed in the Admin Forgot Password Form when store owners open the Admin Forgot Password page
- Size: Choose the size of the reCAPTCHA

- Size = Compact: reCAPTCHA is displayed as in the following image:

- Size = Normal: reCAPTCHA is displayed as follows:

- Theme: Choose the color theme of the reCAPTCHA

- Theme = Light: reCAPTCHA is displayed in the light color scheme
- Theme = Dark: reCAPTCHA is displayed in the dark color scheme
Frontend Configuration

- Enable: Select Yes to display reCAPTCHA on the frontend
- Recaptcha Type: Show reCAPTCHA on the frontend in one of 2 types:
- Visible: Show Visible reCAPTCHA on the frontend

- Invisible: Show Invisible reCAPTCHA on the frontend

- Forms: Choose where the reCAPTCHA is displayed on the frontend. Store owners can display reCAPTCHA in all of the following forms:
- Forms = Login: reCAPTCHA is shown in the Login Form when visitors log in to the website
- Forms = Create User: reCAPTCHA is shown in the Create User Form when visitors create an account
- Forms = Forgot Password: reCAPTCHA is shown in the Forgot Password Form when customers request a password reset
- Forms = Contact Us: reCAPTCHA is displayed in the Contact Us Form
- Forms = Change Password: reCAPTCHA is shown in the Change Password Form
- Forms = Product Review: reCAPTCHA is displayed when visitors open the product page to write a review
- Google reCAPTCHA is fully compatible with the Better Product Reviews extension, which lets customers leave reviews on your product pages easily and accurately. reCAPTCHA is shown when the Write a review button is clicked.

- Age Verification: This configuration is only shown when the Mageplaza Age Verification extension is installed; it lets your store show reCAPTCHA in the age verification popup.
- Badge Position: Shown when Invisible reCAPTCHA is chosen

- Badge Position = Inline: reCAPTCHA is displayed in the selected form on the frontend
- Badge Position = Bottom Right: reCAPTCHA is displayed at the bottom right of the page
- Badge Position = Bottom Left: reCAPTCHA is displayed at the bottom left of the page
- Size: Shown when Visible reCAPTCHA is chosen
- Size = Normal: reCAPTCHA is shown on the frontend as in the following image:

- Size = Compact: reCAPTCHA is shown on the frontend like this:

- Theme: Choose the color theme of the reCAPTCHA

- Theme = Light: reCAPTCHA is displayed in the light color scheme
- Theme = Dark: reCAPTCHA is displayed in the dark color scheme
Custom Form Position: Use this feature to add reCAPTCHA to any form in your store

- Form Post Paths
- Enter the path (URL) that processes your form submission. For example, newsletter/subscriber/new/ displays reCAPTCHA on the email address field of the newsletter form.
Below are the detailed steps:
- Step 1: Log in to your website
- Step 2: Choose the form on which you want to display reCAPTCHA and open the browser's Inspect window
- Step 3: Choose the Elements tab, then select the form that contains the field to which you want to add reCAPTCHA

- Step 4: In the Subscriber Form, copy the URL path from the Action field (in this example, the URL is "newsletter/subscriber/new/")
- Step 5: Paste the URL into the Form Post Paths field
- Paths are separated by line breaks (one path per line).
- If this field is empty but the CSS Selectors field is filled in, reCAPTCHA is still displayed on the form matched by the CSS selector, but it does not work on that form.

- CSS Selectors
- You need to obtain the CSS selector of the form. In our example we use the ID of the form: #newsletter-validate-detail displays reCAPTCHA on the Subscriber form.

- Selectors are separated by line breaks (one selector per line).
- If you leave this field blank while filling in the Form Post Paths field, reCAPTCHA won't be displayed on the form you want.
Note:
- In the Custom Form Position section, to show reCAPTCHA on a form you must fill in both fields: Form Post Paths and CSS Selectors.
- With the invisible CAPTCHA on the frontend, most users won't see a CAPTCHA at all, not even the "I'm not a robot" checkbox. If the system flags you as "suspicious", it displays the usual challenges. To test it, try clicking the Create an Account button many times.
- You need to download the Google reCAPTCHA library so that no error occurs when you run this extension.
- If you cannot access the admin panel while reCAPTCHA is enabled, you can use the following command to disable the module and access the admin page as usual:
php bin/magento module:disable Mageplaza_Recaptcha
Or you can disable only the configuration with the command below:
php bin/magento mageplaza:core:disable Mageplaza_Recaptcha
Refer to the guide to download the library
- Create the folder lib/internal/Mageplaza
- Download the Google reCAPTCHA library from here
- Extract magento-2-google-recaptcha-library.zip into lib/internal/Mageplaza, then rename the extracted folder to Recaptcha

- Run the following command to install:
php bin/magento setup:upgrade
The display of reCAPTCHA on the frontend


The display of reCAPTCHA in the backend

Command line
Run the following commands to enable or disable the Google reCAPTCHA display in the backend:
php bin/magento mpgooglerecaptcha:backend:enable
php bin/magento mpgooglerecaptcha:backend:disable