Brute-force attacks are becoming more frequent with every passing day, and almost every website is exposed to them. If you check the login activity of your Magento store, you will very likely find a number of failed login attempts using usernames such as ‘admin’, ‘root’, or ‘administrator’.
A brute-force attack can be recognised as ten or more successive failed login attempts in less than a minute, or more than 100 attempts in a 24-hour period. In this technique, attackers use trial and error to guess the correct combination of username and password. These attacks are typically carried out by bots or scripts. If you think your password-protected information is safe from them, you might want to think again.
A report by Ars Technica states that even an 8-character password could be cracked within 6 hours, and that was back in 2012, when the technology was still maturing.
There are multiple instances where Magento stores were hacked via brute-force attacks and personal details were stolen. For example, take a look at the image below.
Attack on Magento stores
Brute-force attacks, like any other attack, are the result of security negligence. In this article, we discuss some tips and tricks to mitigate the brute-force risk to your Magento store. But first, let’s see how to detect such attacks on your store.
Check out this detailed Magento security guide for overall Magento security.
How to detect brute force attacks?
You can detect brute-force attacks on your website if you have an Astra firewall installed in your Magento store. All you have to do is:
- Sign in to your Astra dashboard.
- Go to the ‘Login Protection’ tab.
- Review your login activity.
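The thresholds given above (ten or more failures inside a minute, or more than 100 in 24 hours) are easy to turn into detection logic if you can export login events from your store, firewall or web server. The script below is an added example, not code from the article or from Astra: it parses a constructed `timestamp ip username RESULT` format (adapt `parse_line` to whatever your export actually looks like), keeps a sliding window of failures per source address, and reports which sources crossed either threshold, along with a tally of the usernames that were tried.

```python
"""Flag brute-force login patterns in exported admin login events.

Added example; the log line format and the sample data are constructed
for illustration and are not a Magento or Astra export format.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

BURST_FAILURES = 10                  # ten or more failures ...
BURST_WINDOW = timedelta(minutes=1)  # ... in under a minute
DAILY_FAILURES = 100                 # more than 100 failures ...
DAILY_WINDOW = timedelta(hours=24)   # ... in a 24-hour period


def parse_line(line):
    """Parse 'ISO-timestamp ip username RESULT' into (ts, ip, user, failed).

    The format is constructed for this example; point it at your own export.
    """
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "FAIL"


def detect_brute_force(lines):
    """Return (alerts, tried_usernames).

    alerts: {ip: set of 'burst' / 'daily'} for sources that crossed a threshold.
    tried_usernames: Counter of usernames seen in failed attempts.
    """
    events = sorted(parse_line(l) for l in lines if l.strip())
    windows = {
        "burst": (BURST_WINDOW, BURST_FAILURES),
        "daily": (DAILY_WINDOW, DAILY_FAILURES + 1),  # "more than 100"
    }
    recent = defaultdict(lambda: {k: deque() for k in windows})
    alerts = defaultdict(set)
    tried = Counter()
    for ts, ip, user, failed in events:
        if not failed:
            continue  # successful logins do not count towards either threshold
        tried[user] += 1
        for kind, (span, limit) in windows.items():
            q = recent[ip][kind]
            q.append(ts)
            # Drop failures older than the window so q is a sliding window.
            while ts - q[0] > span:
                q.popleft()
            if len(q) >= limit:
                alerts[ip].add(kind)
    return dict(alerts), tried


def sample_log():
    """Constructed events: a fast attacker, a slow-and-low attacker, and a
    legitimate user who mistypes a password twice."""
    t0 = datetime(2024, 3, 1, 10, 0, 0)
    lines = []
    # 12 failures five seconds apart against 'admin' -> burst alert
    for i in range(12):
        lines.append(f"{(t0 + timedelta(seconds=5 * i)).isoformat()} 203.0.113.7 admin FAIL")
    # 120 failures ten minutes apart (~20 hours) -> daily alert, no burst
    for i in range(120):
        user = ("root", "administrator")[i % 2]
        lines.append(f"{(t0 + timedelta(minutes=10 * i)).isoformat()} 198.51.100.9 {user} FAIL")
    # Two typos followed by a successful login -> no alert
    lines += [
        f"{(t0 + timedelta(hours=1)).isoformat()} 192.0.2.5 jane FAIL",
        f"{(t0 + timedelta(hours=1, seconds=20)).isoformat()} 192.0.2.5 jane FAIL",
        f"{(t0 + timedelta(hours=1, seconds=40)).isoformat()} 192.0.2.5 jane OK",
    ]
    return lines


if __name__ == "__main__":
    found, names = detect_brute_force(sample_log())
    for ip, kinds in found.items():
        print(f"{ip}: {', '.join(sorted(kinds))}")
    print("usernames tried:", names.most_common(3))
```

The slow attacker never triggers the one-minute rule, which is exactly why the 24-hour rule exists; an alert from either is a reason to block the source and review which accounts it targeted.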
Source: Astra Security
If you do not have a firewall installed to monitor your website’s activities, get the Astra firewall now, and check your login activities.
5 Steps to prevent brute-force attacks in Magento stores
1. Customize admin path
The default backend URL of a Magento store is ‘yourdomain.com/admin’. Because this path is the same on every store, attackers know exactly where to point their login scripts, and a guessed password then gives them your admin account. To change the admin path of your store, follow these steps:
- For Magento 1.x: Navigate to System >> Configuration >> Advanced >> Admin >> Custom Admin Path.
- For Magento 2.x: Navigate to Stores >> Configuration >> Advanced >> Admin >> Custom Admin Path.
Source: Magento docs
2. Set Password Protection
Passwords are the first line of defense against any form of attack. Weak passwords increase the risk your store faces from brute-force attacks, so strong passwords are recommended. A combination of letters (both uppercase and lowercase), numbers, and special characters should do the trick. You can take these steps to protect the password of your admin account:
- From the Admin panel, go to Settings >> Configuration.
- Navigate to the Admin menu.
- Set the password protection to IP and the email.
- Set the Admin account sharing to ‘No’.
- Limit the lifetime of your passwords.
3. Enable CAPTCHA
CAPTCHA adds an extra line of defense against brute-force attacks, which are generally carried out by bots or scripts. A CAPTCHA is used to tell humans and bots apart, so only legitimate users can proceed with the login. To activate the CAPTCHA feature in your Magento store, follow these steps:
- For both Magento 1.x and Magento 2.x: Navigate to Stores >> Configuration >> Advanced >> Admin >> CAPTCHA.
Source: CAPTCHA Sample
You can also set the number of unsuccessful login attempts after which the CAPTCHA appears to 0. This makes the CAPTCHA compulsory for every login attempt.
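Steps 1 to 3 all end up as rows in Magento 2's `core_config_data` table, so they can be checked from a database export instead of by clicking through the admin panel. The script below is an added example, not code from the article, Astra or Magento: the config paths are the ones Magento 2 uses for the Stores >> Configuration >> Advanced >> Admin settings to the best of my knowledge (confirm them against your version's `system.xml`), the two sample configurations are constructed, and the 90-day password lifetime is an assumed policy value rather than something the article prescribes.

```python
"""Audit Magento 2 admin settings for the brute-force controls in steps 1-3.

Added example. Config paths are those Magento 2 stores in core_config_data
as far as I know them; WEAK and HARDENED are constructed samples.
"""

PASSWORD_LIFETIME_MAX_DAYS = 90   # assumed policy value, not from the article
LOCKOUT_FAILURES_MIN = 1          # any non-zero value turns account lockout on


def _int(value, default=None):
    """Stored values are strings; convert or fall back to default."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


# Each rule: (config path, predicate on the stored string, message when it fails)
RULES = [
    ("admin/url/use_custom_path", lambda v: v == "1",
     "custom admin path is off; the backend answers at the default /admin"),
    ("admin/url/custom_path", lambda v: bool(v) and v.lower() != "admin",
     "custom admin path is empty or still 'admin'"),
    ("admin/security/admin_account_sharing", lambda v: v == "0",
     "admin account sharing should be set to No"),
    ("admin/security/password_reset_protection_type", lambda v: v == "1",
     "password reset protection should be 'By IP and Email'"),
    ("admin/security/password_lifetime",
     lambda v: _int(v) is not None and 0 < _int(v) <= PASSWORD_LIFETIME_MAX_DAYS,
     f"password lifetime should be set and at most {PASSWORD_LIFETIME_MAX_DAYS} days"),
    ("admin/security/lockout_failures",
     lambda v: (_int(v) or 0) >= LOCKOUT_FAILURES_MIN,
     "account lockout after repeated failures is disabled"),
    ("admin/captcha/enable", lambda v: v == "1",
     "admin CAPTCHA is disabled"),
    ("admin/captcha/failed_attempts_login", lambda v: v == "0",
     "CAPTCHA only appears after N failures; set 0 to require it on every login"),
]


def audit(config):
    """Return [(path, message)] for every rule the configuration fails.

    `config` maps core_config_data paths to their stored string values;
    a path that is missing altogether counts as a failure.
    """
    findings = []
    for path, ok, message in RULES:
        value = config.get(path)
        if value is None or not ok(value):
            findings.append((path, message))
    return findings


# Constructed sample: a deliberately weakened configuration ...
WEAK = {
    "admin/url/use_custom_path": "0",
    "admin/security/admin_account_sharing": "1",
    "admin/security/password_reset_protection_type": "0",
    "admin/security/password_lifetime": "0",
    "admin/security/lockout_failures": "0",
    "admin/captcha/enable": "0",
    "admin/captcha/failed_attempts_login": "3",
}

# ... and the same settings after applying steps 1-3.
HARDENED = {
    "admin/url/use_custom_path": "1",
    "admin/url/custom_path": "ops-console-7h2k",   # constructed; choose your own
    "admin/security/admin_account_sharing": "0",
    "admin/security/password_reset_protection_type": "1",
    "admin/security/password_lifetime": "60",
    "admin/security/lockout_failures": "5",
    "admin/captcha/enable": "1",
    "admin/captcha/failed_attempts_login": "0",
}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for path, message in audit(cfg):
            print(f"  {path}: {message}")
```

To run it against a real store, build the `config` dict from `SELECT path, value FROM core_config_data WHERE path LIKE 'admin/%'` and treat every finding as a setting to revisit in the admin panel.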
4. Keep your Magento store updated
Whenever a new version is released, the vulnerabilities it fixes in the outdated version become public knowledge, and attackers can use that information against stores that have not upgraded. Keeping Magento up to date is always good security practice, and the same goes for every theme and extension in your store.
5. Use a rock-solid firewall
A firewall not only protects your store from brute-force attacks but also from other forms of attack such as SQLi, XSS, CSRF, RMI, etc. The Astra Firewall has additional features such as IP and country blocking, threat analytics, attacker profiling, bad-bot protection, blacklist monitoring, spam blocking, etc.
Source: Astra Security
Securing a website can be a daunting task when one doesn’t know how to go about it, but it is not impossible. You can protect your Magento store from brute-force attacks by following the steps above. Hopefully, we have listed all the necessary steps; if we have missed some, feel free to remind us in the comments.