How do I secure the Magento admin panel?

Secure Magento Admin Panel

1. Change the Default Admin URL

  1. Log in to Your Magento Admin Panel:
    • Navigate to your Magento admin URL and log in with your admin credentials.
  2. Navigate to the Admin Configuration:
    • Go to Stores > Configuration > Advanced > Admin.
  3. Change the Admin URL:
    • Expand the Admin Base URL section.
    • Set Use Custom Admin URL to "Yes".
    • Enter a custom admin URL in the Custom Admin URL field (e.g.,
  4. Save Configuration:
    • Click the Save Config button at the top right.

2. Use a Strong Admin Username and Password

  1. Create a Unique Username:
    • Avoid using common usernames like "admin" or "administrator".
    • Create a unique admin username.
  2. Use a Strong Password:
    • Ensure your password is complex, combining upper and lower case letters, numbers, and special characters.
    • Consider using a password manager to generate and store strong passwords.

3. Enable Two-Factor Authentication (2FA)

  1. Install 2FA Extension:
    • Magento 2.4.x has built-in 2FA. Ensure it's enabled by default.
    • Navigate to Stores > Configuration > Security > Two Factor Auth.
  2. Configure 2FA Providers:
    • Select and configure 2FA providers such as Google Authenticator, Duo Security, Authy, etc.
    • Follow the on-screen instructions to set up and enforce 2FA for all admin users.

4. Limit Admin Access by IP Address

  1. Configure IP Whitelisting:
    • Edit the .htaccess or nginx.conf file on your server to restrict access to the admin panel by IP address.
  2. Example for .htaccess (Apache):
    <Files "admin">
        Order Deny,Allow
        Deny from all
        Allow from
        Allow from
  3. Example for nginx.conf (Nginx):
    location /admin {
        deny all;

5. Use HTTPS for Admin Access

  1. Obtain and Install an SSL Certificate:
    • Purchase an SSL certificate and install it on your server.
  2. Configure Magento to Use HTTPS:
    • Go to Stores > Configuration > General > Web.
    • Set Use Secure URLs in Admin to "Yes".
    • Ensure your Base URL for Admin starts with https://.

6. Enable CAPTCHA on Admin Login

  1. Navigate to CAPTCHA Settings:
    • Go