
5 Steps to Restrict Access to Magento 2 Admin: IP, Location

Recently, the number of Magento-related security incidents has risen significantly, so restricting access to the Magento admin area has become increasingly essential. The easiest way to protect the Magento backend from password-guessing attacks is to allow only trusted IP addresses to reach it.

In this guide, I will show you two ways to restrict access to the Magento admin area. With a couple of minutes of configuration you can drastically reduce the security risk.

Restrict access to Magento 2 admin

Restrict IP addresses in Apache

  • Step 1: Log in to your server through cPanel, FTP or SSH, then navigate to your Magento installation root.

  • Step 2: Open the .htaccess file in your text editor and add the following code to it.

# Forbid (403) every request to the admin path unless the client address
# matches one of the trusted entries. Each address is anchored with $ so
# that the entry for 10.1.1.10 does not also match 10.1.1.100 - 10.1.1.109.
RewriteCond %{REQUEST_URI} ^/(index\.php/)?admin(.*) [NC]
RewriteCond %{REMOTE_ADDR} !^10\.1\.1\.10$
RewriteCond %{REMOTE_ADDR} !^10\.1\.1\.12$
RewriteRule .* - [F,L]
  • Step 3: If your admin URL has been changed, update it in the first line of the code above. For example, if you changed it to backoffice, the first line becomes:
RewriteCond %{REQUEST_URI} ^/(index\.php/)?backoffice(.*) [NC]
  • Step 4: For every IP address or range that should be able to access the Admin area, add one line like the following, replacing the sample IP:
RewriteCond %{REMOTE_ADDR} !^10\.1\.1\.10$
  • Step 5: Save the .htaccess file and verify the change by opening the Magento Admin area in your browser.
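The following added example (not part of the original tutorial) models the Apache RewriteCond chain above so you can check the effect of the rules before deploying them. It renders the .htaccess block for a given admin path and trusted-address list, and emulates the decision Apache makes for a request, showing why the trailing $ on each address matters; the function names and the sample addresses are my own.

```python
import re
from ipaddress import ip_address


def render_rewrite_rules(admin_path, allowed_ips):
    """Render the .htaccess block from the tutorial for the given admin path
    and trusted IPv4 addresses. Each address is regex-escaped and anchored
    with '$' so 10.1.1.10 cannot also match 10.1.1.100."""
    lines = [rf"RewriteCond %{{REQUEST_URI}} ^/(index\.php/)?{re.escape(admin_path)}(.*) [NC]"]
    for ip in allowed_ips:
        ip_address(ip)  # raises ValueError on a malformed address
        lines.append(rf"RewriteCond %{{REMOTE_ADDR}} !^{re.escape(ip)}$")
    lines.append("RewriteRule .* - [F,L]")
    return "\n".join(lines)


def admin_forbidden(uri, remote_addr, admin_path="admin", allowed_ips=(), anchored=True):
    """Emulate the RewriteCond chain: the RewriteRule fires (HTTP 403) only
    when the URI matches the admin pattern AND no '!address' condition fails.
    anchored=False reproduces the unanchored pattern to show the bypass."""
    uri_pattern = rf"^/(index\.php/)?{re.escape(admin_path)}(.*)"
    if not re.match(uri_pattern, uri, re.IGNORECASE):  # [NC] => case-insensitive
        return False
    for ip in allowed_ips:
        addr_pattern = rf"^{re.escape(ip)}" + ("$" if anchored else "")
        if re.match(addr_pattern, remote_addr):  # negated condition is false
            return False
    return True


if __name__ == "__main__":
    trusted = ["10.1.1.10", "10.1.1.12"]  # constructed sample addresses
    print(render_rewrite_rules("backoffice", trusted))
    # A non-trusted client (203.0.113.5 is documentation space) is blocked,
    # the storefront stays open, and 10.1.1.100 is blocked only when anchored.
    print(admin_forbidden("/admin/dashboard", "203.0.113.5", allowed_ips=trusted))
    print(admin_forbidden("/customer/account", "203.0.113.5", allowed_ips=trusted))
    print(admin_forbidden("/admin", "10.1.1.100", allowed_ips=trusted, anchored=False))
    print(admin_forbidden("/admin", "10.1.1.100", allowed_ips=trusted))
```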

Restrict IP addresses in Nginx

  • Step 1: Log in to your server through cPanel, FTP or SSH, then navigate to the directory containing nginx.conf. The path depends on your configuration, but it is normally /usr/local/nginx/.

  • Step 2: Open the nginx.conf file in your text editor and add the following code to it:

location ~* ^/(index\.php/admin|admin) {
    allow 1.1.1.1;

    try_files $uri $uri/ /index.php?$args;
    location ~* \.php$ { try_files /dummy @proxy; }
    deny all;
}
  • Step 3: If your admin URL has been changed, update it in the first line of the code above. For example, if you changed it to backoffice, the first line becomes:
location ~* ^/(index\.php/backoffice|backoffice) {
  • Step 4: For every IP address or range that should be able to access the Admin area, add one line like the following, replacing the sample IP:
allow 1.1.1.1;
  • Step 5: Finally, save the nginx.conf file and reload the configuration with this command:
# /usr/local/nginx/sbin/nginx -s reload

Conclusion

In conclusion, this guide has explained how to ensure that only whitelisted IP addresses can access the Magento admin area on your Apache or Nginx web server. I hope you find it helpful when managing your Magento store's security.

This is the end of the tutorial: 5 Steps to Restrict Access to Magento 2 Admin: IP, Location.

Posted by Sam Thomas in Manage Store. April 19, 2019

Please leave a comment if you have any questions or feedback.
