Home

Awesome

Magento 2 Security extension FREE

Security issues for Magento have left a big question mark in the community of online stores. This problem is specially cared when Magento-based stores which own critical information and huge transactional volume can easily become ideal prey for blackhat hackers to attack. To help online stores prevent brutal break-ins, Mageplaza has developed the Security extension.

Magento 2 Security extension by Magpelaza gives store owners the ability to detect the IP addresses that are intentionally attacking their store at any given time. Therefore, they have timely measures to prevent this issue such as blocking those IP addresses or sending warning emails to store owners.

Latest Stable Version Total Downloads

IMPORTANT NOTE: This version of Mageplaza Security extension on Github is free as a contribution to the Magento community from Mageplaza. This package does not include the technical support. Should you need technical support for this extension, you will have to buy a license from Mageplaza. Click here to buy.

1. Security Documentation

2. FAQs

Q: I got error: Mageplaza_Core has been already defined

A: Read solution: https://github.com/mageplaza/module-core/issues/3

3. How to install Magento 2 Security Extension

Install via composer (recommend)

Run the following command in Magento 2 root folder:

composer require mageplaza/module-security
php bin/magento setup:upgrade
php bin/magento setup:static-content:deploy

4. Contribute to Security module

Feel free to Fork and contrinute to this module and create a pull request so we will merge your changes to master branch.

Thanks the contributors


5. Security Suite Introduction

It’s a minor unnoticed fact that Magento 2 doesn’t limit any number of login attempts for vague reasons behind, why this potential danger has not been considered seriously? Displaying frontend, customer knowledge, sale figures and precious transaction database are recorded in the backend thoroughly. For that reason, it’s obvious logic that hackers will try their hard to impact brutal damages to your login in the backend. Consequently, your website can be bullied continuously by many computers at the same time, by any Badguy™ groups silently, in such vulnerable time you don’t notice.

Mageplaza Security extension comes up with various choices to let you have any idea how to massive protect your store firmly. You will be right the second such nonsense endeavors is entering your internal backend.

At the level of a free module, you can explore some fundamental yet indispensable configurations within this lightweight size that you should consider installing it to your store as soon as possible.

Failed login attempt limitation

An overwhelming number of failed logins is the first sign of unwanted attack. A tool a hacker uses will try over and over again until a correct credential is entered; therefore, that would be put in danger if you don’t limit a number of trying in a certain time, to both yourself and outer enemies.

In the backend configuration, there is a field called Maximum number of failed login attempts that is able to restrict the above danger. According to many popular security restrictions, the ideal number of failed login attempts should be limited to be under 5 times, it’s a safe way to follow this reliable figure. Also, the other factor to determine if they’re suspicious logins or not is the amount of time those break-in attempts are taken. For example, 5 failed logins within 10 minutes are undoubtedly unusual actions that store owners have to be aware.

When you enable the module, 5 is the default number of allowed unsuccessful attempts in a 10-minute session If you have no idea how you should set up for the guarding system, you can take advantage of this default settings quickly.

Automatic warning emails

In Magento 2, admins have no idea when the security wall was being reached. To remedy this passive situation, Mageplaza Security module is well integrated with the email engine. The exact helpful point in this function is, all recorded failed logins will be sent over to your email address automatically.

In the warning email, you can check out details in the abusive IP address as well as his login time.

Blacklist/Whitelist IP

Blacklist/Whitelist field is crafted and put in the configuration conveniently.

In the Blacklist field, in order to prevent strange IP addresses from abusing your backend login page, you can list those IPs in this field (multiple IPs or multiple IP ranges at a time). Now store admin can feel peace of mind, those blocked address cannot take further process to your store anymore.

Holding the reserved meaning, Whitelist field is for entering allowed IP addresses detecting which are safety authentications from your team or colleagues.

Login Logs

In case you’re running a store which is managed by several administrators, this tab will be definitely an ideal interface to summary all taken place under logged details. For each of a particular login, you can figure out its ID, Time, User name, IP, Browser Agent, Url and Status (Failed or Successful).

Security Checklist

Another additional function sticked on this module is the security checklist in the backend. The checklist technique will scan your internal gears generally and give some outlines that can be deemed to be a possible security issue. From this trait you can have timely solution to remedy the problem thanks to this convenient suggestions.

Full feature list

6. Security User Guide

How to use Security extension

You can review login records from the dashboard when entering the backend. The log displays the newest 5 logins and you can click on the login name to view the details.

How to use Magento 2 Security extension

How to configure Security Suite

After logging in Magento backend, go to System > Security. We will provide detail guides to these bellow configuration

How to configure Magento 2 Security Suite

I. Security Suite Configuration

1.1. Brute Force Protection Configuration.

Follow Mageplaza > Security > Configuration > General > Brute Force Protection

Magento 2 Brute Force Protection

Here’s an example of a warning emails:

Magento 2 Security Configuration

1.2. Blacklist/Whitelist IPs Configuration.

Magento 2 Blacklist and Whitelist IPs

Blacklist(s) has higher priority than Whitelist(s) which means if a IP address is in the Blacklist, it will be blocked even it's in the Whitelist as well. So please make sure that you've added your IP address in the Whitelist only. 

II. Security Checklist Configuration.

Checklist is a bunch of outlines pointing out which factor(s) can be the possible vulnarablity for your stores. Go to System > Security > Checklist

Magento 2 Security Checklist

For possible low-key factors that are not good for your security, they will be marked a red X. We'd highly recommend you should upgrade Security module to Professional edition to learn the detail way how to fix it throughoutly. 

III. Login Log Configuration.

From the admin panel, make your way to Mageplaza > Security > Login Log. All logins and login attempts will be recorded here.

magento 2 secure login

Click View to see login details. Here’s an example:

magento 2 Login Log

Once an admin account has exceeded the allowed login attempts (which is configured at Store> Settings> Configuration> Advanced> Maximum Login Failures to Lockout Account), there will be a mail notification to the store owner that this account has been lock up. Store owner should review this case again to reset safety settings.

magento 2 Login Logs

Also, store owners can check the last login of a specific administratore. You can follow System > Permissions > All Users

magento 2 security Login Log

Reset Command line

bin/magento security:reset blacklist 

Next, run this command line:

bin/magento cache:flush
bin/magento security:reset whitelist
bin/magento cache:flush

People also search: