How to prevent Brute Force Attacks for Magento website?


Nowadays, Magento users commonly meet Brute force attacks. Their websites are vulnerable to these attacks and they might be abused when hackers find them and launch a brute force attack.

If you use Magento, there are by default located at /admin and /downloader and can be abused in several ways. Hackers can easily find them and launch a brute-force attack. In such an attack, random passwords are tried automatically, until one succeeds.

We are recommend the following best practices

To Stop Brute Force Attacks in Magento:

1. Custom admin path.

2. Secure your Magento admin account.

3. Protect /downloader folder.

4. Protect local.xml file

5. Secure .git folder.

6. Up to date your store.

7. Enable HTTPS for admin panel.


1. Custom admin path

The default backend URL in Magento 1 is because the default Magento backend URL is common knowledge in brute-force suites.

Custom your current admin path as the following:

Edit file /app/etc/local.xml XML Path: admin -> routers -> adminhml -> args -> frontName

You can see <![CDATA[admin]]>, now change it to your own admin url, e.g: backendpanel or as you wish

Now flush Magento cache to take effect: System -> Cache Management -> Flush Magento Cache.

2. Secure your Magento admin account

1. Don’t use admin account

People usually use admin as first admin account. This is security issue for your Magento store. Because hackers can guest it easily. We recommend you should change admin account name to your own account name, nickname or your email address.

2. Keep strong password

A strong password is the safest way to protect your website from those who want to guess your password and access to your account. Your password should be set more than 8 symbols length and combine number and Lowercase and Uppercase character or sometimes include symbols.

3. Protect /downloader folder
In Magento 1, it use /downloader called Magento Connect Manager folder to install extension from Magento Connect. This is default path, it is easy for hacker to attack your Magento website. You can rename it but there is a effect way to protect the downloader folder, it is IP white list


You have to edit file downloader/.htaccess, and then enter line below to the end:

order deny,allow
deny from all
allow from x.x.x.x

x.x.x.x is your white list IP v4 address.


Open configuration file of your Magento website. E.g: /etc/nginx/conf/mywebsite.conf

Add the following block of lines:

location /downloader/ {
allow x.x.x.x;
deny all;

location ~ \.php$ {
echo_exec @phpfpm;

4. Protect local.xml file

local.xml file is very sensitive data that contain database information, admin path or crypt key. If this information is leak to public you will get problem.

Check it now, navigate your browser to If it cannot access to the data, your website is safe. Other while, you can follow the Protect /downloader folder in previously to disable that.

5. Secure .git folder

Git is now popular nowadays, every store using Git as version control of its store. Git folder contain many important information such as repo url, code files …

You can follow the Protect /downloader folder in previously to disable that.

6. Update latest Magento as well as security version

You should install the latest version for your website because there are many improvements added in this version that help your website run and save well

7. Enable HTTPs for admin panel

The data in your website is very sensitive and crucial. So, all the login details have to pass through a secure connection to ignore stealing. You just have to do like System→ Configuration→ Website.

Go to System > Configuration > Website