
Magento Forum

URLs on the public internet
 
bigmag
Member
 
Total Posts:  63
Joined:  2009-09-04
 

What is the best practice method for securing the URLs that Magento exposes to the public internet by default?

I was alarmed to see some of the showcase stores are using default admin URLs, it all seems a bit insecure to me. I’ve looked around and can’t see any definitive lockdown guide.

These are the URLs I have found that I would rather not have available on the public internet:

domain.tld/admin
domain.tld/index.php/admin
domain.tld/downloader
domain.tld/api/?wsdl
domain.tld/api/xmlrpc
domain.tld/api

There could be others. Please let me know if you know of any.

I have the following two ideas so far based on what I’ve read on forums and blogs:

Option 1: Use basic HTTP auth with a .htaccess on all these, but that’s vulnerable to brute force attack, just like the Magento login is
Option 2: Use Apache LocationMatch directive to limit access based on IP etc.
Option 3: Combination of option 1 and 2

Is there a definitive guide to securing Magento?

Sonassi
Sr. Member
 
Avatar
Total Posts:  217
Joined:  2009-05-20
Manchester, UK
 

You can always change the admin path, but security through obscurity isn’t security at all.

Your better options are those you have described. If you want to block by IP simply, add this to your virtualhost configuration:

<Location /admin>
    # Apache 2.2-style host access control: deny everyone,
    # then allow only the listed sources
    Order Deny,Allow
    Deny from All
    # Hostname-based allow (Apache must resolve the client's reverse DNS);
    # replace with your own domain
    Allow from .domain.com
    # Replace xxx.xxx.xxx.xxx with your office/VPN IP address
    Allow from xxx.xxx.xxx.xxx
</Location>
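An added example for both posts above (this is not Sonassi's snippet and not part of the original thread): a single Apache block that covers every path bigmag listed and implements his "Option 3", requiring both a trusted source address and HTTP basic auth, so a guessed password alone does not get in. A plain <Location /admin> only matches request paths that start with /admin, so /index.php/admin would not be covered; the regex below matches /admin, /index.php/admin, /downloader, /api, /api/?wsdl and /api/xmlrpc (LocationMatch tests the path, not the query string). The trusted range 203.0.113.0/24 and the file /etc/apache2/magento.htpasswd are assumed placeholder values.

```apache
# Added example, not the forum poster's configuration.
# Assumed values (change both): 203.0.113.0/24 is the trusted office/VPN
# range (a documentation range, constructed for this example) and
# /etc/apache2/magento.htpasswd is the basic-auth password file.

<LocationMatch "^/(index\.php/)?(admin|downloader|api)(/|$)">
    AuthType Basic
    AuthName "Magento administration"
    AuthUserFile /etc/apache2/magento.htpasswd

    # --- Apache 2.4 ---
    # RequireAll: the client must come from the trusted range AND present
    # valid credentials. Swap to <RequireAny> if either one should suffice
    # (IP allow-list with a password fallback for roaming admins).
    <RequireAll>
        Require ip 203.0.113.0/24
        Require valid-user
    </RequireAll>

    # --- Apache 2.2 equivalent (use instead of the RequireAll block) ---
    # Order Deny,Allow
    # Deny from all
    # Allow from 203.0.113.0/24
    # Require valid-user
    # Satisfy All    # the default: host check AND auth must both pass
</LocationMatch>
```

Create the password file with `htpasswd -c /etc/apache2/magento.htpasswd <username>` and keep it outside the web root. Two caveats: restricting /api this way also blocks legitimate SOAP/XML-RPC integrations unless their source addresses are added to the allow-list, and this sits in front of, not instead of, Magento's own admin login, which still applies once the Apache checks pass.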
 