What is the best practice method for securing the URLs that Magento exposes to the public internet by default?
I was alarmed to see some of the showcase stores are using default admin URLs; it all seems a bit insecure to me. I’ve looked around and can’t see any definitive lockdown guide.
These are the URLs I have found that I would rather not have available on the public internet:
There could be others. Please let me know if you know of any.
I have the following two ideas so far based on what I’ve read on forums and blogs:
Option 1: Use basic HTTP auth with a .htaccess on all these, but that’s vulnerable to brute force attack, just like the Magento login is.
Option 2: Use Apache LocationMatch directive to limit access based on IP etc.
Option 3: Combination of option 1 and 2
Is there a definitive guide to securing Magento?
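A sketch of Option 3 from the question above, added here as an illustration and not part of the original post: an Apache 2.4 virtual host fragment that requires both an allowed source address and HTTP basic auth for the restricted paths. The path list, the address range, the realm name and the password file location are all placeholders, since the question's own URL list is not shown.

```apache
# Added example (not from the original post). Assumes Apache 2.4 with
# mod_authz_core, mod_authz_host, mod_auth_basic and mod_authn_file loaded.
#
# <LocationMatch> is only valid in server config / <VirtualHost> context,
# not in .htaccess, so this belongs in the vhost definition.
#
# The regex is a placeholder: "admin" stands for the default admin URL the
# question mentions, "other-restricted-path" for whatever else you want hidden.
# The optional "index.php/" prefix covers requests that bypass URL rewriting.
<LocationMatch "^/(index\.php/)?(admin|other-restricted-path)(/|$)">
    AuthType Basic
    AuthName "Restricted"
    # Placeholder path; keep the file outside the document root.
    AuthUserFile "/etc/apache2/magento-admin.htpasswd"

    # Option 3: BOTH conditions must hold.
    # The IP rule limits who can even attempt a password guess, which is
    # the brute-force weakness of Option 1 on its own.
    <RequireAll>
        # Placeholder range (RFC 5737 documentation block); use your
        # office or VPN egress addresses.
        Require ip 203.0.113.0/24
        Require valid-user
    </RequireAll>
</LocationMatch>
```

Swapping `<RequireAll>` for `<RequireAny>` would accept either an allowed address or a valid login, which is weaker than the combination the question describes. Send basic auth only over HTTPS, since the credentials are merely base64-encoded on the wire.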