Admin Security is a very important stage when setting up your Magento 2 store. Magento experts recommend doing a multifaceted set up to protect the security of your store. In the post, I will guide you on How To Configure Admin Security In Magento 2.
In addition, You can use a custom Admin URL that is not easy to guess. Use a strong admin password consists of a combination of letters, numbers, and symbols. Consider implementing two-factor authentication to verify users’ identity with a one-time password that is generated on a separate device.
Security Configuration for Admin provides you with many effective security features. Let me find out about those features.
Configure Admin Security In Magento 2
Step 1: On the Admin Panel sidebar, go to Stores > Settings > Configuration.
Step 2: In the left panel, choose Advance > Admin.
Step 3: Expand the Security section.
Step 4: To prevent Admin users from logging in from the same account on different devices, set Admin Account Sharing to No.
Step 5: To determine the method that is used to manage password reset requests, set Password Reset Protection Type to one of the following:
- By IP and Email — The password can be reset online after a response is received from the notification is sent to the email address associated with the Admin account.
- By IP — The password can be reset online without additional confirmation.
- By Email — The password can be reset only by responding by email to the notification that is sent to the email address associated with the Admin account.
- None — The password can be reset only by the store administrator.
Step 6: Set login security options:
- Recovery Link Expiration Period (hours): Enter the number of hours a password recovery link remains valid.
- To determine the maximum number of password requests that can be submitted per hour, enter the Max Number of Password Reset Requests.
- Min Time Between Password Reset Requests: Enter the minimum number of minutes that must pass between password reset requests.
- Set Add Secret Key to URLs to
Yesto append a secret key to the Admin URL as a precaution against exploits. This setting is enabled by default.
- Set Login is Case Sensitive to Yes to require that the use of upper- and lowercase characters in any login credentials entered match what is stored in the system.
- To determine the length of an Admin session before it times out, enter the duration of the session in seconds, in the Admin Session Lifetime (seconds) field. The value must be 60 seconds or greater.
- Maximum Login Failures to Lockout Account: Enter the number of times a user can try to log in to the Admin before the account is locked. By default, six attempts are allowed. Leave the field empty for unlimited login attempts.
- Lockout Time (minutes): Enter the number of minutes that an Admin account is locked when the maximum number of attempts is met.
Step 7: Set password options:
- To limit the lifetime of Admin passwords, enter the number of days a password is valid in the Password Lifetime (days) field. For an unlimited lifetime, leave the field blank.
- Set Password Change to one of the following:
- Forced — Requires that Admin users change their passwords after the account setup.
- Recommended — Recommends that Admin users change their passwords after the account setup.
Step 8: Click Save Config button when complete.
This is the end of the How To Configure Admin Security In Magento 2.
Follow us for the more helpful posts!
We hope this is a useful post for you.
Thank you for reading!