Protect Your Magento Website

Brute Force Attacks: Protect Your Magento Website Before It's Too Late

A brute force attack is an old-school technique that is still in use today: the attacker guesses usernames and passwords until one pair grants access. In its pure form every combination of characters up to some length is tried; in practice the attacker starts with lists of common passwords (a dictionary attack) and only then falls back to exhaustive search. Brute forcing remains popular because it is effective and cheap to run. All the attacker needs is a script that generates candidate usernames and passwords and submits them to the login form, and off-the-shelf tools and botnets automate the whole process.

Brute force attacks are not uncommon. Statistics suggest that approximately 5% of all hack attacks involve the brute force technique. In 2016, Alibaba, a Chinese e-commerce company, was hit by a massive attack of this kind. The attackers used a database of 99 million login credentials and successfully compromised 20.6 million accounts. Security experts concluded that weak passwords and brute force attacks were behind the success of the hack. Strictly speaking, replaying a leaked credential database is credential stuffing rather than exhaustive guessing, but it succeeds for the same reason (weak and reused passwords) and the defences described below apply to both.

To execute a brute force attack against a Magento admin panel, an attacker needs three things:

  1. Admin panel URL
  2. Username
  3. Password

Hardening a store starts with understanding how these attacks work. This post covers that and then walks through the settings that protect a Magento store from them.

Why Are Brute Force Attacks Popular?

As mentioned earlier, brute force attacks are cheap and effective. Exhaustive guessing can take months or even years, but the payoff justifies the wait for the attacker: with admin access they can inject ads into the site, harvest sensitive customer data, plant malware, deface the store, or ruin the business's reputation.

The main reason brute force attacks succeed is weak passwords.

Obvious, right?

(Figure omitted; source: BetterBuys)

Unfortunately, a significant number of people use weak or common passwords. Attackers therefore start by having bots run through lists of the most common passwords; given how often default or weak passwords are used, this first pass alone is very likely to succeed. Only after the common lists are exhausted do they move on to random permutations.

(Figure omitted; source: NordPass)
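As an added illustration (not part of the original article), the shell script below works out the size of the search space for a few password policies and how long exhausting it would take. The rates are assumptions: an online attacker throttled by a lockout of three failures per 30 minutes (144 guesses per day per account), and an offline attacker testing an assumed 1e10 hashes per second against a stolen password database.

```shell
#!/bin/sh
# Added example, not from the original article: search-space size and
# time-to-exhaust for several password policies. The online rate is what a
# 3-failures-per-30-minutes lockout allows; the offline rate (1e10 guesses
# per second) is an assumed GPU cracking speed, not a measurement.

# keyspace CHARSET_SIZE LENGTH -> number of candidate passwords, printed as %.3e
keyspace() {
    awk -v c="$1" -v n="$2" 'BEGIN { printf "%.3e", c ^ n }'
}

# years_to_exhaust CHARSET_SIZE LENGTH GUESSES_PER_SECOND -> years, printed as %.3e
years_to_exhaust() {
    awk -v c="$1" -v n="$2" -v r="$3" \
        'BEGIN { printf "%.3e", (c ^ n) / r / 31557600 }'
}

# Online: 3 guesses per 30-minute lockout window = 144 guesses per day.
ONLINE_RATE=$(awk 'BEGIN { printf "%.10f", 144 / 86400 }')
# Offline (assumption): 1e10 fast hashes per second against a leaked hash.
OFFLINE_RATE=10000000000

# Print one row per policy: "name:charset_size:length".
report() {
    printf '%-22s %-10s %-14s %-14s\n' policy keyspace online_years offline_years
    for p in "lowercase,8:26:8" "mixed+digits,8:62:8" \
             "all-printable,8:95:8" "all-printable,12:95:12"; do
        name=${p%%:*}; rest=${p#*:}; c=${rest%%:*}; n=${rest#*:}
        printf '%-22s %-10s %-14s %-14s\n' "$name" "$(keyspace "$c" "$n")" \
            "$(years_to_exhaust "$c" "$n" "$ONLINE_RATE")" \
            "$(years_to_exhaust "$c" "$n" "$OFFLINE_RATE")"
    done
}

report
```

The table makes the two lessons of this section concrete: with a lockout in place even an 8-character lowercase password takes millions of years to exhaust online, so the online attacker must rely on the common-password lists the article describes, while the same password falls in seconds if the password hashes are ever stolen, which is why length and charset still matter.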

Steps to Protect Your Magento Store from Brute Force Attacks

1. Edit Admin URL

The admin URL is the first thing an attacker needs. Most stores keep the default, www.domain.com/admin, which lets anyone locate the login form and start guessing immediately. Changing it does not stop a determined attacker, since the path can still be discovered, but it takes your store out of the mass scans that only ever try /admin. To change the admin URL:

Go to “Stores” -> Configuration -> Advanced -> Admin -> Admin Base URL, set “Use Custom Admin Path” to Yes and enter the new path under “Custom Admin Path”

2. Enable CAPTCHA

CAPTCHA is a type of challenge-response test used to distinguish humans from bots. Magento's built-in CAPTCHA is image-based: the user has to type a word or random string of letters that is shown distorted. Automated tools cannot pass it cheaply, which raises the cost of every guess. It is most useful on the admin login and forgot-password forms, and it can be set to appear only after a number of failed attempts so that legitimate admins are rarely bothered. To enable CAPTCHA:

Go to “Stores” -> Configuration -> Advanced -> Admin -> CAPTCHA, set “Enable CAPTCHA in Admin” to Yes and select the Admin Login and Admin Forgot Password forms

(Figure omitted; source: Medium.com)

3. Secure Magento Admin Account

First of all, do NOT name the first admin account ‘admin’. It is the username every attacker tries first, and guessing it correctly removes one of the three unknowns listed earlier. Second, limit failed login attempts and password reset requests to three, and lock the account for at least 30 minutes once the limit is exceeded. With a lockout like this an attacker gets a handful of guesses per half hour instead of thousands per second, which makes exhaustive guessing impractical. To change these security settings:

Go to “Stores” -> Configuration -> Advanced -> Admin -> Security

4. Enable Two-Factor Authentication

Two-factor authentication means a guessed password alone is no longer enough to log in, which defeats a brute force attack even when it finds the right password. Magento supports several providers, including Google Authenticator (TOTP) and U2F security keys. Magento 2.4 bundles the Magento_TwoFactorAuth module and requires 2FA for admin users by default; older versions need the module installed from the command line and configured.

5. Use Strong Passwords

There are certain things to keep in mind when creating a password. Passwords should definitely be longer than 8 characters, and longer is better: length adds more to the search space than any single extra symbol. You should also mix numbers, symbols, and uppercase and lowercase letters, and never reuse a password that is used anywhere else, since leaked credential databases are the attacker's first guess list. Rotating passwords periodically is often recommended, though it matters less than length and uniqueness; a password should always be changed immediately after any suspected compromise.

6. Activate Security Scanner And Firewall

Improving the store's overall security also helps against brute force attacks. One way to do this is to use a security suite that comes with a firewall and a security scanner, such as Astra. A firewall can block an IP address that is hammering the login form before Magento's own lockout even triggers, and such tools are useful well beyond brute force protection.

A penetration test of the store is the most direct way to find the other vulnerabilities and security issues that could lead to a compromise.
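The six steps above can be applied from the command line instead of clicking through the admin UI. The script below is an added example, not code from the original article or from the Magento project; it uses the Magento 2 CLI (bin/magento config:set and setup:config:set) with the core configuration paths behind the settings described above. The generated admin path, the 2FA provider list and the 90-day password lifetime are assumptions to adjust for your store.

```shell
#!/bin/sh
# Added example (not from the original article or Magento): apply the
# brute-force hardening steps above from the Magento 2 CLI. Run from the
# Magento root. Set DRY_RUN=1 to print the commands instead of running them;
# this also happens automatically when bin/magento is not found.
set -eu

MAGENTO=${MAGENTO:-bin/magento}
# Assumed: a random admin path; override with ADMIN_PATH=... if you prefer your own.
ADMIN_PATH=${ADMIN_PATH:-backend_$(head -c 512 /dev/urandom | LC_ALL=C tr -dc 'a-z0-9' | head -c 10)}

if [ ! -x "$MAGENTO" ]; then
    echo "no executable at $MAGENTO, printing commands only" >&2
    DRY_RUN=1
fi

# run CMD... : execute, or print when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

harden_admin() {
    # 1. Custom admin path (written to app/etc/env.php, not core_config_data)
    run "$MAGENTO" setup:config:set --backend-frontname="$ADMIN_PATH" -n
    # 2. CAPTCHA on the admin login and forgot-password forms, shown after the first failure
    run "$MAGENTO" config:set admin/captcha/enable 1
    run "$MAGENTO" config:set admin/captcha/forms backend_login,backend_forgotpassword
    run "$MAGENTO" config:set admin/captcha/mode after_fail
    run "$MAGENTO" config:set admin/captcha/failed_attempts_login 1
    # 3. Lockout: 3 failures lock the account for 30 minutes; throttle password resets too
    run "$MAGENTO" config:set admin/security/lockout_failures 3
    run "$MAGENTO" config:set admin/security/lockout_threshold 30
    run "$MAGENTO" config:set admin/security/password_reset_protection_type 1
    run "$MAGENTO" config:set admin/security/max_number_password_reset_requests 3
    run "$MAGENTO" config:set admin/security/min_time_between_password_reset_requests 30
    run "$MAGENTO" config:set admin/security/admin_account_sharing 0
    # 4. Two-factor authentication (bundled as Magento_TwoFactorAuth since 2.4);
    #    provider list is an assumption: Google Authenticator and U2F keys
    run "$MAGENTO" module:enable Magento_TwoFactorAuth
    run "$MAGENTO" setup:upgrade
    run "$MAGENTO" config:set twofactorauth/general/force_providers google,u2fkey
    # 5. Password policy: force a change after 90 days (assumed lifetime)
    run "$MAGENTO" config:set admin/security/password_lifetime 90
    run "$MAGENTO" config:set admin/security/password_is_forced 1
    # Flush caches so the new values take effect
    run "$MAGENTO" cache:flush
}

harden_admin
```

Review the output with DRY_RUN=1 first. The config:set values land in core_config_data, where they can be pinned against accidental changes from the admin UI with the --lock-env option; the admin path goes to app/etc/env.php, so note the new URL before running the script or you will lock yourself out of the panel.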

Summing up

A brute force attack is easy for an attacker to launch, and a successful one can cause serious damage to your Magento store and to your business's reputation. Fortunately, protection against such attacks is just as easy to put in place: a non-default admin path, CAPTCHA, a strict lockout policy, two-factor authentication and strong passwords together leave an attacker with almost no room to guess.
