Ways to Block Brute Force Attacks in Magento 2?

Today, we’re going to show you how to block brute force attacks on your Magento 2 store.

Brute force attacks have become very common nowadays.

And the worst part is that most websites on the world wide web are vulnerable to such attacks.

Online stores, especially, are at the highest risk, since a successful attack could cost them millions and even a billion dollars.

What is a Brute Force Attack?

A brute force attack is basically one of the simplest methods of gaining access to a website. In simple terms, the attacker tries hundreds of thousands of password combinations until they eventually hit the right one.
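What the pattern described above looks like from the defender’s side is a burst of login submissions from one client to the admin login path. The script below is an added example, not code from the original post, that a store operator can run over a web server access log to spot that burst. It assumes the common/combined log format, that the admin front name is the default /admin described later in this post, that the login form posts to that path, and a constructed sample log (not real traffic); the threshold and window are assumptions you would tune for your store.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Regex for the common/combined access log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, method, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_login_floods(lines, admin_path="/admin", threshold=10, window_seconds=60):
    """Flag source IPs that POST to the admin login path more than `threshold` times
    inside any sliding window of `window_seconds`.

    Magento answers both failed and successful admin logins with a redirect, so the
    status code alone does not reveal a failure; the number of login attempts per
    client inside a short window is the signal that matters.
    Assumption: the login form posts to the admin front name itself (the post's
    default /admin); adjust `admin_path` if your store uses a customized path.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of login POSTs still inside the window
    flagged = {}                 # ip -> peak number of attempts seen in one window
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not in the expected format
        ip, ts, method, path, _status = parsed
        # Only login submissions count; /admin/dashboard and similar are post-login traffic.
        if method != "POST" or path.split("?")[0].rstrip("/") != admin_path:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop attempts that fell out of the sliding window
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def _line(ip, second, method, path, status):
    """Build one constructed log line at 13:55:<second> on a fixed date."""
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 0 "-" "Mozilla/5.0"')


# Constructed sample log (not real traffic): 203.0.113.7 submits the admin login form
# 12 times in 22 seconds; 198.51.100.22 logs in once and then opens the dashboard.
SAMPLE_LOG = (
    [_line("203.0.113.7", s, "POST", "/admin/", 302) for s in range(0, 24, 2)]
    + [_line("198.51.100.22", 10, "POST", "/admin/", 302),
       _line("198.51.100.22", 11, "GET", "/admin/dashboard/", 200),
       "garbage line that does not parse"]
)

if __name__ == "__main__":
    for ip, attempts in find_login_floods(SAMPLE_LOG).items():
        print(f"{ip}: {attempts} admin login attempts inside one 60s window")
```

Feed it the real log with `find_login_floods(open("/var/log/nginx/access.log"))`; a flagged address is a candidate for a firewall or rate-limit rule, and the peak count tells you how aggressive the client was.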

So, what can you do to prevent brute force attacks on your online store?

If you use Magento, we have good news for you.

There are a total of 5 different solutions you can use to block all kinds of brute force attacks on your Magento 2 store.

In this tutorial, we will show you how to use all 5 solutions to block brute force attacks on your Magento 2 store.

5 Solutions to Block Brute Force Attacks in Magento 2

Below, we’ve explained each solution to block brute force attacks in detail.

Let’s start with the basic one…

Solution #1 - Customize Your Admin Path

By default, the admin path of your Magento 2 store will be something like - https://www.your-store-domain.com/admin

Now, since almost all hackers know the default Magento admin URL, they can easily aim a brute force attack at it to break in.

However, if you customize the default Magento admin URL of your store, you can prevent brute force attacks to a great extent.

For example, you can change the default Magento admin URL from https://www.your-store-domain.com/admin to something like https://www.your-store-domain.com/black-box or https://www.your-store-domain.com/my-user.

To change the default Magento admin URL, edit it in the file /app/etc/local.xml.

XML path - admin > routers > adminhtml > args > frontName

Lastly, flush the Magento cache from System > Cache Management > Flush Magento Cache and it’s done.

Solution #2 - Change Admin Username & Password

After changing the default Magento admin URL, the next important solution you can use to block brute force attacks is to change the default admin username and use a strong password.

For example, the default admin username is “admin” itself, which, as you can probably see, is not really hard to guess.

So, it’s highly recommended to change the default admin account username to either your own name, a nickname, or your email address.

As for the password, the best way to protect your online store from brute force attacks is to use a strong password that meets all of the following:

  • Has at least 8 characters
  • Includes a symbol
  • Includes both uppercase and lowercase letters
  • Includes one or more numbers
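A small check that enforces exactly the four rules listed above, as an added example that is not part of the original post. It goes one step beyond the list by optionally rejecting a password that contains the admin username (an assumption that follows from the advice to stop using “admin”); the sample passwords are constructed.

```python
import string


def password_policy_failures(password, username=None):
    """Return the rules from the post that `password` fails; an empty list means it complies.

    Rules checked: at least 8 characters, a symbol, both uppercase and lowercase
    letters, and a number. The optional `username` check is an addition beyond the
    post's list: a password that contains the account name is rejected as well.
    """
    failures = []
    if len(password) < 8:
        failures.append("at least 8 characters")
    if not any(c in string.punctuation for c in password):
        failures.append("a symbol")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        failures.append("both uppercase and lowercase letters")
    if not any(c.isdigit() for c in password):
        failures.append("a number")
    if username and username.lower() in password.lower():
        failures.append("must not contain the username")
    return failures


def is_strong_password(password, username=None):
    """True when the password satisfies every rule above."""
    return not password_policy_failures(password, username)


if __name__ == "__main__":
    # Constructed sample passwords, from a guessable one to a compliant one.
    for candidate in ("password", "Ab1!", "Admin!2024", "Tr0ub4dor&3"):
        print(candidate, "->", password_policy_failures(candidate, username="admin") or "ok")
```

Running the block lists, for each candidate, which rules it fails, so the feedback an admin user sees can name the missing ingredient instead of just saying “weak”.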

Solution #3 - Secure your .git Folder

The next solution to protect your Magento 2 store from brute force attacks is to secure your .git folder.

GitHub, as you might already know, is a popular hosting provider for software development and version control. In fact, today every online store uses it, mainly for version control.

And if by any chance you’re using GitHub for version control too, then you already know that its .git folder contains extremely important information about your online store, such as code files, the repository URL, etc.

So, what you need to do is go to the Protect /downloader folder option and disable it to prevent brute force attacks.
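The risk with a .git folder that sits inside the web root is that the web server will happily serve it, and with it the store’s source and repository details mentioned above, to anyone who asks for it. One way to make sure that never happens is to refuse every request for a dot-directory at the web server. The fragment below is an added example, not configuration from the original post or shipped by Magento; it assumes nginx, that it is placed inside the server {} block that serves the store, and that you keep /.well-known/ reachable for certificate validation.

```nginx
# Added example: refuse to serve .git (and any other dot-file or dot-directory such as
# .env or .htaccess) from the Magento document root. Answering 404 instead of 403
# avoids confirming that the folder exists at all.
location ~ /\.(?!well-known/) {
    return 404;
}
```

After reloading nginx, a request for /.git/HEAD on your own store should return 404; if it still returns the file, the rule is in the wrong server block or a more specific location is matching first.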

Solution #4 - Update Magento

This is a very simple and basic solution you can use to further protect your online store from brute force attacks.

All you need to do is first update your Magento to the latest available version to ensure your online store is healthy.

Next, you also need to apply the latest security patches that Magento releases regularly.

Solution #5 - Enable HTTPS for Admin Panel

The last solution for protecting your Magento 2 store from brute force attacks is to enable HTTPS for your admin panel (backend).

To enable HTTPS, log in to your admin panel and navigate to Stores > Configuration > Web.

[Screenshot: Enable HTTPS for Admin Panel]

As shown in the above screenshot, first add https:// to your domain URL and select “Yes” in the Use Secure URLs in Admin field.

That’s it!

Final Thoughts

These are the 5 different solutions you can apply to block brute force attacks in your Magento 2 store.

We hope that you found this tutorial helpful. If you have any questions, please ask them in the comments below.

And if you need our professional assistance, feel free to contact us at any time.
