---
title: "10 Magento Security Tips"
description: "It is important to stay on top of Magento security practices to protect your website and customer data against cyber intrusions. Below we’ll cover some tips for hardening your Magento website..."
url: https://www.inmotionhosting.com/support/edu/magento/magento-security-tips/
date: 2022-03-24
modified: 2023-11-03
author: "InMotion Hosting Contributor"
categories: ["Magento"]
type: post
lang: en
---

# 10 Magento Security Tips

![10 Tips to Improve Magento Security Hero Image](https://www.inmotionhosting.com/support/wp-content/uploads/2023/11/Magento-Security-Tips-1024x538.png)

It is important to stay on top of Magento security practices to protect your website and customer data against cyber intrusions. Below we’ll cover some tips for hardening your [Magento website hosting](https://www.inmotionhosting.com/magento-hosting) and web server.

- [Initial Setup](#setup)
  - [Create an Unique Admin Panel URL](#panel)
  - [Install an SSL Certificate](#ssl)
- [Hardening Magento Security](#maintain)
  - [Magento Security Extensions and Backups](#security)
  - [Magento Server Hosting](#hosting)

## Initial Setup

The following tips should be done during the Magento installation. However, there are still ways to implement them on existing online stores.

### Create an Unique Admin Panel URL

During Magento installation you will specify an URL for the backend dashboard. Softaculous will use the admin path “admin123” by default. Change this to something longer and harder to guess. Experienced system administrators can password protect the admin directory with [cPanel](https://www.inmotionhosting.com/support/edu/cpanel/password-protect-directory-cpanel/) or a .htpasswd file. To change the admin URL in Magento 2.4:

Although this is the recommended method, it may cause issues as it did during our testing in version 2.4.2-p2 version. Only proceed during slow customer activity and if you have SSH access to troubleshoot possible issues. Otherwise, contact live support for further assistance.

1. Select **Stores** > **Configuration**.
2. Under **Advanced**, select **Admin**.
3. Select **Admin Base URL** to show custom admin URL options.
4. Deselect **Use system value** for **Use Custom Admin URL**. Select **No** to view the drop-down menu and select **Yes**. Deselect **Use system value** for **Custom Admin URL** and type the full Magento admin base URL with a trailing slash (e.g. https://example.com/supersecreturl/).![Magento 2 Custom Admin URL](https://www.inmotionhosting.com/support/wp-content/uploads/2022/03/magento-2-custom-admin-url-1024x349.png)
5. Deselect **Use system value** for **Use Custom Admin Path**. Select **No** to view the drop-down menu and select **Yes**. Deselect **Use system value** for **Custom Admin Path** and type a file path.![Magento 2 Custom Admin Path](https://www.inmotionhosting.com/support/wp-content/uploads/2022/03/magento-2-custom-admin-path.png)
6. Select **Save Config** at the top. You’ll be redirected to the new admin URL.

### Install an SSL Certificate

Many site owners want customers to be able to access their Magento catalog via HTTP protocol but switch over to HTTPS (secure) for cart checkouts. However, it is highly recommended to install an SSL on Magento and force site-wide encrypted connections.

cPanel and Softaculous make it extremely easy to ensure there’s a valid SSL installed. Unmanaged server users can use [Certbot](https://www.inmotionhosting.com/support/website/ssl/lets-encrypt-ssl-ubuntu-with-certbot/) to install a free SSL.

1. After installing an SSL on your web server, log into the admin dashboard.
2. Select **Stores**, **Settings**, and **Configuration**.
3. Under **General**, select **Web**.
4. Change the unsecure base URL to “https” and select **Save Config.** You may need to edit the .htaccess or other web server configuration file and redirect the unsecure URL to “https.”

## Hardening Magento Security

There are plenty of security improvements to be made on existing eCommerce sites, starting with user credentials. 

Anyone can create a unique username and password. “Admin” and “Root” are too common. Switch it up. Adding numbers and additional letters in your username can derail user enumeration efforts by potential cyber attackers.

Instead of a password, use a strong passphrase with over a dozen alphanumeric and special characters. Save the user credentials in a solid password manager like [KeePass](https://www.inmotionhosting.com/support/security/keepass-for-windows-user-guide/) or LastPass, not your web browser.

Two or multi-factor authentication (TFA/MFA) makes brute force password attacks more difficult as hackers also need access to your email address or mobile device to access your account. Within Magento:

1. Select **Stores** > **Settings** > **Configuration**.
2. On the left, select **Security** and **2FA**.
3. Select an authentication app: Google, Duo, Authy, or U2F Devices (Yubikey and others).

You can install the Bypass 2FA extension by PHP Studios if you need to whitelist users without a smartphone.

### Magento Security Extensions and Backups

Stay up to date with Magento security updates. Remember to create and verify a website backup before upgrades.There are official Magento backup extensions available but they cost a lot. Check with your web hosting provider to learn how to backup Magento with server software – cPanel, Control Web Panel (CWP), etc. If you’re comfortable with the command-line interface (CLI), you can use [cron job](https://www.inmotionhosting.com/support/edu/cpanel/how-to-run-a-cron-job/) to schedule zip or tar backups.

### Magento Server Hosting 

There are no official Magento firewall extensions at this time. However, your web hosting plan likely includes a server-side web application firewall (WAF). VPS administrators can choose between many reputable, free WAFs such as ModSecurity, Fail2ban, and ConfigServer Security & Firewall (CSF).

Magento works best on VPS or dedicated server hosting where more system resources are available compared to shared hosting plans. Integrating a cloud-based WAF like Cloudflare or Sucuri can further protect your data against denial of service (DoS) attacks.

Security HTTP headers prevent malicious code from displaying on your website. The CSP & Security Headers extension can help you generate a Content Security Policy (CSP). Advanced users can develop HTTP Strict Transport Security (HSTS) and Permissions Policy headers within their web server configuration file. We have articles explaining how to create these headers in Apache and NGINX.

An insecure web server can undercut best security practices within your Magento store. Contact your hosting provider for additional options that may not be mentioned above.

Let us know if you have additional questions about Magento security.

![Secure VPS Hosting](https://design.inmotionhosting.com/assets/icons/custom/security.svg)Enjoy high-performance, lightning-fast servers with increased security and maximum up-time with our [Secure VPS Hosting](https://www.inmotionhosting.com/vps-hosting)!

![check mark](https://design.inmotionhosting.com/assets/icons/standard/check-blue.svg)Linux VPS ![check mark](https://design.inmotionhosting.com/assets/icons/standard/check-blue.svg)cPanel or Control Web Panel ![check mark](https://design.inmotionhosting.com/assets/icons/standard/check-blue.svg)Scalable ![check mark](https://design.inmotionhosting.com/assets/icons/standard/check-blue.svg)Website Migration Assistance

[Linux VPS Hosting](https://www.inmotionhosting.com/vps-hosting/linux-vps)
