Magento 2 Admin Security Settings
May 10, 2017


Configuring the admin section of your Magento 2 store correctly helps ensure that no unwanted logins happen and that the admin area stays protected. To show how these settings can be managed, we have written up the steps below with a description of each option and a screenshot. Go through them and adjust the settings to your requirements.

Step 1:

Log in to the admin area. On the Admin sidebar, click Stores > Settings > Configuration. In the panel on the left, choose Advanced > Admin > Security.

Step 2:

Set the options in the Security section. Each option is described below.

Password Reset Protection Type: You can keep this at IP & Email or at Email only. With IP & Email, Magento checks during a password reset that the reset request and the actual password reset come from the same IP address.

Recovery Link Expiry Period: Enter a number, which is interpreted as hours. If you enter 2, the password reset link stops working after 2 hours.

Max Number of Password Reset Requests: Limit how many password reset requests all users together can place on the system per hour. This prevents reset-email spamming. Choose the number based on the amount of visitors your website receives.

Min Time Between Password Reset Requests: The interval that must pass after one request before a second request is accepted. The time is in minutes.

Add Secret Key to URLs: Leave the default “Yes” to append a secret key to admin URLs, or choose “No” to disable it. The secret key helps prevent CSRF (Cross-Site Request Forgery) attacks, so keeping it enabled is recommended.

Login is Case Sensitive: Select “Yes” to distinguish between upper- and lowercase characters, so that users must log in with the exact account name and password.

Admin Session Lifetime: In the Admin Session Lifetime (seconds) field, enter a number greater than 60. This is how long a user may stay inactive in a session before the system logs the account out automatically. To skip this setting, leave the field blank.

Maximum Login Failures to Lockout: In the Maximum Login Failures to Lockout Account field, set how many times a user can enter a wrong password before the account is locked.

Lockout Time: In the Lockout Time (minutes) field, enter how many minutes an account stays locked before the user can log in again.

Password Lifetime: In the Password Lifetime (days) field, set the number of days a password can be used before it expires. Leave the field blank if you do not want to enable this feature.

Password Change: In the Password Change field, select “Forced” to require users to change their password before it expires, or “Recommended” to only advise them to reset it.

Step 3: Save the configuration.

Click the Save Config button in the upper-right corner when you are done, then clear the Configuration and Full Page caches for the changes to take effect.
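As an added example (not code from the original post), here is a small Python audit that reads the admin security values in the `path - value` form printed by `bin/magento config:show` and checks them against the constraints described in the steps above. The config paths and the `config:show` output format are assumptions to verify against your own store; the sample output is constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `bin/magento config:show admin/security` output ("path - value").
# The config paths are assumed from Magento 2's admin security group; verify them on your store.
SAMPLE_CONFIG_SHOW = """\
admin/security/use_form_key - 0
admin/security/use_case_sensitive_login - 1
admin/security/session_lifetime - 45
admin/security/lockout_failures - 6
admin/security/lockout_threshold - 30
admin/security/password_lifetime -
admin/security/password_is_forced - 0
admin/security/max_number_password_reset_requests - 5
admin/security/min_time_between_password_reset_requests - 10
"""

def parse_config_show(text: str) -> Dict[str, str]:
    """Turn 'path - value' lines into a dict; a blank value (unset field) becomes ''."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+) -\s?(.*)$", line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def _int(conf: Dict[str, str], path: str):
    """Integer value of a setting, or None when the field is blank or non-numeric."""
    v = conf.get(path, "")
    return int(v) if v.isdigit() else None

def audit_admin_security(conf: Dict[str, str]) -> List[Tuple[str, str]]:
    """Apply the constraints from the post; return (severity, message) findings."""
    p = "admin/security/"
    findings = []
    if conf.get(p + "use_form_key") != "1":
        findings.append(("high", "Add Secret Key to URLs is off: admin URLs lose CSRF protection"))
    life = _int(conf, p + "session_lifetime")
    if life is not None and life <= 60:  # blank is allowed, a set value must exceed 60 seconds
        findings.append(("high", f"Admin Session Lifetime {life}s is not greater than 60"))
    if _int(conf, p + "lockout_failures") is None or not (_int(conf, p + "lockout_threshold") or 0) > 0:
        findings.append(("high", "Login failure lockout (failures / lockout minutes) is not configured"))
    for key, label in (("max_number_password_reset_requests", "Max Number of Password Reset Requests"),
                       ("min_time_between_password_reset_requests", "Min Time Between Password Reset Requests")):
        if not (_int(conf, p + key) or 0) > 0:
            findings.append(("medium", f"{label} is unset: reset-email spamming is not throttled"))
    if _int(conf, p + "password_lifetime") is None:
        findings.append(("low", "Password Lifetime is blank: admin passwords never expire"))
    if conf.get(p + "password_is_forced") != "1":  # assumed mapping: 1 = Forced, 0 = Recommended
        findings.append(("low", "Password Change is Recommended rather than Forced"))
    return findings
```

Running `audit_admin_security(parse_config_show(SAMPLE_CONFIG_SHOW))` on the constructed sample reports the disabled secret key and the 45-second session lifetime as high-severity findings.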

Refer to the screenshot below for the Security tab.

We hope this explanation helps you secure your Magento 2 admin.
