Published: April 23, 2015
Securing Magento /admin/ by admin path change

The default Magento backend URL is /admin/ (i.e. http://www.example.com/admin/). Everyone knows it, including the bots and crackers that, according to my logs, have been brute-forcing it for weeks. The recent Shoplift vulnerability (known by its SUPEE-5344 patch, widely announced to the public) showed that the Magento backend should not be reachable by, or known to, anyone except store staff. Luckily for us, changing the default /admin/ path to some other random string is an easy task for anyone who can edit text in XML files. To change the default Magento admin path:

  • navigate to app/etc/ under your Magento root directory
  • open the local.xml file
  • search for the following section:
        <admin>
            <routers>
                <adminhtml>
                    <args>
                        <frontName><![CDATA[admin]]></frontName>
                    </args>
                </adminhtml>
            </routers>
        </admin>
    
  • change the “admin” entry inside the <frontName> tag to any random string you wish to access your Magento backend with, e.g. I’ve set it to “cocardra”:
        <admin>
            <routers>
                <adminhtml>
                    <args>
                        <frontName><![CDATA[cocardra]]></frontName>
                    </args>
                </adminhtml>
            </routers>
        </admin>
    
  • flush the Magento cache
  • access your backend via the new URL, e.g. mine is now https://mystorename.ex/cocardra/
    (Screenshot: Changed /admin/ path for my Magento backend)
  • make sure to install the SUPEE-6788 patch, check it with the patch tester and disable Admin Router Compatibility. As described by BorateBomber in the comments below, none of this matters if your store is unpatched.
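The steps above are a manual edit of local.xml. As an added example (my own code, not from the original post or from Magento), the Python helper below audits whether a local.xml still uses the well-known “admin” frontName, generates a random replacement, and rewrites the value while keeping the CDATA wrapper the file uses. The sample local.xml is constructed, and the function names are mine; flushing the cache is still a separate step.

```python
import re
import secrets
import string
import xml.etree.ElementTree as ET

# Constructed sample of app/etc/local.xml, trimmed to the <admin> section with the default path.
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
"""

# Matches the frontName inside <admin>, with or without its CDATA wrapper.
FRONTNAME_RE = re.compile(
    r"(<admin>.*?<frontName>)(?:<!\[CDATA\[)?([^<\]]+?)(?:\]\]>)?(</frontName>)", re.DOTALL)

def get_admin_frontname(xml_text: str) -> str:
    """Return the backend path segment configured in local.xml ("" if absent)."""
    root = ET.fromstring(xml_text)
    node = root.find("./admin/routers/adminhtml/args/frontName")
    return node.text.strip() if node is not None and node.text else ""

def is_default_admin_path(xml_text: str) -> bool:
    """True when the store still answers on the well-known /admin/ path."""
    return get_admin_frontname(xml_text) == "admin"

def random_frontname(length: int = 12) -> str:
    """Lowercase letters and digits only: safe both in the URL and in the XML."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def set_admin_frontname(xml_text: str, new_name: str) -> str:
    """Rewrite the frontName in place, keeping the CDATA wrapper the file uses."""
    if not re.fullmatch(r"[a-z0-9_-]{4,}", new_name):
        raise ValueError("frontName must be [a-z0-9_-] and at least 4 characters")
    updated, count = FRONTNAME_RE.subn(
        lambda m: f"{m.group(1)}<![CDATA[{new_name}]]>{m.group(3)}", xml_text, count=1)
    if count != 1:
        raise ValueError("no <admin>/<frontName> section found in local.xml")
    return updated
```

Run `is_default_admin_path()` over the real file as a periodic check, and write the result of `set_admin_frontname()` back only after keeping a backup of local.xml.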

Known Issues

The Magedev/Productposition extension cannot work with a custom admin backend path. When you go to Catalog > Manage Categories and switch to Update Product Position, you cannot see more than 20 products at a time or move to the next page: it just redirects you to the beginning of the Manage Category page again. Make sure to update the extension accordingly (in app/code/local/Magedev/Productposition/etc/config.xml) or request a fixed version from the extension developers.

If you have any difficulties changing the Magento admin URL, please let me know in the comments so we can find a solution together.

Posted in: Configuration, Magento Maintenance