The default Magento backend URL is set to /admin/ (e.g. http://www.example.com/admin/). Everyone knows it, including bots and crackers, who have been brute-forcing it for weeks according to my logs. The recent Shoplift vulnerability (known by its SUPEE-5344 patch, widely announced to the public) showed that the Magento backend should not be accessible or known to anyone except store staff.
Lucky for us, changing the default /admin/ path to any other random string is an easy task for anyone who can edit text in XML files. To change the default Magento admin path:
- navigate to app/etc/ under your Magento root directory
- search for the following section:
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
- and change the “admin” entry under the <frontName> tag to any random string you wish to access your Magento backend with, e.g. I’ve set it to “cocardra”:
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[cocardra]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
- flush the Magento cache
- access your backend via the new URL, e.g. mine is now https://mystorename.ex/cocardra/
- make sure to install the SUPEE-6788 patch, check it with a patch tester and disable Admin Router Compatibility. As described by BorateBomber in the comments below, none of this matters if your store is unpatched.
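One way to check the result of the steps above, as an added example (not code from the original post or from Magento): a Python script that parses the admin router section and flags a default, commonly guessed or short frontName, and can suggest a random replacement. The `<config>` wrapper in the sample, the `GUESSABLE` list and the 8-character minimum are assumptions.

```python
import secrets
import string
import xml.etree.ElementTree as ET

# Constructed sample: the section from the steps above, wrapped in a <config>
# root element (assumed here so the snippet parses as a whole document).
SAMPLE = """<config>
  <admin><routers><adminhtml><args>
    <frontName><![CDATA[admin]]></frontName>
  </args></adminhtml></routers></admin>
</config>"""

FRONTNAME_PATH = "admin/routers/adminhtml/args/frontName"
# Assumed list of paths that scanners try first; extend it for your own audit.
GUESSABLE = {"admin", "administrator", "backend", "manage", "login", "adminpanel"}
MIN_LENGTH = 8  # assumed minimum; "cocardra" from the post is 8 characters


def audit_front_name(xml_text):
    """Return (front_name, findings) for the admin router section."""
    root = ET.fromstring(xml_text)
    node = root.find(FRONTNAME_PATH)
    if node is None or not (node.text or "").strip():
        return None, ["no <frontName> value found under admin/routers/adminhtml/args"]
    name = node.text.strip()  # CDATA content is returned as plain text
    findings = []
    if name.lower() in GUESSABLE:
        findings.append(f"'{name}' is a default or commonly guessed path")
    if len(name) < MIN_LENGTH:
        findings.append(f"'{name}' is shorter than {MIN_LENGTH} characters")
    return name, findings


def random_front_name(length=12):
    """Suggest a random lowercase path segment that starts with a letter."""
    alphabet = string.ascii_lowercase + string.digits
    rest = "".join(secrets.choice(alphabet) for _ in range(length - 1))
    return secrets.choice(string.ascii_lowercase) + rest


if __name__ == "__main__":
    name, findings = audit_front_name(SAMPLE)
    print(f"frontName: {name}")
    for finding in findings:
        print(f"  finding: {finding}")
    if findings:
        print(f"  suggested replacement: {random_front_name()}")
```
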
Known Issues
The Magedev/Productposition extension cannot work with a custom admin backend path. When you go to Catalog > Manage Categories and switch to Update Product Position, you are not able to see more than 20 products at a time or change to the next page as it just redirects you to the beginning of the Manage Category page again. Make sure to update the extension accordingly (in app/code/local/Magedev/Productposition/etc/config.xml) or request a fixed version from the extension developers.
If you have any difficulties with changing the Magento admin URL please let me know in the comments, so we can find a solution together.