APR 23 2015

Securing Magento /admin/ by admin path change

The default Magento backend URL is /admin/ (i.e. http://www.example.com/admin/). Everyone knows it, including the bots and crackers that, according to my logs, have been brute-forcing it for weeks. The recent Shoplift vulnerability (known by its SUPEE-5344 patch, widely announced to the public) showed that the Magento backend should not be accessible to, or known by, anyone except store staff.

Luckily for us, changing the default /admin/ path to any other random string is an easy task for anyone who can edit text in XML files. To change the default Magento admin path:

  • navigate to app/etc/ under your Magento root directory
  • open the local.xml file
  • search for the following section:
        <admin>
            <routers>
                <adminhtml>
                    <args>
                        <frontName><![CDATA[admin]]></frontName>
                    </args>
                </adminhtml>
            </routers>
        </admin>
    
  • and change the “admin” entry inside the frontName tag to any random string you wish to access your Magento backend with; for example, I’ve set it to “cocardra”:
        <admin>
            <routers>
                <adminhtml>
                    <args>
                        <frontName><![CDATA[cocardra]]></frontName>
                    </args>
                </adminhtml>
            </routers>
        </admin>
    
  • flush the Magento cache
  • access your backend via the new URL; for example, mine is now https://mystorename.ex/cocardra/
    Changed /admin/ path for my Magento backend

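As an added example (not code from the post or from Magento), the following Python script automates the steps above: it reads the frontName entry from a local.xml, reports whether the backend is still on the well-known /admin/ path, and rewrites the entry with a random string drawn from a CSPRNG while keeping the CDATA wrapper. The local.xml content is a constructed sample, and the name validation rule (8+ lowercase letters or digits) is my own assumption, stricter than what Magento itself accepts.

```python
import re
import secrets
import string
# Constructed sample of app/etc/local.xml (not a real store's file); the
# <admin> block mirrors the one quoted in the post.
SAMPLE_LOCAL_XML = """<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
"""

# Matches the frontName inside the <admin> block, with or without CDATA.
_FRONTNAME_RE = re.compile(
    r"(<admin>.*?<frontName>)(?:<!\[CDATA\[)?([^<\]]+)(?:\]\]>)?(</frontName>.*?</admin>)", re.DOTALL)
# Accept only 8+ lowercase letters/digits starting with a letter: always a safe
# URL path segment (assumption: stricter than what Magento itself would accept).
_SAFE_NAME_RE = re.compile(r"^[a-z][a-z0-9]{7,}$")

def current_front_name(xml_text):
    """Return the admin frontName configured in local.xml, or None if absent."""
    m = _FRONTNAME_RE.search(xml_text)
    return m.group(2) if m else None

def is_default_admin_path(xml_text):
    """True when the backend is still reachable under the well-known /admin/ path."""
    return current_front_name(xml_text) == "admin"

def random_front_name(length=12):
    """Generate an unguessable frontName from a CSPRNG (first char is a letter)."""
    alphabet = string.ascii_lowercase + string.digits
    return secrets.choice(string.ascii_lowercase) + "".join(
        secrets.choice(alphabet) for _ in range(length - 1))

def set_front_name(xml_text, new_name):
    """Return local.xml text with the admin frontName replaced, CDATA kept."""
    if not _SAFE_NAME_RE.match(new_name):
        raise ValueError("frontName must be 8+ lowercase letters/digits, starting with a letter")
    if current_front_name(xml_text) is None:
        raise ValueError("no <admin>...<frontName> section found in local.xml")
    return _FRONTNAME_RE.sub(
        lambda m: m.group(1) + "<![CDATA[" + new_name + "]]>" + m.group(3), xml_text, count=1)
```

Run it against your real app/etc/local.xml, write the result back, and then flush the cache as described above.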
If you have any difficulties changing the Magento admin URL, please let me know in the comments so we can find a solution together.

Posted in: Configuration, Magento Maintenance

  • Airsea

    Dear Sirs,

    I already did the above security admin path change successfully, but because my store has (Add store code to url) my admin url keeps showing the admin word as follows, example: ( https://mystorename.ex/admin/cocardra/ ). I would like to have my admin url without the (admin) name, is this possible? Thank you and best regards

  • BorateBomber

    Until Magento patch SUPEE-6788 is successfully installed AND Admin Router Compatibility is disabled, this is a waste of time, as Magento leaks your new secret security-by-obscurity Admin URL, or your Secret Admin URL is completely bypassable via an admin login page Magento throws up on a 3rd party Custom Admin URL.

    It is better to use your posted downloader IP whitelist method to restrict access to your admin WHETHER OR NOT you change the Admin URL, until you have SUPEE-6788 successfully installed and ALL your third party modules upgraded so you can disable Admin Router Compatibility.

    Also, changing the Admin URL is a waste of time unless you also include some sort of module that puts a login maximum tries lockout so hackers aren’t allowed to sit there all night trying to run a dictionary crack on your admin backend.

    Summarized form of the above, GET SUPEE-6788 INSTALLED, UPGRADE 3RD PARTY MODULES AND TURN OFF ADMIN ROUTER COMPATIBILITY or none of this matters.

    • BorateBomber

      And the scans for systems with SUPEE-6788 not installed, or, if installed, with admin router compatibility turned on (allowing bypassing of your custom admin links), have started as of today.