The default Magento backend URL is /admin/ (i.e. http://www.example.com/admin/), and everyone knows it, including the bots and crackers that, according to my logs, have been brute-forcing it for weeks. The recent Shoplift vulnerability (known by its SUPEE-5344 patch, widely announced to the public) showed that the Magento backend should not be accessible to, or known by, anyone except store staff.

Luckily, changing the default /admin/ path to any other random string is an easy task for anyone who can edit text in XML files. To change the default Magento admin path:
- navigate to app/etc/ under your Magento root directory
- search for the following section:

```xml
<admin>
  <routers>
    <adminhtml>
      <args>
        <frontName><![CDATA[admin]]></frontName>
      </args>
    </adminhtml>
  </routers>
</admin>
```
- and change the “admin” entry under the `<frontName>` tag to any random string you wish to access your Magento backend with, i.e. I’ve set it to “cocardra”:

```xml
<admin>
  <routers>
    <adminhtml>
      <args>
        <frontName><![CDATA[cocardra]]></frontName>
      </args>
    </adminhtml>
  </routers>
</admin>
```
- flush the Magento cache
- access your backend via the new URL, i.e. mine is now https://mystorename.ex/cocardra/
- make sure to install the SUPEE-6788 patch, check it with the patch tester and disable Admin Router Compatibility. As described by BorateBomber in the comments below, none of this matters if your store is unpatched.
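Two quick checks a store admin can script after making the change, as an added example that is not part of the original post: one parses the `<frontName>` section to confirm it no longer reads `admin` (and is reasonably long), the other counts per-IP requests still hitting the old `/admin/` path in a web-server access log. The XML snippet, the log lines and the IP addresses are constructed samples.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of the <admin> section as it would appear in app/etc/ config.
SAMPLE_LOCAL_XML = """<?xml version="1.0"?><config>
  <admin>
    <routers>
      <adminhtml>
        <args>
          <frontName><![CDATA[cocardra]]></frontName>
        </args>
      </adminhtml>
    </routers>
  </admin>
</config>"""

def admin_front_name(xml_text: str) -> str:
    """Return the configured admin frontName; 'admin' when the section is absent (Magento default)."""
    root = ET.fromstring(xml_text)
    node = root.find("./admin/routers/adminhtml/args/frontName")
    return node.text.strip() if node is not None and node.text else "admin"

def check_front_name(xml_text: str) -> list:
    """Return a list of findings; an empty list means the custom path looks sane."""
    name = admin_front_name(xml_text)
    findings = []
    if name == "admin":
        findings.append("frontName is still the default 'admin'")
    if not re.fullmatch(r"[A-Za-z0-9_-]{8,}", name):
        findings.append("frontName should be at least 8 URL-safe characters")
    return findings

# Constructed access-log lines (combined log format) for the brute-force check.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2015:13:55:36 +0000] "POST /admin/ HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2015:13:55:38 +0000] "POST /admin/ HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2015:13:56:01 +0000] "GET /cocardra/ HTTP/1.1" 200 9000
203.0.113.5 - - [10/Oct/2015:13:56:10 +0000] "POST /index.php/admin/ HTTP/1.1" 404 200
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def admin_probes(log_text: str, old_path: str = "/admin/") -> Counter:
    """Count requests per client IP whose path still contains the old default admin path."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and old_path in m.group(3):
            hits[m.group(1)] += 1
    return hits
```

Run `check_front_name` against the real file after editing and `admin_probes` against the live access log; IPs that keep probing the old path after the rename are candidates for firewall blocking.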