A high level of data security is a primary concern for any merchant who runs an online business. If store owners don’t protect their websites from hacker attacks and spammers, as well as malicious login attempts, they risk facing data breaches and loss of customer trust. To ensure the safety of sensitive customer data and protect your web store from spam and fraud, you need to install a reliable third-party extension that adds advanced security settings to default Magento 2.
Today, we present one such tool – Amasty Security Suite for Magento 2. Amasty provides Magento 2 store owners with a fully fledged security solution that lets you track admin actions, manage user permissions, and add an extra security layer to website login. This way, you can get full control over backend activities on your store and protect your website from both internal and external security threats.
Below, we describe the functionality of the Magento 2 Security Suite module and look at its backend configuration.
Amasty Security Suite combines features of 4 different extensions:
By implementing the Invisible reCaptcha function, you protect your store from bots that can spam your website forms or create fake accounts. Google Captcha is not visible to customers, so it doesn’t harm user experience on your storefront while keeping your website safe. Security tests appear only if suspicious activity is detected, eliminating the need for online shoppers to solve complicated quizzes every time they enter your store.
The Magento 2 module provides three ready-made templates that can be utilized for login and registration, comments and reviews, and subscription forms. Besides, it is possible to customize provided templates and add them to any other form on your site without having special coding skills.
Other features of Amasty Security Suite are related to logging admin activities in the backend. This way, you can monitor all actions of your store administrators from one page in the Magento Admin and view the necessary details on each activity. Besides, the extension provides the ability to track admin sessions in real time and check the history of visits on each page of your website. Thus, you get more control over your website performance and can quickly react to admin mistakes. Furthermore, you can enable email notifications on each login attempt, or configure alerts on suspicious login activity to be fully aware of potential security threats.
With Security Suite for Magento 2, you can add an additional security layer to the admin panel access. The extension allows store owners to implement two-step verification. Its mechanism is based on generating a one-time code that is sent to a user’s mobile phone and should be entered along with login and password. It is also possible to create a list of IP addresses that you trust, so reliable users won’t have to go through the double authentication process.
Another useful feature offered by the Security Suite extension is the management of user permissions. You can assign different roles to your store managers and limit access to selected elements of your store backend administration. For example, you can set the limitation so that a specific admin user will be able to view and modify only particular products or their attributes, categories, CMS pages, store views, websites, and more. Besides, it is possible to restrict access to reports, orders, invoices, shipments, and credit memos for each user. This function is especially useful for websites with multiple store views, as well as multi-vendor stores.
Now, let’s explore the features of the Magento 2 Security Suite extension by Amasty by looking at its backend configuration in more detail.
To configure the general settings of the module, navigate to Stores -> Settings -> Configuration -> Amasty Extensions -> Google Invisible Captcha. Here, you can set the extension configuration in the following tabs: Google Invisible Captcha, Admin Actions Log, and Two-Factor Authentication.
The Google Invisible Captcha tab is divided into 3 sections: General Settings, Invisible Captcha for Amasty Extensions, and Advanced Settings.
In General Settings, you can enable/disable the invisible reCaptcha function on your store. Next, insert your site key and secret key that you will get after registering your website domain on the Google reCaptcha page and set the language for reCaptcha. Here, you can also select the theme (light or dark) and position (bottom right or bottom left) for the Captcha badge.
The next section lets you enable invisible reCaptcha for the supported Amasty extensions if they are installed on your website – FAQ & Product Questions and Custom Form.
In Advanced Settings, you can add Google reCaptcha to any custom form on your web store. In the ‘Urls to enable’ settings, you should enter the URLs where a particular form will be sent. Then, insert the CSS selectors of the form. Next, decide whether to show reCaptcha to guest visitors only or registered users as well and specify IP addresses for which you want to disable the Invisible Captcha feature.
The Admin Actions Log tab is divided into 6 sections: Log Settings, Geolocation, Restore Settings, Email Successful Logins To Admin, Email Unsuccessful Logins To Admin, Email Suspicious Logins To Admin, and Advanced Permissions.
In Log Settings, you can enable/disable page visit history and actions log for all or specified admin users. Here, you also enter values for the period after which the actions log, login attempts, and page history should be cleaned.
In Geolocation, you can enable or disable the Geo IP function for automatic detection of admin location.
The Restore Settings section lets you create a text for the warning message.
Next, you can enable email notifications on successful, unsuccessful, and suspicious login attempts to the admin panel. For each type of alert, select an email template and enter email addresses of the recipients.
The last section of the Admin Actions Log tab shows if the Amasty Advanced Permissions extension is installed on your store.
In the Two-Factor Authentication tab, you enable/disable the appropriate feature on your website, specify the discrepancy that defines an interval for the generation of verification codes, and list IP addresses that do not require an additional verification layer.
Under System -> Permissions -> All Users, you can enable two-factor authentication for each user and generate security codes.
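To show what a discrepancy setting means for verification codes, here is an added example (not Amasty's code and not taken from the extension). It assumes the codes are time-based one-time passwords as defined in RFC 6238 with a 30-second step, which this review does not state; the function names and the sample secret are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code: RFC 6238 default, assumed (not a setting named in this review)


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code for a single time-step counter (RFC 4226 truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, now: int, discrepancy: int = 1) -> bool:
    """Accept a code from up to `discrepancy` steps before or after the current step."""
    current = now // STEP
    ok = False
    for drift in range(-discrepancy, discrepancy + 1):
        expected = totp(secret, current + drift)
        # Constant-time comparison, no early exit: timing does not reveal which step matched.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


def accepted_window_seconds(discrepancy: int) -> int:
    """How long a single code stays usable for a given discrepancy."""
    return (2 * discrepancy + 1) * STEP


# Constructed sample: the shared secret used by the RFC 4226 / RFC 6238 test vectors.
SAMPLE_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(SAMPLE_SECRET, 59 // STEP)  # code issued at t = 59 s
    for d in (0, 1, 2):
        print(d, accepted_window_seconds(d), verify(SAMPLE_SECRET, code, now=95, discrepancy=d))
```

Under these assumptions each extra step of discrepancy keeps a code valid for 60 more seconds, so the value should be only as large as clock drift on admin devices requires. Addresses on the trusted IP list skip this check entirely, which is a reason to keep that list short.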
As for user roles, you can view and edit them, as well as create new ones on the Roles grid page under System -> Permissions -> User Roles.
When adding a new role, you will need to set its options in 8 tabs: Role Info; Role Resources; Role Users; Advanced: Scope; Advanced: Categories; Advanced: Products; Advanced: Product Attributes; Advanced: Admin User Role.
In Role Info, create a name for the new role and enter the password for user identity verification.
In Role Resources, set Resource Access to custom and select items from the resources tree to which you want to grant access for the configured admin role.
Next, click the “Save Role” button to open the Role Users tab. You will see a grid listing all existing users that you can select to assign the new role.
Next, Security Suite for Magento 2 provides advanced settings for admin permissions. In the Scope settings, you can limit access to the specified websites or store views, as well as orders, invoices and transactions, shipments, and credit memos.
If you want this user role to have access to selected categories only, you can choose required ones in a category tree under the Advanced: Categories tab.
In the same way, you can limit access to particular products from your catalog. In the advanced product settings, you decide whether to allow access to all products, selected products, own created products, or users in the same role. If you pick Selected Products, you will be able to choose the necessary items manually on the grid.
In the Product Attributes settings, you can specify product attributes to which you want to grant access.
In the last settings tab, you can select roles within which a current user will be able to create new admin users.
The Magento 2 advanced security module also allows adding sub-admins and granting specific roles to them. You can do it under System -> Permissions -> All Users.
It is also possible to change a product owner on the product level.
A grid with logged actions of the admin users that you specified in the general configuration is located under System -> Other Settings -> Admin Actions Log -> Actions Log. The Actions Log grid consists of 8 columns:
- Full Name;
- Action Type;
- Store View;
- Actions (Preview Changes and View Details).
By clicking “Preview Changes” in the Actions column, you will open a window with more details on the admin action.
The View Details action opens a new page where you can see detailed info on each activity performed by admin users and modifications breakdown, as well as restore changes with one button click.
Admin actions can be tracked in real time on the Active Sessions screen. The grid contains the following columns:
- Full Name;
- Logged In At;
- IP Address;
- Recent Activity;
- Actions (you can terminate a session from here).
Another grid displays details on all login attempts:
- Full Name;
- IP Address;
- User Agent;
- Status (Success, Logout, Failed).
The Magento 2 Security Suite extension allows checking the history of page visits by the store admins on a separate screen as well. The Visit History grid contains information in the following columns:
- Full Name;
- Session Start;
- Session End;
- IP Address.
Amasty Security Suite for Magento 2 is a robust extension that brings all necessary tools for equipping your online store with complete security control. With the module, you will be able to efficiently manage admin roles, view all backend activities, prevent suspicious actions in time, and add extra protection from spammers and fraudsters. This way, you will streamline your backend routine and ensure that your website visitors have a seamless experience on your storefront. As a result, you will improve your store performance, win customers’ trust, and get higher conversions.
You can buy Amasty Security Suite for Magento 2 for $349, which is a very reasonable price for such a valuable solution.