Magento 2 can be compared to a fortress when it comes to security, but there is still room for improvement. You can enhance Magento 2 admin security so that malefactors never steal precious information about your ecommerce website and customers. The following post sheds light on vital improvements based on third-party Magento 2 security extensions which add extra protection layers to the default admin processes. If you also think that the default Magento 2 security must be enhanced, you've come to the right place.
Advanced Permissions for Magento 2 by Amasty is a must-have solution for every Magento 2 store owner who wants to keep an ecommerce website under control. This Magento 2 security extension lets you manage sub-administrators in a new way: with the aid of the module, you give them the ability to see and edit only particular data. Consequently, every administrator gets their own products, categories, store views and even pages to see and edit.
If you are looking for a tool which implements admin roles for Magento 2, and custom sets of permissions and limited access to backend tabs for certain managers are strict requirements, then give Advanced Permissions for Magento 2 a go.
This Magento 2 admin security extension enables you to limit the access to the following data:
- Store views;
- Various CMS elements;
- Dashboard stats and reports.
As a super-admin, you can choose which products can be edited for a particular store view; give specific admin users access to certain categories only (alternatively, users can see all categories, but only the specified ones are editable); allow or restrict the actions of admins by store view; limit the access to reports on the basis of various factors; and take full control over particular CMS elements in various admin roles.
With the help of this Magento 2 security module, you will be able to take full control over your administrators. The Magento 2 admin actions log extension is designed to create a full log of all actions performed by your backend managers.
All logged actions are gathered in the following grid:
As for login attempts, you can view them here:
There is also a grid with user visit history:
It is obvious that a password alone is not enough to protect your Magento 2 backend against unauthorized logins and fraud. Anyone who gets hold of an admin password can log into your admin and download all your sensitive data, until you enhance the security of your Magento 2 admin with Two-Factor Authentication. That's why we recommend installing the Two-Factor Authentication Magento 2 extension by XTENTO.
The module changes the way your admins log into the backend of your store: new security information is required. In addition to a username and a password, the system asks for a one-time password (OTP) generated by a smartphone. The password is valid for 30 seconds and can be used only once.
As for compatible devices, they are:
- iPhone (iOS 7+), iPad, and iPod touch;
- various Android smartphones and tablets;
- BlackBerry smartphones.
Since the Two-Factor Authentication Magento 2 extension relies on the Google Authenticator app, make sure your mobile device is compatible with this application. For Android, open the Google Play market and search for the Google Authenticator application. For iOS devices, perform the same action on the App Store. If you are a BlackBerry owner, visit http://m.google.com/authenticator on your device.
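The two properties described above (a 30-second validity window and single use) can be seen in a minimal server-side check of the time-based OTP scheme that Google Authenticator implements (RFC 6238, HMAC-SHA1, 6 digits). This is an added example, not code from the XTENTO or Amasty modules; `OtpVerifier`, its in-memory replay table and `SAMPLE_SECRET` (the public RFC 6238 test key) are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds one OTP stays valid, as stated in the article
# Constructed sample: the public RFC 6238 test key, never a real admin secret.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """Compute the RFC 6238 code for the 30 s step containing unix_time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Hypothetical helper: accepts a code for the current step, once per user."""

    def __init__(self):
        self._last_step = {}  # username -> last time step already consumed

    def verify(self, user: str, secret_b32: str, submitted: str, now: int) -> bool:
        step = now // STEP
        # Single use: a step that was already consumed is rejected, so a code
        # captured during login cannot be replayed inside its 30 s window.
        if self._last_step.get(user, -1) >= step:
            return False
        expected = totp(secret_b32, now)
        # Constant-time comparison avoids leaking how many digits matched.
        if not hmac.compare_digest(expected.encode(), submitted.encode()):
            return False
        self._last_step[user] = step
        return True


if __name__ == "__main__":
    v = OtpVerifier()
    t = 1111111109  # timestamp taken from the RFC 6238 test vectors
    code = totp(SAMPLE_SECRET, t)
    print(code, v.verify("admin", SAMPLE_SECRET, code, t))   # first use
    print(code, v.verify("admin", SAMPLE_SECRET, code, t))   # replay
    print(code, v.verify("admin", SAMPLE_SECRET, code, t + 2))  # next step
```

This sketch accepts only the current step; a deployment that must tolerate phone clock drift would also accept the adjacent step, at the cost of a longer effective validity window.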
Besides, there is one more Magento 2 two-factor authentication extension that essentially improves the default Magento 2 security. Amasty's tool works on the same principle: you install the module and it provides the second authentication step based on a smartphone application. In order to increase Magento 2 safety, your admins will have to pass the following procedure:
Also note that the Magento 2 two-factor authentication module is extremely easy to configure. The following gif illustrates parameters that can be changed:
Note that it is possible to create a white list of users who will pass through the standard login procedure even if the Amasty Two-Factor Authentication Magento 2 extension is enabled:
Admin Logger by Boost my Shop
If the Two-Factor Authentication enhancement is not enough for you, then you can implement an even more precise security improvement available with the Admin Logger Magento 2 extension. The module provides the ability to supervise admin logins and track all actions made in the Magento 2 admin. As a result, you can easily identify who is responsible for changes by reviewing user navigation history, and track all backend logins. Install the Admin Logger Magento 2 extension and always know who is logged in and who has been logged into the Magento 2 backend; who is responsible for modifying certain data; and which admin page is currently viewed by whom.
This Magento 2 admin security extension always keeps track of all logins including failed attempts. For failed attempts, the module provides IP address and user’s login information. As for data modifications – creation, updates, removal – Admin Logger stores such information as a particular username, IP address, date, and the modified information.
Thus, having installed the Admin Logger Magento 2 extension, you always know:
- Who updates specific customer data, and when?
- Who modifies specific store data, and when?
In case you are looking for a full-featured Amasty security solution for your Magento 2 backend security, pay attention to the Amasty Security Suite module. Its first version combines the functionality of 4 extensions:
- Backend Activities (to improve Magento 2 security by controlling all actions of your admins);
- Admin Permissions (to enhance Magento 2 security by providing different administrators with different permissions);
- Backups (to get an absolutely new Magento security level by creating backups of the whole ecommerce store);
- Protection From Malicious Login Attempts (to enhance Magento 2 backend security by adding two-factor authentication).
Note that the module is available for Magento 1, so we are waiting for its 2.x version that will improve Magento 2 security in multiple areas simultaneously.