Secure the Magento administrator interface in a few easy steps. Whether you have changed the default admin URL or not, it is still exposed to the web. The best thing you can do about this is to limit access to it using IP restrictions.
Let’s restrict access to the Magento admin to a set of trusted IPs.
Step 1. Create a configuration file with trusted IP addresses
Create the file /etc/nginx/allowed-ips-only.conf with the following contents. Nginx evaluates allow and deny rules in order and the first match wins, so keep deny all as the last line. The rules are checked against the client address Nginx sees, so if the store sits behind a reverse proxy or CDN you need the real_ip module for them to be meaningful:
allow 1.1.1.1; # My Home IP
allow 2.2.2.2; # My Work IP
allow 3.3.3.3; # Developer 1
deny all;
Step 2. Update your Magento nginx config
Now let’s add a few more location blocks to the Nginx server block to protect the admin interface. Nginx uses the first regular-expression location that matches, in the order they appear in the config, so put these blocks before any existing location ~ .php style blocks; if you have changed the admin URL, replace admin in the pattern with your own path:
location ~ ^/(index\.php/)?admin/? {
    include allowed-ips-only.conf;
    try_files $uri $uri/ @handler;
}
location ~ ^/downloader/? {
    include allowed-ips-only.conf;
    # No PHP handler in this block: untrusted clients get 403, while trusted clients
    # get the files under /downloader/ served as plain files rather than executed.
}
Lastly, if you are using the WordPress integration (via the FishPig plugin), add the following location block to protect the WordPress admin interface too:
location ~ ^/wp/(wp-admin|wp-login\.php) {
    include allowed-ips-only.conf;
    try_files $uri $uri/ /wp/index.php;
    if (!-e $request_filename) { rewrite / /wp/index.php?$args last; } ## Catch 404s that try_files misses
    expires off; ## Do not cache dynamic content
    fastcgi_read_timeout 360;
    fastcgi_pass unix:/var/run/php-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_buffer_size 128k;
    fastcgi_buffers 4 256k;
    fastcgi_busy_buffers_size 256k;
    client_max_body_size 32M;
    include fastcgi_params;
}
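As an added example that is not part of the original post, the following Python script simulates the decision Nginx would make for a given client address and request URI, using the same three location patterns and an allow list in the format of step 1 (the conf text and its 10.0.0.0/8 range are constructed). It assumes these blocks are the first regex locations to match, and it reflects that location ~ is case-sensitive, so /Admin/ is not covered by the pattern.

```python
"""Added example: offline simulation of the article's allow/deny and location rules."""
import ipaddress
import re

# Same patterns as the three location blocks above (PCRE and Python re agree here).
PROTECTED_LOCATIONS = [
    re.compile(r"^/(index\.php/)?admin/?"),
    re.compile(r"^/downloader/?"),
    re.compile(r"^/wp/(wp-admin|wp-login\.php)"),
]

# Constructed stand-in for /etc/nginx/allowed-ips-only.conf; CIDR ranges are valid too.
ALLOWED_IPS_CONF = """\
allow 1.1.1.1;     # My Home IP
allow 2.2.2.2;     # My Work IP
allow 10.0.0.0/8;  # Office VPN range (constructed)
deny all;
"""
RULE_RE = re.compile(r"^(allow|deny)\s+(\S+?)\s*;$")

def parse_rules(conf_text):
    """Return [(action, network_or_None)] in file order; None stands for 'all'."""
    rules = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:  # e.g. a missing semicolon, which nginx -t would also reject
            raise ValueError(f"line {lineno}: not an allow/deny rule: {raw!r}")
        action, target = m.groups()
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules

def ip_allowed(rules, client_ip):
    """ngx_http_access_module semantics: the first matching rule decides; no match means allowed."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or ip in net:  # 'ip in net' is False across IPv4/IPv6
            return action == "allow"
    return True

def decide(rules, client_ip, uri):
    """403 if a protected location matches and the client is not trusted, else 'pass'."""
    path = uri.split("?", 1)[0]  # location matching ignores the query string
    if any(loc.match(path) for loc in PROTECTED_LOCATIONS) and not ip_allowed(rules, client_ip):
        return 403
    return "pass"
```

Running decide() over the (client IP, URI) pairs from an access log shows how many of the requests against the admin paths would have been rejected at the Nginx layer.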
Not only does this secure your Magento store, but it also saves the CPU time that would otherwise be spent serving malicious, hacker-initiated requests, since Nginx rejects them with a 403 before they ever reach PHP!