Configuring Security In Magento 2 Admin Panel is an important work. The first thing you have to do after installed Magento on the server implements a custom admin URL. In the default installation of Magento, the admin password must be seven or more characters long including uppercase, lowercase, numbers, and symbols.
For higher security, you can implement two-factor authentication that generates a token on the mobile device.
The Admin Security Configuration allows store administrators to add a secret key to URLs, require a password to be case sensitive, restrict admin sessions length, the lifetime of the password, the number of login attempts before the system lock admin user account. For additional security, the Admin login can require a CAPTCHA.
Follow these steps to configure Admin security:
- On the admin sidebar, click Stores. Under Settings, click Configuration.
- On the left of the panel under Advanced, click Admin.
- Open the Security tab and do these steps:
- Set Admin Account Sharing to “No” so admin cannot login from the same account on different devices.
- To set the method that is used to manage password reset requests, set Password Reset Protection Type:
|By IP and Email||You can reset the password online after received a response from the notification is sent to the email address integrated with the Admin account.|
|By IP||You can reset the password online without additional confirmation.|
|By Email||You can reset the password only by responding by email to the notification that is sent to the email address integrated with the Admin account.|
|None||Only the store administrator can reset the password.|
- Recovery Link Expiration Period (hours): enter the number of hours a password recovery link remains valid.
- Max Number of Password Reset Requests: determine the maximum number of password requests that can be submitted per hour.
- Min Time Between Password Reset Requests field: enter the minimum number of minutes that must pass between password reset requests.
- Add Secret Key to URL: Append a secret key to the Admin URL as a precaution against exploits, set to “Yes.”
- Set Login is Case Sensitive to “Yes” to require that the use of uppercase and lowercase characters in any login processes entered match what is stored in the system.
- Admin Session Lifetime (seconds): determine the length of an Admin session before it times out, the value must be 60 seconds or higher.
- Maximum Login Failures to Lockout Account: Enter the number of times a user can log in to the Admin account before it is locked. In the default installation, six attempts are allowed. Empty the field for unlimited login attempts.
- Lockout Time (minutes) field: enter the minutes that an Admin account is locked when reached the maximum number of attempts.
- Password Lifetime (days): Enter the number of days a password is valid to limit the lifetime of Admin passwords. For an unlimited lifetime, leave the field blank.
- Set Password Change to one of these options:
|Forced||Requires to change Admin users passwords after the account is set up.|
|Recommended||Recommends changing Admin users passwords after the account is set up.|
- Click Save Config
Admin Password Requirements
|Password||An Admin password must be at least seven characters long including uppercase, lowercase, numbers and symbols.|