How To Configure An Admin CAPTCHA In Magento 2 Admin Panel

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a verification method that makes sure that a human being is interacting with websites. It can be used for admin login and customer logins.

You can click the Reload button to reload the CAPTCHA. The CAPTCHA is configurable and can be set to display every time or only after some failed login attempts.


CAPTCHA can be added to the admin login box. Administrators can reload CAPTCHA by clicking the Reload icon

To configure an admin captcha, follow these steps:

Stores > Configuration > On the left of the panel, under Advanced, click Admin > Set Store View to “Default.” > Open the CAPTCHA tab and follow these steps:

  • Set Enable CAPTCHA in Admin to “Yes.”
  • Enter the Font for the CAPTCHA symbols. Default font: LinLibertine.
  • You can add your font by putting the font file in the same directory as your Magento instance, declare in the config.xml file of the Captcha module at app/code/Magento/Captcha/etc.
  • Select the Forms where the CAPTCHA is to be used:

Admin Login

Admin Forgot Password

  • Set Displaying Mode to one of these options:
Always CAPTCHA is always required to log in the Admin.
After a number of attempts to login In the field Number of Unsuccessful Attempts to Login, enter the number of login attempts allowed. Input 0 to Displaying Mode to Always. This option does not cover the Forgot Password form. If CAPTCHA is enabled and configured to display on this form, then it is always included on the form.
  • Enter the Number of Unsuccessful Attempts to Login before the CAPTCHA displays. If enter 0, the CAPTCHA is always used.
  • In the CAPTCHA Timeout (minutes) field, enter the number of minutes before the CAPTCHA expires. When the CAPTCHA expires, the user must reload the page.
  • Enter the Number of Symbols used in the CAPTCHA, the maximum number is eight.
  • In the Symbols Used in the CAPTCHA field, specify the symbols that can be used in the CAPTCHA.
  • Set Case Sensitive to “Yes” to require that users enter the characters exactly as shown
  • Click Save Config.

Customer CAPTCHA

You can configure to force the customer to enter the CAPTCHA each time to login or after a certain time of login failed.

Follow these steps to configure a Storefront CAPTCHA:

Stores > Configuration > Configuration > Customer Configuration > Open the CAPTCHA tab and do these steps:

  • Set Enable CAPTCHA on Frontend to “Yes.”
  • Enter the name of the font for CAPTCHA symbols.
  • Choose the Forms
  • Set Displaying Mode
  • Enter the Number of Unsuccessful Attempts to Login
  • CAPTCHA Timeout (minutes): Enter the minutes before the CAPTCHA expires
  • Enter the Number of Symbols in the CAPTCHA, the maximum number is eight.
  • Specify the symbols that can be used in the CAPTCHA in the Symbols Used in the CAPTCHA
  • Set Case Sensitive to “Yes” to include uppercase and lowercase in your CAPTCHA.
  • Click Save Config

A Complete Tutorial On Configuring Admin Security In Magento 2 Admin Panel

Configuring Security In Magento 2 Admin Panel is an important work. The first thing you have to do after installed Magento on the server implements a custom admin URL. In the default installation of Magento, the admin password must be seven or more characters long including uppercase, lowercase, numbers, and symbols.

For higher security, you can implement two-factor authentication that generates a token on the mobile device.

The Admin Security Configuration allows store administrators to add a secret key to URLs, require a password to be case sensitive, restrict admin sessions length, the lifetime of the password, the number of login attempts before the system lock admin user account. For additional security, the Admin login can require a CAPTCHA.

Security (1)
Security (1)

Follow these steps to configure Admin security:

  1. On the admin sidebar, click Stores. Under Settings, click Configuration.
  2. On the left of the panel under Advanced, click Admin.
  3. Open the Security tab and do these steps:
  • Set Admin Account Sharing to “No” so admin cannot login from the same account on different devices.
  • To set the method that is used to manage password reset requests, set Password Reset Protection Type:
By IP and Email You can reset the password online after received a response from the notification is sent to the email address integrated with the Admin account.
By IP You can reset the password online without additional confirmation.
By Email You can reset the password only by responding by email to the notification that is sent to the email address integrated with the Admin account.
None Only the store administrator can reset the password.
  • Recovery Link Expiration Period (hours): enter the number of hours a password recovery link remains valid.
  • Max Number of Password Reset Requests: determine the maximum number of password requests that can be submitted per hour.
  • Min Time Between Password Reset Requests field: enter the minimum number of minutes that must pass between password reset requests.
  • Add Secret Key to URL: Append a secret key to the Admin URL as a precaution against exploits, set to “Yes.”
  • Set Login is Case Sensitive to “Yes” to require that the use of uppercase and lowercase characters in any login processes entered match what is stored in the system.
  • Admin Session Lifetime (seconds): determine the length of an Admin session before it times out, the value must be 60 seconds or higher.
  • Maximum Login Failures to Lockout Account: Enter the number of times a user can log in to the Admin account before it is locked. In the default installation, six attempts are allowed. Empty the field for unlimited login attempts.
  • Lockout Time (minutes) field: enter the minutes that an Admin account is locked when reached the maximum number of attempts.
  • Password Lifetime (days): Enter the number of days a password is valid to limit the lifetime of Admin passwords. For an unlimited lifetime, leave the field blank.
  • Set Password Change to one of these options:
Forced Requires to change Admin users passwords after the account is set up.
Recommended Recommends changing Admin users passwords after the account is set up.
  1. Click Save Config

Admin Password Requirements

Password An Admin password must be at least seven characters long including uppercase, lowercase, numbers and symbols.


A Fast Action Plan For Magento 2 Security

On the previous article, we described a complete guideline of security best practice for Magento 2 platform users. However, sometimes you forget to check the security of your website and hackers can break into your website and compromise your business. In this article, we will describe an action plan, so you will know what you have to do when suspect that your site is compromised.

DIAGNOSE. Scan your website to establish the security status of your Magento store. is a recommended service for free to all Magento users.
CLEAN. Contact a qualified consultant or online service to clean your site of all malicious code. The most recommended from Magento users is Sucuri Website Malware Removal.

  • Remove the leftover executable code in /media folder.
  • Remove unknown Admin users and reset all Admin passwords.
PROTECT. Update your Magento installation and security patches

REPORT. If you have found a vulnerability in Magento, send a description of the problem with technical details to
UPGRADE. For additional peace of mind that comes from 24/7 support, plan your upgrade now to Magento Commerce Cloud.

Above is a fast action plan for Magento 2 security, we hope that you don’t have to use this action plan, or at least you can follow this list to defend yourself against hackers and protect your online store from malicious code. If you have more effective method to secure your online store, please leave a comment or contact us directly, and we will update this article as soon as possible. On the next blog post about Security For Magento 2, we will describe tutorial on configuring Admin Security. See you in the next blog post.

A Complete Guideline Of Security Best Practice For Magento 2 Platform Users

Because of the personal, payment and credit card information that is required to complete a sale, hackers are always aiming to eCommerce sites. When a website is hacked, customers might suffer money loss and private identity theft, and merchants suffer lost of merchandise, their reputations collapse. In this guideline, we will describe a multifaceted approach to enhance the security system of your Magento installation, so you can make your online store secure and avoid being hacked.

  • Start Right

Choose the reliable hosting providers and solution integrators. When checking their qualifications, check their approach to security. Make sure that they pentest their code for security issues, and they have a standard secure software development life cycle, for example, The Open Web Application Security Project (OWASP).

Launching your site or upgrade to run it over securely, encrypted HTTPs

  • Protect the environment

Update all software and security patches on your server, including other websites and database software.

Server Environment

Secure the server operating system. Your hosting provider must ensure that they do not install any unnecessary software on the server.
Manage files using SSH/SFTP/HTTPS, and disable FTP.
To protect system files when using the Apache web server, Magento includes .htaccess files. If you use another web server such as Nginx, make sure to protect all system files and directories. For a sample Nginx configuration, see magento-nginx.conf on GitHub.
Use secure and unique passwords (at least 20 characters including uppercase, lowercase, numbers, and symbols) and change them periodically.
Update the software and security patches.
Check any issues that are reported for software components used by your Magento installation, including the operating system, MySQL database, PHP, Redis (if used), Apache or Nginx, Memcached, Solr, and any other components in your specific configuration.
Restrain access to the cron.php file to only required users. For example, restrict access by IP address. If possible, block access entirely and execute the command using the system cron scheduler.

Advanced Techniques

Automate the deployment process, if possible, and use private keys for data transfer.
Restrain access to the Magento Admin by list all IP address of computers that are authorized to use the Admin and Magento Connect downloader. To know how to whitelist IP addresses, please read: Secure Your Magento Admin.
Do not install extensions directly on a production server. Block or remove access to the /downloader directory to disable the Magento Connect downloader on the production site. Use the same whitelisting methods if necessary.
Use two-factor authorization for Admin logins. Some extensions provide additional security by requiring a generated passcode on your phone or a token from a particular device.
Check your server for “development leftovers.” Clear all available log files, publicly visible .git directories, tunnels to execute SQL, database dumps, phpinfo files, or any other unprotected files that are not required, and might be used for hacking.
Restrain outgoing connections to only those that are required, such as for payment integration.
Use a Web Application Firewall to block all suspicious traffic, such as credit card information being sent to a hacker.

Server Applications

Secure all applications running on the server.
Try not to run other software on the same server as Magento, especially if it is accessible from the Internet. Vulnerabilities in blog applications such as WordPress can leak personal information from Magento database. Install such software on a different server or virtual machine.
Update the software and security patches.

Admin Desktop Environment


Secure the computer that is used to access the Magento Admin.
Update your antivirus software, and use a malware scanner. Do not install any unknown programs, or click suspicious links.
Use a password manager tool, for example, LastPass, 1Password, or Dashlane to create and manage secure, unique passwords. Use a secure password to log in to the computer (20 characters including uppercase, lowercase, numbers and special characters), and change it periodically.
Do not save FTP passwords in FTP programs, because they are often penetrated by malware and used to infect servers.
  • Protect Magento


Update the Magento installation and security patches to enhance security.
Use a unique, custom Admin URL to avoid to scripts that try to hack into every Magento site.

Check with your hosting provider before using a custom Admin URL. Some hosting providers require a standard URL to meet firewall protection rules.

Block access to any development, staging, or testing systems. Use IP whitelisting and .htaccess password protection. When compromised, such systems can produce a data leak or be used to attack the production system.
Use the correct file permissions. Set core Magento and directory, including app/etc/local.xml files to read-only.
Use a secure password for the Magento Admin (20 characters including uppercase, lowercase, numbers and special characters).
Use all security-related configuration settings of Magento for Admin Security, Password Options, and CAPTCHA.
  • Don’t be Taken for a Ride
Only download and install extensions from trusted sources. Review extensions for security issues before installing them.
Do not click suspicious links or email.
Do not unveil the password to your server or the Magento Admin, unless you are required to do so.
  • Be Prepared!
Build a disaster recovery/business continuity backup plan.
Backup your server and database automatically to an external location. A typical setup requires daily incremental backups, with a full backup on a weekly basis. To verify that data can be restored, test the backup regularly.
For a large site, simple text file dumps of the database take a long time to restore. To deploy a professional database backup solution, work with your hosting provider.
  • Monitor for Signs of Attack

To check for signs of attack, complete a security review periodically, and also when contacted by customers with security-related concerns.

Security Review

Check for unauthorized Admin users periodically.
Use automated log review tools such as Apache Scalp.
To install and set up an Intrusion Detection System on your network and review server logs for suspicious activity, work with your hosting provider.
Use a file and data integrity checking tool such as TripWire to receive notification of any potential malware installation.
Monitor all system logins (FTP, SSH) for unexpected activity, uploads, or commands.
  • Follow Your Disaster Recovery Plan

In case your website is compromised, work with your IT security team, hosting provider and system integrator to decide the scope of the attack. Focus on consideration the type of compromise and the size of the store. Then, adjust the following recommendations to your business needs.

  1. Block access to the site, so the hacker cannot erase evidence or steal more data.
  2. Backup the current site, which will include evidence of the installed malware or compromised files.
  3. Determine the scope of the attack. Was credit card data accessed? What type of data was stolen? Was the data encrypted? How much time has passed since the compromise? Typically you can expect the following types of attack:
Deface Site access is compromised, but often the payments information is not. User accounts might be compromised.
Botnet Hackers use your site as a botnet that spams email. Although data is not compromised, your server is blacklisted by spam filters.
Direct Attack on Server Data is compromised, malware and backdoors are installed, and the site is down. Payment information – provided that it is not stored on the server – is probably safe.
Silent Card Capture (Phishing) Hackers install hidden malware or card capture software or possibly modify the checkout page to phishing credit card data. Such attacks can go secretly for a long time, and result in a significant compromise of customer accounts and financial information.
  1. Try to find the attack vector to decide how and when the site was compromised. Read server log files and file changes. Sometimes there are multiple different attacks on the same system.
  2. If possible, format and reinstall everything. In the case of virtual hosting, create a new instance. Malware might be hidden in an unsuspected location, just waiting to restore itself. Remove all unnecessary files. Then, reinstall all required files from a known, clean source.
  3. Update security patches.
  4. Reset all credentials, including the database, file access, payment and shipping integrations, web services, and Admin login.
  5. If payment information was compromised, it might be necessary to contact your payment processor.
  6. Contact your customers about the attack and the type of information affected. If payment information was compromised, they should check for unauthorized transactions. If personal data including email addresses was compromised, they might be targeted with phishing or spam.

A Complete Guideline Of Security In Magento 2

In the previous articles, we described alternative media storage in Magento 2 including several tutorials on using the database and using the Content Delivery Network. In this article, we will describe security best practices, tutorial on managing Admin sessions and certifications, implement CAPTCHA, and maintain website restrictions.

For security reason, please visit a Magento Security Center and sign up the Security Alert Registry to receive the latest news about potential vulnerabilities and best practices. Don’t forget to set up a Security Scan for each domain in your Magento 2 installation.

Security Center
Security Center

A Security Scan provides a function to monitor each of your Magento sites for known security risks, and to receive patch updates and security notifications. From the Security Scan, store administrators can get the status of the real-time security in the store, schedule security scan weekly, daily, or on demand, receive reports with the results of security tests and the recommended actions for each failed test.

Security Scan
Security Scan

The Security Scan tool is in the dashboard of Magento account. For further information about security, please read the tutorial on how to run the security scan, security best practice and security action plan.

Above is an insight into the security system in Magento 2, we hope that you can find useful information from this article and build the best protection for your shopping website. In the next article, we will describe a complete guideline of security best practice in Magento 2 installation. Keep tracking Magestandard by subscribe us to read further information about security in Magento 2.