Magento Tutorials

How to Stop Brute Force Attack in Magento 2

What is Brute Force Attack?

login form

Brute Force Attack is a hacking technique to break through a certain login form. The principle of Brute Force Attack is as simple as trial-and-error: Brute Force hackers use a program that automatically try plugging in values for username/password field, either one-by-one or parallel, with the hope of getting the right one. These values are taken out of available libraries of usernames/passwords that is formed by trying every possible combination of characters or data. These libraries are shared widely on the internet, sometimes even along with hacking tools.

How to prevent Brute Force Attack in Magento 2?

This simple type of hacking technique can be avoided by using these methods:

1. Limit the number of login attempt

In Magento, you can limit the number of login attempts by going into Store > Settings > Configuration > Advanced > Admin. In the Admin panel, expand Security and you should see a setting like so:

Maximum login attempts Magento 2

Simply uncheck Use system value and set the number of Maximum Login Failures to Lockout Account to your liking, and attackers won’t be able to brute force attack anymore.

2. Use custom Admin URL

Leaving your Admin URL by default ( would mean making it too easy for attackers to attack your website. In Magento, you can set a custom admin path of executing the following command:

php bin/magento setup:config:set --backend-frontname="newadminpath"

For example, with the following command

php bin/magento setup:config:set --backend-frontname="admin_simicart152"

Your new admin URL will be

3. Use security password enforcement tool to require users to use strong passwords.

In Magento 2, you are able to force users create highly secured passwords to avoid password-guessing using Password length, Minimum of different classes of characters in password (Lower Case, Upper Case, Digits, Special Characters), and so on.

4. Restrict Admin access by IP

You can also authorize only a certain number of IP addresses to access your Magento admin URL. By this way, attackers whose IP addresses are not on the list will find it harder to access your Magento Admin.

To set up the IP addresses that you want to be able to access your Admin URL, simply open the .htaccess file located in your Magento root folder and add the following lines:

RewriteCond %{REQUEST_URI} ^/(index.php/)?admin(.*) [NC]
RewriteCond %{REMOTE_ADDR} !^10\.1\.1\.10
RewriteCond %{REMOTE_ADDR} !^10\.1\.1\.12
RewriteRule .* - [F,L]

where ^/(index.php/)?admin(.*) is the path to your Admin panel. For example, if your admin URL is, we’ll need to change the first line to:

RewriteCond %{REQUEST_URI} ^/(index.php/)?admin_simicart152(.*) [NC]

And as for allowed IP addresses, you’ll want to change the values of REMOTE_ADDR to the IP addresses that you want to allow. For example, let’s say we want to allow only the IP address to access our admin URL (which is admin_simicart152), we’ll want to add the following lines into our .htaccess file:

RewriteCond %{REQUEST_URI} ^/(index.php/)?admin_simicart152(.*) [NC]
RewriteCond %{REMOTE_ADDR} !^10\.15\.2\.152
RewriteRule .* - [F,L]

5. Use captcha

Magento has its own library to include captcha in login form. You can also use popular captcha libraries like reCaptcha, Funcaptcha, solvemedia.


6.  Keep your Magento instance up-to-date

While this is kind of obvious, more recent Magento versions do come with security enhancements and other added benefits. To keep your store safe from brute force attacks and other malicious intents, always make sure that your Magento store is applied with the latest security patch

7. Last but not least, always use complicated password and change your password regularly.

Hope this helps!

See also:
Magento 2 Error: One or more indexers are invalid
Catalog Price Rules not working in Magento 2


A knowledge craver who always strive to be wiser everyday.

Notify of

Inline Feedbacks
View all comments