Recently, the number of Magento-related security incidents has risen significantly, so restricting access to the Magento admin area has become increasingly essential. The easiest way to protect the Magento backend from password-guessing attacks is to allow only trusted IP addresses to reach it.

In this guide, I will show you two ways to restrict access to the Magento admin area. A couple of minutes of configuration can drastically reduce the security risk.

Restrict access to Magento 2 admin

Restrict IP addresses in Apache

  • Step 1: Log in to your server through cPanel, FTP or SSH and navigate to the root of your Magento installation.
  • Step 2: Open the .htaccess file in your text editor and add the following lines directly after the RewriteEngine on line. The IP patterns are anchored with $ so that 10.1.1.10 does not also match 10.1.1.100:
RewriteCond %{REQUEST_URI} ^/(index\.php/)?admin(.*) [NC]
RewriteCond %{REMOTE_ADDR} !^10\.1\.1\.10$
RewriteCond %{REMOTE_ADDR} !^10\.1\.1\.12$
RewriteRule .* - [F,L]
  • Step 3: If you have changed your admin URL, update it in the first line. For example, if you changed it to backoffice, the first line becomes:
RewriteCond %{REQUEST_URI} ^/(index\.php/)?backoffice(.*) [NC]
  • Step 4: Add one line like the following for every IP address or range that should be able to reach the admin area, replacing the sample IP. The conditions are combined with AND, so a request to the admin path is refused only when it matches none of the allowed addresses:
RewriteCond %{REMOTE_ADDR} !^10\.1\.1\.10$
  • Step 5: Finally, save the .htaccess file and verify the change by opening the Magento admin area in your browser: it should load from an allowed address and return 403 Forbidden from any other.
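As an added example (not part of the original post or of Magento), a small POSIX shell helper that builds the .htaccess rules above for any admin path and list of addresses, escaping the dots and anchoring each pattern so that 10.1.1.10 does not also admit 10.1.1.100, plus a check that shows which client addresses the generated patterns would admit. The function names and the trailing-dot prefix convention are assumptions of this example.

```shell
#!/bin/sh
# Builds the .htaccess allow-list rules for an admin path and a list of
# addresses, and checks which client addresses they would admit.
# Added example: helper names are assumptions, not Magento's own tooling.

# Turn an address into the pattern used by RewriteCond: dots are escaped
# and the pattern is anchored at both ends, so 10.1.1.10 no longer matches
# 10.1.1.100. An argument ending in a dot (e.g. "10.1.1.") is treated as a
# network prefix and anchored only at the start.
ip_pattern() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    case $1 in
        *.) printf '^%s' "$esc" ;;
        *)  printf '^%s$' "$esc" ;;
    esac
}

# Print the RewriteCond/RewriteRule block for ADMIN_PATH with one negated
# condition per allowed address: the request is forbidden only when it
# hits the admin path AND matches none of the allowed addresses.
gen_htaccess_rules() {
    admin_path=$1
    shift
    printf 'RewriteCond %%{REQUEST_URI} ^/(index\\.php/)?%s(.*) [NC]\n' "$admin_path"
    for ip in "$@"; do
        printf 'RewriteCond %%{REMOTE_ADDR} !%s\n' "$(ip_pattern "$ip")"
    done
    printf 'RewriteRule .* - [F,L]\n'
}

# Report whether CLIENT would be admitted by the allow-list: prints "allow"
# (exit 0) if any pattern matches it, otherwise "deny" (exit 1).
check_ip() {
    client=$1
    shift
    for ip in "$@"; do
        if printf '%s\n' "$client" | grep -Eq "$(ip_pattern "$ip")"; then
            echo allow
            return 0
        fi
    done
    echo deny
    return 1
}

# Rules for the default admin path and two trusted addresses (constructed).
gen_htaccess_rules admin 10.1.1.10 10.1.1.12
# Prints "deny": the anchored pattern does not admit 10.1.1.100.
check_ip 10.1.1.100 10.1.1.10 10.1.1.12 || true
```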

Restrict IP addresses in Nginx

  • Step 1: Log in to your server through cPanel, FTP or SSH and locate your nginx.conf. Its location depends on your installation, but it is normally under /usr/local/nginx/.
  • Step 2: Open the nginx.conf file in your text editor and add the following block inside the server block for your store, before its other regex location blocks (Nginx uses the first matching regex location, so a later position could let the admin request be handled elsewhere). The block assumes that the @proxy named location, typically the one that passes PHP requests to PHP-FPM, is already defined elsewhere in your configuration; Nginx will refuse to load the file otherwise. The allow and deny rules are inherited by the nested location, so PHP requests under the admin path are covered too:
location ~* ^/(index\.php/admin|admin) {
    allow 1.1.1.1;
    deny all;

    try_files $uri $uri/ /index.php?$args;
    location ~* \.php$ { try_files /dummy @proxy; }
}
  • Step 3: If you have changed your admin URL, update it in the first line. For example, if you changed it to backoffice, the first line becomes:
location ~* ^/(index\.php/backoffice|backoffice) {
  • Step 4: Add one allow line for every IP address or range that should be able to reach the admin area, replacing the sample IP (a range is written in CIDR form, for example 10.1.1.0/24), and keep deny all after them:
allow 1.1.1.1;
  • Step 5: Finally, save the nginx.conf file, check it with /usr/local/nginx/sbin/nginx -t so that a typo cannot take the site down, and reload the configuration with this command:
# /usr/local/nginx/sbin/nginx -s reload

Conclusion

In the guide above, we have explained how to restrict access to the Magento 2 admin by ensuring that only whitelisted IP addresses can reach the admin area on your Apache or Nginx web server. Both methods rely on the client address the web server sees: if your store sits behind a load balancer, CDN or reverse proxy, that address belongs to the proxy, so configure real-client-IP handling (mod_remoteip for Apache, the realip module for Nginx) before relying on these rules. We hope you find this helpful when managing your Magento store's security. If you still need help, please contact us or leave a comment below.