How to Configure the Admin Security in Magento 2: Quick Tutorial

The Magento platform is well-known for its comprehensive security approach, and Magento store owners should take advantage of its effective solutions to fully protect their stores against hacker attacks.

In this article, we describe how to configure admin security in a Magento 2 web store so that potentially dangerous activity in its backend is prevented in time. So, let’s start.

Magento 2 Admin Security Configuration

With the Magento 2 admin security configuration, you can add a secret key to URLs, create case-sensitive passwords, limit the duration of admin sessions as well as the password validation period and the number of login attempts that can be made before an admin account is locked, and so on. Let’s consider the whole configuration process in more detail.

First, click Stores on the left sidebar of the Magento 2 Admin Panel. Then, choose Configuration in the Settings section.

Next, expand the Advanced section on the left panel of the Configuration window that opens and choose Admin. In the Admin menu, expand the Security section.

Admin Security Configuration

Now, set up the Admin Account Sharing option by choosing between the following variants:

  • Yes – users will be able to log in to the same account from multiple devices.

  • No – the account will be accessed from a particular device. This is the default option that enhances the security of a store.

Next, choose the method used to manage password reset requests. To do this, in the Password Protection Type field, choose one of the following options:

  • By IP and Email – the password can be reset in the online mode after the response is received in the form of a reset notification sent to the related email address.

  • By IP – the password can be reset in the online mode with no additional confirmation.

  • By Email – the password reset is possible only by responding to the email reset notification.

  • None – only the store admin can reset the password.

In the Recovery Link Expiration Period (hours) field, set the number of hours during which a password recovery link is valid.

To set the maximum number of password reset requests that can be submitted per hour, enter the required value in the Max Number of Password Reset Requests field.

In the Min Time Between Password Reset Requests field, specify the minimum interval (in minutes) between password reset requests.

For additional website protection, you can also add a secret key to your Admin URL. To do this, set the Add Secret Key to URLs option to Yes.

To make the login and password values case-sensitive, choose Yes in the Login is Case Sensitive field.

Next, determine the length of a single admin session by specifying the required value (in seconds) in the Admin Session Lifetime (seconds) field.

With the Maximum Login Failures to Lockout Account option, you can define the maximum number of login attempts before the account is disabled. If you want to allow an unlimited number of attempts, leave the corresponding field empty.

Note that if you set the maximum number of login attempts, you should also specify the lockout time (in minutes) in the following option. This value is the number of minutes for which the admin account is disabled once the specified number of login attempts is reached.

In the Password Lifetime (days) field, set the number of days during which the password is valid. If you want the password to have an unlimited validity period, just leave this field empty.

Last, decide on the Password Change option by choosing between the two variants in the corresponding box:

  • Forced – store admins will be required to change their passwords once the account is set up.

  • Recommended – store admins will be prompted (but not required) to change their passwords after setting up the account.

You can set the default value for each of the above-described options by ticking the Use system value boxes next to each field.

The configuration of the admin security is completed. Now, click on the Save Config button at the top of the Configuration page to apply the settings.
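
Once the settings are saved, they can be reviewed outside the admin panel. The following is an added example, not part of the original tutorial and not Magento code: it audits an exported set of admin security values and reports the choices this tutorial describes as weaker (account sharing, no secret key, empty "unlimited" fields, a failure limit without a lockout time). The `admin/security/...` paths and the "1"/"0" encodings are assumptions based on a stock Magento 2 installation, and the sample values are constructed.

```python
# Added example, not Magento code. Config paths and the "1"/"0" encodings
# are assumptions based on stock Magento 2; verify against your instance.
P = "admin/security/"

# Constructed sample export (path -> value), e.g. rows from core_config_data.
SAMPLE_CONFIG = {
    P + "admin_account_sharing": "1",   # Yes
    P + "use_form_key": "0",            # Add Secret Key to URLs = No
    P + "use_case_sensitive_login": "1",
    P + "session_lifetime": "900",
    P + "lockout_failures": "6",
    P + "lockout_threshold": "",        # lockout time left empty
    P + "password_lifetime": "",        # empty = unlimited
    P + "password_is_forced": "0",      # Recommended
}


def explicit(config, key):
    """Stripped value for a setting, or None when the row is absent
    (treated here as 'Use system value': nothing to judge)."""
    value = config.get(P + key)
    return None if value is None else str(value).strip()


def audit_admin_security(config):
    """Return (setting, finding) pairs for values the tutorial marks as weaker."""
    findings = []
    if explicit(config, "admin_account_sharing") == "1":
        findings.append(("admin_account_sharing", "account usable from multiple devices"))
    if explicit(config, "use_form_key") == "0":
        findings.append(("use_form_key", "admin URLs carry no secret key"))
    failures = explicit(config, "lockout_failures")
    if failures == "":
        findings.append(("lockout_failures", "unlimited login attempts"))
    elif failures is not None and explicit(config, "lockout_threshold") == "":
        findings.append(("lockout_threshold", "failure limit set but no lockout time"))
    if explicit(config, "password_lifetime") == "":
        findings.append(("password_lifetime", "password never expires"))
    if explicit(config, "password_is_forced") == "0":
        findings.append(("password_is_forced", "password change only recommended"))
    return findings


if __name__ == "__main__":
    for setting, finding in audit_admin_security(SAMPLE_CONFIG):
        print(f"{setting}: {finding}")
```

Settings missing from the export are skipped, since the "Use system value" default applies to them and the export alone does not show what that default is.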

Note that Magento has specific requirements for admin passwords: they must be at least seven characters long and include both letters and numbers.

The provider also recommends implementing several additional measures to enhance the admin security, including the CAPTCHA configuration. Let’s briefly consider this method.


CAPTCHA is a visual tool that verifies that a site is accessed by a human, not a robot. To pass the verification, a user should enter the symbols displayed on the picture in the corresponding field below.

Customers can reload the image displayed in CAPTCHA by clicking on the Reload button. The number of reloads is limited.

To learn how to configure the admin CAPTCHA for your store, read the official user guide.


With the Magento platform, web store admins can fully protect the backend area of their stores against any unauthorized access. All admin security settings can be quickly and seamlessly configured in the system’s admin panel.

Still, admin security is not the only aspect that should be taken into consideration by merchants when protecting their stores. Check our blog posts about Magento Security scan tool and illegitimate customer payments protection to find out what else can be done to make the work with a store more secure.