Magento 2.x Admin Security

Navigate to Admin Panel > Stores > Configuration > Advanced > Admin and expand the Security section.

The following settings control how the admin login is protected. The defaults listed are the ones Magento 2 ships with.

  • Admin Account Sharing: default No. With Yes, the same admin account can be logged in from several computers at once; with No, a new login terminates the account's other sessions, which makes credential sharing and a hijacked session easier to notice. Keep the default.
  • Password Reset Protection Type: default By IP and Email. Chooses how password reset requests are counted for rate limiting: by the requesting IP, by the target email address, or by both. Only choose None if something else in front of the admin rate-limits reset requests.
  • Recovery Link Expiration Period (hours): default 2. How long the password reset link sent by email stays valid. Keep it at a few hours at most; a link that stays valid for days is a standing credential sitting in a mailbox.
  • Max Number of Password Reset Requests: default 5. Number of reset requests allowed per hour. Setting 0 removes the limit and lets anyone flood an admin's mailbox with reset emails; not recommended.
  • Min Time Between Password Reset Requests: default 10 (minutes). Minimum delay between two reset requests for the same account or IP; 0 removes the delay.
  • Add Secret Key to URLs: default Yes. Every admin URL then carries a per-session key parameter, which is Magento's cross-site request forgery (CSRF) protection for the admin: a forged link or form from another site does not know the key and is rejected. This is unrelated to response headers such as Strict-Transport-Security or Content-Security-Policy, which are configured at the web server. Never set this to No on a production site.
  • Login is Case Sensitive: default No. With No, "Admin" and "admin" are the same user name; with Yes the user name comparison is case sensitive, which slightly enlarges the search space for a brute-force attacker. Passwords are always case sensitive regardless of this setting.
  • Admin Session Lifetime (seconds): default 900 (15 minutes). Idle time after which the admin must log in again. Magento accepts values from 60 to 31536000 (one year). In production do not go above 900: a longer lifetime widens the window in which a stolen session cookie stays usable.
  • Maximum Login Failures to Lockout Account: default 6. Number of consecutive failed logins after which the account is locked. Leaving the field empty allows unlimited attempts, which switches brute-force protection off.
  • Lockout Time (minutes): default 30. How long a locked account stays locked before the admin can try again. It is not a periodic timeout; it only applies after the failure limit above is reached.
  • Password Lifetime (days): default 90. Age after which the admin password expires and must be changed. Leaving the field empty disables expiry entirely; not recommended in production.
  • Password Change: default Forced. With Forced, an admin whose password is older than the Password Lifetime must change it before the panel can be used; with Recommended, only a reminder is shown and the old password keeps working.
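To check these settings on a running store without clicking through the panel, here is an added example (my code, not code from this page or from Magento) that audits the output of `bin/magento config:show admin/security` against the baseline described above. The config paths and their shipped defaults are the ones in the Magento_Security and Magento_User system.xml files as I recall them, so treat them as assumptions and verify them against your installation; the constructed sample output deliberately contains the weak values this page warns about (a 24-hour session, no secret key in URLs, unlimited login failures, no password expiry).

```python
"""Audit Magento 2 admin security settings from `bin/magento config:show` output.

Added example, not Magento code. Config paths and defaults are assumptions taken
from memory of Magento_Security / Magento_User system.xml; verify in your install.
"""
import sys

# Bounds Magento's backend model enforces for admin/security/session_lifetime,
# and the ceiling recommended for production (15 minutes).
SESSION_MIN, SESSION_MAX = 60, 31536000
PROD_SESSION_MAX = 900

# Shipped defaults (assumed). A path missing from config:show output means
# "Use system value", so the audit falls back to these.
DEFAULTS = {
    "admin/security/admin_account_sharing": "0",                       # No
    "admin/security/password_reset_protection_type": "1",              # 1 = By IP and Email, 0 = None
    "admin/emails/password_reset_link_expiration_period": "2",         # hours
    "admin/security/max_number_password_reset_requests": "5",          # per hour, 0 = unlimited
    "admin/security/min_time_between_password_reset_requests": "10",   # minutes, 0 = no delay
    "admin/security/use_form_key": "1",                                # Add Secret Key to URLs = Yes
    "admin/security/session_lifetime": "900",                          # seconds
    "admin/security/lockout_failures": "6",                            # empty = unlimited attempts
    "admin/security/lockout_threshold": "30",                          # minutes
    "admin/security/password_lifetime": "90",                          # days, empty = never expires
    "admin/security/password_is_forced": "1",                          # 1 = Forced, 0 = Recommended
}


def parse_config_show(text):
    """Parse "path - value" lines as printed by `bin/magento config:show`.

    An empty value (the line ends in " -") is kept as "" because Magento reads
    an empty field as "unlimited" or "disabled" for several of these settings.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith(" -"):
            config[line[:-2].strip()] = ""
        elif " - " in line:
            path, _, value = line.partition(" - ")
            config[path.strip()] = value.strip()
    return config


def _num(value):
    """int(value), or None when the field is empty or not numeric."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def _limited(value):
    """True when a limit is actually in force (0 or empty means unlimited)."""
    return bool(_num(value))


# (path, predicate that must hold, message when it does not)
CHECKS = [
    ("admin/security/admin_account_sharing", lambda v: v == "0", "Admin Account Sharing is Yes; set it to No"),
    ("admin/security/use_form_key", lambda v: v == "1", "Add Secret Key to URLs is No; admin CSRF protection is off"),
    ("admin/security/password_reset_protection_type", lambda v: v != "0", "reset protection is None; reset requests are not rate limited"),
    ("admin/security/max_number_password_reset_requests", _limited, "0/empty = unlimited reset e-mails per hour"),
    ("admin/security/min_time_between_password_reset_requests", _limited, "0/empty = no delay between reset requests"),
    ("admin/emails/password_reset_link_expiration_period", lambda v: 0 < (_num(v) or 0) <= 2, "reset link should expire within the default 2 hours"),
    ("admin/security/lockout_failures", _limited, "empty/0 = unlimited login attempts; brute-force lockout disabled"),
    ("admin/security/lockout_threshold", _limited, "lockout time is 0; a locked account unlocks immediately"),
    ("admin/security/password_lifetime", lambda v: 0 < (_num(v) or 0) <= 90, "empty = passwords never expire; above 90 days exceeds the default"),
    ("admin/security/password_is_forced", lambda v: v == "1", "Password Change is Recommended; expired passwords keep working"),
]


def audit(config):
    """Return a list of (path, value, message) findings; an empty list passes."""
    cfg = {**DEFAULTS, **config}
    findings = [(path, cfg[path], msg) for path, ok, msg in CHECKS if not ok(cfg[path])]
    # Session lifetime has two thresholds: Magento's hard range and the production ceiling.
    path = "admin/security/session_lifetime"
    secs = _num(cfg[path])
    if secs is None or not SESSION_MIN <= secs <= SESSION_MAX:
        findings.append((path, cfg[path], f"outside Magento's accepted range {SESSION_MIN}-{SESSION_MAX} seconds"))
    elif secs > PROD_SESSION_MAX:
        findings.append((path, cfg[path], f"{secs} s exceeds the {PROD_SESSION_MAX} s recommended for production"))
    return findings


# Constructed sample of config:show output carrying the weak values this page warns about.
SAMPLE = "\n".join([
    "admin/security/admin_account_sharing - 0",
    "admin/security/session_lifetime - 86400",   # 24 h, the value the CLI example later on this page sets
    "admin/security/use_form_key - 0",
    "admin/security/lockout_failures -",          # empty = unlimited
    "admin/security/password_lifetime -",         # empty = never expires
    "admin/security/password_is_forced - 1",
])

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    results = audit(parse_config_show(text))
    for path, value, message in results:
        print(f"FAIL {path} = {value!r}: {message}")
    print("OK: baseline holds" if not results else f"{len(results)} finding(s)")
    sys.exit(1 if results else 0)
```

Run it as `bin/magento config:show admin/security | python3 audit_admin_security.py` on the store; with no input it audits the built-in sample and reports four findings. Paths absent from the output are on their system default and are filled in from DEFAULTS, and the non-zero exit status lets the script gate a deployment pipeline.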

Magento 2.x, How To Select a Strong Password

There are two places where a customer or the site admin must set a strong password:

[1] Customer Account Registration Page

[2] Admin Account Creation Page

For both, the original suggestion is a free online random password generator:

https://pwdmaker.com

Bear in mind that a password produced on a third-party web site has been seen by that site. Prefer a password manager or a generator that runs locally, never reuse a password across sites, and for admin accounts combine the password with the two-factor authentication that Magento 2.4 enables by default.
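As an added example (my code, not the page's or Magento's), here is a local generator that draws from the operating system's CSPRNG through Python's secrets module and checks the result against both password policies. The policy numbers are assumptions from memory: Magento's admin rule of at least 7 characters containing both letters and digits, and the customer defaults customer/password/minimum_password_length = 8 and customer/password/required_character_classes_number = 3. Adjust them to match your store's configuration.

```python
"""Generate admin/customer passwords locally and check them against Magento's rules.

Added example, not Magento code. The policy numbers are assumed defaults (see lead-in).
"""
import secrets
import string

# Letters, digits and punctuation; leaves out quotes, backslash and whitespace,
# which are awkward to type or paste into a login form.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:;,.?"


def character_classes(password):
    """Count the classes the customer policy counts: lower, upper, digit, special."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def meets_admin_policy(password):
    """Admin rule (assumed): at least 7 characters with both letters and digits."""
    return (len(password) >= 7
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def meets_customer_policy(password, min_length=8, required_classes=3):
    """Customer rule (assumed defaults): minimum length and number of character classes."""
    return len(password) >= min_length and character_classes(password) >= required_classes


def generate_password(length=20):
    """Draw from the OS CSPRNG until the result satisfies both policies.

    A 20-character draw from an 85-symbol alphabet carries about 128 bits of
    entropy and almost always passes on the first try, so the loop is short.
    Lengths below 12 are refused as too weak for an account that matters.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        password = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_admin_policy(password) and meets_customer_policy(password):
            return password


if __name__ == "__main__":
    for _ in range(3):
        print(generate_password())
```

The generator never leaves the machine it runs on, and the two check functions can be reused on their own to validate a password a user has chosen before it is submitted to the registration or admin user form.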

Magento 2.4.1 Features

  • Support for PHP 7.4
  • Support for Elasticsearch 7.7 and above
  • Support for MySQL 8.0
  • Support for MariaDB 10.4
  • Support for RabbitMQ 3.8
  • Support for Redis 5.0
  • Support for Varnish 6.2
  • Support for Apache 2.4
  • Support for Nginx 1.x
  • Elasticsearch is the default catalog search engine
  • The MySQL catalog search engine has been deprecated
  • The Braintree payment module has been removed from core
  • Support for PWA Studio 8.0
  • CAPTCHA protection for payment-related and order-related API endpoints and for the storefront Place Order page, which makes automated card-testing (carding) attacks harder
  • Support for the SameSite cookie attribute, required by Google Chrome's new cookie classification
  • 15 security enhancements that close cross-site scripting (XSS) and remote code execution (RCE) vulnerabilities
  • Page Builder 1.4.0, with a full-screen mode that makes editing content across the workspace easier
  • Adobe Stock integration 2.1.0
  • Infrastructure improvements in Customer, Account, Catalog, Content Management System, Order Management System, Import/Export, Promotions & Targeting, Cart & Checkout, Staging and Preview
  • New Media Gallery for the admin, in which merchants can bulk-delete images and filter images by storefront area
  • The Zend Framework has been deprecated in favour of the Laminas project
  • Advanced MSI (Multi-Source Inventory) features
  • Two-factor authentication (2FA) for the admin, enabled by default since 2.4.0
  • Advanced GraphQL features for PWA Studio


Magento 2.x To Increase Admin Session Timeout

There are three methods to increase the Admin Session Timeout. Before using any of them, remember the trade-off: a longer lifetime keeps a stolen or unattended admin session usable for longer, so use long values only on development machines and keep production at or below the 900 second default.

Method 1: By Using a Database SQL Query

core_config_data has a unique key on (scope, scope_id, path), so a plain INSERT fails once the row exists, and it exists as soon as the value has ever been saved from the Admin. Insert or update in one statement, then flush the cache, because Magento serves configuration from cache rather than from the table:

INSERT INTO `core_config_data` (`scope`, `scope_id`, `path`, `value`)
VALUES ('default', 0, 'admin/security/session_lifetime', '1800')
ON DUPLICATE KEY UPDATE `value` = '1800';

By default the Admin Session Lifetime is 900 seconds; the minimum is 60 and the maximum is 31536000 seconds (one year). The Admin and the config:set command validate against that range, while a direct SQL write bypasses the validation, so stay within it.

Method 2: By Using a CLI Command

php bin/magento config:set admin/security/session_lifetime 86400 && php bin/magento cache:flush

This example sets 86400 seconds (24 hours), which is appropriate for a development box only. Confirm the stored value with php bin/magento config:show admin/security/session_lifetime.

Method 3: By Using the Magento 2 Admin

  • In the Admin Panel
  • Stores > Configuration
  • Advanced > Admin > Security section: uncheck Use system value for Admin Session Lifetime (seconds), enter the value in seconds and click Save Config


Magento 2.x Create SEO Friendly URL

Setting web/seo/use_rewrites to 1 removes index.php from storefront URLs. It relies on the web server forwarding requests to index.php (Magento's .htaccess for Apache, nginx.conf.sample for nginx); without that, the rewritten URLs return 404. There are two methods.

Method 1: By Using a Database SQL Query

SELECT * FROM core_config_data WHERE path = 'web/seo/use_rewrites';
UPDATE core_config_data SET value = 1 WHERE path = 'web/seo/use_rewrites';

The UPDATE changes nothing if the SELECT returns no row; in that case insert the row with scope 'default', scope_id 0, path 'web/seo/use_rewrites' and value 1. Flush the cache afterwards (php bin/magento cache:flush).

Method 2: By Using the Magento 2 Admin

  • Go to the Admin Panel
  • Stores > Settings > Configuration
  • In the left panel, under General, select Web
  • Open the Search Engine Optimization section
  • Set Use Web Server Rewrites to Yes and click Save Config

Magento 2.x Remove Version From URL

When Sign Static Files is enabled, Magento appends a deployment version to static file URLs (/static/version1234567890/...). That number is a cache-busting signature, not a security control: turning it off hides the deploy timestamp, but it also means browsers and CDNs can keep serving old CSS and JavaScript after a deploy unless you purge their caches yourself. There are two methods.

Method 1: By Using a Database SQL Query, inserting into core_config_data (or updating the row if it already exists, since scope, scope_id and path form a unique key)

INSERT INTO core_config_data (scope, scope_id, path, value)
VALUES ('default', 0, 'dev/static/sign', 0)
ON DUPLICATE KEY UPDATE value = 0;

Flush the cache afterwards (php bin/magento cache:flush).

Method 2: By Using the Magento 2 Admin

  • Log in to the admin panel
  • Go to Stores > Configuration
  • Under Advanced, select Developer (this section is only shown in developer mode; in production mode use the SQL or the config:set command instead)
  • Expand Static Files Settings
  • Set Sign Static Files to No and click Save Config

Magento 2.4 Features

  • Support for PHP 7.4
  • Support for Elasticsearch 7.x
  • Support for MySQL 8.0
  • Support for MariaDB 10.4
  • Elasticsearch is the catalog search engine
  • The MySQL catalog search engine has been deprecated
  • The Braintree payment module has been removed from core
  • Support for PWA Studio 6.0
  • Support for Apache 2.4.43 and Nginx 1.19.1
  • Page Builder 1.4.0
  • The Zend Framework has been deprecated in favour of the Laminas project
  • The Authorize.Net, eWay, CyberSource and Worldpay payment integrations have been removed
  • Advanced MSI (Multi-Source Inventory) features
  • Two-factor authentication (2FA) for the admin, enabled by default
  • Advanced GraphQL features
  • Enhanced Adobe Stock integration 2.0


Magento 2.x Activate Flat Catalog [Category & Product]

The flat catalog was a speed optimization for older releases: it denormalizes the EAV attribute tables into one flat table per store view. Adobe's documentation no longer recommends it for 2.3.x and later, so measure before enabling it.

The Admin steps are as follows.

  • Go to the Admin Panel
  • Stores > Settings > Configuration
  • In the left panel, under Catalog, select Catalog
  • Open the Storefront section
    • Choose Yes in the Use Flat Catalog Category field.
    • Choose Yes in the Use Flat Catalog Product field.
  • Click Save Config, then build the flat tables: php bin/magento indexer:reindex catalog_category_flat catalog_product_flat


Magento 2.x RMA (Return Merchandise Authorization)

Magento 2 RMA (Return Merchandise Authorization), a feature of the Commerce (Adobe Commerce) edition, lets customers request the return or replacement of purchased items. It also covers guest customers: a shopper who placed an order without creating an account can still submit an RMA request for that order.