Magento 2.x Admin Security

Navigate to Admin Panel > Stores > Configuration > Advanced > Admin and expand the Security section.

The following settings make the Admin more secure:

  • Admin Account Sharing: Default No. If set to Yes, the same admin account can be logged in from multiple computers at once; keeping the default No is the more secure choice.
  • Password Reset Protection Type: Default By IP and Email. If the admin wants to limit reset requests by IP or by Email only, select the IP or Email value from the drop-down.
  • Recovery Link Expiration Period (hours): Default 2 hours. This is how long the password reset link sent to the admin's email address stays valid when a password has been forgotten; a value greater than 1 is recommended.
  • Max Number of Password Reset Requests: Default 5, allowing only 5 reset requests per hour. To remove the limit, change the default value of 5 to 0.
  • Min Time Between Password Reset Requests: Default 10, the minimum delay in minutes between two password reset requests (together with the limit of 5 requests per hour above). To remove this limit, change the default value.
  • Add Secret Key to URLs: Default Yes. The secret key appended to Admin URLs protects against cross-site request forgery (CSRF) and related cross-site attacks such as cross-site scripting (XSS), so it is highly recommended never to select No from the drop-down.
  • Login is Case Sensitive: Default No. If the admin wants user names to be matched case-sensitively at login, select Yes from the drop-down.
  • Admin Session Lifetime (seconds): Default 900 seconds (15 minutes). The admin can set his own duration in seconds; in production, more than 900 seconds (15 minutes) is not recommended.
  • Maximum Login Failures to Lockout Account: Default 6 attempts; after 6 failed attempts the Admin account is locked. Enter the number of times a user can try to log in to the Admin before the account is locked, or leave the field empty for unlimited login attempts.
  • Lockout Time (minutes): Default 30 minutes. Once the account has been locked after too many failed attempts, it stays locked for this period before the admin can log in again.
  • Password Lifetime (days): Default 90 days, after which the password must be changed. The admin can set a value greater than 90 days; if the field is left empty, Password Lifetime is disabled and a password change is never requested, which is never recommended in production.
  • Password Change: Default Forced. With Password Lifetime set to 90 days, this dropdown decides what happens when the lifetime expires: with Recommended, changing the password is not mandatory; with Forced, the admin panel can be accessed only after the password has been changed.
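The settings above live in Magento's core_config_data and can be read from the command line, which makes it possible to audit a store against the recommendations in this list instead of clicking through the Admin. The script below is an added example, not code from the original post or from Magento; it assumes that the config paths used (admin/security/admin_account_sharing, admin/security/use_form_key, admin/security/session_lifetime, admin/security/lockout_failures, admin/security/password_lifetime, admin/security/password_is_forced, admin/security/max_number_password_reset_requests) match the store's core_config_data keys and that the input has the "path - value" shape printed by `bin/magento config:show`; verify both against your own store before relying on the result.

```shell
#!/bin/sh
# Added example (not from the original post): audit the Admin > Security
# values discussed above against the recommendations in the text.
# ASSUMPTION: the config paths below match Magento 2's core_config_data keys,
# and the input has the "path - value" shape of `bin/magento config:show`.

# Constructed sample input standing in for:
#   bin/magento config:show admin/security
# Replace it with the real output when auditing a store.
SAMPLE_CONFIG='admin/security/admin_account_sharing - 1
admin/security/use_form_key - 1
admin/security/use_case_sensitive_login - 0
admin/security/session_lifetime - 3600
admin/security/lockout_failures -
admin/security/lockout_threshold - 30
admin/security/password_lifetime -
admin/security/password_is_forced - 0
admin/security/max_number_password_reset_requests - 0'

# check_setting PATH VALUE: print a finding and return 1 when VALUE is weaker
# than the recommendation for PATH; return 0 when it is acceptable or when the
# path carries no recommendation in the text.
check_setting() {
  path=$1
  value=$2
  case $path in
    */admin_account_sharing)
      [ "$value" = "0" ] || { echo "WEAK $path=$value (Admin Account Sharing should be No)"; return 1; } ;;
    */use_form_key)
      [ "$value" = "1" ] || { echo "WEAK $path=$value (Add Secret Key to URLs should be Yes)"; return 1; } ;;
    */session_lifetime)
      # Empty or above 900 seconds (15 minutes) is not recommended in production.
      [ -n "$value" ] && [ "$value" -le 900 ] || { echo "WEAK $path=$value (session lifetime above 900 s)"; return 1; } ;;
    */lockout_failures)
      [ -n "$value" ] || { echo "WEAK $path empty (unlimited login attempts before lockout)"; return 1; } ;;
    */password_lifetime)
      [ -n "$value" ] || { echo "WEAK $path empty (password never expires)"; return 1; } ;;
    */password_is_forced)
      [ "$value" = "1" ] || { echo "WEAK $path=$value (Password Change should be Forced)"; return 1; } ;;
    */max_number_password_reset_requests)
      [ "$value" != "0" ] || { echo "WEAK $path=0 (unlimited password reset requests per hour)"; return 1; } ;;
  esac
  return 0
}

# audit_config: read "path - value" lines from stdin, print each finding, and
# print the number of weak settings as the last line of output.
audit_config() {
  weak=0
  while read -r path _dash value; do
    [ -n "$path" ] || continue
    check_setting "$path" "$value" || weak=$((weak + 1))
  done
  echo "$weak"
}

# Stand-alone run over the constructed sample: prints six findings, then "6".
printf '%s\n' "$SAMPLE_CONFIG" | audit_config
```

When a finding is confirmed, the value can be corrected either in the Admin screen described above or with `bin/magento config:set <path> <value>` followed by `bin/magento cache:flush`, using the same (assumed) paths; re-run the audit afterwards to confirm the change took effect.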
