Changed the password to Magento

Hope someone can help. I had some work done by a freelance Magento expert, and in no way am I saying he has done everything wrong, but I just want to secure my site down. He did some work 2-3 months ago; after the work was finished I changed the passwords to both my server and the Magento back-end, and I also changed the URL of the Magento back-end login. I then needed some more work done a few days ago; he emailed me saying that the password had changed, so he changed the password to Magento and also the URL of the back-end login. I was a bit shocked that he could do this without knowing the new password to the Magento back-end. Could anyone tell me how to lock down the site so this type of thing is not possible?

4 REPLIES

Re: Changed the password to Magento

Hello @paulpsp

You should always be careful about your Magento security. It's better to create admin roles and give them access to only those parts of your site which are needed to complete their work.

Additionally, you can use 2-factor authentication to secure your store login even better.

You can have a look at this extension https://amasty.com/magento-security-suite.html which combines all the needed security modules, such as Advanced Permissions, the 2-Factor Authentication I mentioned above, Backup and Admin Actions Log. Each of them can also be bought separately.

Re: Changed the password to Magento

An important step in securing your Magento is to be aware of and stay on top of anything that is going on inside your files.

Security module MageFence offers a number of great monitoring features for your Magento:

  • you get an email notification every time a user with admin privileges logs in
  • you can see all the changes made by admin users in the Admin Activity log
  • the module scans for changes on a regular basis and notifies you every time a change in your files is found
  • it also gives you a list of all changed files, so you can confirm the changes you have made yourself and pinpoint the suspicious ones
  • it detects users with admin privileges that are created by injecting directly into the database, and notifies you immediately

Furthermore, you can easily protect the access points to your Magento backend (Admin Panel Login and Magento Connect Manager) from the backend and without losing functionality. It also comes with built-in Two-Factor Authentication, which adds another step to the login process, so you can prevent unauthorized access even if an attacker somehow gets hold of your password.

It also has a checklist feature that will give you a quick insight into all important issues regarding the security of your Magento.

Bottom line, it is like a surveillance system for your online store: nothing can go down without you knowing it. I suggest you take a look at it, because it is a pretty good security solution that doesn't let things like changes to your files or any kind of hack attack slip under the radar. http://www.extensionsmall.com/mage-fence-security.html

Re: Changed the password to Magento

Hi @paulpsp

The following basic steps may also be helpful:

1) Keep a note of all the credentials you share with the developer, such as MySQL, FTP, SFTP, phpMyAdmin, purchased extension accounts, cPanel, etc.

Always share only the necessary credentials. Once the work is complete, change the credentials.

2) Do not give root user access until it is required.

3) Keep your admin access IP-restricted (use a static IP).

Temporarily whitelist the developer's IP.

4) Create a user and role with access only to the required sections of the admin panel.

5) Try to use version control instead of giving direct access to FTP or SFTP. It will be easier for you to see what code has been changed.

Re: Changed the password to Magento

There is one thing you should know -- once someone has access to the webstore file system he can run a script to generate a new user or change a password. It's also possible to play around with the database and whatnot. Having access to the file system is kind of a master key to everything.

Developers like me sometimes have dozens of sites to take care of. It's annoying as hell to remember every password on every system, even when using LastPass or some equivalent (not really suitable for SSH passwords). Some people use the same password for every site (security risk) or something based on the server (another security risk), but it's much safer to use SSH keys. This approach replaces passwords altogether and everyone worth their salt uses it instead. I'm pretty sure that even though you changed the server passwords, you didn't change his keys, so he was able to log in anyway.

Tanel Raja
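The last reply's point, that a contractor's SSH key survives a server password change, is easiest to act on with an inventory of every installed key. The following is an added example, not from this thread or from Magento, in Python: it reads the authorized_keys files of root and each /home account, computes SHA256 fingerprints in the same form `ssh-keygen -lf` prints, and flags any key the owner does not recognise so it can be removed. The account names, key blobs and the known-fingerprint set in SAMPLE are constructed, not real keys.

```python
import base64
import hashlib
import shlex
from pathlib import Path

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def fingerprint(blob_b64):
    # Same SHA256 form that `ssh-keygen -lf` prints, so lists can be compared directly.
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line):
    # authorized_keys format: [options] key-type base64-blob [comment]
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    fields = shlex.split(line)  # keeps command="..." options together as one field
    for i, field in enumerate(fields):
        if field in KEY_TYPES and i + 1 < len(fields):
            return {"type": field, "options": fields[:i], "comment": " ".join(fields[i + 2:]),
                    "fingerprint": fingerprint(fields[i + 1])}
    return None

def audit(keys_by_account, known_fingerprints):
    # Every installed key, flagged known only if the owner recognises its fingerprint.
    findings = []
    for account, text in sorted(keys_by_account.items()):
        for line in text.splitlines():
            entry = parse_line(line)
            if entry:
                entry.update(account=account, known=entry["fingerprint"] in known_fingerprints)
                findings.append(entry)
    return findings

def load_from_disk(home_root="/home", root_home="/root"):
    # Read root's and every /home account's authorized_keys; run as root on the server.
    keys = {}
    for home in [Path(root_home)] + sorted(Path(home_root).glob("*")):
        path = home / ".ssh" / "authorized_keys"
        if path.is_file():
            keys[home.name] = path.read_text()
    return keys

def _sample_blob(seed):
    # Constructed ed25519-shaped blob (not a real key) so the sample decodes cleanly.
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()).decode()
# Constructed sample input standing in for what load_from_disk() would return on the server.
SAMPLE = {"root": f"ssh-ed25519 {_sample_blob(b'owner')} owner@laptop\n",
          "magento": f"# deploy account\nno-pty ssh-ed25519 {_sample_blob(b'dev')} freelancer@dev\n"}
OWNER_KNOWN = {fingerprint(_sample_blob(b"owner"))}
```

On a real server, replace SAMPLE with `load_from_disk()` and OWNER_KNOWN with the fingerprints of the keys you issued yourself; any entry reported with `known` False is a key to delete from that account's authorized_keys.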