
It’s a good idea to add extra protection to the admin section of a Magento site. If an attacker gained access to your site’s admin section, they would be able to read your customers’ private information and take full control of your site. That would allow them to take the site down completely, or to make malicious changes to its code that could harm your customers and visitors.
One of the best approaches to securing the Magento admin section is to allow only specific IP addresses to reach the admin panel. The code below does just that. Add it to the .htaccess file in your root folder. Note that in my trials, the code worked best if added within the <IfModule mod_rewrite.c> tag, and that this <IfModule mod_rewrite.c> tag should precede the existing <IfModule mod_rewrite.c> tag already in your Magento .htaccess file.
The Code
<IfModule mod_rewrite.c>
    ## Deny access to the admin section for all IPs. Allow access only to those listed below.
    ## First condition: the request is for the admin URL ([NC] = case-insensitive).
    RewriteCond %{REQUEST_URI} ^/(index\.php/)?admin [NC]
    ## One line per allowed address. The trailing $ makes the match exact rather than a prefix match.
    RewriteCond %{REMOTE_ADDR} !^12\.34\.131\.181$
    RewriteCond %{REMOTE_ADDR} !^56\.78\.156\.214$
    ## All conditions met (admin URL, address not on the list): answer 403 Forbidden and stop.
    RewriteRule .* - [F,L]
</IfModule>
In the code above, replace the two example addresses (12\.34\.131\.181 and 56\.78\.156\.214) with your own, keeping the backslashes before the dots, and add one further RewriteCond line for each additional address you want to allow.
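The decision those rules make, re-implemented in Python as an added test harness (this is not code from the post or from Magento) so the allowlist logic can be checked against sample requests before a live .htaccess is edited. The addresses are the post’s placeholder values; the second function shows the exact matching you get once each pattern ends in $ (or with Require ip on Apache 2.4), beside the unanchored prefix matching of the rules as originally written.

```python
import re
from ipaddress import ip_address, ip_network

# Mirrors the RewriteCond on REQUEST_URI; [NC] = case-insensitive.
ADMIN_URI = re.compile(r"^/(index\.php/)?admin", re.IGNORECASE)


def unanchored_rule_blocks(uri, remote_addr, allowed):
    """Emulate the rules as first written: every allowed address is a prefix
    regex (!^12\\.34\\.131\\.181) with no trailing '$'.
    Returns True when mod_rewrite would answer 403 ([F])."""
    if not ADMIN_URI.search(uri):
        return False  # not an admin URL: first condition fails, rule is skipped
    for addr in allowed:
        # RewriteCond %{REMOTE_ADDR} !^<escaped addr>  (prefix match only)
        if re.match("^" + re.escape(addr), remote_addr):
            return False  # a negated condition failed, so the rule does not fire
    return True


def hardened_rule_blocks(uri, remote_addr, allowed):
    """Same decision with exact address / CIDR matching, which is what a
    trailing '$' on each pattern (or Require ip) gives you."""
    if not ADMIN_URI.search(uri):
        return False
    try:
        client = ip_address(remote_addr)
    except ValueError:
        return True  # unparsable REMOTE_ADDR: fail closed
    return not any(client in ip_network(net) for net in allowed)


# Constructed sample requests: (request URI, REMOTE_ADDR, expected to be blocked)
ALLOWED = ["12.34.131.181", "56.78.156.214"]  # the post's placeholder addresses
SAMPLES = [
    ("/admin", "12.34.131.181", False),
    ("/index.php/admin/dashboard/", "56.78.156.214", False),
    ("/ADMIN/", "203.0.113.7", True),  # [NC]: case does not matter
    ("/customer/account/login/", "203.0.113.7", False),
]

if __name__ == "__main__":
    for uri, addr, expected in SAMPLES:
        assert unanchored_rule_blocks(uri, addr, ALLOWED) == expected
        assert hardened_rule_blocks(uri, addr, ALLOWED) == expected
    # The pitfall: a shorter allowlist entry without '$' also admits any
    # longer address that begins with the same digits.
    print(unanchored_rule_blocks("/admin", "12.34.131.181", ["12.34.131.18"]))  # False
    print(hardened_rule_blocks("/admin", "12.34.131.181", ["12.34.131.18"]))  # True
```

One further caveat the harness cannot model: behind a CDN or reverse proxy, REMOTE_ADDR is the proxy’s address, so the rule either locks everyone out or lets everyone through depending on whether the proxy is listed; the client address then has to be restored from a trusted forwarding header before this check runs.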