Magento Commerce, 2.0.11

Magento 2.0.18 is the final 2.0.x release. After March 2018, Magento 2.0.x will no longer receive security patches, quality fixes, or documentation updates. To maintain your site's performance, security, and PCIPayment Card Industry: Refers to debit and credit cards and their associated businesses. compliance, upgrade to the latest version of Magento.

Admin Security

For increased security, you can configure the length of keyboard inactivity before the current session expires, and require the user name and password to be case-sensitive. For additional security, the AdminThe password-protected back office of your store where orders, catalog, content, and configurations are managed. loginThe process of signing into an online account. can be configured to require a CAPTCHA.


Security

To configure Admin security:

1. On the Admin sidebarThe right or left column of a two-column page layout., tap Stores. Then under Settings, choose Configuration.
2. In the panel on the left, under Advanced, choose Admin. Then, do the following:
a. To append secret key to the Admin URLUniform Resource Locator: The unique address of a page on the internet. to protect against exploits, set Add Secret Key to URLs to “Yes.” This setting is enabled by default.
b. To require the user name and password to have the same upper-and lowercase characters as those that are saved in the system, set Login is Case Sensitive to “Yes.”
c. To require Admin users to sign in again after a period of keyboard inactivity, set Admin Session Lifetime (seconds) to a number greater than 60. To not set a limit on the length of a session, leave the field blank.
d. In the Maximum Login Failures to Lockout Account field, enter the number of times Admin users can try to log in before their accounts are locked.
e. In the Lockout Time (minutes) field, enter the number of minutes an Admin account is locked before the user can try to log in again.
f. In the Password Lifetime (days) field, enter the number of days an Admin password can be used before it expires.
g. If you want to require Admin users to change their passwords before they expire, set Password Change to “Forced.”
3. When complete, tap Save Config.