Magento Commerce, 2.2.x

Magento 2.2.x Notice: As outlined by the Magento Software Lifecycle Policy, Magento 2.2.x has reached the End-of-Support and will no longer receive quality fixes or documentation updates. To maintain your site's performance, security, and PCIPayment Card Industry: Refers to debit and credit cards and their associated businesses. compliance, upgrade to the latest version of Magento.

The online Magento 2.2.x User Guide is scheduled for removal, but will remain available in PDF for Open Source, Commerce, and Commerce for B2B.

Configuring Admin Security

Magento recommends that you take a multifaceted approach to protect the security of your store. You can begin by using a custom Admin URL that is not easy to ascertain, rather than the obvious “AdminThe password-protected back office of your store where orders, catalog, content, and configurations are managed.” or “Backend.” By default, passwords that are used to log in to the Admin must be seven or more characters long, and include both letters and numbers. As a best practice, use only strong Admin passwords that include a combination of letters, numbers, and symbols.

For increased security, consider implementing two-factor authentication that generates a token on a separate device. To learn more, see the selection of security-related extensions on Magento Marketplace.

The Admin security configuration gives you the ability to add a secret key to URLs, require passwords to be case sensitive, and to limit the length of Admin sessions, the lifetime of passwords, and the number of loginThe process of signing into an online account. attempts that can be made before the Admin user account is locked. For increased security, you can configure the length of keyboard inactivity before the current session expires, and require the user name and password to be case-sensitive. For additional security, the Admin login can be configured to require a CAPTCHA.

For technical information, see Security overview in the developer documentation.

To configure Admin security:

1. On the Admin sidebar, tap Stores. Then under Settings, choose Configuration.
2. In the panel on the left under Advanced, choose Admin.
3. Expand the Security section. Then, do the following:
a. To prevent Admin users from logging in from the same account on different devices, set Admin Account Sharing to "No."
b. To determine the method that is used to manage password reset requests, set Password Reset Protection Type to one of the following:
  • By IP and Email

    The password can be reset online after a response is received from the notification is sent to the email address associated with the Admin account.

    By IP

    The password can be reset online without additional confirmation.

    By Email

    The password can be reset only by responding by email to the notification that is sent to the email address associated with the Admin account.


    The password can be reset only by the store administrator.

c. In the Recovery Link Expiration Period (hours) field, enter the number of hours a password recovery link remains valid.
d. To determine the maximum number of password requests that can be submitted per hour, enter the Max Number of Password Reset Requests.
e. In the Min Time Between Password Reset Requests field, enter the minimum number of minutes that must pass between password reset requests.
f. To append a secret key to the Admin URL as a precaution against exploits, set Add Secret Key to URLs to “Yes.” This setting is enabled by default.
g. To require that the use of upper- and lowercase characters in any login credentials entered match what is stored in the system, set Login is Case Sensitive to “Yes.”
h. To determine the length of an Admin session before it times out, enter the duration of the session in seconds, in the Admin Session Lifetime (seconds) field. The value must be 60 seconds or greater.
i. In the Maximum Login Failures to Lockout Account field, enter the number of times a user can try to log in to the Admin before the account is locked. By default, six attempts are allowed . Leave the field empty for unlimited login attempts.
j. In the Lockout Time (minutes) field, enter the number of minutes that an Admin account is locked when the maximum number of attempts is met.
k. To limit the lifetime of Admin passwords, enter the number of days a password is valid in the Password Lifetime (days) field. /For an unlimited lifetime, leave the field blank.
l. Set Password Change to one of the following:
  • Forced

    Requires that Admin users change their passwords after the account is set up.


    Recommends that Admin users change their passwords after account is set up.

4. When complete, tap Save Config.
  • Admin Password Requirements




    By default, an Admin password must be seven or more characters long, and include both letters and numbers.