Long passwords are harder to guess. Once Advanced Password Requirements are enabled, the first thing you can do is make admin passwords longer: a password must be at least 8 characters, and the system rejects anything shorter.
Requiring mixed case is another layer of protection. With this feature enabled, a password that does not contain at least one letter of the other case is rejected. Even a single uppercase letter enlarges the set of candidates a brute-force attacker has to try, although it does not rescue a password built from a dictionary word.
Combining special characters with mixed case makes passwords far harder to brute-force. Once the special characters feature is enabled, every password must contain at least one character that is not a letter, such as a digit or a punctuation mark.
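The three requirements above are easy to mis-implement (a check that accepts "PASSWORD1" as mixed case, for instance). The following is an added example, not the extension's own code: a small validator that models the three switches as described on this page, plus a keyspace estimate that shows why each extra character class matters. The class and function names are mine; the default minimum of 8 comes from the text.

```python
import math


class PasswordPolicy:
    """Models the three Advanced Password Requirements described above:
    minimum length, mixed case, and at least one non-letter character.
    Hypothetical example code, not the extension's implementation."""

    def __init__(self, min_length=8, require_mixed_case=True, require_non_letter=True):
        self.min_length = min_length
        self.require_mixed_case = require_mixed_case
        self.require_non_letter = require_non_letter

    def violations(self, password):
        """Return the list of rules the password breaks (empty list = acceptable)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        has_lower = any(c.islower() for c in password)
        has_upper = any(c.isupper() for c in password)
        if self.require_mixed_case and not (has_lower and has_upper):
            problems.append("needs both upper- and lower-case letters")
        if self.require_non_letter and not any(not c.isalpha() for c in password):
            problems.append("needs at least one digit or symbol")
        return problems

    def is_acceptable(self, password):
        return not self.violations(password)


def brute_force_bits(password):
    """Size, in bits, of the search space an attacker who knows only which
    character classes are in use must cover. A dictionary word with one
    capital and a trailing digit scores far lower in practice, so this is an
    upper bound on strength, not a guarantee."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("admin123", "Admin123", "admin", "Tr0ub4dor&3"):
        print(f"{candidate!r:16} acceptable={policy.is_acceptable(candidate)!s:5} "
              f"bits={brute_force_bits(candidate):5.1f} {policy.violations(candidate)}")
```

Run it and compare "admin123" (rejected, about 41 bits) with "Admin123" (accepted, about 48 bits): the uppercase letter alone adds roughly six bits of search space at the same length, which is the "multiple variations" the feature description refers to.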
Based on admin user activity, the extension can detect and suspend accounts that behave suspiciously in your admin area, for example when a wrong password is entered too many times. You can set a limit on login failures for all admins; once it is exceeded, the account is locked out. A lockout can be temporary (for a specified number of minutes) or permanent. A locked user can also be locked or unlocked manually at System > Permissions > All Users.
The shorter a password's lifetime, the shorter the window in which a leaked password can be used against you. The period is up to you. Rotating the whole admin team's passwords once in a while is a good habit, and the extension enforces it automatically: when the lifetime expires, admin users are either forced to go to their account settings or recommended to change their password. Rotation is a secondary control next to lockout and two-factor authentication; it does not help against a password that is stolen and used immediately.
The more activity your admin team produces, the more login attempts there are, and the harder it is to spot suspicious ones among them. To prevent excessive use of an admin account on a single password, you can set a limit on logins per password: after a user has logged in the specified number of times, they have to update their password.
To make sure your team does not miss a password change, Security Suite can remind them. When the time comes, users are either forced or recommended to change their passwords.
Important note: setting all of these thresholds (password lifetime, logins per password, allowed login failures) to the lowest possible values gives the strictest protection Security Suite offers. Balance this against usability: a very low failure limit lets anyone who knows an admin username lock that admin out.
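The lockout, password lifetime, logins-per-password and force/recommend settings above interact, so it helps to see them in one place. The following is an added example that models the described behaviour; it is not the extension's code, and the class names, default thresholds and the 'ok' / 'recommend_change' / 'force_change' outcomes are mine.

```python
from datetime import datetime, timedelta


class AccountPolicy:
    """Thresholds discussed above. None disables a limit. Hypothetical example
    code modelling the described behaviour, not the extension's own code."""

    def __init__(self, max_failures=5, lockout_minutes=30,
                 password_lifetime_days=90, max_logins_per_password=100,
                 force_change=True):
        self.max_failures = max_failures
        self.lockout_minutes = lockout_minutes          # None => permanent lock
        self.password_lifetime_days = password_lifetime_days
        self.max_logins_per_password = max_logins_per_password
        self.force_change = force_change                # False => only recommend


class AdminAccount:
    def __init__(self, username, password_set_at):
        self.username = username
        self.password_set_at = password_set_at
        self.failures = 0                 # consecutive failed logins
        self.logins_since_change = 0
        self.locked_until = None          # datetime, or datetime.max for permanent

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until


class AdminAccess:
    def __init__(self, policy):
        self.policy = policy

    def record_failure(self, account, now):
        """Count a wrong password; lock the account once the limit is reached.
        Returns True if the account is locked after this attempt."""
        if account.is_locked(now):
            return True                   # attempts while locked are not counted
        account.failures += 1
        if account.failures >= self.policy.max_failures:
            if self.policy.lockout_minutes is None:
                account.locked_until = datetime.max
            else:
                account.locked_until = now + timedelta(minutes=self.policy.lockout_minutes)
            account.failures = 0          # a fresh window starts when the lock ends
        return account.is_locked(now)

    def unlock(self, account):
        """The manual unlock an administrator performs for a locked user."""
        account.locked_until = None
        account.failures = 0

    def record_success(self, account, now):
        """Correct password accepted. Returns 'ok', 'recommend_change' or
        'force_change' depending on password age and logins on this password."""
        if account.is_locked(now):
            raise PermissionError(f"{account.username} is locked out")
        account.failures = 0
        account.logins_since_change += 1
        p = self.policy
        expired = False
        if (p.password_lifetime_days is not None
                and now - account.password_set_at >= timedelta(days=p.password_lifetime_days)):
            expired = True
        if (p.max_logins_per_password is not None
                and account.logins_since_change >= p.max_logins_per_password):
            expired = True
        if not expired:
            return "ok"
        return "force_change" if p.force_change else "recommend_change"

    def change_password(self, account, now):
        account.password_set_at = now
        account.logins_since_change = 0


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0)
    gate = AdminAccess(AccountPolicy(max_failures=3, lockout_minutes=15, max_logins_per_password=2))
    alice = AdminAccount("alice", now - timedelta(days=10))
    print([gate.record_failure(alice, now) for _ in range(3)])      # third attempt locks
    later = now + timedelta(minutes=16)
    print(gate.record_success(alice, later), gate.record_success(alice, later))
```

Note that a permanent lock is modelled as `locked_until = datetime.max`, so only the manual `unlock` clears it, which matches the page's description of unlocking at System > Permissions > All Users.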
Cut off intruders by restricting which addresses can reach your admin area. If you want your admin team to log in only from fixed IP addresses, for example their work computers, add those addresses to the whitelist; logins from any other address are rejected.
To protect admin accounts against use from devices your employees do not control, you can add an SMS code to the login process. After a user submits login and password, they are asked for the SMS code they have just received. Each user registers a phone number and confirms it once. After the first user goes through 2FA, it is enabled for all admin users.
Important notice: before you enable IP whitelisting, make sure your own IP address is on the list. If it is not, you will not be able to log in to the admin panel the next time. The same applies to any colleague whose address changes, for example on a home or mobile connection.
Important notice: before configuring two-factor authentication via SMS for your store, you have to create an account on Twilio.com and configure a production API key; you will need it in the extension settings. You can find the precise instructions on Twilio configuration in the Security Suite user guide.
Combine both checks to confirm your team's identity before they reach sensitive information. In 'Both' mode the IP address is checked first, and only a user from a whitelisted address is then redirected to the mobile (SMS) confirmation page. In 'Combined' mode, only users who are not on the whitelist are redirected to SMS confirmation; whitelisted addresses log in with their password alone. These modes work best when your team is more than a few people and its membership changes over time.
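The 'Both' and 'Combined' modes are easy to confuse, and the notice about whitelisting your own address is a check that can be automated. The following is an added example, not the extension's code: it decides what happens after a correct login and password for each mode, and refuses to enable whitelisting if the current address is missing. 'ip_only' and 'sms_only' are my names for whitelist-only and SMS-only operation; accepting CIDR ranges as well as single addresses is my extension of the page's per-address list.

```python
import ipaddress


class AdminGate:
    """Decision made after a correct login and password have been supplied.
    Hypothetical example code, not the extension's implementation. 'both' and
    'combined' follow the modes named on the page; 'ip_only' and 'sms_only'
    are assumed names for whitelist-only and SMS-only operation. Whitelist
    entries may be single addresses or CIDR ranges (an extension of the page)."""

    MODES = ("ip_only", "sms_only", "both", "combined")

    def __init__(self, whitelist, mode):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        # strict=False lets '203.0.113.5/24' mean the whole /24 rather than erroring
        self.networks = [ipaddress.ip_network(entry, strict=False) for entry in whitelist]

    def ip_allowed(self, ip):
        addr = ipaddress.ip_address(ip)
        # 'in' returns False for a version mismatch (IPv6 address vs IPv4 network)
        return any(addr in net for net in self.networks)

    def decide(self, ip):
        """Return 'allow', 'deny' or 'require_sms'."""
        on_list = self.ip_allowed(ip)
        if self.mode == "ip_only":
            return "allow" if on_list else "deny"
        if self.mode == "sms_only":
            return "require_sms"
        if self.mode == "both":
            # IP is checked first; only whitelisted users reach the SMS page
            return "require_sms" if on_list else "deny"
        # combined: whitelisted users skip SMS, everyone else must confirm
        return "allow" if on_list else "require_sms"


def safe_to_enable_whitelist(whitelist, current_ip):
    """The check behind the notice above: do not switch on IP whitelisting
    unless the address you are connecting from right now is on the list."""
    return AdminGate(whitelist, "ip_only").ip_allowed(current_ip)


if __name__ == "__main__":
    office = ["203.0.113.0/24", "198.51.100.7"]        # constructed sample list
    for mode in AdminGate.MODES:
        gate = AdminGate(office, mode)
        print(f"{mode:9} office={gate.decide('203.0.113.42'):12} elsewhere={gate.decide('192.0.2.9')}")
    print("safe to enable from 192.0.2.9:", safe_to_enable_whitelist(office, "192.0.2.9"))
```

Running it shows the difference in one line each: in 'both', an address off the list is denied before any SMS is sent; in 'combined', the same address is allowed through once it confirms the SMS code.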
Once the cron job is enabled, Security Suite delivers a daily report on the current security status. It shows what needs to be updated and where possible weaknesses are located.
Don't wait for the daily report if something seems wrong with the store and you suspect a security issue: run a manual scan. The rescan button triggers a scan at any time, independently of the daily cron job, and gives instant results.
All you need is to specify:
The Logger settings let you set an appropriate lifetime for the data in the Login Attempts Grid and the Action Logger Grid on the server. If you need the login-attempt information later, for example for an investigation, enable export: the data is exported before the specified lifetime ends and the records are deleted.
The Login Attempts Grid at System > Security Suite > Login Attempts shows exactly when each admin logged into the admin panel. Use it to find unsuccessful logins and users with doubtful user agents, such as unusual browsers.
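The two paragraphs above describe what to look for in the Login Attempts Grid and how its retention works. The following is an added example that runs that logic over constructed sample rows; it is not the extension's code, and the record layout, the automation-token list and the function names are mine. The same block also shows the export-before-delete retention step from the Logger settings.

```python
from collections import Counter
from datetime import datetime, timedelta


class LoginAttempt:
    """One row of the Login Attempts Grid (assumed layout, not the extension's schema)."""

    def __init__(self, when, user, ip, success, user_agent):
        self.when, self.user, self.ip = when, user, ip
        self.success, self.user_agent = success, user_agent


# Tokens that identify scripted clients rather than a browser a colleague would use.
AUTOMATION_TOKENS = ("curl/", "python-requests", "wget/", "go-http-client", "sqlmap", "nikto")


def doubtful_agent(user_agent):
    """True for an empty agent, a non-browser agent, or a known automation tool."""
    ua = user_agent.strip().lower()
    if not ua.startswith("mozilla/"):
        return True
    return any(token in ua for token in AUTOMATION_TOKENS)


def flag_attempts(attempts):
    """Return (attempt, reasons) pairs for rows worth a second look."""
    flagged = []
    for attempt in attempts:
        reasons = []
        if not attempt.success:
            reasons.append("failed login")
        if doubtful_agent(attempt.user_agent):
            reasons.append("doubtful user agent")
        if reasons:
            flagged.append((attempt, reasons))
    return flagged


def failures_by_ip(attempts):
    """Count failed logins per source address, the quickest way to spot guessing."""
    return Counter(a.ip for a in attempts if not a.success)


def purge_expired(attempts, now, lifetime_days, export=None):
    """Retention as described above: rows older than the lifetime are handed to
    `export` (if given) and then dropped. Returns (kept, expired)."""
    cutoff = now - timedelta(days=lifetime_days)
    expired = [a for a in attempts if a.when < cutoff]
    kept = [a for a in attempts if a.when >= cutoff]
    if export is not None and expired:
        export(expired)
    return kept, expired


# Constructed sample rows, not real log data.
NOW = datetime(2024, 3, 10, 9, 0)
FIREFOX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0"
SAMPLE = [
    LoginAttempt(NOW - timedelta(days=40), "alice", "203.0.113.5", True, FIREFOX),
    LoginAttempt(NOW - timedelta(hours=3), "alice", "203.0.113.5", True, FIREFOX),
    LoginAttempt(NOW - timedelta(hours=2), "admin", "198.51.100.23", False, "python-requests/2.31.0"),
    LoginAttempt(NOW - timedelta(hours=2), "admin", "198.51.100.23", False, "python-requests/2.31.0"),
    LoginAttempt(NOW - timedelta(hours=1), "bob", "192.0.2.77", True, "curl/8.5.0"),
]


if __name__ == "__main__":
    for attempt, reasons in flag_attempts(SAMPLE):
        print(attempt.when, attempt.user, attempt.ip, ", ".join(reasons))
    print("failures by IP:", dict(failures_by_ip(SAMPLE)))
    kept, expired = purge_expired(SAMPLE, NOW, 30,
                                  export=lambda rows: print(f"exported {len(rows)} rows"))
    print(f"{len(kept)} rows kept after a 30-day lifetime")
```

The successful login from "bob" with a curl user agent is flagged even though the password was right: a correct password presented by a command-line client is exactly the kind of row the grid is meant to surface.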
To install a NEKLO extension on Magento 2, you need FTP or SSH access details for the server.
We have a qualified support team that is always there to help. We look forward to challenges and approach each of them with an open mind and nonstandard thinking. If there is a problem, we know the solution.
We have earned the right to be trusted and are proud of the work we have done. We have completed many projects and have many more to come, across a broad range of domains such as e-Business, Supply Chain Management, Pharmaceuticals, Healthcare, Education, Data Warehousing and more.
We deliver solutions that we know will work. 40% of our developers are Magento, Oracle and Zend certified. We are enthusiastic about what we do, we are experts in the field of eCommerce, and our portfolio is worth a look.