Magento 2 Admin Security Checklist

Installation and User Guide for Magento 2 Security Checklist Extension

Table of Contents

  1. Installation

    • Download Extension

    • Installation via app/code

    • Installation via Composer

  2. Security Checklist Report

    • Security Checklist Report

Installation

  • Download Extension: Once you have placed the order on our site, go to the Account section, click on My Downloadable Products, and download the extension package.

  • Installation via app/code: Upload the content of the module to your root folder. This will not overwrite the existing Magento folders or files; only the new contents will be added. After the package has been uploaded successfully, run the commands below from the Magento 2 root directory.

php bin/magento setup:upgrade
php bin/magento setup:di:compile
php bin/magento setup:static-content:deploy

  • Installation via Composer: Please follow the guide provided in the link below to complete the installation via Composer.

Configuration Settings for Security Base

Go to Admin > Stores > Configuration > Scommerce Configuration > Security Base

General Settings

  • Enabled – Select “Yes” or “No” to enable or disable the module.

  • License Key – Please add the license for the extension which is provided in the order confirmation email. Please note license keys are site URL specific. If you require license keys for dev/staging sites then please email us at support@scommerce-mage.com.

Configuration Settings for Security Checklist

Go to Admin > Stores > Configuration > Scommerce Configuration > Security Checklist

General Settings

  • Enabled Security Checklist: This setting enables or disables the admin security checklist.

  • Enable Database prefix check: This setting enables or disables the check for a database table prefix. The prefix is set in the app/etc/env.php file; for it to take effect, the table names in the database must be changed to match.

  • Enable FE Captcha check: This setting enables or disables the checks for frontend CAPTCHA. Go to Stores > Configuration > Security > Google reCAPTCHA Storefront to verify it.

  • Enable BE Captcha check: This setting enables or disables the checks for backend CAPTCHA. Go to Stores > Configuration > Security > Google reCAPTCHA Admin Panel and Stores > Configuration > Admin > CAPTCHA Storefront to verify it.

  • Enable Magento version check: This setting enables or disables the check for the Magento version and the latest security patches.

  • Enable Admin Users check: This setting enables or disables the check for admin user security, in particular usernames, the password lifetime policy and login activity. Go to Stores > Configuration > Advanced > Admin > Security, or go to System > Permissions > All Users to manage admin users.

  • Admin Usernames Stop List: A comma-separated list of usernames that should not be used for admin accounts.

  • Enabled Admin Path Check: This setting enables or disables the check for admin path security. The admin path is configured in the app/etc/env.php file; to change it, go to Advanced > Admin > Admin Base URL > Use Custom Admin Path.

  • Admin Path Stop List: A comma-separated list of paths that should not be used for the admin.

  • Enable Content Script Check: This setting enables or disables the check for scripts added in your content or configuration.

  • Enabled Checklist Check Cron Job: If enabled, the security checklist also checks whether admin 2FA is enabled or not.

  • Enabled Checklist Check Cron Job: This setting enables or disables the checklist cron job.

  • Checklist Cron Schedule: This lets you define the schedule, i.e. how often the cron job that clears the Login Attempts logs runs.

Security Checklist Report

Go to Admin > System > Scommerce Security> Security Checklist

Security Checklist Report

The Security Checklist grid uses three distinct statuses for the various checks: Warning, Error and Success.

  • Admin password Protection: If a password change is not forced, the user will see an error. If the lifetime is more than 90 days, the user will see a warning. If a password change is forced and the lifetime is less than 90 days, the user will see success.

  • Magento version check: If the version is outdated, the user will see an error. Otherwise, the user will see success.

  • Database Prefix check: If the table prefix is not set in the configuration file, the user will see an error. Otherwise, the user will see success.

  • Frontend ReCaptcha Protection: If all frontend forms are protected with reCAPTCHA, the user will see success. When only some forms are protected, the user will see a warning. If none of the forms are protected, the user will see an error.

  • Admin Captcha Protection: If all backend forms are protected with CAPTCHA, the user will see success. When only some forms are protected, the user will see a warning. If none of the forms are protected, the user will see an error.

  • Admin path protection: If the admin path does not contain words from the stop list, does not contain numbers or capital letters, and is at least 15 characters long, the user will see success. If any of these criteria is not fulfilled, the user will see a warning.

  • Admin usernames check: If a username contains words from the stop list or contains numbers, the user will see a warning. Otherwise, success.

  • Admin users activity check: If an admin account is unused, the user will see a warning. Otherwise, success.

  • Check for static scripts inserted from Config and CMS Pages: For static scripts in Configuration, CMS Blocks and CMS Pages, if a text field contains a static script, the user will see a warning. Otherwise, success.

  • Check for static scripts inserted from Product Attributes: For static scripts inserted by any product attribute, the user will see a warning with the name of the attribute. Otherwise, success.

  • Check for Admin 2FA: It also checks whether admin 2FA is enabled or not.
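The rules above (and the env.php-based prefix and admin path settings described in the configuration section) can be read as a small decision table. The following Python script is an added illustration of that table, not code from the extension or from Scommerce: it evaluates each check over a constructed store snapshot and returns Success, Warning or Error exactly as the report describes. The stop lists, the sample snapshot, the 90-day "unused account" threshold and the treatment of a lifetime of exactly 90 days as success are assumptions made here, since the page does not specify them.

```python
"""Added illustration of the Success/Warning/Error rules the checklist
report lists. Not the extension's code; sample data below is constructed."""
import re
from datetime import date
from typing import Dict, List, Optional, Tuple

SUCCESS, WARNING, ERROR = "Success", "Warning", "Error"

# Constructed stop lists; the extension reads these from the comma-separated
# "Admin Path Stop List" / "Admin Usernames Stop List" settings.
ADMIN_PATH_STOP_LIST = ("admin", "backend", "manage")
USERNAME_STOP_LIST = ("admin", "administrator", "root", "test")
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def check_password_policy(force_change: bool, lifetime_days: int) -> str:
    """Error if no forced change, Warning if lifetime > 90 days, else Success
    (exactly 90 days counted as Success; an assumption)."""
    if not force_change:
        return ERROR
    return WARNING if lifetime_days > 90 else SUCCESS


def check_admin_path(path: str, stop_list=ADMIN_PATH_STOP_LIST) -> str:
    """Success only with no stop-list word, no digit, no capital, >= 15 chars."""
    has_stop_word = any(word in path.lower() for word in stop_list)
    has_digit_or_upper = any(c.isdigit() or c.isupper() for c in path)
    return WARNING if has_stop_word or has_digit_or_upper or len(path) < 15 else SUCCESS


def check_username(username: str, stop_list=USERNAME_STOP_LIST) -> str:
    """Warning if the username contains a stop-list word or a digit."""
    if any(word in username.lower() for word in stop_list):
        return WARNING
    return WARNING if any(c.isdigit() for c in username) else SUCCESS


def check_captcha_coverage(form_protected: Dict[str, bool]) -> str:
    """All forms protected: Success; some: Warning; none: Error."""
    protected = sum(1 for on in form_protected.values() if on)
    if protected == 0:
        return ERROR
    return SUCCESS if protected == len(form_protected) else WARNING


def check_table_prefix(env: dict) -> str:
    """Error when app/etc/env.php carries no db table_prefix."""
    return SUCCESS if env.get("db", {}).get("table_prefix") else ERROR


def _version_key(version: str) -> Tuple[int, ...]:
    # "2.4.6-p3" -> (2, 4, 6, 3) so patch releases sort above the base release
    return tuple(int(p) for p in version.replace("-p", ".").split("."))


def check_magento_version(installed: str, latest: str) -> str:
    """Error when the installed release is older than the latest one given."""
    return ERROR if _version_key(installed) < _version_key(latest) else SUCCESS


def check_user_activity(last_login: Optional[date], today: date, unused_after_days: int = 90) -> str:
    """Warning for an unused account; 'unused' here (an assumption, the page
    gives no threshold) means never logged in or idle > unused_after_days."""
    if last_login is None or (today - last_login).days > unused_after_days:
        return WARNING
    return SUCCESS


def check_static_scripts(fields: Dict[str, str]) -> Tuple[str, List[str]]:
    """Warning, plus the offending field names, when any field holds a <script> tag."""
    flagged = [name for name, text in fields.items() if SCRIPT_TAG.search(text or "")]
    return (WARNING if flagged else SUCCESS), flagged


def run_report(snapshot: dict, today: date) -> Dict[str, str]:
    """Evaluate every check over one store snapshot and return name -> status."""
    env = snapshot["env"]
    report = {
        "Admin password Protection": check_password_policy(**snapshot["password"]),
        "Magento version check": check_magento_version(snapshot["version"], snapshot["latest_version"]),
        "Database Prefix check": check_table_prefix(env),
        "Frontend ReCaptcha Protection": check_captcha_coverage(snapshot["frontend_forms"]),
        "Admin Captcha Protection": check_captcha_coverage(snapshot["admin_forms"]),
        "Admin path protection": check_admin_path(env["backend"]["frontName"]),
        "Check for static scripts": check_static_scripts(snapshot["content_fields"])[0],
    }
    user_results = [check_username(u) for u in snapshot["users"]]
    report["Admin usernames check"] = WARNING if WARNING in user_results else SUCCESS
    activity = [check_user_activity(d, today) for d in snapshot["users"].values()]
    report["Admin users activity check"] = WARNING if WARNING in activity else SUCCESS
    return report


# Constructed snapshot mimicking the env.php keys and admin settings the checks read.
SAMPLE_SNAPSHOT = {
    "env": {"db": {"table_prefix": ""}, "backend": {"frontName": "Admin2023"}},
    "password": {"force_change": True, "lifetime_days": 120},
    "version": "2.4.6", "latest_version": "2.4.6-p3",
    "frontend_forms": {"customer_login": True, "contact": False},
    "admin_forms": {"backend_login": True, "backend_forgotpassword": True},
    "users": {"admin": date(2023, 1, 5), "jdoe": date(2024, 5, 20)},
    "content_fields": {"footer": "<p>Thanks</p>", "head": "<SCRIPT src=x></script>"},
}

if __name__ == "__main__":
    for name, status in run_report(SAMPLE_SNAPSHOT, date(2024, 6, 1)).items():
        print(f"{status:8} {name}")
```

Running the script against the constructed snapshot reports the empty table prefix and the outdated release as errors, and the capitalised, stop-listed admin path, the partially protected frontend forms, the "admin" username, the idle account and the inline script tag as warnings; the fully protected backend forms are the only success. Each checker is a pure function of the setting it inspects, so the same table can be re-run against a real env.php and admin user export once those are loaded into the snapshot shape.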

If you have a question related to this extension please check out our FAQ Section first. If you can't find the answer you are looking for then please contact support@scommerce-mage.com.
