There are many tutorials (e.g. the official one) on how to make Magento secure, but none of them worked perfectly (for me).

So this is my approach:

Secure /downloader

Add to downloader/.htaccess:

Secure /admin via .htaccess

Because the admin URL does not point to a real directory called “admin” (but points to /index.php), this is a bit more complicated.

Add to your Magento root .htaccess:

Note the different syntax (expr) when using wildcards/subnet ranges instead of full IPs.

Secure /admin via index.php

The code above works for many cases, but under some circumstances a user can still reach the login form. For me, it worked e.g. for example.com/index.php/admin/admin…, but not for example.com/admin (so an attacker would be able to test passwords).

So I recommend using the following PHP script in addition.

Save it as /ipcheck.inc.php, then edit index.php and add this line at the beginning:
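As an added example (not the script from this post), here is an ipcheck.inc.php that performs the same whitelist check in PHP and covers both URL forms mentioned above. It assumes PHP 7.1 or newer on a 64-bit build, an admin frontname of "admin", a constructed sample whitelist, and that Apache faces clients directly, so REMOTE_ADDR is the real client address (behind a reverse proxy REMOTE_ADDR is the proxy, and X-Forwarded-For can only be trusted if that proxy overwrites it).

```php
<?php
// ipcheck.inc.php: deny admin URLs to clients outside a whitelist.
// Assumptions: 64-bit PHP 7.1+, admin frontname "admin", and no reverse proxy
// in front of Apache, so $_SERVER['REMOTE_ADDR'] is the real client address.
// Expected to be pulled in from the top of index.php with
//   require_once __DIR__ . '/ipcheck.inc.php';
$adminFrontname = 'admin';           // assumed; use your own admin frontname
$allowed = [                         // constructed sample whitelist
    '203.0.113.10',                  // single office address (implicit /32)
    '198.51.100.0/24',               // a whole IPv4 range in CIDR notation
];

// True if $ip (IPv4) lies inside $cidr ("a.b.c.d" or "a.b.c.d/bits").
function ipcheck_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    $bits = (int) $bits;
    if ($ipLong === false || $subnetLong === false || $bits < 0 || $bits > 32) {
        return false;                // a malformed entry never grants access
    }
    $mask = $bits === 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}
// True for both /admin... and /index.php/admin..., query string ignored.
function ipcheck_is_admin_request(string $uri, string $frontname): bool
{
    $path = parse_url($uri, PHP_URL_PATH) ?: '';
    $re = '#^/(index\.php/)?' . preg_quote($frontname, '#') . '(/|$)#i';
    return preg_match($re, $path) === 1;
}

function ipcheck_allowed(string $ip, array $allowed): bool
{
    foreach ($allowed as $entry) {
        if (ipcheck_in_cidr($ip, $entry)) {
            return true;
        }
    }
    return false;
}

if (PHP_SAPI !== 'cli'
    && ipcheck_is_admin_request($_SERVER['REQUEST_URI'] ?? '', $adminFrontname)
    && !ipcheck_allowed($_SERVER['REMOTE_ADDR'] ?? '', $allowed)) {
    http_response_code(403);         // same outcome as the .htaccess deny
    exit('Forbidden');
}
```

After adding the include, request both example.com/admin and example.com/index.php/admin from an address that is not on the list and confirm each returns 403 before relying on it.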
