Magento restrict IP addresses to admin

Aug 20, 2015   //   by Anthony Devine   //   Website Development tips

Recently, with the shoplift bug, I have had a couple of Magento sites that have become compromised. So I installed the fixes suggested, and then newer fixes came out and I ignored them, and then the site got compromised again, so I installed the new fix. Each time I installed the fix I went to the site https://shoplift.byte.nl/ and it always said that my site was still vulnerable, so I thought the best bet was to restrict IP addresses to the admin on my Magento sites.

To do this, I added the following to my .htaccess file, under the line #RewriteBase /magento/:

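############################################
# Restrict access to admin and only allow the following IPs

# One line per allowed address; the trailing $ stops a longer address
# that merely starts with the same digits from matching.
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
# Applies to any URL containing "admin" (case-insensitive)
RewriteCond %{REQUEST_URI} admin [NC]
# Answer 403 Forbidden; [F] already ends rule processing
RewriteRule ^ - [F]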

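Change the two 123.123.123.123 lines to the IP addresses that you want to whitelist for your admin; you can add as many lines as you wish. The conditions are combined with AND, so a request for a URL containing "admin" is refused only when the visitor's address matches none of the listed IPs. REMOTE_ADDR is the address that connects to Apache, so behind a reverse proxy or CDN it is the proxy's address rather than the visitor's.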

Now that I have added this, the site https://shoplift.byte.nl/ says that my sites are secure.

I will be updating this post if this fix does not stop the sites from being compromised.
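
An added example, not part of the original post: a Python sketch that generates the .htaccess rule block described above from a list of addresses and then evaluates it against sample requests, to show what an address pattern without a closing `$` lets through. The function names and sample addresses (documentation ranges) are constructed for illustration, and Python's `re` is assumed to behave like Apache's regex engine for these simple patterns.

```python
import ipaddress
import re


def build_admin_allowlist(ips, anchored=True):
    """Return .htaccess lines that refuse 'admin' URLs to all but the given IPv4 addresses."""
    lines = ["# Restrict access to admin and only allow the following IPs"]
    for ip in ips:
        addr = ipaddress.IPv4Address(ip)  # raises ValueError on a mistyped address
        # Escape the dots; the trailing $ stops 203.0.113.7 from also matching 203.0.113.70.
        pattern = "^" + re.escape(str(addr)) + ("$" if anchored else "")
        lines.append("RewriteCond %{REMOTE_ADDR} !" + pattern)
    lines.append("RewriteCond %{REQUEST_URI} admin [NC]")
    lines.append("RewriteRule ^ - [F]")
    return lines


def is_forbidden(lines, remote_addr, request_uri):
    """Evaluate the RewriteCond chain as mod_rewrite does: every condition must hold (AND)."""
    for line in lines:
        if not line.startswith("RewriteCond"):
            continue
        _, variable, cond, *flags = line.split()
        subject = remote_addr if "REMOTE_ADDR" in variable else request_uri
        negate = cond.startswith("!")
        matched = re.search(cond.lstrip("!"), subject, re.I if "[NC]" in flags else 0)
        if (matched is not None) == negate:
            return False  # this condition failed, so the 403 rule does not fire
    return True


if __name__ == "__main__":
    # Constructed sample data: addresses from the documentation ranges.
    allowed = ["203.0.113.7", "198.51.100.20"]
    strict = build_admin_allowlist(allowed)
    loose = build_admin_allowlist(allowed, anchored=False)  # pattern style without $
    print("\n".join(strict))
    requests = [
        ("203.0.113.7", "/index.php/admin"),        # allowlisted
        ("203.0.113.70", "/index.php/admin"),       # shares a prefix with an allowed address
        ("192.0.2.55", "/ADMIN/"),                  # outsider, upper-case URL
        ("192.0.2.55", "/badminton-rackets.html"),  # "admin" substring in a shop URL
        ("192.0.2.55", "/checkout/cart"),
    ]
    for addr, uri in requests:
        print(addr, uri, "strict:", is_forbidden(strict, addr, uri),
              "loose:", is_forbidden(loose, addr, uri))
```

Because the URL condition is a substring match, storefront URLs that merely contain the letters "admin" are also refused to visitors outside the list.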