• Use a strong password

A strong password can protect you from intruders. Remember to use a password with many characters, mixing lowercase and uppercase letters, numbers and punctuation. I recommend using the Strong Password Generator website: http://strongpasswordgenerator.com/
Do not use passwords containing dates, well-known names or easy words.

  • Do not use your password in another location.

Use a different password for each location; never repeat your password elsewhere.

  • Do not use the default /admin path.

By default, Magento uses the /admin path to access the administrative panel. This path is very easy to guess and will always be tried by hackers or bots attempting to access your admin.
You can change this path by opening the app/etc/local.xml file and by locating:


Change it to a name that only you know, something like: supersecretadminpath
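As an added example (not code from the original post or from Magento), this Python check reads the admin `frontName` from a Magento 1 `app/etc/local.xml` and flags default or easily guessed values. The sample XML is constructed, and the `GUESSABLE` list and the 8-character minimum are assumptions for illustration, not Magento rules.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Magento 1 app/etc/local.xml, trimmed to the admin router.
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
"""

# Assumed list of commonly guessed admin paths; extend it to match your own policy.
GUESSABLE = {"admin", "administrator", "backend", "manage", "adminpanel", "login"}
MIN_LENGTH = 8  # assumed minimum length for a hard-to-guess path


def admin_front_name(xml_text):
    """Return the admin frontName set in local.xml, or None if it is not set."""
    root = ET.fromstring(xml_text)
    node = root.find("./admin/routers/adminhtml/args/frontName")
    if node is None or node.text is None:
        return None
    return node.text.strip()


def audit_admin_path(xml_text):
    """Return a list of findings about the admin path; an empty list means none."""
    name = admin_front_name(xml_text)
    if name is None:
        return ["no frontName override found in local.xml"]
    findings = []
    if name.lower() in GUESSABLE:
        findings.append(f"admin path '/{name}' is a default or commonly guessed value")
    if len(name) < MIN_LENGTH:
        findings.append(f"admin path '/{name}' is shorter than {MIN_LENGTH} characters")
    return findings


if __name__ == "__main__":
    for finding in audit_admin_path(SAMPLE_LOCAL_XML):
        print("WARNING:", finding)
```

To check a real installation, pass the contents of your own `app/etc/local.xml` to `audit_admin_path` instead of the sample.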

  • Use an unknown email.

Magento has a function to recover the password by email and this can be very useful and also very dangerous.
If your email has been compromised, your admin may be at great risk as well.
When registering accounts with access to the administrative panel, use email addresses that will not be easily recognized or that are not published on the site or elsewhere.

  • SSL.

Use a secure connection in the administrative panel; it gives you more security against attacks.
To enable SSL in admin, go to SYSTEM -> Configuration -> WEB -> HTTPS.
In BASE URL, verify that the link uses https.
Now check the USE HTTPS ON ADMIN option.

  • Two-factor authentication.

Unfortunately, today having a secure admin is not enough. To further improve your admin's protection, use two-factor authentication.
This type of authentication will prompt you for a code only after you have entered your password correctly. Typically this code is generated by an application on your phone or a device that generates a token.
Some modules:

  1. Rublon – Free: http://www.magentocommerce.com/magento-connect/rublon.html
  2. Two-Factor Authentication – Paid: http://www.magentocommerce.com/magento-connect/two-factor-authentication.html

There are other forms of security, like limiting IP access, but I have decided not to include them in this tutorial, since IPs in Brazil usually change frequently and this can be a problem for anyone who wants to access the administrative panel from another location.
If you have any other tips, do not hesitate to comment below.