Website security is one of the most important things you should prioritise when you're managing a Magento store. Customers provide sensitive data while placing orders and trust you to keep it safe.

All of that data is stored in the Magento admin panel, which is a frequent target of brute-force attacks. That's why it's recommended that you change the Magento 2 admin URL to a more complex one to improve Magento security.

However, it is not as easy as it seems and requires a lot of attention. So, in this guide, we'll explain why changing the Magento admin URL is important and walk you through three effective ways to do it. We'll also highlight the key precautions and best practices to avoid potential risks.

What is Magento 2 Admin URL?

The Magento admin URL is a special web address that is used to enter the backend of your online store. This is a security gateway for authorised admin users to perform any operations in the admin panel, such as managing products, orders, configurations, etc.

Once you install Magento 2, the system will create an admin panel link for you with a random string. Usually, the admin URL is below the base URL, meaning the admin is one directory below the root. Most often it looks like:

  • Default Base URL — yourwebsite.com/magento/
  • Default Admin URL — yourwebsite.com/admin

Why Change Magento 2 Admin Login URL?

As a rule, the default Magento 2 admin login URL is quite predictable, which makes your backend an easy target for hackers. So it's a common security practice to replace the given URL right away, for a variety of reasons.

Enhance store protection 

A custom admin URL is like a hidden door to your store's backend, making it much harder for attackers to find. If they can't find it, they can't attempt to break in.

The simple change of the default URL adds an extra layer of security to your admin panel.

Keep bots away

Hackers often launch automated bot attacks against any Magento 2 admin login URL they find. These attacks not only pose a security threat but also consume server resources. If your admin URL is hard to guess, it keeps troublesome and uninvited guests away.

Protect sensitive data

If someone gets into the backend of your store, it may lead to severe consequences. You need to change the Magento admin URL to avoid stolen data, lost money, damaged reputation, and even legal trouble.

Track suspicious activity

Magento enables you to track failed or unauthorised access to your old admin URL. Such an attempt is a clear sign that someone is trying to get into your store. This warning gives you time to take extra precautions and strengthen your security.

Pro tip: additionally, you can track Magento login activity to your current admin path to prevent unauthorised logins.
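
One way to watch for requests to retired admin paths, as an added example that is not part of the original article. It assumes your web server writes an access log in the common "combined" format; the log lines, IP addresses and the list of retired paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: count requests per client IP that still target retired admin paths.

# Constructed sample log (combined format, documentation IP ranges).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "GET /admin HTTP/1.1" 404 162 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2025:10:01:03 +0000] "POST /admin/ HTTP/1.1" 404 162 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2025:10:01:04 +0000] "GET /backend/index.php HTTP/1.1" 404 162 "-" "curl/8.0"
198.51.100.23 - - [12/Mar/2025:10:02:10 +0000] "GET /administrator HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Mar/2025:10:03:00 +0000] "GET /admin-guide.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Mar/2025:10:03:05 +0000] "GET /catalog/product/view/id/5 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
EOF
}

# old_admin_probes "PATH PATH ...": reads an access log on stdin and prints
# "hits ip" lines, busiest client first. A request counts only when its path
# equals a retired path or sits below it, so /admin-guide.html is not a hit.
old_admin_probes() {
    awk -v paths="$1" '
        BEGIN { n = split(paths, p, " ") }
        {
            uri = $7; sub(/\?.*/, "", uri)      # drop the query string
            for (i = 1; i <= n; i++)
                if (uri == p[i] || index(uri, p[i] "/") == 1) { hits[$1]++; break }
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Retired paths here are assumptions; list the ones your store actually used.
sample_log | old_admin_probes "/admin /backend /administrator"
```

On a live server, pipe the real access log into old_admin_probes instead of sample_log.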

Before You Change Admin Panel URL

As mentioned before, an easy Magento admin URL is vulnerable to brute-force attacks and other malicious actions. That is why changing the admin panel URL is at the top of the Magento security checklist.

But don't jump to it just now. There are a few things you have to pay attention to before you change the admin URL address:

  • Contact the hosting provider before changing Magento admin URL. Sometimes they require a standard URL to comply with the firewall protection rules.
  • Make changes in the development environment to avoid website breakdown.
  • Don't change Magento admin panel URL if you don't know how to edit the configuration file on a server. Any mistake can remove access to the backend.

Keeping this in mind, you can safely change the admin URL by yourself.

How to Change Magento 2 Admin Login URL?

Magento, being as flexible as it is, provides different methods to change the admin URL. Whether you're a developer or an admin user, you can do it in just a few steps.

There are three common methods to do so. Let's start with the simplest one.

Method 1: Via the admin panel

This method doesn't need any coding or command line knowledge. To change the base Magento admin URL from the admin panel, go to Stores > Configuration > Advanced > Admin > Admin Base URL.

This is exactly where you can configure the URL path for your admin panel.

  • Enable the Use Custom Admin URL option to enter your own value.
  • Set your Custom Admin URL, but make sure your base URL ends with a slash (/).
  • Remove the System Value and enable the Use Custom Admin Path option.
  • Enter the Custom Admin Path that will be added to the custom admin URL after the ending slash.

Once you finish, don't forget to press the Save Config button and log in with the new admin panel URL.

Note: always double-check if the new URL or path doesn't contain a mistake, as you may get locked out of your backend. If anything goes wrong, you can still change the URL using one of the following methods.

Method 2: Use env.php

If you know how to work with server files, you can also change the Magento admin URL by editing the env.php configuration file.

This method doesn't require the admin panel access, but access to your server via FTP or SSH is a must.

  • Log in to your Magento server with SSH or FTP.
  • Open the app/etc/env.php file in a text editor.
  • Search for the 'frontName' parameter that could be something like 'admin' or 'backend'.
  • Replace it with your custom admin panel path. In our case the new path is 'sample_custom_admin', so the entry becomes:
    'backend' => [
        'frontName' => 'sample_custom_admin'
    ]
  • Save changes and go to the admin panel to clean cache or use the following command:
    php bin/magento cache:flush

Note: always back up the env.php file before making any changes there. A simple missing comma or bracket can cause your Magento site to break.

Method 3: Via command line

If you can't access the admin panel or don't want to edit sensitive files manually, the safest way to change the admin panel URL is by using the command line interface:

  • Log in to your Magento server via SSH and go to your store root directory.
  • Run the following command:
    php bin/magento setup:config:set --backend-frontname="sample_custom_admin"

Once you finish, save changes and flush the cache.

Note: in case you mistype or forget the path that you have set, you will need to access the env.php file to fix this.

How to Restore Default Magento Admin URL or Path?

Changing the default URL is a smart move to improve your store's security. However, sometimes you get to the point when you need to restore it again.

Besides, if you forget the custom admin URL and edit the env.php file incorrectly, you may need your default admin URL for troubleshooting.

Moreover, some hosting providers can restrict a custom admin URL. In this case, going back to the old one can be a solution.

Magento provides the following CLI commands to restore your original admin URL along with the path:

php bin/magento config:set admin/url/use_custom 0
php bin/magento config:set admin/url/use_custom_path 0

These commands tell Magento to stop using a custom URL/path and go back to the default one.

Best Practices for Secure Magento Admin URL

As you already know, it's not enough to just change the default Magento admin URL. Your task is to make it difficult to find or guess. In this section, we share simple tips to help you make your custom admin URL even more secure.

Avoid common or default words

Some of the well-known backend paths are /admin, /backend, /administrator, /panel, /dashboard. Hackers use automated tools to find them and launch brute-force login attacks.

By choosing a hard-to-guess URL, you reduce the risk of being found.

Don't use personal or brand names

Hackers usually hunt for predictable URLs. But "experienced" ones may know more specific information about your store, such as your store name, domain, or even your name, and use it against you.

That's why it's recommended to avoid anything personal or brand-related while creating your custom admin URL.

Restrict admin access by IP address

Another way to strengthen your admin panel URL is to allow only limited IP addresses to access it.

So, even if someone knows your new URL but tries to access your admin panel from an unknown location, they won't get in. The login attempt will be blocked.

Use alphanumeric and randomised strings

Sometimes you don't even need to come up with a certain path for the login URL. To make it more difficult for attackers to detect, use a random combination of letters, numbers, and special symbols.

The more complicated your custom admin URL is, the less likely it is to be found.
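
The naming tips above (no common words, no brand names, random strings) can be combined into one check. This is an added example, not part of the original article: the function names, the 16-character minimum and the placeholder brand word "examplestore" are assumptions, and it deliberately limits the path to letters, digits and underscores so the value stays URL-safe.

```shell
#!/bin/sh
# Added example: generate and vet a hard-to-guess Magento admin path.
LC_ALL=C; export LC_ALL

# Paths the article lists as well known, plus two obvious extras (assumption).
COMMON_WORDS="admin backend administrator panel dashboard login magento"

# gen_admin_path [LEN]: random lowercase letters and digits from /dev/urandom.
gen_admin_path() {
    len="${1:-24}"
    tr -dc 'a-z0-9' < /dev/urandom | head -c "$len"
}

# check_admin_path PATH [BRAND_WORD...]: prints a verdict; returns 0 only for "ok".
check_admin_path() {
    path="$1"; shift
    case "$path" in
        ''|*[!A-Za-z0-9_]*) echo "invalid characters"; return 1 ;;
    esac
    [ "${#path}" -ge 16 ] || { echo "too short"; return 1; }
    lower=$(printf '%s' "$path" | tr 'A-Z' 'a-z')
    for w in $COMMON_WORDS "$@"; do
        [ -n "$w" ] || continue
        w=$(printf '%s' "$w" | tr 'A-Z' 'a-z')
        case "$lower" in
            *"$w"*) echo "contains '$w'"; return 1 ;;
        esac
    done
    echo "ok"
}

# gen_vetted_path LEN [BRAND_WORD...]: retry until a candidate passes the checks.
gen_vetted_path() {
    len="$1"; shift
    [ "$len" -ge 16 ] || return 2   # shorter paths can never pass the check
    while :; do
        cand=$(gen_admin_path "$len")
        if check_admin_path "$cand" "$@" >/dev/null; then
            printf '%s\n' "$cand"; return 0
        fi
    done
}

# "examplestore" is a placeholder for your own store or brand name.
new_path=$(gen_vetted_path 24 examplestore)
echo "php bin/magento setup:config:set --backend-frontname=\"$new_path\""
```

Note that the article's own sample value, sample_custom_admin, fails this check because it contains the word "admin".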

Use HTTPS for the admin URL

To keep your login details safe, make sure your admin URL is available through HTTPS rather than HTTP. Use a valid SSL/TLS certificate and automatically redirect all HTTP traffic to HTTPS, which encrypts the connection between your browser and the server.

Change the admin URL after each major incident

If you experience a brute-force attack, suspect a breach, or notice any unusual login activity, change your admin URL right away. It will stop ongoing access attempts and create a new path that attackers don't know exists.

Now you know all of the ways and tips to change the Magento 2 admin URL and path to protect your orders, customers, and other sensitive data from malicious attacks.

However, this is not the only precaution you should take, since cyberattacks are increasingly common. To improve Magento admin security, review your store's other weak points and make sure nothing threatens your data.

FAQs

I forgot my new Magento admin URL – what now?
If you forgot your new admin URL, you can recover it by checking the app/etc/env.php file on your server or by using SSH to run this CLI command: php bin/magento info:adminuri.
Will changing the admin URL affect SEO or my store performance?
No, changing the admin URL doesn't affect your SEO or performance. It only influences the backend.