On the Admin sidebar, go to Stores > Settings > Configuration.
In the left panel under Advanced, choose Admin.
Expand the from the Security section.
To prevent Admin users from logging in from the same account on different devices, set Admin Account Sharing to No
.
To determine the method that is used to manage password reset requests, set Password Reset Protection Type to one of the following:
By IP and Email
— The password can be reset online after a response is received from the notification is sent to the email address associated with the Admin account.
By IP
— The password can be reset online without additional confirmation.
By Email
— The password can be reset only by responding by email to the notification that is sent to the email address associated with the Admin account.
None
— The password can be reset only by the store administrator.
Set login security options:
In the Recovery Link Expiration Period (hours) field, enter the number of hours a password recovery link remains valid.
To determine the maximum number of password requests that can be submitted per hour, enter the Max Number of Password Reset Requests.
In the Min Time Between Password Reset Requests field, enter the minimum number of minutes that must pass between password reset requests.
To append a secret key to the Admin URL as a precaution against exploits, set Add Secret Key to URLs to Yes
. This setting is enabled by default.
To require that the use of upper- and lowercase characters in any login credentials entered match what is stored in the system, set Login is Case Sensitive to Yes
.
To determine the length of an Admin session before it times out, enter the duration of the session in seconds, in the Admin Session Lifetime (seconds) field. The value must be 60 seconds or greater.
In the Maximum Login Failures to Lockout Account field, enter the number of times a user can try to log in to the Admin before the account is locked. By default, six attempts are allowed. Leave the field empty for unlimited login attempts.
In the Lockout Time (minutes) field, enter the number of minutes that an Admin account is locked when the maximum number of attempts is met.
Set password options:
To limit the lifetime of Admin passwords, enter the number of days a password is valid in the Password Lifetime (days) field. For an unlimited lifetime, leave the field blank.
Set Password Change to one of the following:
Forced
— Requires that Admin users change their passwords after the account setup.
Recommended
— Recommends that Admin users change their passwords after the account setup.
When complete, click Save Config.
On the Admin sidebar, go to Stores > Settings > Configuration.
In the left panel under Advanced, choose Admin.
Expand the from the CAPTCHA section.
Set Enable CAPTCHA in Admin to Yes
. Then complete the remaining options as follow:
Enter the name of the Font to be used for CAPTCHA symbols (default: LinLibertine
).
To add your own font, the font file must reside in the same directory as your Commerce installation and must be declared in the config.xml
file of the Captcha module at app/code/Magento/Captcha/etc
.
Select any of the following Forms where the CAPTCHA is to be used. To choose multiple forms, hold down the Ctrl key (PC) or Command key (Mac).
Admin Login
Admin Forgot Password
Set Displaying Modes to one of the following:
Always
— CAPTCHA is always required to log in to the Admin.
After number of attempts to login
— This option applies only to the Admin Login form. When selected, the Number of Unsuccessful Attempts to Login field appears. Enter the number of login attempts that you want to allow. A value of 0 (zero) is similar to setting Displaying Mode to Always
.
To track the number of unsuccessful login attempts, each attempt to log in under one email address and from one IP-address is counted. The maximum number of login attempts allowed from the same IP-address is 1,000. This limitation applies only when CAPTCHA is enabled.
In the Number of Unsuccessful Attempts to Login field, enter the number of times the administrator can try to log in before the CAPTCHA appears. If set to zero (0
), CAPTCHA is always required.
In the CAPTCHA Timeout (minutes) field, enter the number of minutes before the CAPTCHA expires. When the CAPTCHA expires, the administrator must reload the page.
Enter the Number of Symbols to appear in the CAPTCHA. Up to eight (8
) symbols can be used. For a variable number of symbols that changes with each CAPTCHA, enter a range (such as 5-8
).
In the Symbols Used in CAPTCHA field, enter the letters (a-z and A-Z) and numbers (0-9) that you want to appear randomly in the CAPTCHA. Symbols that are hard to distinguish from other symbols, such as i
, l
, or 1
, are not included in the default set of CAPTCHA symbols.
Set Case Sensitive to Yes
if you want to require administrators to enter the characters in upper- or lowercase exactly as shown in the CAPTCHA.
When complete, click Save Config.