Magento Security – Recommended Method to Protect /downloader

Tags: downloader, magento-connect, security

Since Magento uses the /downloader as a way to conveniently install programs via Magento Connect Manager it is apparent that this is also a security concern since it allows the possibility for bots or people to attempt to learn credentials for the installation.

Checking access logs to my website, I was alarmed at the amount of attempts to the www.mysite.com/downloader

As a workaround I've gotten into the habit of renaming the downloader directory to downloader.offline but occasionally I forget. (Either to rename it back to install a program or after I'm done).

What is the recommended method to protect this link?

Best Answer

Just put a .htaccess (or if nginx/whatever a config) into the downloader directory with Disallow from all in it to forbid any request on the directory.

If you wanted to allow a few IP addresses in (like your own), try something like this in your .htaccess

# Apache 2.2 style (mod_authz_host / mod_access_compat) access control
order deny,allow
# refuse every client by default
deny from all
# then let only the listed addresses through
allow from 1.2.3.4 5.6.7.8

Where 1.2.3.4 and 5.6.7.8 are IP addresses you want to let through.

My preferred way: Just delete downloader
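The question mentions checking the access logs for attempts on /downloader. As an added example (not part of the question or the answer above), the shell script below reads an Apache combined-format access log and reports, per client IP and response status, how many requests reached /downloader, plus which IPs got through with something other than 403. Run against the real log after deploying the .htaccess, it lets you confirm that only the addresses on the allow list still get a non-403 answer. The log lines are constructed sample data written to a temporary file; function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page. Assumes the Apache
# "combined" log format, where $1 is the client IP, $7 the request path and
# $9 the HTTP status code.

LOG_FILE="$(mktemp)"

# Constructed sample log lines (not real traffic): one client is blocked with
# 403 three times, one client on the allow list reaches the directory.
cat > "$LOG_FILE" <<'EOF'
203.0.113.10 - - [10/Oct/2013:13:55:36 +0000] "GET /downloader/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2013:13:55:37 +0000] "POST /downloader/index.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2013:13:56:01 +0000] "GET /index.php/catalog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2013:13:57:12 +0000] "GET /downloader/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2013:13:58:00 +0000] "POST /downloader/index.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
EOF

# downloader_hits LOG: print "count ip status" for every request whose path
# starts with /downloader, grouped by client IP and status, most hits first.
downloader_hits() {
    awk '$7 ~ /^\/downloader/ { key = $1 " " $9; n[key]++ }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# downloader_total LOG: total number of requests aimed at /downloader.
downloader_total() {
    awk '$7 ~ /^\/downloader/ { c++ } END { print c + 0 }' "$1"
}

# allowed_ips_reaching LOG: IPs that received a non-403 answer from
# /downloader, i.e. the ones the allow list let through. Every address
# printed here should be one you recognise as your own.
allowed_ips_reaching() {
    awk '$7 ~ /^\/downloader/ && $9 != 403 { print $1 }' "$1" | sort -u
}

echo "Requests to /downloader by IP and status:"
downloader_hits "$LOG_FILE"
echo "Total: $(downloader_total "$LOG_FILE")"
echo "IPs that got past the access control:"
allowed_ips_reaching "$LOG_FILE"
```

With the sample data the blocked client shows up as "3 203.0.113.10 403" and 192.0.2.44 is the only address listed as reaching the directory. Point LOG_FILE at the live access log to run the same check on real traffic.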
