Since Magento uses the /downloader as a way to conveniently install programs via Magento Connect Manager it is apparent that this is also a security concern since it allows the possibility for bots or people to attempt to learn credentials for the installation.
Checking access logs to my website, I was alarmed at the amount of attempts to the www.mysite.com/downloader.
As a workaround I've gotten into the habit of renaming the downloader directory to downloader.offline, but occasionally I forget (either to rename it back to install a program, or after I'm done).
What is the recommended method to protect this link?
Best Answer
Just put a .htaccess (or, if nginx/whatever, a config) into the downloader directory with "Deny from all" in it to forbid any request on the directory.

If you wanted to allow a few IP addresses in (like your own), try something like this in your .htaccess, where 1.2.3.4 and 5.6.7.8 are IP addresses you want to let through.

My preferred way: just delete downloader.
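The .htaccess the answer describes, written out as an added example (not the answerer's own snippet): everything is denied except the two listed addresses, with the Apache 2.2 directives the answer uses and the Apache 2.4 equivalent side by side. It assumes the vhost has AllowOverride set so that .htaccess files in the downloader directory are honoured at all; 1.2.3.4 and 5.6.7.8 are the placeholder addresses from the answer.

```apacheconf
# /downloader/.htaccess
# Only the listed IPs reach Magento Connect Manager; everyone else gets 403.

# Apache 2.2 (mod_authz_host): deny first, then allow the listed addresses.
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 1.2.3.4
    Allow from 5.6.7.8
</IfModule>

# Apache 2.4 (mod_authz_core): "Require ip" implies deny for all others.
<IfModule mod_authz_core.c>
    Require ip 1.2.3.4 5.6.7.8
</IfModule>
```

To block the directory completely, drop the Allow / Require ip lines and use "Deny from all" (2.2) or "Require all denied" (2.4) instead; check the result by requesting /downloader/ from a non-listed address and confirming a 403 in the access log.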