Magento 2 Security Suite Documentation


  • Installation

    You can install the module for Magento 2 using Composer or you can manually install it using FTP.

    • Run the following commands in your Magento 2 root directory to install the module using Composer.

      # Add the FishPig Composer repo
      composer config repositories.fishpig composer https://repo.fishpig.co.uk/
          
      # Install the module using Composer
      composer require fishpig/magento2-nobots:*
      
      # Enable the module in Magento 2
      php bin/magento module:enable FishPig_NoBots
      
      # Run the Magento upgrade system
      php bin/magento setup:upgrade
    • You can download the latest version of the module from the Downloads page.

      Extract the ZIP file and upload the files to your Magento site at the directory below:

      app/code/FishPig/NoBots

      When creating the folders, ensure you use the correct capitalisation.

      To complete the installation, run the following commands in a terminal.

      # Enable the module in Magento 2
      php bin/magento module:enable FishPig_NoBots
      
      # Run the Magento upgrade system
      php bin/magento setup:upgrade


  • Configuration

    The Magento 2 Security Suite comes ready configured with automated rules and works right away with no configuration. If you want to customise the module, you can do so at Stores > Configuration > FishPig > Security Suite.

    reCAPTCHA

    The module uses Google's reCAPTCHA to let banned users regain access to the site without having to contact you. To set this up, first generate your reCAPTCHA keys and enter them in the module config.

    Blacklist by IP

    Security Suite includes several blacklists that are enabled by default. If a user is found to be on any of these lists, they are automatically banned.

    Users found on a blacklist are fully banned and cannot use reCAPTCHA to regain access to the site.

    You can also add your own IP addresses or IP ranges to the blacklist.

    Whitelist by IP

    Like the blacklists, the module includes several IP whitelists that are enabled by default. These allow well-known services to access your site without ever being banned. Popular payment gateways (which cannot be identified using reverse DNS) are included here.

    Whitelisted users will never be banned, even if they break rules.

    You can also add your own IP addresses here.

    Whitelist by Hostname (rDNS)

    This whitelist uses reverse DNS to look up the hostname of the visitor's IP address and whitelists visitors whose hostname falls under a listed domain. Google is an example: any IP found to belong to Google will never be banned, because google.com is in this whitelist.
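    An added example of how a hostname whitelist like this can be checked (this is not the module's own code, and whether the module confirms the forward lookup is not stated on this page): an IP is whitelisted only when its reverse DNS name is under a listed domain and that name resolves back to the same IP, so a PTR record that merely claims a Google hostname is not enough. The suffix list is an assumption, and the resolver functions are passed in so the check can be run offline against stubs.

```python
import socket
from typing import Callable, Iterable, List

# Constructed whitelist of hostname suffixes; google.com is the example the page gives.
WHITELISTED_SUFFIXES = ("google.com", "googlebot.com")


def hostname_matches(hostname: str, suffixes: Iterable[str]) -> bool:
    """True only for an exact listed domain or a subdomain of one.

    Matching on '.' + suffix stops look-alikes such as notgoogle.com."""
    host = hostname.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def is_whitelisted_by_rdns(
    ip: str,
    reverse: Callable[[str], str],
    forward: Callable[[str], List[str]],
    suffixes: Iterable[str] = WHITELISTED_SUFFIXES,
) -> bool:
    """Whitelist an IP only if its PTR hostname is listed AND that hostname
    resolves back to the same IP (forward-confirmed reverse DNS)."""
    try:
        hostname = reverse(ip)
    except OSError:
        return False  # no PTR record: treat as not whitelisted
    if not hostname_matches(hostname, suffixes):
        return False
    try:
        return ip in forward(hostname)
    except OSError:
        return False  # forward lookup failed: do not trust the PTR name


# System resolvers for real use (socket.herror/gaierror are OSError subclasses).
def system_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]


def system_forward(hostname: str) -> List[str]:
    return socket.gethostbyname_ex(hostname)[2]
```

    Call it as is_whitelisted_by_rdns(ip, system_reverse, system_forward) for live lookups.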


  • Rules

    The rules below are enabled by default with working settings, so they need no configuration. If you want to customise a rule, you can do so at Stores > Configuration > FishPig > Security Suite.

    Rule: Banned Keyword

    This rule bans users that include any of the banned keywords in their input to the server. For example, if the user uses a common spam domain for their email, this rule will be triggered and the user will receive a ban.

    Rule: Too Many 404s

    This rule bans users that hit multiple 404s within a given time frame. The current default is 5 404 pages in under 1 minute; this can be modified to suit your site's needs. The rule aims to block bots that try URLs in the hope of finding an admin page, an SQL backup, a backdoor or something else malicious.

    Rule: Honey Pot

    The Security Suite adds a honey pot form to the page's HTML. It is hidden from real users but present in the page source, where bots find it. Bots generally crawl sites, find forms and then submit spam content. If this dynamic honey pot form is submitted, the user is deemed to be a bot and receives a ban.

    Rule: Spam URL Submission

    This rule bans users that include URLs in fields that should not contain a URL. For example, if the firstname field contains a URL (which is common in spam posts), the user receives a ban.
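    The four rules above, as an added illustration of the rule logic in Python (this is not the module's own code, which is PHP): the Too Many 404s rule as a sliding one-minute window over constructed request records, and the Banned Keyword, Honey Pot and Spam URL Submission rules as checks on a submitted form's fields. The field names, the sample banned keyword and the honey pot field name hp_website are assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Thresholds from the page's default: five 404s in under one minute.
MAX_404S = 5
WINDOW = timedelta(minutes=1)
# Constructed rule data: fields that must never hold a URL, a sample banned
# keyword, and the name of the hidden honey pot field (assumed; bots fill it).
NO_URL_FIELDS = ("firstname", "lastname", "telephone")
BANNED_KEYWORDS = ("spam-domain.example",)
HONEYPOT_FIELD = "hp_website"
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")

def bans_from_log(records) -> set:
    """Replay (ip, iso_timestamp, status, path) records through the Too Many
    404s rule: a sliding window of 404 times per IP; return the IPs to ban."""
    windows, banned = {}, set()
    for ip, ts, status, _path in records:
        if status != 404:
            continue
        when = datetime.fromisoformat(ts)
        q = windows.setdefault(ip, deque())
        q.append(when)
        while when - q[0] >= WINDOW:  # drop hits a minute old or older
            q.popleft()
        if len(q) >= MAX_404S:
            banned.add(ip)
    return banned

def check_form(fields: dict) -> list:
    """Return the names of the form rules a submission breaks."""
    broken = []
    if fields.get(HONEYPOT_FIELD):
        broken.append("Honey Pot")
    if any(URL_RE.search(str(fields.get(f, ""))) for f in NO_URL_FIELDS):
        broken.append("Spam URL Submission")
    values = " ".join(str(v).lower() for v in fields.values())
    if any(k in values for k in BANNED_KEYWORDS):
        broken.append("Banned Keyword")
    return broken

# Constructed log: one client probes five guessed paths within 40 seconds,
# another hits the same number of 404s but spread over eight minutes.
SAMPLE_REQUESTS = (
    [("203.0.113.7", f"2024-01-01T10:00:{s:02d}", 404, "/backup.sql") for s in range(0, 50, 10)]
    + [("198.51.100.9", f"2024-01-01T10:{m:02d}:00", 404, "/admin") for m in range(0, 10, 2)]
)
```

    Only the first client is banned: five 404s inside one minute trips the rule, while the same count spread over eight minutes never fills the window.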


  • Manage Banned Users

    View Banned Users

    You can view the list of banned users by going to System > Security > Bot Protection.

    This section lists every visitor to your site that has been banned, found on a blacklist, or found on a whitelist.

    You can click into a user to see which rules they broke and what content (if applicable) triggered the rule. For example, if the user was banned by the Too Many 404s rule, you would see each of the 404s that triggered the ban.

    Un-Ban a User

    If a user has been banned and you want to manually un-ban them, you can do so by going to the banned users list and then clicking 'Select' on the right and then selecting 'Delete'.

    Clear Data

    From time to time, you may want to clear all current bans and start again. You can do this by clicking the 'Delete Data' button at System > Security > Bot Protection.
