Installation Guide - miniOrange Brute Force Protection Extension for Magento.

miniOrange Brute Force Protection extension for Magento secures your Magento store against brute-force and automated login attacks by monitoring failed attempts across admin and customer logins (including forgot-password).
It slows attackers using configurable retry delays, temporarily or permanently locks suspicious accounts after a defined limit, and lets admins unblock users in one click. It also provides login attempt logs, sends alert emails for suspicious activity, and supports per-store configuration for multi-store setups—giving you better control, visibility, and protection from unauthorized access.

  • Purchase the miniOrange Brute Force Protection extension from Magento Marketplace (Adobe Commerce Marketplace).
  • Go to My Profile -> My Purchases.
  • Ensure you are using the correct access keys (My Profile - Access Keys).
  • Paste the access keys into the auth.json file inside your project.
  • Use the command below to add the extension to your project:
    composer require {module_name}:{version}
  • You can see the module name and the list of versions in the selector below the extension module name.
  • Run the following at the command prompt to enable the extension:
    php bin/magento setup:upgrade
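
A pre-flight check for the auth.json step above, as an added example that is not part of the miniOrange guide. It assumes the access keys are stored under Composer's http-basic entry for repo.magento.com; the function names and sample values are constructed for illustration.

```python
import json
import os
import stat
import tempfile

REPO_HOST = "repo.magento.com"  # Composer repository that serves Marketplace purchases


def check_auth_json(path):
    """Return a list of problems found in a Composer auth.json (empty list = OK)."""
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError) as exc:
        return [f"cannot read {path}: {exc}"]

    problems = []
    basic = data.get("http-basic") if isinstance(data, dict) else None
    creds = basic.get(REPO_HOST) if isinstance(basic, dict) else None
    if not isinstance(creds, dict):
        problems.append(f"no http-basic entry for {REPO_HOST}")
    else:
        # Marketplace access keys: public key is the username, private key the password.
        for field in ("username", "password"):
            value = creds.get(field)
            if not isinstance(value, str) or not value.strip():
                problems.append(f"{field} for {REPO_HOST} is empty")

    # The private key is a secret: only the file's owner should be able to read it.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"permissions {mode:o} allow group/other access; use 600")
    return problems


def write_sample(content, mode):
    """Write constructed sample content to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(content)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Constructed sample with placeholder keys, not real credentials.
    sample = '{"http-basic": {"repo.magento.com": {"username": "PUBLIC_KEY", "password": ""}}}'
    for problem in check_auth_json(write_sample(sample, 0o644)):
        print("auth.json:", problem)
```

Run it against the project's auth.json before composer require; the file should also be kept out of version control.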

  • After activating the Brute Force Protection extension, select whether you want to apply brute-force protection on the customer end or the admin end. We’ll go through both, one after the other, starting with Customer Brute Force Protection.
  • Click on Customer Brute Force Protection to configure it for the customer (frontend) side.
  • In the Scope dropdown, select the required scope (e.g., Default Config).
  • In Login Forms, under General Settings, turn on Enable BruteForce Protection by switching the toggle to On.
  • To configure the delay after failed login attempts, go to Custom Threshold for Delay on Successive Logins.
  • Set the custom threshold for delay. This is the number of failed attempts after which a delay is applied. Also set Delay in Seconds, which is how long the user must wait before trying again.
  • To configure account lockout (temporary or permanent), go to Account Lockout Settings.
  • To set the Temporary Custom Threshold for Account Lockout, enter the number of attempts. This is the number of failed attempts after which the account is locked temporarily. Also set the delay in minutes as required.
  • To permanently lock out customers after a certain number of failed attempts, enter the number of attempts in the respective field. The user is permanently locked after that number of failed attempts.
  • In the Email Notifications settings, enable Admin Alert to send alerts to the admin when the account lockout threshold is reached.
  • You can also enable Email Notifications to send an email to the customer email address when the account lockout threshold is reached.
  • To apply the protection to the Forgot Password form, enable Forgot Password Protection under General Settings.
  • Set the Custom Threshold for Delay on Successive Forgot Password Attempts. This is the number of failed attempts after which a delay is applied. Also set Delay in Seconds, which is how long the user must wait before trying again.
  • To configure the Temporary Forgot Password Account Lockout Settings, enter the number of attempts. This is the number of failed attempts after which the account is temporarily locked. Also set the delay in minutes as required.
  • In the Email Notifications settings, enable Admin Alert to send alerts to the admin when the account lockout threshold is reached for the Forgot Password form.
  • You can also enable Email Notifications to send an email to the customer email address when the account lockout threshold is reached for the Forgot Password form. Then save the settings.
  • Now, to apply brute-force protection for admins, click on Admin Brute Force Protection.
  • In Login Forms under Admin Brute Force Protection, in General Settings, turn on Enable BruteForce Protection by switching the toggle to On.
  • To configure the delay after failed login attempts, go to Custom Threshold for Delay on Successive Logins.
  • Set the custom threshold for delay. This is the number of failed attempts by an admin after which a delay is applied. Also set Delay in Seconds, which is how long the admin user must wait before trying again.
  • To configure account lockout (temporary or permanent) for admins, go to Account Lockout Settings.
  • To set the Temporary Custom Threshold for Admin Account Lockout, enter the number of attempts. This is the number of failed attempts after which the admin account is locked temporarily. Also set the delay in minutes as required.
  • To permanently lock out admins after a certain number of failed attempts, enter the number of attempts in the respective field. The admin user is permanently locked after that number of failed attempts.
  • In the Email Notifications settings, enable Admin Alert to send admin alerts when a certain admin account lockout threshold is reached.
  • You can also enable Email Notifications to send an email to the admin email address when a certain admin account lockout threshold is reached.
  • To apply the protection to the admin Forgot Password form, enable Forgot Password Protection under General Settings.
  • Set the Custom Threshold for Delay on Successive Forgot Password Attempts for admins. This is the number of failed attempts after which a delay is applied on the admin login forms. Also set Delay in Seconds, which is how long the admin user must wait before trying again.
  • To configure the Temporary Forgot Password Account Lockout Settings, enter the number of attempts. This is the number of failed attempts after which the admin account is temporarily locked. Also set the delay in minutes as required.
  • In the Email Notifications settings, enable Admin Alert to send admin alerts when an admin account lockout threshold is reached for the Forgot Password form.
  • You can also enable Email Notifications to send an email to the admin email addresses when a certain admin account lockout threshold is reached for the Forgot Password form. Then save the settings.
  • In the Customer Login Logs tab, you can view and manage customer login logs to track login attempts, failures, and lockouts.
  • Enable logs by selecting Enable from the dropdown, and select the log retention period as required. You can also download and clear logs as required.
  • You can see a complete list of temporarily and permanently blocked users in the Blocked User tab. An admin can unblock locked-out admin and frontend users from this tab as required.
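
An added sketch, not the extension's code, of how the delay, temporary-lockout and permanent-lockout thresholds configured above interact over a sequence of attempts. The class and field names are hypothetical, and two behaviours are assumed: a successful login resets the failure count, and attempts rejected during a wait are not counted as failures.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    """Hypothetical names mirroring this guide's settings; the values are examples."""
    delay_threshold: int = 3     # failed attempts after which a delay applies
    delay_seconds: int = 30      # wait enforced once that threshold is reached
    temp_threshold: int = 5      # failed attempts that trigger a temporary lock
    temp_lock_minutes: int = 15  # length of the temporary lock
    perm_threshold: int = 10     # failed attempts that trigger a permanent lock

    def __post_init__(self):
        if not 0 < self.delay_threshold < self.temp_threshold < self.perm_threshold:
            raise ValueError("expected delay < temporary < permanent thresholds")


class Account:
    """One account's state under the assumptions stated in the lead-in."""
    def __init__(self, policy):
        self.policy, self.failures = policy, 0
        self.blocked_until, self.permanent = 0.0, False

    def attempt(self, now, password_ok):
        """Return 'ok', 'failed', 'delayed', 'temp_locked' or 'perm_locked'."""
        p = self.policy
        if self.permanent:
            return "perm_locked"  # cleared only by an admin unblock
        if now < self.blocked_until:  # rejected before the password is even checked
            return "temp_locked" if self.failures >= p.temp_threshold else "delayed"
        if password_ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= p.perm_threshold:
            self.permanent = True
            return "perm_locked"
        if self.failures >= p.temp_threshold:
            self.blocked_until = now + p.temp_lock_minutes * 60
            return "temp_locked"
        if self.failures >= p.delay_threshold:
            self.blocked_until = now + p.delay_seconds
        return "failed"


def replay(policy, events):
    """Feed (timestamp_seconds, password_ok) events to one account; return outcomes."""
    account = Account(policy)
    return [account.attempt(now, ok) for now, ok in events]
```

Replaying a planned configuration against a constructed attempt sequence shows at which attempt a legitimate user with the correct password would still be turned away, which is the cost side of a low permanent-lockout threshold.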

Please reach out to us at magentosupport@xecurify.com, and our team will assist you with setting up the Magento Brute Force Protection Extension. Our team will help you with the setup and select the best suitable solution/plan as per your requirement.
