Stratus Security Guides - Securing a Magento Store

Magento stores on Webscale STRATUS are protected by a Web Application Firewall (WAF). Every request to a store must first pass a host of WAF rules designed to repel hackers and block other attempts to compromise a store.

Regardless of these efforts, an e-commerce store remains accessible by the public-at-large and therefore can be subject to additional attempts to compromise security.

To give your store additional protection:

  • Don’t use the default admin or backend login path. The /admin path is well known and is too often used by hackers to make repeated attempts to gain access. Magento 2 automatically creates an obscure admin path. For Magento 1.x stores, the default “admin” path should be changed to an obscure value resembling a very secure password (e.g., “Uy49kkT” or “j87PenM”).
  • Install all updates and patches. The Magento Security Center is a Magento resource for recent and past updates. The community site, magesec.org, has open source scanning and patching tools.
  • Many sites hosted on Mojo STRATUS use WordPress for their blog feature. Using Nginx Includes or the built-in STRATUS panel access restriction, restrict the WordPress login by IP to prevent brute-force attacks.
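# Limit the WordPress login page to approved client IPs.
location ~* /wordpress/wp-login\.php$ {
  allow 1.1.1.1;  # replace with your own IP address
  deny all;       # every other client is refused
  try_files $uri $uri/ /index.php?$args;
  location ~* \.php$ { try_files /dummy @proxy; }
}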
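To confirm the restriction above is in effect, the access log can be audited. This is an added example, not part of the original guide or STRATUS tooling: it assumes the nginx "combined" log format, and the `audit` function, its threshold, and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: nginx "combined" access-log format.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
WP_LOGIN = re.compile(r'/wp-login\.php(?:\?|$)', re.I)
ADMIN = re.compile(r'^/admin(?:[/?]|$)', re.I)  # default Magento 1.x admin path

# Constructed sample log lines (documentation-range IPs), not real traffic.
SAMPLE = [
    '1.1.1.1 - - [03/Jun/2026:10:00:00 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Jun/2026:10:00:01 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 403 162 "-" "curl/8.0"',
    '203.0.113.7 - - [03/Jun/2026:10:00:02 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 403 162 "-" "curl/8.0"',
    '203.0.113.7 - - [03/Jun/2026:10:00:03 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 403 162 "-" "curl/8.0"',
    '198.51.100.9 - - [03/Jun/2026:10:00:04 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [03/Jun/2026:10:00:05 +0000] "POST /admin HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Jun/2026:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "curl/8.0"',
]

def audit(lines, allowed=("1.1.1.1/32",), threshold=3):
    """Return (leaks, noisy).

    leaks: (ip, path, status) for wp-login.php requests from non-allowed
           clients that were NOT answered with 403 (restriction not applied).
    noisy: {ip: count} of POSTs to wp-login.php or /admin at or above threshold.
    """
    nets = [ip_network(n) for n in allowed]
    leaks, posts = [], Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        path, wp = m["path"], bool(WP_LOGIN.search(m["path"]))
        if not (wp or ADMIN.search(path)):
            continue
        try:
            ip = ip_address(m["ip"])
        except ValueError:
            continue  # hostname or malformed client field
        if m["method"] == "POST":
            posts[m["ip"]] += 1
        if wp and m["status"] != "403" and not any(ip in n for n in nets):
            leaks.append((m["ip"], path, int(m["status"])))
    return leaks, {ip: n for ip, n in posts.items() if n >= threshold}
```

An empty `leaks` list means every wp-login.php request from outside the allow list was refused; any entry points to a location block that is not matching or an include that was not loaded.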

Last modified on June 3, 2026