You are here: Reference > Configuration Reference > Advanced > Admin
Magento Open Source, 1.9.x

Magento 1.x Security Patch Notice
For Magento Open Source 1.5 to 1.9, Magento is providing software security patches through June 2020 to ensure those sites remain secure and compliant. Visit our information page for more details about our software maintenance policy and other considerations for your business.

Admin

System > ConfigurationAdvanced > Admin

ClosedAdmin User Emails

Admin User Emails
  • Field Descriptions

    Field

    Scope

    Description

    Forgot Password Email Template

    Global

    Identifies the email template that is used for the message that is sent when an Admin users forget their passwords. Default template: Forgot Admin Password

    Forgot Password Email Sender

    Global

    Identifies the store contact that appears as the sender of the Forgot Password email. Default value: General Contact

    Recovery Link Expiration Period (days)

    Global

    Determines the lifetime in days, of the password recovery link that is sent to Admin users who forget their passwords.
ClosedStartup Page

Startup Page
  • Field Descriptions

    Field

    Scope

    Description

    Startup Page

    Global

    Determines the landing page that appears after you log in to the Admin. Options include: Any available Admin page.
ClosedAdmin Base URL

Admin Base URL
  • Field Descriptions

    Field

    Scope

    Description

    Use Custom Admin URL

    Global

    Determines if a custom URL is used to access the Magento Admin. Options: Yes / No

    Custom Admin URL

    Global

    Specifies a custom URL to access the Magento Admin. By default, the Admin URL is the same as the base URL.

    Important! The Admin URL must be in the same Magento installation, and have the same document root as the storefront.

    Use Custom Admin Path

    Global

    Determines if a custom path is used to access the Magento Admin.The default path is “admin.” Options: Yes / No

    Custom Admin Path

    Global

    Changes the name of the default Admin path. Enter the custom path name in lowercase characters. For example: backend
ClosedSecurity

Security
  • Field Descriptions

    Field

    Scope

    Description

    Add Secret Key to URLs

    Global

    When enabled, appends a secret key to the Admin URL as a precaution against exploits. Options: Yes / No

    Login Is Case Sensitive

    Global

    Determines if login credentials are case sensitive. Options: Yes / No

    Session Lifetime (seconds)

    Global

    Determines the length of a user session in seconds. Values less than 60 are ignored. Any change is applied after you log out.

    Allow Magento Backend to run in frame

    Global

    This option prevents “clickjacking” if you run your store in an iframe. Enabling the option causes the X-Frame-Options response header to be sent. Options: 

    Enabled

    Only from same domain

    For security reasons, it is recommended that this setting not be enabled.

    Allow Magento Frontend to run in frame

    Global

    This option prevents “clickjacking” if you run your store in an iframe. Enabling the option causes the X-Frame-Options response header to be sent. Options: 

    Enabled

    Only from same domain

    For security reasons, it is recommended that this setting not be enabled.

    Admin routing compatibility mode for extensions

    Global

    Gives you the opportunity to verify that all extensions and customizations are compatible with a patch before deploying the full patch to production. We recommend that you install a patch first in a test environment. Then, set Admin Routing to “Disable.” If your extensions and customizations work correctly, the fully-enabled patch can be deployed to production. Options: 

    Enable

    (Default Setting) Partially enables an installed patch to allow extensions or customizations with older modules to continue working in an unsecured state while the code is updated. When all impacted extensions are updated, set Admin Routing to “Disable” to fully enable the security patch.

    Enabling this setting increases the risk of automated attacks again the Admin..

    Disable

    Fully enables an installed security patch. Any extensions with older modules will not work correctly.

    Forgot password flow secure

    Store View

    Determines the process that is used when Admin users forget their passwords.

    Disabled

    Forgotten passwords can be managed only by the store administrator.

    By IP and Email

    The store sends the Admin user a request to confirm the password reset. The password can be reset by the user after the store receives confirmation from the email address associated with the Admin account.

    By IP

    The Admin password can be reset online without additional confirmation.

    By Email

    The Admin password can be reset only by responding to the notification sent to the email address associate with the Admin account.

    Forgot password requests to times per hour from 1 IP

    Store View

    Determines the number of times a password request can be processed per hour from the same IP address.

    Forgot password requests to times per 24 hours from 1 e-mail

    Store View

    Determines the number of times a password request can be processed during a 24-hour period from the same email address.
ClosedDashboard

Dashboard
  • Field Descriptions

    Field

    Scope

    Description

    Enable Charts

    Global

    Determines if the real-time chart that depicts order data is generated each time the Dashboard page is viewed. Options: Yes / No
ClosedCAPTCHA

CAPTCHA
  • Field Descriptions

    Field

    Scope

    Description

    Enable CAPTCHA in Admin

    Website

    Enables CAPTCHA for the Admin login. Options: Yes /  No

    Font

    Website

    Determines the font that is used to display the CAPTCHA. To add your own font, put the font file in the same directory as your Magento instance, and specify it in the config.xml stored at: app/code/core/Mage/Captcha/etc/

    Default font: LinLibertine

    Forms

    Website

    Determines the form(s) where CAPTCHA is used. Options:

    Admin Login

    Admin Forgot Password

    Displaying Mode

    Website

    Determines when the CAPTCHA appears. Options:

    Always

    CAPTCHA is always required to log in.

    After number of attempts to login

    Specifies the number of login attempts before the CAPTCHA appears. A value of 0 (zero) is similar to setting Displaying Mode to Always. When selected, the number of unsuccessful login attempts appears.

    This option does not apply to the Forgot Password form, which always display the CAPTCHA,

    Number of Unsuccessful Attempts to Login

    Global

    Determines the number of times a person can try to login before the CAPTCHA appears. If set to zero, the CAPTCHA is always used.

    To track the number of unsuccessful attempts to log in, the system tracks the login attempts from one email address from a single IP-address. The maximum number of attempts allowed from the same IP address is 1,000. This limitation applies only if CAPTCHA is enabled.

    CAPTCHA Timeout (minutes)

    Website

    Determines the lifetime of the current CAPTCHA. When the CAPTCHA expires, the user must reload the page to generate a new CAPTCHA.

    Number of Symbols

    Website

    Determines the number of symbols that are used in the CAPTCHA, up to a maximum of eight. You can also specify a range such as 5-8.

    Symbols Used in CAPTCHA

    Website

    Determines which symbols are used in the CAPTCHA. Only letters (a-z and A-Z) and numbers (0-9) are allowed. The default set of symbols suggested for the field excludes similar characters such as l and 1. For best results use symbols that users can readily identify.

    Case Sensitive

    Website

    Determines if the characters in the CAPTCHA are case sensitive. Options: Yes / No

Copyright © 2019Magento, Inc. All rights reserved.