Magento 2 Security Extension (NoBots) Documentation
-
Installation
You can install the module for Magento 2 using Composer or you can manually install it using FTP.
Composer
Run the following commands in your Magento 2 root directory to install the module using Composer.
# Add the FishPig Composer repo
composer config repositories.fishpig composer https://repo.fishpig.com/
# Install the module using Composer
composer require fishpig/magento2-nobots:*
# Enable the module in Magento 2
php bin/magento module:enable FishPig_NoBots
# Run the Magento upgrade system
php bin/magento setup:upgrade
Manual
You can download the latest version of the module by logging in to your account and selecting Account > Projects.
Extract the ZIP file and upload the files to your Magento site at the directory below:
When creating the folders, ensure you use the correct capitalisation.
To complete the installation, run the following commands in a terminal.
# Enable the module in Magento 2
bin/magento module:enable FishPig_NoBots
# Run the Magento upgrade system
bin/magento setup:upgrade
-
Configuration
The Magento 2 Security Suite comes configured with automated rules and will work right away with no further configuration. If you want to customise the module, you can do so at Stores > Configuration > FishPig > Security Suite.
reCAPTCHA
The module uses Google's reCAPTCHA to allow banned users to regain access to the site without having to contact you. To set this up, you should first generate your reCAPTCHA keys and enter them in the module config.
Blacklist by IP
Security Suite includes several blacklists that are enabled by default. If a user is found to be on any of these lists, they are automatically banned.
Users found on a blacklist are fully banned and cannot use reCAPTCHA to regain access to the site.
You can also add your own IP addresses or IP ranges to the blacklist.
Whitelist by IP
Like the blacklists, the module includes several IP whitelists that are enabled by default. These allow well-known services to access the site at all times without ever being banned. Popular payment gateways (which cannot be identified using reverse DNS) are included here.
Whitelisted users will never be banned, even if they break rules.
You can also add your own IP addresses here.
Whitelist by Hostname (rDNS)
This system uses reverse DNS to look up the hostname of the user's IP address and whitelists users whose hostname matches an entry in the list. An example is Google: any IP found to belong to Google will never be banned, because google.com is in this whitelist.
-
Rules
Rule: Banned Keyword
This rule bans users that include any of the banned keywords in their input to the server. For example, if the user uses a common spam domain for their email, this rule will be triggered and the user will receive a ban.
Rule: Too Many 404s
This rule bans users that hit multiple 404s within a given time frame. The current default is 5 separate 404 pages in under 1 minute. This can be modified to suit your site's needs. The rule aims to block bots that try URLs in the hope of finding an admin page, an SQL backup, a backdoor or something else malicious.
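To make the Too Many 404s rule and the whitelist precedence described under Whitelist by IP concrete, here is an added Python sketch of a sliding-window 404 counter using the documented default (5 hits in under 1 minute); it is example code written for this page, not the extension's own PHP, and the log format, IP addresses and whitelist range are all constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

THRESHOLD = 5                  # documented default: 5 404s ...
WINDOW = timedelta(minutes=1)  # ... in under 1 minute
WHITELIST = [ip_network("192.0.2.0/24")]  # constructed range, e.g. a payment gateway

# Constructed sample access log (not real traffic): "<ip> <ISO time> <status> <path>".
SAMPLE_LOG = """\
203.0.113.7 2024-05-01T10:00:01 404 /admin
203.0.113.7 2024-05-01T10:00:05 404 /backup.sql
203.0.113.7 2024-05-01T10:00:09 404 /old-link
203.0.113.7 2024-05-01T10:00:12 200 /
203.0.113.7 2024-05-01T10:00:20 404 /missing-page
203.0.113.7 2024-05-01T10:00:31 404 /setup
198.51.100.9 2024-05-01T10:00:02 404 /old-page
198.51.100.9 2024-05-01T10:02:30 404 /other-page
192.0.2.44 2024-05-01T10:01:00 404 /a
192.0.2.44 2024-05-01T10:01:01 404 /b
192.0.2.44 2024-05-01T10:01:02 404 /c
192.0.2.44 2024-05-01T10:01:03 404 /d
192.0.2.44 2024-05-01T10:01:04 404 /e
"""

def is_whitelisted(ip: str) -> bool:
    """Whitelisted IPs are never banned, whatever rules they break."""
    addr = ip_address(ip)
    return any(addr in net for net in WHITELIST)

def evaluate_404_rule(log_text: str, threshold: int = THRESHOLD,
                      window: timedelta = WINDOW) -> dict:
    """Return {ip: [404 paths that triggered the ban]} for IPs that break the rule."""
    recent = defaultdict(deque)  # ip -> (timestamp, path) of 404s still inside the window
    banned = {}
    for line in log_text.splitlines():
        ip, stamp, status, path = line.split()
        if status != "404" or ip in banned or is_whitelisted(ip):
            continue
        when = datetime.fromisoformat(stamp)
        hits = recent[ip]
        hits.append((when, path))
        # Slide the window: forget 404s that are a full minute (or more) old.
        while when - hits[0][0] >= window:
            hits.popleft()
        if len(hits) >= threshold:
            banned[ip] = [p for _, p in hits]  # evidence shown when you click into the user
    return banned
```

With the sample log, only 203.0.113.7 is banned: 198.51.100.9 spreads its two 404s over more than a minute, and 192.0.2.44 falls inside the whitelist.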
Rule: Honey Pot
The Security Suite adds a honey pot form to the page's HTML. This is hidden from real users but is visible in the code to bots. Bots generally crawl sites, find forms and then submit spam content. If this dynamic honey pot form is submitted, the user is deemed to be a bot and receives a ban.
Rule: Spam URL Submission
This rule bans users that include URLs in fields that should not contain a URL. For example, if the firstname field contains a URL (which commonly happens on spam submissions), the user receives a ban.
-
Manage Banned Users
View Banned Users
You can view the list of banned users by going to System > Security > Bot Protection.
This section lists every user that has interacted with your site and has either been banned, found on a blacklist or found on a whitelist.
You can click into a user to see which rules they broke and what content (if applicable) triggered the rule. For example, if the user was banned because of the Too Many 404s rule, you would see each of the 404s that triggered the ban.
Un-Ban a User
If a user has been banned and you want to manually un-ban them, you can do so by going to the banned users list and then clicking 'Select' on the right and then selecting 'Delete'.
Clear Data
From time to time, you may want to clear all current bans and start again. You can do this by clicking the 'Delete Data' button at System > Security > Bot Protection.