How to Secure Your Magento Admin to Restrict Access to Specific IP Address with HTACCESS

It is extremely important to lock down your Magento admin panel. Once hackers have gained access to a store's administration panel, they can begin spamming customers, stealing sensitive customer and store-owner information, or executing phishing attacks against your customers. They can also attempt to exploit server weaknesses by uploading malicious files via admin functionality. One of the best ways to restrict access is by limiting which IP addresses can even reach the admin section.
The following rule inside your store's root .htaccess file will restrict this access to the IP address 196.196.196.196 (change this to match your own IP address):

RewriteCond %{REQUEST_URI} ^/(index.php/)?admin/ [NC]
# Escape the dots and anchor with "$" so only this exact address is allowed through
RewriteCond %{REMOTE_ADDR} !^196\.196\.196\.196$
RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]

The previous rule expects that your store's administrative path was left as "admin". However, as leaving your path as "admin" is in itself a security risk, the following shows how to change it to a new administrative path; for this example we will use "secureadmin".
RewriteCond %{REQUEST_URI} ^/(index.php/)?secureadmin/ [NC]
# Escape the dots and anchor with "$" so only this exact address is allowed through
RewriteCond %{REMOTE_ADDR} !^196\.196\.196\.196$
RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]

By updating the first line of the provided .htaccess rule, you can change the restricted administrative path as required.
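As an added check (not part of the original article, and a Python emulation of the two RewriteConds rather than Apache itself), the following evaluates the rule set over admin-URI and client-address variants using the article's address and the "secureadmin" path. The tightened URI pattern, which also covers the path without a trailing slash, and the TEST-NET client address 203.0.113.7 are assumptions, not from the article.

```python
import re

# Values taken from the article: the allow-listed address and the renamed admin path.
ALLOWED_IP = "196.196.196.196"
ADMIN_PATH = "secureadmin"

# URI condition exactly as the article writes it: it requires a trailing slash after the path.
ARTICLE_URI_RE = re.compile(rf"^/(index.php/)?{ADMIN_PATH}/", re.IGNORECASE)
# Tightened variant (assumption, not from the article): the path is also matched when
# nothing follows it, so '/secureadmin' without a trailing slash is covered as well.
TIGHT_URI_RE = re.compile(rf"^/(index\.php/)?{re.escape(ADMIN_PATH)}(/|$)", re.IGNORECASE)
# Address condition with literal dots and an end anchor; the '!' negation is applied below.
ALLOWED_IP_RE = re.compile(r"^" + re.escape(ALLOWED_IP) + r"$")


def would_redirect(request_uri: str, remote_addr: str, uri_re=ARTICLE_URI_RE) -> bool:
    """Emulate the two RewriteConds: the request is redirected away only when the URI
    matches the admin pattern AND REMOTE_ADDR does not match the allow-listed address."""
    hits_admin = uri_re.match(request_uri) is not None
    from_allowed_ip = ALLOWED_IP_RE.match(remote_addr) is not None
    return hits_admin and not from_allowed_ip


def uncovered_variants(candidates, uri_re=ARTICLE_URI_RE, remote_addr="203.0.113.7"):
    """Return the candidate URIs that a client outside the allow list (constructed
    TEST-NET address by default) would NOT be redirected away from under uri_re."""
    return [uri for uri in candidates if not would_redirect(uri, remote_addr, uri_re)]


if __name__ == "__main__":
    # Constructed probe URIs: the documented forms, a case variant, the no-slash forms,
    # and an unrelated path that shares the prefix (must stay reachable under both).
    probes = ["/secureadmin/", "/index.php/secureadmin/", "/SECUREADMIN/",
              "/secureadmin", "/index.php/secureadmin", "/secureadmin-help/"]
    print("article pattern leaves reachable:", uncovered_variants(probes))
    print("tight pattern leaves reachable:  ", uncovered_variants(probes, TIGHT_URI_RE))
```

If the store sits behind a CDN or reverse proxy, REMOTE_ADDR holds the proxy's address rather than the visitor's, so the rule would lock out the real admin address unless the client address is restored first (for example with mod_remoteip).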