We are noticing a dynamic increase in robots/crawlers brute-forcing Magento's /downloader/ locations, trying the default admin user with various passwords (mostly dictionary-based) as well as other popular logins. We have seen the bots trying continuously (in some cases for several months or years already).

What is wrong with a publicly available /downloader/?

Magento Connect Manager, available at the /downloader/ location, is used for installing Magento extensions and Magento upgrades and requires Magento admin rights for these actions. It uses the same authorization method as the backend. Therefore, if a bot finds a matching login/password pair, the whole Magento installation is compromised: the attacker will be able to discover the backend login URL (even if it has been customized as described in Securing Magento /admin/), install a filesystem extension to obtain full access to all files, and finally reach the database.

Magento Connect Manager default credentials

The default login and password combination for Magento Connect Manager / Downloader is the same as for any Magento admin account, so any Magento admin account can be used to access Magento Connect Manager with its credentials. That is why it is actively used to brute-force Magento admin passwords, and why it is important to protect the default Downloader URL.

What is the default Magento Connect Manager URL?

The default Magento Connect Manager URL is /downloader/ appended to the main URL of your Magento store. There are several possible ways of restricting access to /downloader/. You can select whichever suits your needs and qualification.
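Before restricting the location, it helps to know whether your store is already being hit. The following is an added example, not code from the original post: it scans web server access logs in the common "combined" format and flags any client IP that POSTs to /downloader/ repeatedly within a short sliding window, which is the pattern the crawlers described above leave behind. The sample log lines, IP addresses, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}

def downloader_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: max_hits} for IPs that POST to /downloader/ at least
    `threshold` times inside any `window` (sliding window per IP).
    Every login attempt against Magento Connect Manager is a POST to
    /downloader/, so a burst of POSTs from one IP is a password-guessing run."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/downloader"):
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), hits)
    return flagged

# Constructed sample: one client hammering /downloader/, two benign clients.
SAMPLE_LOG = [
    f'203.0.113.10 - - [10/Mar/2014:12:00:{s:02d} +0000] "POST /downloader/ HTTP/1.1" 200 4123 "-" "Mozilla/5.0"'
    for s in (1, 5, 9, 14, 20, 27)
] + [
    '198.51.100.7 - - [10/Mar/2014:12:01:00 +0000] "POST /downloader/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2014:12:30:00 +0000] "GET /downloader/ HTTP/1.1" 200 3900 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Mar/2014:12:02:00 +0000] "GET /index.php HTTP/1.1" 200 15000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(downloader_bruteforce(SAMPLE_LOG))
```

Feed it your real access log (one line per list element) and tune the threshold to your staff's legitimate usage of Connect Manager; flagged IPs are candidates for blocking at the web server or firewall.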