
Magento 2 Security Suite minimizes the vulnerability of your store with a set of powerful 'anti-hacking' tools. These include advanced password validity and verification settings, 2FA, a scanner tool, and more. Additionally, you have full control over admin sessions and actions, along with login attempts.

Compatibility: Magento Open Source 2.2.X, Magento Commerce 2.2.X

  


Thank you for choosing Aheadworks!


Installing Security Suite


1. Install the library using the following console command:
composer require authy/php:^3.0


2. Unpack the zip file provided in the root folder of your Magento 2 installation.


3. From a command line, run the following:
bin/magento module:enable Neklo_Core
bin/magento module:enable Neklo_Security
bin/magento setup:upgrade
bin/magento setup:static-content:deploy




Introducing Security Suite


Magento 2 Security Suite protects your store from unauthorized access, malware, and hack attacks. The extension gives you a range of options to take the security of your online store to the next level:

  • Two-factor authentication;
  • Advanced password verification procedure;
  • Lock user function;
  • MageReport.com Scanner, etc.

Extension Logic

The extension combines proven solutions that give you total control over your store 24/7.

Decide who can access your store as an admin. Detect login attempts, monitor actions made by admin users, and get email notifications of Magento Admin Activities. With this security extension for Magento 2, you will get a holistic picture of what happens in your store.


Backend Configuration


Extension Settings

  1. Log in to your Magento Admin Panel.
  2. Go to Stores > Settings > Configuration > Neklo tab > Security Suite > General Settings.
  3. Set the 'Is Enabled' option to 'Yes'.
  4. Click on the 'Save Config' button to apply the changes.


 

Advanced User Validation

Advanced Password Validation Settings allow you to set advanced password requirements to reduce the possibility of password cracking.

  1. To access the settings, go to Stores > Settings > Configuration > Neklo tab > Security Suite > Advanced Password Validation Settings.
  2. To unfold the list of password requirements, choose 'Yes' in the 'Use advanced password requirements' field.

The advanced settings include the 'Minimum Password Length', 'Use both lower and upper-case letters', and 'Use special chars' fields. It is recommended to set all these options to 'Yes' to make your passwords as strong as possible. The minimum password length should be at least 7 characters.


Password Lifetime Settings

Password Lifetime Settings allow you to configure various time restrictions for the users’ passwords.

  1. To view the 'Password Lifetime' settings, go to Stores > Settings > Configuration > Neklo tab > Security Suite > Password Lifetime Settings.
  2. In order to use the 'Security Suite Password Lifetime' settings, you need to clear the corresponding checkbox next to the fields you want to use.


Password lifetime restrictions include the following:

  1. 'Password Lifetime (days)' sets how many days a password may be used. It is recommended to set the password lifetime to no more than 90 days. When this period expires, the user is notified to change their password in the Admin Panel.
  2. 'Password Lifetime (successful logins)' sets the number of logins after which the password must be changed. For example, after 30 successful logins the user will no longer be able to log in with the old password.
  3. 'Password change' notifies the user when the password lifetime expires. If set to 'Recommended', a small window appears at the top of the page telling the user it is time to change the password. If set to 'Forced', the system forces the user to change the password by constantly redirecting them to the 'Account Settings' page.
  4. 'Maximum Login Failures to Lockout Account' sets the maximum number of login attempts before the user is blocked. After a successful login, the number of previous login failures is accumulated for the rest of the password lifetime.
  5. 'Lockout Mode' defines whether the user is blocked temporarily or permanently. In 'Lock Time (minutes)', you can set the lock period in minutes; the account is unlocked after the lock time expires. Permanent mode locks users until the account is manually unblocked.
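As an added illustration (not the extension's own code), the following Python models the password requirements from the Advanced Password Validation section together with the lifetime and lockout rules listed above. The values for 'Maximum Login Failures to Lockout Account' and 'Lock Time (minutes)' are constructed, and resetting the failure counter when a temporary lock expires is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

def password_meets_requirements(pw, min_length=7, mixed_case=True, special_chars=True):
    """The three 'Advanced Password Validation' checks; 7 is the guide's minimum length."""
    if len(pw) < min_length:
        return False
    if mixed_case and not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        return False
    return not special_chars or any(not c.isalnum() for c in pw)

@dataclass
class LifetimePolicy:
    lifetime_days: int = 90          # 'Password Lifetime (days)', the recommended maximum
    lifetime_logins: int = 30        # 'Password Lifetime (successful logins)', the guide's example
    max_failures: int = 5            # 'Maximum Login Failures to Lockout Account' (constructed value)
    lockout_mode: str = "temporary"  # 'Lockout Mode': "temporary" or "permanent"
    lock_minutes: int = 30           # 'Lock Time (minutes)' (constructed value)

@dataclass
class AdminAccount:
    password_set_at: datetime
    logins_since_change: int = 0
    failures: int = 0                          # accumulates across successful logins, as the guide says
    locked_until: Optional[datetime] = None    # datetime.max marks a permanent lock
def password_expired(acct, policy, now):
    # Expired when either the day limit or the successful-login limit is reached
    by_age = now - acct.password_set_at >= timedelta(days=policy.lifetime_days)
    return by_age or acct.logins_since_change >= policy.lifetime_logins

def attempt_login(acct, policy, now, password_ok):
    """Returns 'locked', 'failed', 'change_password' or 'ok' for one login attempt."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"
        acct.locked_until, acct.failures = None, 0   # temporary lock expired (reset is an assumption)
    if not password_ok:
        acct.failures += 1
        if acct.failures >= policy.max_failures:
            acct.locked_until = (datetime.max if policy.lockout_mode == "permanent"
                                 else now + timedelta(minutes=policy.lock_minutes))
            return "locked"
        return "failed"
    acct.logins_since_change += 1
    # 'Forced' mode keeps redirecting to Account Settings until the password is changed
    return "change_password" if password_expired(acct, policy, now) else "ok"

def unlock_manually(acct):
    acct.locked_until, acct.failures = None, 0   # permanent locks end only with a manual unblock
```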

Note

You can also lock any user manually. Security Suite provides a 'Lock User' function similar to the default 'Active/Inactive' setting. Locked users cannot log in to your Magento system. To lock a user manually, go to System > Permissions > All Users and choose the user you want to lock.

Twilio Settings

Before enabling 2FA, you need to create and configure an account at Twilio.com.

Please note that NEKLO is not associated with Twilio, and this service may charge fees for its functionality. If you have any issue with your Twilio account, please contact Twilio support at support@twillio.com.
To connect your Twilio account to your Magento store, complete the following steps:

  1. Log in to your Twilio account and open the 'Authy' section.
  2. Create a new application by following the instructions.
  3. Go to Authy > Name > Settings and configure the settings according to your preferences.

    These are the recommended settings required for the extension to work smoothly:

    • Authentication via SMS - Enabled.
    • Force SMS - DISABLED (use this configuration only if the 'Sync tokens in Authy app' option is enabled).
    • Force Phone Calls - DISABLED.
    • Sync tokens in Authy app - Enabled.

  4. After the settings are configured, copy your production API Key at the top of the page. You will need it for the extension configuration.


Two-Factor Authentication (2FA)

This set of settings allows you to choose how 2FA will be performed in your Magento store.

  1. To view the 'Two-factor authentication (2FA)' settings, go to Stores > Settings > Configuration >Neklo tab > Security Suite > Two-factor authentication (2FA).
  2. To unfold the list of advanced settings, choose 'Yes' in the 'Is Enabled' field.


There are several 2FA work modes to choose from:

  1. IP Whitelist. This mode allows admin access only from specific IP addresses. If it is enabled, you must add the admin IP addresses to the 'Allowed IP list' field. If no IP addresses are added, no admin user will be able to log in to the admin panel.

'Allowed IP list' is the field where you need to add appropriate IP addresses with the 'Add' button.

Click 'Save Config' to apply the changes.


Note

Before enabling 2FA, enter your IP address in the Allowed IP List. Otherwise, you will not be able to log in to Magento.

  2. SMS Code. If enabled, this mode sends authentication codes to the mobile numbers stated in the user's General Settings. For SMS Code to work, complete the following steps:

    Insert the Twilio API key into the 'Authy API key' field to connect your Magento store with the specific Twilio account.

    Add a phone number for at least one Magento admin user in System > Permission > All Users > the user you want.

    Click 'Save Config' to apply the changes.

    Please note that 2FA will be enabled only after at least one admin user has verified their mobile phone number with Twilio. Verification instructions are described below.

  3. Both (SMS code with IP Whitelist). This mode requires the user to complete both 2FA steps: the user's IP must be in the IP Whitelist, and if it is, the user must then complete SMS code verification.
  4. Combined (SMS code or IP Whitelist). In this mode, if you log in to the Magento admin from an IP that is not whitelisted, you are redirected to the confirmation page, where you enter the security code from the SMS. Please note that SMS verification works only if the user has verified their mobile phone number with Twilio.

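Added example, not part of the extension: the decision logic behind the four 2FA modes, written in Python as a stand-alone model. It assumes that 'Allowed IP list' entries may be single addresses or CIDR ranges, that a code can only be delivered to a verified phone number, and that 2FA stays inactive until one admin has verified a number, as the guide states; the preflight check reflects the lockout note above.

```python
import ipaddress

# The four work modes listed under 'Two-factor authentication (2FA)'
IP_WHITELIST, SMS_CODE, BOTH, COMBINED = "ip_whitelist", "sms_code", "both", "combined"

def ip_allowed(client_ip, allowed_list):
    """True when client_ip matches an 'Allowed IP list' entry.
    Accepting CIDR ranges as well as single addresses is an assumption of this example."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in allowed_list)

def admin_login_decision(mode, client_ip, allowed_list, phone_verified, any_phone_verified):
    """Outcome for a user who already passed the username/password check:
    'allow', 'require_sms' (second prompt for the security code) or 'deny'."""
    in_list = ip_allowed(client_ip, allowed_list)
    if mode == IP_WHITELIST:
        return "allow" if in_list else "deny"     # empty list: nobody can log in
    if mode == SMS_CODE:
        if not any_phone_verified:
            return "allow"        # 2FA is not active until one admin has verified a number
        return "require_sms" if phone_verified else "deny"   # no verified number, no code
    if mode == BOTH:
        return "require_sms" if in_list and phone_verified else "deny"
    if mode == COMBINED:
        if in_list:
            return "allow"
        return "require_sms" if phone_verified else "deny"
    raise ValueError(f"unknown 2FA mode: {mode}")

def preflight_warnings(mode, my_ip, allowed_list, my_phone_verified, any_phone_verified):
    """Lockout risks worth checking before clicking 'Save Config'."""
    in_list = ip_allowed(my_ip, allowed_list)
    warnings = []
    if mode in (IP_WHITELIST, BOTH) and not in_list:
        warnings.append("your own IP is not in the Allowed IP list; you will lock yourself out")
    if mode == COMBINED and not in_list and not my_phone_verified:
        warnings.append("your IP is not whitelisted and your phone is unverified; you will lock yourself out")
    if mode in (SMS_CODE, BOTH) and not any_phone_verified:
        warnings.append("no admin has a verified phone number; SMS codes cannot be delivered")
    return warnings
```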

Twilio Verification Process

  1. Make sure you have entered a valid API Key from your Twilio account and added your IP to the allowed list.
  2. Proceed to System > Permission > All Users. If the 2FA feature is enabled, there will be a new required field, 'Phone Number'.
  3. A phone number must be entered for every user. If a user has no phone number assigned and their IP is not in the 'Allowed IP' list, they will not be able to log in as an admin.


After you enter a phone number in the corresponding field and save the changes, this phone number must be confirmed. You will get a text message with the verification code sent to the specified phone number.

Once you have entered a verification code and saved the user, you will see a message that the phone number has been verified.

All users set up with 2FA will, upon a valid login with their username and password, receive a verification code on their mobile device by SMS or via the Twilio Authy application during Magento admin login.

The system then shows a second prompt for the Security Code. Only after entering the Security Code is the user allowed to log in to the Magento instance.

You should enter this security code on the login page and click on the 'Confirm' button.


Your account is now logged in to the Magento Admin.

MageReport.com Scanner

This feature will schedule an automatic scan of your Magento Instance by www.magereport.com. All results of scanning will be listed in the Magento Admin Panel. You can manually rescan your store any time.

To view the 'MageReport.com Scanner' settings, go to Stores > Settings > Configuration > Neklo tab > Security Suite > MageReport.com Scanner.

To enable MageReport automatic scanning, choose 'Yes' in the 'Is Enabled by Cron' field. If enabled, the scan is executed once per day at midnight of the server’s local time by cron.

The 'Rescan' button allows you to run a MageReport check immediately.


Notification Settings

Notification settings allow you to select the specific Magento activities you want to be notified about by email.

  1. To view the 'Notification Settings', go to Stores > Settings > Configuration > Neklo tab > Security Suite > Notification Settings.
  2. To enable email notifications, choose 'Yes' in the 'Is Enabled' field.


In the 'Sender' field, you can specify the email sender. Sender emails are taken from Stores > Settings > Configuration > General > Store Email Addresses.

In the 'Event List' field, you can select what admin user activities you want to be notified about.

In the 'Recipients' field, you can add and delete the users who will get email notifications.

Click 'Save Config' to apply the changes.


Here is an example of what an email notification from Security Suite looks like.


Logger Settings

The Neklo Security Suite extension starts logging immediately after it is installed. So, once all the installation steps are complete, the extension starts collecting admin activity logs. This information is stored in separate database tables and can be viewed and managed in the 'Login Attempts' and 'Action Logger' grids.

To view logger settings, go to Stores > Settings > Configuration > General > Logger Settings. These settings include the following:

  1. Action logger lifetime (Days). Sets for how many days the logs are stored on your server and shown in the 'Login Attempts' grid. The data is removed from the database once the specified number of days has passed.

  2. Login Attempts Lifetime (Days). Sets for how many days the login information is stored on your server and shown in the 'Account Logger' grid. The data is removed from the database once the specified number of days has passed.

  3. Is Export Enabled. This setting exports the data to a file automatically before it is removed from the server. Files are stored under the var/export folder.

  4. Click 'Save Config' to apply the changes.


Since a large amount of data can potentially be recorded, the Security Suite extension provides log truncation rules that delete data older than the Lifetime fields specify. Logs are stored on the server under the var/export folder.
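Added example (not the extension's code): a Python model of the truncation rule above with export-before-delete. The grid rows and their column names are constructed for the example, and the export file name is an assumption.

```python
import csv
import os
from datetime import datetime, timedelta

# Constructed sample rows shaped like the 'Login Attempts' grid (column names are assumed)
SAMPLE_LOGIN_ATTEMPTS = [
    {"id": 1, "username": "admin", "ip": "203.0.113.10", "status": "success", "created_at": "2018-01-02 08:15:00"},
    {"id": 2, "username": "admin", "ip": "198.51.100.7", "status": "failed", "created_at": "2018-02-20 23:40:00"},
    {"id": 3, "username": "jdoe", "ip": "198.51.100.7", "status": "failed", "created_at": "2018-03-01 09:05:00"},
]

def _created(row):
    return datetime.strptime(row["created_at"], "%Y-%m-%d %H:%M:%S")

def truncate_log(rows, lifetime_days, now, export_enabled, export_dir, name):
    """Applies one Lifetime (Days) rule: rows older than lifetime_days are dropped,
    after being written to a CSV under export_dir when 'Is Export Enabled' is on.
    Returns (rows_kept, export_path_or_None)."""
    cutoff = now - timedelta(days=lifetime_days)
    kept = [r for r in rows if _created(r) >= cutoff]
    expired = [r for r in rows if _created(r) < cutoff]
    path = None
    if expired and export_enabled:
        os.makedirs(export_dir, exist_ok=True)
        path = os.path.join(export_dir, f"{name}_{now:%Y%m%d_%H%M%S}.csv")   # file name is an assumption
        with open(path, "w", newline="") as fh:
            writer = csv.DictWriter(fh, fieldnames=list(expired[0].keys()))
            writer.writeheader()
            writer.writerows(expired)
    return kept, path
```

Run it once per grid with that grid's own lifetime; the default export location would be var/export inside the Magento root.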

Login Attempts Grid

The 'Login Attempts' grid reflects all login attempts and extensive information about them. The grid is located under System > Security Suite > Login Attempts.


Action Logger Grid

The 'Action Logger' grid shows all the actions made by admin users. The grid is located under System > Security Suite > Action Logger.


Admin Sessions Grid

The 'Sessions' grid displays all the admin sessions both active and ended. Here you can terminate any active session you find suspicious.

You can find the grid following My Account > Account Settings and then scrolling down. There you will see a table with all the admin sessions.


Support

Thank you for using this extension. You will find more of our solutions for Magento at store.neklo.com.


Need Customization?

Magento 2 Custom Development Services by Aheadworks


You can always find the latest version of the software, full documentation, demos, screenshots, and reviews on http://ecommerce.aheadworks.com

License agreement: https://ecommerce.aheadworks.com/end-user-license-agreement/
Contact Us: http://ecommerce.aheadworks.com/contacts/
Copyright © 2018 Aheadworks Co. http://www.aheadworks.com