We’re pleased to announce a new open source tool for Magento to add to your security toolbelt: SomethingDigital_InvalidateAdminPasswords.
Here’s the use case: your Magento website has experienced a breach and you want to reset all admin credentials.
I had previously blogged a quick tip for how to do this here, but this module offers a much better experience:
- Invalidation is handled via a bin/magento command. No raw SQL queries needed 😅
- It sends an email to all admin users instructing them to reset their password (process documented in blog post had no way of notifying users).
- The email can be customized from the Magento admin panel.
- Invalidates two-factor authentication user configuration (assuming 2FA is via msp/twofactorauth).
- Functionality is covered by integration tests and hooked up to Travis CI.
It’s important to note that the module currently does not kick out any users with active admin sessions. However, there is documentation in the README explaining what can be done to achieve that.
You never know when you might need this feature and don’t want to be scrambling to have it when it’s already too late, so install this module now!
Hope you enjoy it!