A tool to invalidate all Magento admin user passwords
If you're dealing with a Magento site that has experienced a breach, it's a good idea to reset all admin user passwords.
This module adds a new bin/magento
command, sd:invalidate-admin-passwords:invalidate
$ php bin/magento sd:invalidate-admin-passwords:invalidate -h
Description:
Invalidate admin passwords
Usage:
sd:invalidate-admin-passwords:invalidate
Options:
-h, --help Display this help message
-q, --quiet Do not output any message
-V, --version Display this application version
--ansi Force ANSI output
--no-ansi Disable ANSI output
-n, --no-interaction Do not ask any interactive question
-v|vv|vvv, --verbose Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug
As the action is quite destructive (as expected) you'll be asked to confirm before the command runs.
Settings are available via the Magento admin panel under Stores > Configuration > Advanced > Admin > Admin User Emails.
- Send Password Reset Required Email If set to "Yes" invalidating admin user passwords will also trigger an email to each admin user informing them that their password must be reset
- Password Reset Required Template The email template that will be sent to each user.
- Clear MSP Two Factor Auth If set to "Yes" invalidating admin user passwords will also invalidate MSP 2FA user configuration. This is recommended as it's possible 2FA configuration may have been compromised (in addition to passwords)
The email template can be customized under Marketing > Communications > Email Templates.
- Click Add New Template
- From the "Template" dropdown select "Password reset required" under SomethingDigital_InvalidateAdminPasswords
- Customize as desired
Next head back to Stores > Configuration > Advanced > Admin > Admin User Emails and point "Password Reset Required Template" to your newly customized template.
This module will not kick out admin users with active login sessions. As Magento uses the same storage for customer and admin sessions there is no great way to clear ONLY admin user sessions. If you'd like to kick out users with active login sessions the best option is to wipe all sessions.
Issue a FLUSHDB
command to the Redis instance configured to store session data
Delete rm -rf
the session directory (typically var/session
)
The module uses the mechanics outlined in this blog post. All passwords are set to a string (SomethingDigital\InvalidateAdminPasswords\Model\Invalidator::INVALIDATED_PASSWORD_STRING
) that no other string will hash to.