In this Magento 2 tutorial, we will show you several steps of admin security and admin CAPTCHA configuration in Magento 2.
How To Configure Admin Security In Magento 2?
To begin with, Magento 2 allows you to set how long the keyboard can stay inactive before the session expires, and to require the username and password to be case-sensitive as well.
- Step 1: Go to the admin panel, navigate to STORES and choose Configuration (under Settings)
(Admin Panel => STORES => Configuration)

- Step 2: Expand the ADVANCED field (on the left) and select Admin in the drop-down

- Step 3: Configure Security section
Firstly, you must set Add Secret Key to URLs to Yes in order to protect against exploits.
Secondly, you must set Login is Case Sensitive to Yes to ensure that the username and password match those saved in the system.
Thirdly, you must enter a specific Admin Session Lifetime in seconds (greater than 60) or leave it blank.
Fourthly, enter the maximum number of failed logins before the admin account is locked temporarily.
Fifthly, define the time that the account will be locked (in minutes). After that time, the user can log in again.
Sixthly, define the lifetime of a password (in days). After that time, the admin has to change the password, and the new one must not have been used before.
Finally, set Password Change to Forced so that the admin is obliged to change the password before it expires. Save the Config to complete the settings.

How To Configure Admin Captcha In Magento 2?
As you might know, CAPTCHA (Completely Automated Public Turing Test To Tell Computers And Humans Apart) is created with the aim of guaranteeing that a person, rather than a bot or computer, is accessing your site. Let’s start to set up CAPTCHA for the admin in Magento 2.
- Step 1: Go to the admin panel, navigate to STORES and choose Configuration (under Settings)
(Admin Panel => STORES => Configuration)

- Step 2: Expand the ADVANCED field (on the left) and select Admin in the drop-down

- Step 3: Set up CAPTCHA Options
Firstly, you must enable CAPTCHA in admin by selecting Yes.
Secondly, you must choose the Font used for CAPTCHA. If you want to use another font, make sure that the font resides in the same directory as your Magento and is declared in the CAPTCHA’s config.xml file.
Thirdly, you must choose the form that uses the CAPTCHA (Admin Login or Admin Forgot Password).
Fourthly, choose a display mode from the following options:
- Always: Submitting the CAPTCHA is always required to log in to the admin
- After a number of attempts to log in: The admin is only required to fill in the CAPTCHA after failing to log in a certain number of times. If you choose this option, you must enter the Number of Unsuccessful Attempts to log in.
Fifthly, set the CAPTCHA Timeout (in minutes). After this time, the CAPTCHA will expire and the user must reload the page and log in again.
Sixthly, list all of the symbols allowed to appear in the CAPTCHA (including letters and numbers).
Finally, set Case Sensitive to Yes if you want the user to enter the exact characters as shown. Save the config to complete the settings.
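
The settings from both procedures above can also be checked from the command line. This is an added example, not part of the original tutorial or of Magento itself: it reads settings as `path - value` lines and reports every value that deviates from the steps above. The configuration paths and the input format are assumptions to confirm against your own installation, and the sample values are constructed.

```shell
#!/usr/bin/env bash
# Added example: audit Magento 2 admin settings against the steps above.
# The "path - value" input format and the config paths are assumptions;
# confirm them with `bin/magento config:show` on your own installation.

audit_admin_security() {
  awk -F' - ' '
    function need_yes(path, label) {
      if (cfg[path] != "1") { print "FAIL " label; bad++ }
    }
    function need_positive(path, label) {
      if (cfg[path] !~ /^[0-9]+$/ || cfg[path] + 0 < 1) { print "FAIL " label; bad++ }
    }
    { cfg[$1] = $2 }   # remember every path/value pair
    END {
      need_yes("admin/security/use_form_key", "Add Secret Key to URLs")
      need_yes("admin/security/use_case_sensitive_login", "Login is Case Sensitive")
      # A blank session lifetime is accepted; otherwise it must exceed 60 seconds.
      s = cfg["admin/security/session_lifetime"]
      if (s != "" && (s !~ /^[0-9]+$/ || s + 0 <= 60)) {
        print "FAIL Admin Session Lifetime"; bad++
      }
      need_positive("admin/security/lockout_failures", "max failed logins before lockout")
      need_positive("admin/security/lockout_threshold", "lockout time (minutes)")
      need_positive("admin/security/password_lifetime", "password lifetime (days)")
      need_yes("admin/security/password_is_forced", "Password Change set to Forced")
      need_yes("admin/captcha/enable", "CAPTCHA enabled in admin")
      print (bad + 0) " finding(s)"
      exit (bad > 0)   # non-zero exit status when anything failed
    }'
}

# Constructed sample input (not taken from a real store).
SAMPLE_CONFIG='admin/security/use_form_key - 1
admin/security/use_case_sensitive_login - 0
admin/security/session_lifetime - 45
admin/security/lockout_failures - 6
admin/security/lockout_threshold - 30
admin/security/password_lifetime - 90
admin/security/password_is_forced - 1
admin/captcha/enable - 0'

printf '%s\n' "$SAMPLE_CONFIG" | audit_admin_security || true
```

On a real store, the same function can be fed the output of `bin/magento config:show` once the paths and format have been confirmed. The non-zero exit status makes it usable as a deployment gate.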

We have shown you several steps to configure admin security and admin CAPTCHA in Magento 2. If you have any problems when following this tutorial, feel free to ask us by leaving a comment below. See you in the next tutorials!