Magento RSS Brute Force

Lydia

Creativemgroup, a Magento specialist agency that works with a number of our Magento clients, has discovered a new threat to Magento stores that affects both Magento 1 and 2.

By abusing the built-in RSS feed functionality, an attacker can pass a brute-force attack through to the Magento Admin login. Over 30 days they recorded 128,500 attempts to gain access to one site through this vulnerability, and the rules below blocked them all. The brute force is not only a security issue: the load it puts on the server can also cause site disruptions.

They, and we, recommend adding the following rules to your .htaccess or NGINX config, provided you are not using the RSS functionality:


For Apache, block the admin RSS feeds entirely. The rules below match any request whose path contains /RSS/ORDER (case-insensitive) and redirect it to the homepage instead of letting it reach the admin login:

RewriteCond %{REQUEST_URI} ^.*/RSS/ORDER [NC]
RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]

For NGINX, return 403 for each of the three admin RSS feeds (these location blocks go inside the server block):

location ~* /rss/order/new {
    return 403;
}
location ~* /rss/catalog/notifystock {
    return 403;
}
location ~* /rss/catalog/review {
    return 403;
}
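To check whether a store is already being targeted, before or after applying the rules, here is an added example (not from the original post or from Creativemgroup) that reads combined-format access log lines and counts hits on the three admin RSS feeds per source IP. The log lines, IP addresses, status codes and the threshold of 20 are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Admin RSS feeds the post recommends blocking; matched case-insensitively,
# as the Apache [NC] and NGINX ~* rules do.
ADMIN_RSS_PATHS = ("/rss/order/new", "/rss/catalog/notifystock", "/rss/catalog/review")

# Default "combined" log line as written by Apache and NGINX.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def is_admin_rss(path):
    """True when the request path hits one of the admin RSS feeds (query string ignored)."""
    p = path.split("?", 1)[0].lower()
    return any(p.startswith(prefix) for prefix in ADMIN_RSS_PATHS)

def summarize(lines, threshold=20):
    """Return {ip: {"attempts": n, "statuses": Counter}} for IPs with at least
    `threshold` requests to the admin RSS feeds. Lines that do not parse are skipped."""
    per_ip = defaultdict(lambda: {"attempts": 0, "statuses": Counter()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_admin_rss(m.group("path")):
            continue
        entry = per_ip[m.group("ip")]
        entry["attempts"] += 1
        entry["statuses"][int(m.group("status"))] += 1
    return {ip: e for ip, e in per_ip.items() if e["attempts"] >= threshold}

# Constructed sample: one source hammering the order feed (401 = failed HTTP auth),
# one source with a single feed request and one ordinary storefront request.
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Oct/2023:13:55:{i:02d} +0000] "GET /rss/order/new HTTP/1.1" 401 381 "-" "curl/7.68.0"'
    for i in range(25)
] + [
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /rss/catalog/review?x=1 HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /customer/account/login/ HTTP/1.1" 200 9173 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, e in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {e['attempts']} admin RSS requests, statuses {dict(e['statuses'])}")
```

Once the rules above are in place, the same script shows the feed requests answered with 302 or 403 rather than 401, which confirms the attempts no longer reach the admin login.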


Nimbus Hosting