manento security

Digital transformation in the eCommerce sector has opened up a new world of borderless possibilities. Merchants can target customers globally, and customers can shop for the best products at the best price from anywhere in the world.

Unfortunately, cyber security threats pose the biggest risk to eCommerce, especially if your online store runs on Magento. This guide explores the measures you can take to boost Magento security and keep hackers at bay.

The Importance of Magento Store Security

eCommerce websites receive, process, and store large amounts of user data and online transactions. Hackers and other bad actors are particularly interested in getting this data to perpetrate nefarious activities, the most common being identity theft and financial fraud. The online retail sector is the most targeted when it comes to cyber-attacks. It is a never-ending battle of supremacy between hackers and merchants.

Magento store security should be a top priority for any online store owner. A data breach on your website can have devastating consequences on the financial well-being of your customers and your business, not to mention the irreparable damage to your brand reputation. That’s something your enterprise will likely never recover from. It doesn’t end there. You may find yourself in a world of legal trouble. Victims whose financial information was stolen will likely file lawsuits against you to recover their losses.

Your website’s eCommerce security isn’t something you should take lightly. You must make it the cornerstone upon which all your business operations are built. As they say, better safe than sorry.

Understanding the Risks and Consequences of Inadequate Security

The risks of inadequate security on your eCommerce website are twofold. On the one hand, you have threats posed by cybercriminals on the web. On the other hand, you have internal threats posed by employees and third-party insiders who work closely with your business.


Cyber Security Threats to Online Stores

Hackers targeting eCommerce platforms employ several tactics to breach online store security. Here’s an overview of the common ones:

  • Phishing attack: A hacker uses social engineering to trick unsuspecting users into sharing sensitive information such as account login credentials, credit card information, etc.
  • Malware: Malicious software designed to compromise your online store is covertly installed into your system and can disrupt your operations, hack passwords, or gather sensitive information on users.
  • SQL injection: A malicious query is inserted into the website’s database, giving the hacker viewing and editing rights to the sensitive information stored there.
  • Cross-site scripting (XSS): Malicious executable code is inserted into the website via JavaScript, giving the hacker access to visitors' browser session tokens, cookies, and other sensitive data.
  • eSkimming: Malicious code is inserted into online stores to steal customers' payment information, such as credit card or bank account details.
  • Distributed Denial of Service (DDoS): Cybercriminals flood the website with massive traffic, causing it to crash.
  • Brute force attack: A hacker attempts to guess the login credentials of a user by systematically inputting a series of different combinations until they crack it.

Internal Threats to Online Stores

Internal security risks to an online store refer to threats from within the company. Some might be entirely unintentional, while others might bear malicious undertones. Here’s an overview of the most common internal threats to your eCommerce store’s security:

  • Unintentional employee negligence: An employee fails to follow the existing security protocols by clicking on a suspicious link in an email, using a weak password, unwittingly sharing sensitive information with third parties, accessing the admin panel using public Wi-Fi, etc.
  • Intentional employee sabotage: A disgruntled employee intentionally sabotages the company by leaking sensitive customer data, sharing their login credentials with bad actors, and creating a backdoor that hackers can use to access the website, etc.
  • Third-party insiders: Customers, vendors, contractors, and other parties with access to your systems may compromise your site’s security in an act of negligence or sabotage.

Is Your Magento Store Secure?

The folks at Magento work tirelessly to identify emerging security threats and develop updates and patches to curb the menace. However, despite their best efforts, your store is still at risk from vulnerabilities and threats from third-party integrations, extensions, plugins, and even users with access to the Magento admin panel.

According to Sucuri’s 2021 Website Threat Research Report, a whopping 85.2% of Magento-powered eCommerce sites were using out-of-date versions of the software’s core files at the point of the attack. The reasons given by site owners for not updating to the latest version of Magento include not wanting to break their store’s functionality, which could result in revenue loss, and not having adequate resources or the technical expertise required to install the latest security patches.

That said, the single most important thing you can do to safeguard your Magento website is to ensure your software is up-to-date. A surprising number of merchants continue to use the outdated Magento 1, which terminated support at the end of June 2020. It means no further security patches have been developed since that date.

If your eCommerce store is currently running on the older version of Magento, it is at risk of potential attacks from new threats and vulnerabilities. We strongly urge you to migrate your online store to Magento 2, the latest version of the software, to enjoy the latest security enhancements, updates, patches, and other improvements.

See also: Magento 1 to Magento 2 Migration

Importance of Magento Security Patches

Your online store’s first line of defense against malicious attacks is to install the latest security patches as soon as Magento makes them available. These security patches are designed to mitigate the risk associated with a breach to ensure your store mounts the best defense possible to protect your customers and, by extension, your business.

It is worth noting that Magento’s security patches are often bundled with feature upgrades. It is, therefore, a good idea to give yourself some wiggle room in the interim to test these new features properly while relying on a solid web application firewall to safeguard your store against any known security vulnerabilities through a process known as virtual patching.

Make no mistake about it. Virtual patching is a temporary security measure. It is only supposed to buy you time to update your website with the latest security fixes until you’ve fully tested and used the feature upgrades.

Some things to keep in mind before installing the latest Magento security patches:

  • Read through the version release notes to familiarize yourself with the new changes that have been made and their impact on your online store;
  • Ensure you have a recent backup of your website’s files and database just to be on the safe side;
  • Activate the exception logging feature to flag errors that occur during the Magento update;
  • Launch a staging version of your website to test the new version of the software before it goes live on your actual site;
  • Update your site during low peak times when your store has the lowest anticipated traffic to avoid any issues with customers being unable to complete transactions if the storefront suddenly becomes unavailable.

How to Apply a Magento Security Patch

To install the latest Magento security patch, here’s how to do it:

  1. Backup your online store’s database and files.
  2. Visit the Magento 2 Security Updates page and download the latest security patches for your software version.
  3. Upload the files to your store's root directory.
  4. If your website is compiled, you'll need to deactivate the compiler by going to System > Tools > Compilation.
  5. Use SSH to connect to your website and run the command associated with the respective patch file extension.
  6. Test your store to confirm that it is functioning properly.
  7. Reactivate the compiler (if you had deactivated it in Step 4 above) and run it.

Once your website is successfully patched, Magento’s built-in caching system will reset. To manually reset the cached version of your online store, log into the admin panel and go to System > Tools > Cache Management > Flush Magento Cache.

Magento Security – 20 Best Practices to Protect Your Store

Data breaches can unlatch a door of disarray for eCommerce websites. You must, therefore, understand the dangers posed by inadequate security and take necessary measures to protect your eCommerce store from hackers and other bad actors from breaching sensitive customer data. Here's an in-depth look at the top Magento security best practices to protect your eCommerce site against potential threats.

1. Upgrade to the Latest Release of Magento

While most people don’t generally jump at the chance of upgrading to the latest software, it would be in your best to do so, especially if you run an online store. A common misconception is that people believe new version releases may have bugs that could present potential security vulnerabilities.

This couldn’t be further from the truth. Upgrading to the latest release of Magento ensures your eCommerce website has the latest security patches against emerging threats not adequately addressed by previous software versions. If, for whatever reason, you are unable to update your store to Magento's latest version, ensure you download and install all the necessary security patches to prevent your website from getting hacked.

2. Enable Two-Factor Authentication

Two-factor authentication, also known as two-step verification, can significantly reduce the likelihood of security breaches related to your Magento passwords. If a hacker somehow gets your store's login credentials, they would still be unable to successfully log in to the admin panel. What's more, two-factor authentication is remarkably effective against brute force attacks, so even if a hacker were to guess your username and password, they still wouldn't be able to log in.

While Magento comes with a built-in two-factor authentication feature, there are several other third-party extensions you can install to protect your website and respective user accounts. Just make sure it’s from a trusted source.


3. Access the Admin Panel via a Custom Path

The default URL for accessing the admin panel in most (if not all) websites is /admin. While it might seem like an innocuous little detail, it poses a serious threat to your store's security. This is why you need to change it ASAP to conceal the admin page.

The easiest way to do this would be to change the word "admin" to something completely unrelated. Steer clear of words like "backend," "control panel," "dashboard," or anything else that might allude to the admin panel. Even something as seemingly random as “mango” or “purple” would suffice.

To create a custom path for your admin URL, go to the admin panel and select System > Configuration > Admin. Next, navigate to the section labeled Admin Base URL, select “Yes” to Use Custom Admin URL, input your preferred path in the format, and click Save Config.

4. Use Secure URLs

Any information exchange that occurs online can easily be intercepted by a third party when using an unencrypted connection. If hackers gain access to this information, they can use it to perpetrate identity theft and fraud. To safeguard your business and customer data, you must encrypt your data using HTTP/SSL protocols.

Log in to your Magento store admin panel and select System > Configuration > Use Secure URLs.

See also: Magento Open Source vs. Magento Commerce Cloud – Which Is Better?

5. Use Secured File Transfer Protocol

Intercepting or guessing FTP passwords is a common method cybercriminals use to hack websites. To avoid falling victim to this, use a Secured File Transfer Protocol (SFTP) with a private key for file decryption and user authentication.

6. Implement a Backup Strategy

Taking preventative measures to protect your online store against malicious attacks from hackers is an effective and proactive approach to Magento security. However, if a breach does occur, you need an effective backup strategy to ensure you can get your business up and running again in the shortest time possible.

For this reason, you must ensure that you back up your store database regularly. Your backup plan should indicate the files to include, the backup frequency, and the backup functionality.

A good backup should include the files required for your store’s configuration, functionality, and look. Magento supports four types of backups:

  • A full system backup, including the database, source code, and media
  • A database backup for the database alone
  • A database and media backup
  • A system backup without media

We recommend doing a full system backup as it makes the most sense since it includes the database and source code.

With regard to the backup frequency, it all boils down to how often your site content changes. You can do a daily, weekly, bi-weekly, or monthly backup, depending on how many updates you make to your eCommerce store.

As far as the backup functionality goes, the underlying reason for backing up your site is to be able to restore it to its original, unadulterated version in the event of a hack. Any backup you do should be able to roll back your Magento website to its original state.

7. Deactivate Directory Indexing

The other thing you need to do to enhance the security of your Magento store is to disable directory indexing. By deactivating this option, you can hide the directory paths to where your domain files are stored. That way, you can prevent cyber criminals from accessing your site’s core data.

8. Establish a Sound Hosting Plan

As an online store owner, you should steer clear of shared hosting. While it might seem like a good option if you're just starting, it exposes your Magento store to security vulnerabilities that could result in more harm than good since multiple websites are hosted on the same server. If one of them gets hacked, it opens up all the other stores hosted on the same server to the same attack.

The next best option might be to get on a dedicated hosting plan where your eCommerce website would be hosted on a server designated specifically for you. While this approach is certainly better than shared hosting, the downside is its inability to scale alongside your business. If your online store gets a sudden spike in traffic and your server resources aren’t equipped to handle it, your website will inevitably crash.

The best Magento hosting plan would be to get a managed cloud provider that can handle all the security aspects of your store, including implementing frequent server-level security patches.

9. Install a Web Application Firewall

eCommerce sites are a huge target for hackers. Cyber attackers are constantly on the prowl for vulnerable online stores from which they can steal customer's sensitive information, such as credit card details and personally identifiable information.

One way to stop hackers dead in their tracks is to install a web application firewall. A firewall has the uncanny ability to analyze the traffic to your online store and identify suspicious activity patterns. It can block malicious IPs and traffic attempting to hack your website and protect your store against cyber-attacks including, but not limited to, SQL injections, RFI and LFI, XSS, and dozens of other threats.

10. Conduct a Periodic Magento Security Audit

Part of maintaining a website is conducting periodic audits on it. Do it often. Do it thoroughly. Seal any emerging loopholes that pose potential security vulnerabilities.

The idea behind regularly auditing your eCommerce website is to identify broken security infrastructure and open backdoors before hackers do so that you can fix them and protect your store against potential attacks.

While there are various security extensions on the market you can use to audit your site; it's in your best interest to bring on board a Magento security expert to do an in-depth security audit for you and pen-test various aspects of your site. A Magento security audit can help uncover security vulnerabilities such as injection flaws, broken authentication, data exposure, and XSS flaws and fix them. These security gaps can be difficult to detect without a pro.

11. Add a Security Key to Your Admin Panel

One of the defining features of Magento is the ability to append secret security keys to URLs. By doing this, only users with the secret key can access the admin panel, effectively eliminating potential eavesdroppers and hackers.

Moreover, you can take your Magento 2 security a step further by enabling the keyboard inactivity time feature. That way, the user is automatically logged out of the admin panel after a specific period of inactivity, requiring them to log in again using their secret key.


12. Ensure Your Website Is PCI-DSS Compliant

eCommerce sites handle loads of sensitive customer information such as personally identifiable information, payment information, and more. It calls for vigilant monitoring from store owners to prevent security breaches that could result in data leaks. If such a breach were to occur, it could land you and your business in a world of legal trouble.

The Payment Card Industry (PCI), an organization of the top credit card companies, has developed security guidelines and regulations designed to protect customer’s financial data. Websites that are found to be operating in contravention of these guidelines might be subject to hefty fines and penalties.

Some of the security requirements for PCI compliance include:

  • Developing and maintaining a secure network framework
  • Protecting cardholder data through encryption and secure storage
  • Maintaining up-to-date vulnerability management software to protect the website database against malware and other forms of cyber attacks
  • Implementing robust access control measures
  • Regularly monitoring and testing network resources and processes
  • Maintaining an information security policy that addresses information security for all store users

As an online store owner, you are solely responsible for guaranteeing safe checkout for your customers and abiding by the PCI-DSS regulations governing secure credit card handling. Remember, these rules exist to protect customers and, by extension, your business.

See also: How to Migrate from Magento to Shopify

13. Enable IP Whitelisting and .htaccess

One of the most effective ways of safeguarding your Magento store involves whitelisting specific IPs to access your admin panel. Using both IP whitelisting and .htaccess for password protection is an effective way of blocking access to highly sensitive development, staging, and testing systems. If compromised, it would leave your Magento site exposed to data leaks or brute force attacks.

The easiest and most convenient way to whitelist IPs is through third-party Magento 2 security extensions like GeoIP Ultimate Lock, which blocks traffic from specific regions, countries, servers, and IP addresses. You can even use it to block access to specific pages and products in your store.

14. Use a Strong Password

You've probably heard it a million times – never use easy-to-guess passwords. Steer clear of using your name, names of loved ones (pets included), your birthday, birthdays of loved ones, the word “password,” and anything else that someone with just the right amount of information about you could easily crack. Use strong passwords to protect critical information you wouldn’t want getting into the wrong hands.

The question then becomes: What qualifies as a “strong” password?

  • It should be at least eight characters long;
  • It should have a mix of both upper and lowercase letters, preferably picked at random;
  • It should have a combination of numbers, letters, and symbols;
  • It shouldn’t be a sequential string of characters such as Abcdefgh, 12345678, 87654321, etc.
  • Replace letters with numbers and symbols where possible. For instance, "Weird Domain” becomes “w3iRd d0M@!N”

15. Restrict the Number of Failed Login Attempts

As a rule of thumb, limit the number of failed attempted logins to three before blocking any subsequent attempts for a specific duration. You should also limit the number of password reset requests to protect your online store from unauthenticated login attempts.

To do this, go to the admin panel in your Magento store, select Stores > Settings > Configuration > Advanced > Admin > Security, and change the respective configurations.

16. Enable CAPTCHA in Forms and Account Logins

CAPTCHA is a tool used to protect websites against bot attacks. It is especially important for Magento eCommerce websites to prevent bots from spamming contact forms and gaining access to the admin panel.

To enable CAPTCHA for Magento, go to your store’s admin panel and select Stores > Settings > Configuration > Advanced > Admin. At this point, expand the CAPTCHA section and select "Yes" to enable it.

17. Customize File and Directory Permissions

Customizing your Magento platform is critical to addressing your unique business needs. One of the most important aspects of customization is setting access permissions for files, folders, and directories. That said, the process isn’t as straightforward as you would expect, but it is a step you cannot avoid when it comes to protecting your online store.

The recommended permission settings for files and directories are 644 and 755, respectively. However, you can set different levels for various files and directories depending on the importance associated with them and the amount of protection they require. The best approach would be to have a Magento expert set these permissions for you. If you consider yourself tech-savvy, you can do it yourself by following the instructions provided in the Magento Community forum.

18. Define Appropriate User Roles

While on the subject of permissions, you also need to define the correct user roles for your employees based on their specific job descriptions. As a rule of thumb, the access level you grant users must be based on the permissions they need to perform their specific duties.

To assign user roles in Magento, log into the admin panel and go to System > Permissions. Here, you'll see the options "Users" and "Roles." Roles will be defined in the "Roles" section, whereas "Users" is where the individuals will be assigned their respective roles.

19. Only Install Extensions From Trusted Sources

Vulnerable third-party apps and plugins pose a major risk to websites and have single-handedly been responsible for several hacks. Ensure you only install extensions from trusted sources.

How can you tell if an extension is trustworthy? One foolproof way would be to check the reviews and statistics on a particular extension from the Magento Marketplace to see what previous users say about it. Read the associated information to determine whether the extension developer’s profile is credible.

An example of a credible Magento developer is FMEextensions. The company has a solid reputation in the Magento Marketplace and features several secure, verified extensions.

20. Install a Magento 2 Security Extension

Some top Magento 2 security extension apps you can install to protect your online store against hackers and other cyber threats include:

  • Astra – A web application firewall.
  • Watchdog – Monitors activity on the admin panel.
  • Amasty’s 2FA – Provides reliable two-step authentication.
  • MageFirewall – Detects and blocks malicious activities, including brute force attacks, suspicious login attempts, suspicious IP addresses, etc.
  • Magento 2 Disable Right Click – Stops visitors from copying your website content.

Final Thoughts

The security of your data and that of your customers must be a top priority for your online store. While Magento certainly has a lot to offer as far as its out-of-the-box security features go, there’s still a lot you must do to secure your eCommerce website.


A data breach can have monumental financial, legal, and reputational consequences, so making Magento security the pinnacle of your operations will help ward off cybercriminals and other bad actors. The tips and protection strategies in this guide will help point you in the right direction.

Are you looking to switch from your current eCommerce provider to a different platform? Cart2Cart can help you do just that. Our fully automated shopping cart migration tool can seamlessly re-platform your online store with no downtime or data loss in the shortest time possible.

Sign up for a free demo today to see Cart2Cart in action.


What is Magento security?

Magento security refers to the specific, actionable measures merchants can take to safeguard their eCommerce websites against hackers and bad actors looking to breach and steal sensitive customer data.

How to secure a Magento 2 website?

Some of the steps you can take to secure your Magento 2 website include, but are not limited to:

  • Upgrading to the latest release of the eCommerce software
  • Enabling two-factor authentication
  • Accessing the admin panel via a custom path
  • Using secured URLs
  • Using a secure FTP
  • Deactivating directory indexing
  • Getting your website periodically audited

What is a Magento security patch?

A Magento 2 security patch is an update that fixes bugs and vulnerabilities in the eCommerce solution to enhance the functionality and performance of the platform. A security patch can ward off hackers from accessing your website database and stealing sensitive customer data such as card payment details and personally identifiable information. Visit the Magento Security Updates page and download the latest security patches for your software version.

What are some top recommendations to keep a Magento store secure?

Top Magento security best practices to protect your online store against hackers and other malicious threats include, but are not limited to:

  • Implementing a robust backup strategy
  • Installing a web application firewall
  • Adding a security key to your Magento admin panel
  • Ensuring your website is PCI-DSS compliant
  • Enabling IP whitelisting and .htaccess
  • Restricting the number of failed login attempts
  • Enabling CAPTCHA in forms and account logins
  • Customizing file and directory permissions
  • Defining appropriate user roles
  • Installing extensions from trusted sources