Secure Magento: protect your store against hackers
Last updated: 31 December 2025
Magento stores are a popular target for hackers. They contain customer data and payment information. A hack can destroy your reputation and business. Here you'll learn how to secure your store.
Why do Magento stores get hacked?
Common reasons:
- Outdated software: Old versions have known vulnerabilities
- Weak passwords: Admin accounts with simple passwords
- Insecure extensions: Extensions from unreliable sources
- Misconfiguration: Default settings not changed
Essential security measures
1. Keep Magento updated
This is the most important measure. Adobe regularly releases security patches.
Apply updates with the store in maintenance mode:
bin/magento maintenance:enable
composer update
bin/magento setup:upgrade
bin/magento maintenance:disable
Subscribe to Adobe Security Bulletins for notifications.
2. Use strong admin credentials
Best practices:
- Use unique, complex passwords (16+ characters)
- Change the default admin URL (/admin)
- Enable two-factor authentication (2FA)
- Limit admin access to specific IP addresses
Change admin URL in app/etc/env.php:
    'backend' => [
        'frontName' => 'your-secret-admin-url'
    ]
3. Secure the server
Essential server configuration:
- Firewall active (only necessary ports open)
- SSH key authentication (no password login)
- Regular OS updates
- Fail2ban for brute force protection
4. SSL/HTTPS required
All traffic must run via HTTPS.
Configure in Magento: Stores > Configuration > General > Web > Base URLs (Secure)
- Use Secure URLs: Yes
- Use Secure URLs in Admin: Yes
5. Set correct file permissions
find var generated vendor pub/static pub/media app/etc -type f -exec chmod 644 {} \;
find var generated vendor pub/static pub/media app/etc -type d -exec chmod 755 {} \;
chmod 750 bin/magento
6. Database security
- Use a strong database password
- Limit database access to localhost
- Make regular backups
- Remove unused admin accounts
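The following script is an added example (not part of the original article or of Magento itself) that audits admin accounts the way this section and the monitoring section below recommend: it flags admin users that are not in a known baseline (new admin users), accounts that have not logged in for 90 days (candidates for removal), accounts with many failed logins, and accounts that are currently locked. It reads the same columns that Magento's admin_user table has (username, is_active, created, logdate, failures_num, lock_expires) but fills an in-memory SQLite database with constructed sample rows so it runs offline; against a real store you would point it at the MySQL database instead. The usernames, timestamps and thresholds are assumptions made up for the example.

```python
import sqlite3
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample rows mirroring the columns of Magento's admin_user table:
# (username, email, is_active, created, logdate, failures_num, lock_expires).
# All values are invented for this example.
SAMPLE_ADMIN_USERS = [
    ("admin",       "admin@example.test",   1, "2024-01-10 09:00:00", "2025-12-20 08:15:00", 0, None),
    ("webshop_old", "old@example.test",     1, "2023-05-01 09:00:00", "2025-06-01 16:40:00", 0, None),
    ("deploy",      "deploy@example.test",  1, "2024-03-01 09:00:00", "2025-12-30 22:05:00", 3, None),
    ("support",     "support@example.test", 1, "2025-12-29 03:12:00", None,                  7, "2025-12-31 13:00:00"),
]

# Usernames you expect to exist (the baseline); keep this list under version control.
BASELINE_USERNAMES = {"admin", "webshop_old", "deploy"}

# Fixed "now" so the sample audit is reproducible.
AUDIT_NOW = datetime(2025, 12, 31, 12, 0, 0)


def load_sample_db():
    """Build an in-memory SQLite stand-in for the MySQL admin_user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE admin_user (
        user_id INTEGER PRIMARY KEY, username TEXT, email TEXT, is_active INTEGER,
        created TEXT, logdate TEXT, failures_num INTEGER, lock_expires TEXT)""")
    conn.executemany(
        "INSERT INTO admin_user (username, email, is_active, created, logdate, "
        "failures_num, lock_expires) VALUES (?, ?, ?, ?, ?, ?, ?)",
        SAMPLE_ADMIN_USERS)
    return conn


def _parse(ts):
    return datetime.strptime(ts, FMT) if ts else None


def audit_admin_users(conn, baseline_usernames, now, inactive_days=90, failure_threshold=5):
    """Return findings per category; every list is sorted by username."""
    cutoff = now - timedelta(days=inactive_days)
    findings = {"new_users": [], "stale_users": [], "failed_logins": [], "locked": []}
    rows = conn.execute(
        "SELECT username, is_active, created, logdate, failures_num, lock_expires "
        "FROM admin_user ORDER BY username")
    for username, is_active, created, logdate, failures_num, lock_expires in rows:
        # An admin account nobody put in the baseline is the classic sign of a backdoor.
        if username not in baseline_usernames:
            findings["new_users"].append(username)
        # Never logged in? Fall back to the creation date so old unused accounts still surface.
        last_seen = _parse(logdate) or _parse(created)
        if is_active and last_seen < cutoff:
            findings["stale_users"].append(username)
        # failures_num is Magento's own counter of consecutive failed logins.
        if failures_num >= failure_threshold:
            findings["failed_logins"].append((username, failures_num))
        lock = _parse(lock_expires)
        if lock and lock > now:
            findings["locked"].append(username)
    return findings


def run_sample_audit():
    """Run the audit against the constructed data (used by the usage call below)."""
    return audit_admin_users(load_sample_db(), BASELINE_USERNAMES, AUDIT_NOW)


if __name__ == "__main__":
    for category, items in run_sample_audit().items():
        print(f"{category}: {items}")
```

Run it daily from cron and send the output to whoever owns the store; an empty result for "new_users" is what you want to see. The three thresholds (baseline, 90 days, 5 failures) are starting points, not Magento defaults.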
Advanced security
Web Application Firewall (WAF)
A WAF blocks malicious requests before they reach your server.
Options:
- Cloudflare WAF (paid)
- Sucuri (paid)
- ModSecurity (free, configure yourself)
Security extensions
Recommended:
- Magento Security Scan (free from Adobe)
- MageReport (free scan)
- Amasty Security Suite (paid)
Monitoring
Set up alerts for:
- New admin users
- Failed login attempts
- File changes in core folders
- Unusual database queries
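The script below is an added example (it is not from the original article and not an Adobe or Magento tool) of the "file changes in core folders" alert: it takes a SHA-256 and permission-bits baseline of the folders that should only change during a deployment (vendor, app/code, app/etc, pub/index.php), compares a later snapshot against it, and reports added, removed and modified files. Because it already records the mode bits it also reports world-writable files, which is a quick check that the permissions from section 5 are still in place. The demo builds a small constructed store tree in a temporary directory and then simulates a modified core file, a dropped-in PHP file and a config file that lost its permissions; the paths and contents are invented for the example.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Paths that only a deployment should touch (relative to the Magento root).
# Assumed list for this example; extend it to match your store.
WATCHED_PATHS = ["vendor", "app/code", "app/etc", "pub/index.php"]


def snapshot(root, watched=WATCHED_PATHS):
    """Hash every file under the watched paths and record its permission bits."""
    root = Path(root)
    entries = {}
    for rel in watched:
        base = root / rel
        if not base.exists():
            continue
        files = [base] if base.is_file() else [p for p in base.rglob("*") if p.is_file()]
        for p in files:
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            mode = stat.S_IMODE(p.stat().st_mode)
            entries[p.relative_to(root).as_posix()] = {"sha256": digest, "mode": mode}
    return entries


def compare(baseline, current):
    """Diff two snapshots; a mode change counts as a modification too."""
    report = {"added": [], "removed": [], "modified": [], "world_writable": []}
    for path, info in current.items():
        old = baseline.get(path)
        if old is None:
            report["added"].append(path)
        elif old["sha256"] != info["sha256"] or old["mode"] != info["mode"]:
            report["modified"].append(path)
        if info["mode"] & stat.S_IWOTH:
            report["world_writable"].append(path)
    report["removed"] = [p for p in baseline if p not in current]
    for key in report:
        report[key].sort()
    return report


def save_baseline(entries, path):
    """Store the baseline outside the web root (for example in /var/lib/magento-fim)."""
    with open(path, "w") as fh:
        json.dump(entries, fh, indent=2)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed store tree: take a baseline, then simulate three suspicious changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "vendor/magento/module-checkout").mkdir(parents=True)
        (root / "vendor/magento/module-checkout/Cart.php").write_text("<?php // original\n")
        (root / "app/code").mkdir(parents=True)
        (root / "app/etc").mkdir(parents=True)
        (root / "app/etc/env.php").write_text("<?php return [];\n")
        (root / "pub").mkdir()
        (root / "pub/index.php").write_text("<?php // front controller\n")
        baseline = snapshot(root)

        # Simulated incident: a core file edited in place, an unknown PHP file
        # dropped into app/code, and env.php made writable for everyone.
        (root / "vendor/magento/module-checkout/Cart.php").write_text("<?php // original\n// changed\n")
        (root / "app/code/unexpected.php").write_text("<?php\n")
        os.chmod(root / "app/etc/env.php", 0o666)
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production, take the baseline right after each deployment (save_baseline), run snapshot plus compare from cron, and alert on any non-empty list; a modified file inside vendor/ between deployments should never happen.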
Security checklist
| Measure | Priority | Status |
|---|---|---|
| Magento up-to-date | ⭐⭐⭐⭐⭐ | |
| Strong admin passwords | ⭐⭐⭐⭐⭐ | |
| 2FA enabled | ⭐⭐⭐⭐ | |
| Custom admin URL | ⭐⭐⭐⭐ | |
| SSL/HTTPS | ⭐⭐⭐⭐⭐ | |
| Firewall active | ⭐⭐⭐⭐ | |
| Regular backups | ⭐⭐⭐⭐⭐ | |
| WAF | ⭐⭐⭐ | |
What to do after a hack
- Take the site offline - Prevent further damage
- Document everything - Logs, modified files
- Restore from backup - Use a clean backup
- Analyze the cause - How did they get in?
- Patch the vulnerability - Prevent recurrence
- Inform stakeholders - Customers, payment provider, possibly authorities