
Secure Magento: protect your store against hackers

Last updated: 31 December 2025

Magento stores are a popular target for hackers: they hold customer data, and the checkout runs in the shopper's browser, so a compromised store can skim card details (Magecart-style JavaScript skimming) even when no card numbers are ever stored on the server. A hack can destroy your reputation and business. Here you'll learn how to secure your store.

Why do Magento stores get hacked?

Common reasons:

  • Outdated software: old Magento, PHP and extension versions have publicly known vulnerabilities that attackers scan for in bulk
  • Weak passwords: admin accounts with simple or reused passwords and no 2FA
  • Insecure extensions: third-party extensions from unreliable sources, or abandoned ones that no longer receive fixes
  • Misconfiguration: default settings not changed (admin path, file permissions, database and admin reachable from anywhere)

Essential security measures

1. Keep Magento updated

This is the single most important measure. Adobe publishes security fixes both as new releases and as standalone security patches, and attackers scan for stores that are still running a version with a known, already-fixed vulnerability. bin/magento --version shows the release you are on.

Apply a release (replace <version> with the release named in the security bulletin; for Adobe Commerce the package is magento/product-enterprise-edition). composer.json pins the exact Magento version, so a plain composer update on its own will not move you to a new release. Take a full file and database backup and test the upgrade on a staging copy first:

bin/magento maintenance:enable
composer require magento/product-community-edition=<version> --no-update
composer update
bin/magento setup:upgrade
bin/magento setup:di:compile
bin/magento setup:static-content:deploy -f
bin/magento cache:flush
bin/magento maintenance:disable

Subscribe to Adobe Security Bulletins for notifications.

2. Use strong admin credentials

Best practices:

  • Use unique, complex passwords (16+ characters) from a password manager, never one that is reused elsewhere
  • Change the default admin URL (/admin): it cuts the noise from automated scanners, but it is obscurity, not authentication, and no substitute for the next point
  • Enable two-factor authentication (2FA): it is built into Magento and switched on by default since 2.4.0, so do not disable it
  • Limit admin access to specific IP addresses or a VPN at the web server level (Magento Open Source has no built-in setting for this); if the store sits behind a CDN or reverse proxy, make sure the web server sees the real client address first, otherwise the rule applies to the proxy's IP
  • Turn on account lockout after failed logins and password expiry under Stores > Configuration > Advanced > Admin > Security

Change the admin URL in app/etc/env.php (or run bin/magento setup:config:set --backend-frontname="your-secret-admin-url"):

'backend' => [
    'frontName' => 'your-secret-admin-url'
]

3. Secure the server

Essential server configuration:

  • Firewall active: only 80/443 open to the world, SSH restricted to admin IPs; MySQL, Redis and Elasticsearch/OpenSearch must never be reachable from the internet
  • SSH key authentication (no password login, no direct root login)
  • Regular OS updates, ideally automatic for security patches
  • Fail2ban for brute force protection on SSH and on the admin login path

4. SSL/HTTPS required

All traffic, storefront and admin, must run via HTTPS; otherwise session cookies and admin passwords cross the network in clear text. Redirect HTTP to HTTPS in the web server as well.

Configure in Magento: Stores > Configuration > General > Web > Base URLs (Secure)

  • Secure Base URL: https://www.example.com/ (your own domain)
  • Use Secure URLs on Storefront: Yes
  • Use Secure URLs in Admin: Yes
  • Enable HTTP Strict Transport Security (HSTS): Yes, once every page and asset loads cleanly over HTTPS
  • Upgrade Insecure Requests: Yes

5. Set correct file permissions

The goal: the PHP/web server user can write only where Magento needs to write at runtime (var, generated, pub/static, pub/media) and cannot modify code or configuration, and env.php, which contains the database password and the encryption key, is not readable by other users on the host. The commands below assume a single-user layout in which PHP runs as the file owner; with a separate web server user (the safer layout), put that user in the files' group and grant group write access on the runtime directories only.

find var generated vendor pub/static pub/media app/etc -type f -exec chmod 644 {} \;
find var generated vendor pub/static pub/media app/etc -type d -exec chmod 755 {} \;
chmod 640 app/etc/env.php   # database credentials and crypt key: owner and group only
chmod 750 bin/magento
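Setting permissions once is not enough; they drift with every deployment and every hotfix applied by hand. The following script is an added example (not code from this article or from Adobe) that audits a Magento tree against the model above: it flags anything writable by "others" outside the runtime directories, an env.php readable by "others", and optionally files owned by the web server user in places only a deployment should write. The pruned directory list and the finding names are assumptions; it relies on GNU find.

```shell
#!/bin/sh
# perm-audit.sh: added example, not from the original article or from Adobe.
# Usage: ./perm-audit.sh /var/www/magento [web-server-user]   (exit 1 on findings)
# Assumes GNU find (symbolic -perm modes) and a Magento 2 directory layout.

# perm_audit ROOT [WEBUSER]: print one "<finding> <path>" line per problem.
# Returns 0 when nothing is flagged, 1 when something is, 2 if ROOT is missing.
perm_audit() {
    root=$1; webuser=${2:-}
    [ -d "$root" ] || return 2
    findings=$(
        cd "$root" || exit 2
        # Magento itself writes here at runtime, so these trees are pruned from the checks.
        runtime='-path ./var -o -path ./generated -o -path ./pub/media -o -path ./pub/static'
        # 1. Anything writable by "others" lets any local process (another site's
        #    compromised PHP-FPM pool, a stray cron job) drop a web shell into the code.
        # shellcheck disable=SC2086  # $runtime is intentionally word-split
        find . \( $runtime \) -prune -o -perm -o+w -print | sed 's|^\./||; s/^/WORLD_WRITABLE /'
        # 2. env.php carries the database password and the crypt key that protects
        #    stored credentials and tokens; other users must not be able to read it.
        find app/etc -name env.php -perm -o+r -print 2>/dev/null | sed 's/^/WORLD_READABLE /'
        # 3. Optional: files the web server user owns outside the runtime directories
        #    were created at runtime, not by your deployment. Investigate every one.
        if [ -n "$webuser" ]; then
            find . \( $runtime \) -prune -o -user "$webuser" -print | sed 's|^\./||; s/^/OWNED_BY_WEB /'
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Dispatch only when a root is given, so the function can also be sourced from other scripts.
if [ $# -gt 0 ]; then
    perm_audit "$@"
fi
```

Run it from cron after every deployment and alert on a non-zero exit. The third check is the most valuable one on a two-user setup: a PHP file owned by www-data under app/ or vendor/ was written by the web server process, which is exactly what a successful upload or deserialization exploit looks like.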

6. Database security

  • Use a dedicated database user with a strong, unique password and only the privileges Magento needs on its own schema (no SUPER, FILE or global grants)
  • Bind MySQL/MariaDB to localhost or a private interface (bind-address) and never expose port 3306 to the internet; if the database runs on another host, firewall it to the application server only
  • Make regular, automated backups, store them off the server, and test a restore: a backup that has never been restored is not a backup
  • Remove unused admin and database accounts, and review the admin_user table regularly for accounts you did not create

Advanced security

Web Application Firewall (WAF)

A WAF filters malicious requests before they reach Magento: cloud WAFs do this at the edge, ModSecurity inside your own web server. With a cloud WAF, lock the origin down so it only accepts traffic from the WAF's IP ranges; otherwise attackers simply bypass it by connecting to your server directly.

Options:

  • Cloudflare WAF (paid)
  • Sucuri (paid)
  • ModSecurity (free, configure yourself)

Security extensions

Recommended:

  • Adobe's Security Scan Tool (free from Adobe; scheduled scans of your store for known vulnerabilities and malware indicators, with reports)
  • MageReport by Sansec (free online scan for known Magento vulnerabilities)
  • Amasty Security Suite (paid)

Monitoring

Prevention eventually fails; detection decides whether a compromise lasts an hour or six months. Set up alerts for:

  • New or changed admin users: they live in the admin_user table (the created and modified columns show when an account appeared or was altered; failures_num and lock_expires record failed logins and lockouts)
  • Failed admin logins and lockouts, especially bursts from a single IP
  • File changes outside the runtime directories (var, generated, pub/media, pub/static): a new or modified PHP or JavaScript file under app, vendor or pub is the classic sign of a web shell or card skimmer
  • Unusual database queries, and new rows or edits in tables that rarely change, e.g. cms_block and core_config_data (design/head/includes), which skimmers use to inject JavaScript into every page
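The file-change alert above needs a baseline to compare against. The following script is an added example (not code from this article or from Adobe): it hashes the code directories of a Magento install with sha256sum, re-verifies the tree against the stored baseline, and classifies every difference as MODIFIED, REMOVED or ADDED. The FIM_WATCH list and the baseline location are assumptions; it relies on GNU coreutils and on paths without spaces.

```shell
#!/bin/sh
# magento-fim.sh: added example, not from the original article or from Adobe.
# Usage:  ./magento-fim.sh baseline /var/www/magento /srv/fim/baseline.sha256
#         ./magento-fim.sh check    /var/www/magento /srv/fim/baseline.sha256
# Assumptions: GNU sha256sum/sort/comm, paths without spaces, and a baseline
# stored outside the webroot (ideally off-host) and rebuilt after every deploy.

# Paths that must only change on deployment. Runtime-written paths (var/,
# generated/, pub/media, pub/static, app/etc) are left out: Magento rewrites
# them itself and they would bury real alerts in noise.
FIM_WATCH=${FIM_WATCH:-"app/code app/design bin lib setup vendor pub/index.php composer.lock"}

# fim_baseline ROOT OUT: write "hash  path" lines for every watched file below ROOT.
fim_baseline() {
    root=$1; out=$2
    # shellcheck disable=SC2086  # FIM_WATCH is intentionally word-split
    ( cd "$root" && find $FIM_WATCH -type f -exec sha256sum {} + ) 2>/dev/null \
        | LC_ALL=C sort -k 2 > "$out"
}

# fim_check ROOT BASELINE: report MODIFIED / REMOVED / ADDED files.
# Prints nothing and returns 0 when the tree matches the baseline, returns 1 otherwise.
fim_check() {
    root=$1; base=$2
    cur=$(mktemp) || return 2
    fim_baseline "$root" "$cur"
    report=$(
        # 1. Modified or deleted: let sha256sum re-verify the baseline in place.
        #    GNU sha256sum prints "<path>: FAILED" for a changed file and
        #    "<path>: FAILED open or read" for one that no longer exists.
        ( cd "$root" && sha256sum -c --quiet "$base" 2>/dev/null ) | awk -F': ' '
            /: FAILED open or read$/ { print "REMOVED  " $1; next }
            /: FAILED$/              { print "MODIFIED " $1 }'
        # 2. Added: paths hashed now that the baseline never saw (web shells live here).
        awk '{print $2}' "$base" | LC_ALL=C sort > "$cur.old"
        awk '{print $2}' "$cur"  | LC_ALL=C sort > "$cur.new"
        LC_ALL=C comm -13 "$cur.old" "$cur.new" | sed 's/^/ADDED    /'
    )
    rm -f "$cur" "$cur.old" "$cur.new"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Dispatch only when invoked with a sub-command, so the functions can also be sourced.
case ${1:-} in
    baseline) fim_baseline "$2" "$3" ;;
    check)    fim_check    "$2" "$3" ;;
esac
```

Rebuild the baseline as the last step of every deployment, keep it off the server (an attacker who can write to the webroot can just as easily rewrite a baseline stored beside it), and run check from cron, paging on a non-zero exit. The same idea at larger scale is what AIDE or Tripwire provide; the point of the script is that the comparison is cheap enough to run every few minutes.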

Security checklist

Measure                  Priority     Status
Magento up-to-date       ⭐⭐⭐⭐⭐
Strong admin passwords   ⭐⭐⭐⭐⭐
2FA enabled              ⭐⭐⭐⭐
Custom admin URL         ⭐⭐⭐⭐
SSL/HTTPS                ⭐⭐⭐⭐⭐
Firewall active          ⭐⭐⭐⭐
Regular backups          ⭐⭐⭐⭐⭐
WAF                      ⭐⭐⭐

What to do after a hack

  1. Take the site offline - Enable maintenance mode or block it at the firewall to stop further damage (ongoing card skimming, data theft)
  2. Preserve evidence before changing anything - Copy web server, PHP and database logs, the admin_user table and the modified files with their timestamps; a full disk snapshot is best
  3. Restore from a clean backup - One from before the intrusion, not simply the latest: attackers often sit in a store for weeks before anyone notices
  4. Analyze the cause - How did they get in? An unpatched vulnerability, a stolen admin password, a malicious extension? Without the answer, the next step is guesswork
  5. Close the hole and rotate credentials - Patch, then change every admin password, the database password, API and integration tokens and the SSH keys, and revoke active admin sessions; assume anything readable from the server was taken
  6. Inform stakeholders - Customers, payment provider and, where required, the authorities: under the GDPR a personal data breach must be reported to the supervisory authority within 72 hours, and card data incidents fall under your PCI DSS obligations
