Magento security

Protect your Magento shop against hackers, fraud and malware. Practical tips and extension recommendations for maximum security.

12 essential Magento security tips

Implement these tips to make your Magento shop more secure immediately

1. Keep Magento up-to-date

Apply Magento releases, security-only patches and extension updates as soon as they are published, after a quick test on a staging copy. Subscribe to the Adobe security bulletins so you hear about a patch the day it appears. The vulnerabilities in outdated versions are public, and attackers scan for them automatically rather than by hand.

2. Change the admin URL

The default /admin path is the first thing every scanner tries. Set a unique front name via the frontName key under backend in app/etc/env.php, or with bin/magento setup:config:set --backend-frontname=<name>, then flush the cache. The CLI accepts only letters, digits and underscores, so pick something like admin_x7k9 rather than a hyphenated or guessable name (not your company name or the year). Treat this as obscurity that filters out noise, not as access control: it only works together with 2FA (tip 4) and IP restriction (tip 7), and the name must not leak through links, robots.txt or shared documents.

3. Use strong passwords

Minimum 14 characters, generated and stored by a password manager, and a different one for every admin account. Under Stores → Configuration → Advanced → Admin → Security, set an account lockout after a handful of failed logins and a password lifetime. Give every person their own account, so that actions in the admin are attributable and a departing employee can be removed without handing a new shared password around.

4. Enable Two-Factor Authentication

Magento 2.4 and later ships 2FA (the Magento_TwoFactorAuth module) and requires it for every admin user; the supported providers are Google Authenticator (TOTP), Authy, Duo Security and U2F hardware keys. With 2FA an attacker who leaks, guesses or phishes a password still cannot log in. Never disable the module to "save time" during a deployment, and prefer U2F keys where you can, because they are phishing-resistant.

5. Install a TLS (SSL) certificate

HTTPS is mandatory for webshops and for PCI-DSS. Certificates are free via Let's Encrypt. After installing one, set the secure base URL to https and force HTTPS under Stores → Configuration → General → Web → Base URLs (Secure): set "Use Secure URLs on Storefront" and "Use Secure URLs in Admin" to Yes, and enable HSTS so browsers never fall back to plain HTTP.

6. Make daily backups

If your shop gets hacked, a clean backup is the fastest way back. Back up the database and the files (at least app/etc/, app/code/, pub/media/ and your custom themes; vendor/ can be rebuilt with Composer) and store copies off-site, outside the web server's reach, so that an attacker who gets onto the server cannot delete or encrypt the backups as well. Test a restore regularly; an untested backup is a guess. And before restoring after an incident, find and close the way in, otherwise the restored shop is compromised again within days.

7. Restrict admin access by IP

Only allow requests for the admin path (the renamed front name from tip 2) from trusted addresses: your office IP, a VPN exit or a jump host. Do this in the web server configuration (.htaccess, an Apache <Location> block, or an nginx location with allow/deny) or at the firewall or WAF, and answer everyone else with 403 or 404. Remember that the admin is served through index.php, so match on the URL prefix, not on a physical directory.

8. Remove unused extensions

Every extension is third-party code that runs with your shop's privileges and needs patching. Remove what you don't actively use rather than disabling it: bin/magento module:disable leaves the code on disk and out of sight, where it still has to be tracked for vulnerabilities and is still there for an attacker with a foothold to abuse. For Composer-installed extensions use composer remove, then run bin/magento setup:upgrade.

9. Use a Web Application Firewall

A WAF such as Cloudflare or Sucuri filters attacks (SQL injection, scanners, credential stuffing) before they reach your server and absorbs DDoS traffic. One caveat that is often missed: a WAF only helps if the origin server cannot be reached directly. Firewall the server so that ports 80 and 443 accept connections only from the WAF provider's IP ranges; otherwise attackers simply look up your origin IP and bypass the WAF entirely.

10. Monitor security logs

Check var/log/system.log, var/log/exception.log and var/log/debug.log (if enabled) regularly, together with the web server's access and error logs; Adobe Commerce additionally has an admin actions log. Things to look for: repeated admin login attempts from one IP, requests for the old /admin path after you renamed it, new or unknown admin users, errors from code paths nothing in your shop should trigger, and 500 errors spiking after a deploy. Ship the logs to a monitoring tool that alerts you, because a log nobody reads protects nobody.
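The two access-log checks from this tip, password-guessing bursts against the admin path and probes for the default /admin path, as a small shell script. This is an added example and not code from the original page or from Magento; it assumes the admin front name has been changed to admin_x7k9, that the log is in Apache/nginx "combined" format, and that more than THRESHOLD POSTs to the admin path from one IP within the log you feed in is suspicious. The sample log lines it writes are constructed for the demo, not real traffic.

```shell
#!/bin/sh
# Added example, not from the original page: spot admin brute-force runs and
# probes for the default /admin path in a web server access log.
# Assumptions (not from the page): renamed admin front name admin_x7k9,
# "combined" log format, and THRESHOLD as the per-IP POST limit.

ADMIN_PATH="admin_x7k9"
THRESHOLD=10

# admin_post_counts LOGFILE FRONTNAME
# One line "<count> <ip>" per client IP that POSTed to /FRONTNAME/..., highest
# first. A failed login is a POST to the login page, so a burst of POSTs from
# one address is a password-guessing run.
admin_post_counts() {
  awk -v p="/$2/" '
    # combined format: $1 ip, $6 "\"METHOD", $7 path, $9 status
    $6 == "\"POST" && index($7, p) == 1 { n[$1]++ }
    END { for (ip in n) print n[ip], ip }
  ' "$1" | sort -rn
}

# flag_brute_force LOGFILE FRONTNAME THRESHOLD -> offending IPs, one per line
flag_brute_force() {
  admin_post_counts "$1" "$2" | awk -v t="$3" '$1 > t { print $2 }'
}

# default_admin_probes LOGFILE -> IPs that requested /admin after the front
# name was changed; nobody legitimate does that, so it is a clean signal of
# scanning that is worth blocking at the firewall
default_admin_probes() {
  awk '$7 ~ /^\/admin(\/|$)/ { print $1 }' "$1" | sort -u
}

# write_sample_log FILE: constructed log lines for the demo (not real data)
write_sample_log() {
  f=$1
  : > "$f"
  i=1
  while [ "$i" -le 12 ]; do   # 12 login attempts from one address
    printf '203.0.113.7 - - [12/Mar/2024:10:%02d:00 +0000] "POST /admin_x7k9/admin/index/index/ HTTP/1.1" 200 2134 "-" "python-requests/2.31"\n' "$i" >> "$f"
    i=$((i + 1))
  done
  cat >> "$f" <<'EOF'
198.51.100.20 - - [12/Mar/2024:09:58:11 +0000] "POST /admin_x7k9/admin/index/index/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2024:14:02:40 +0000] "POST /admin_x7k9/admin/index/index/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.99 - - [12/Mar/2024:11:20:05 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; scanner)"
192.0.2.99 - - [12/Mar/2024:11:20:06 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; scanner)"
192.0.2.99 - - [12/Mar/2024:11:20:07 +0000] "GET /administrator/ HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; scanner)"
198.51.100.77 - - [12/Mar/2024:12:00:00 +0000] "GET /men/tops.html HTTP/1.1" 200 45120 "-" "Mozilla/5.0"
EOF
}

# Usage: sh admin_watch.sh /var/log/nginx/access.log
if [ "$#" -ge 1 ]; then
  echo "Brute-force candidates (> $THRESHOLD POSTs to /$ADMIN_PATH/):"
  flag_brute_force "$1" "$ADMIN_PATH" "$THRESHOLD"
  echo "Probes for the default /admin path:"
  default_admin_probes "$1"
fi
```

Run it from cron over the last rotated log (or pipe the last hour through it) and feed the flagged IPs to your firewall or WAF block list. The threshold is deliberately simple; if your admins log in from a shared office IP, raise it or key the count on IP plus user agent.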

11. Disable developer mode on production

Developer mode prints stack traces, file paths and exception messages to the browser and disables static-file caching. Always run production mode: bin/magento deploy:mode:set production, and verify with bin/magento deploy:mode:show. Also make sure PHP's display_errors is off, so that an uncaught error never shows a visitor paths, queries or credentials.

12. Secure your database

Use a unique, generated password for the Magento database user, grant that user privileges only on the Magento database, bind MySQL to localhost (or a private network) and block port 3306 at the firewall so that only your web server can reach it. The credentials live in app/etc/env.php, so keep that file readable only by the deploy user and the web server group (see the file permissions section below). Encrypt the database backups, because the database contains customer personal data.

Recommended security extensions

These extensions strengthen your Magento shop security

MageSpecialist TwoFactorAuth

Free

Two-Factor Authentication for the admin panel. Supports Google Authenticator (TOTP), Authy, Duo Security and U2F hardware keys.

Merged into core as Magento_TwoFactorAuth in Magento 2.4.0, where it is enabled and mandatory by default; only Magento 2.3 shops still need to install it separately.

Amasty Security Suite

Paid

Complete security suite with malware scanning, firewall, brute force protection and activity logs.

~€200/year

Mageplaza Security

Paid

Security scanner, suspicious activity detector, login protection and file permission checker.

~€150/year

reCAPTCHA

Free

Google reCAPTCHA on the admin login, customer login, registration, contact and checkout forms. Stops bots from spamming forms and brute-forcing passwords. Built into Magento since 2.4 (the Magento_ReCaptcha modules, configured under Stores → Configuration → Security → Google reCAPTCHA Admin Panel / Storefront); on 2.3 install it from the Marketplace.

Magento Marketplace

Cloudflare

Free

Web Application Firewall, DDoS protection and TLS termination. The free plan gives you DDoS protection, TLS and a basic managed ruleset, which is enough for many small shops; the full managed WAF rules require a paid plan. On any plan, restrict your origin server to Cloudflare's IP ranges, otherwise the WAF can be bypassed by connecting to the origin directly.

cloudflare.com

Sucuri Security

Paid

Malware scanning, firewall, DDoS mitigation and incident response. Enterprise-level security.

From €200/year

PCI-DSS compliance for Magento

Processing credit card payments? Then PCI-DSS compliance is mandatory

PCI-DSS (Payment Card Industry Data Security Standard) is the card brands' set of security requirements for every company that stores, processes or transmits cardholder data, and it also covers the web page that hands the customer over to a payment provider. It is enforced through your acquiring bank rather than by law: if your webshop is not compliant you risk contractual fines that can exceed €50,000, liability for fraud losses after a breach, and ultimately losing the right to accept credit cards.

The 12 PCI-DSS requirements (titles as in PCI DSS v3.2.1; v4.0 keeps the same twelve areas with reworded titles):

  1. Install and maintain a firewall configuration
  2. Do not use default passwords and security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data over public networks
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data on need-to-know basis
  8. Assign unique IDs to everyone with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Test security systems and processes regularly
  12. Maintain an information security policy

Easiest solution: shrink your scope with a hosted payment gateway

Let Mollie, Stripe or Adyen handle the card data: the customer is redirected to the provider's page (or the card fields are rendered in the provider's iframe), and your server only ever receives a payment token or confirmation. Card numbers never touch Magento, so your obligation shrinks from a full audit to the shortest self-assessment questionnaire (SAQ A). It does not disappear: you are still responsible for the items on that questionnaire, above all keeping the checkout page that loads the redirect or iframe free of injected JavaScript (card skimmers planted in the checkout are a common Magento breach, and PCI DSS v4.0 requirements 6.4.3 and 11.6.1 ask you to inventory payment-page scripts and detect tampering), plus patching and restricting admin access. Never store card numbers or CVV anywhere in Magento, not in order comments, customer attributes or logs.

Correct file permissions

Wrong permissions are a major security risk

Recommended Magento permissions (two-user model: the files are owned by a deploy user, and the web server runs as a separate user that is only a member of the deploy user's group):

cd <magento_root>
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
find var generated pub/static pub/media app/etc -type d -exec chmod g+ws {} \;
find var generated pub/static pub/media app/etc -type f -exec chmod g+w {} \;
chown -R <deploy_user>:<web_server_group> .
chmod u+x bin/magento

These commands:

  • Directories: 755 (owner can do everything, others can read and execute)
  • Files: 644 (owner can read/write, others can only read)
  • var/, generated/, pub/static/, pub/media/ and app/etc/: additionally group-writable (775 / 664), with the setgid bit on directories so new files inherit the group. Because the web server user is in that group, Magento can write caches, generated code, media and configuration, while no other user or process on the host can
  • Ownership: the deploy user owns everything; the web server only gets access through the group. Replace <deploy_user> and <web_server_group> with your own (for example www-data on Debian/Ubuntu)
  • Magento CLI: executable for owner

Warning

Never use 777 (world-writable) anywhere in the Magento tree, not even on var/ or pub/media/. 777 lets every process on the server, including a PHP process compromised through another site or a low-privilege user, drop web shells into pub/media/ or edit the code in generated/. If Magento "cannot write" to a directory, the cause is ownership (the wrong user or group), not a missing world-writable bit. The root directory and app/etc/ must never be writable by anyone but the deploy user and, for app/etc/, the web server group, because app/etc/env.php holds the database credentials and the encryption key.
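An audit script for the permission model above, so that drift (a hurried chmod 777, a file uploaded as the wrong user, a missing execute bit) is caught before an attacker finds it. This is an added example, not code from the original page or from Magento; it assumes the directories Magento must write to are exactly var, generated, pub/static, pub/media and app/etc, and it only inspects permission bits, not ownership, which you should check separately with ls -ld. The make_fixture function builds a constructed Magento-like tree with deliberate mistakes for the demo; it is not a real installation.

```shell
#!/bin/sh
# Added example, not from the original page: audit a Magento root for
# permission drift against the two-user model. Assumption (not from the page):
# the directories Magento must write to are exactly those in WRITABLE_DIRS.
# Add vendor/ if you run composer on the server as a different user.

WRITABLE_DIRS="var generated pub/static pub/media app/etc"

# audit_perms ROOT -> prints one "KIND path" line per finding, relative to ROOT.
#   WORLD_WRITABLE      o+w set on anything in the tree (the 777 anti-pattern)
#   GROUP_WRITABLE      g+w set outside the directories Magento must write to
#   NOT_GROUP_WRITABLE  a directory under WRITABLE_DIRS that the web server
#                       group cannot write to (cache/static deploy will fail)
#   CLI_NOT_EXECUTABLE  bin/magento is missing the owner execute bit
audit_perms() {
  (
    cd "$1" || exit 1
    # 1. anything world-writable, anywhere in the tree
    find . ! -type l -perm -002 -print | sed 's/^/WORLD_WRITABLE /'
    # 2. group-writable entries outside the writable directories;
    #    the writable directories themselves are pruned from the walk
    prune=""
    for d in $WRITABLE_DIRS; do
      if [ -z "$prune" ]; then prune="-path ./$d"; else prune="$prune -o -path ./$d"; fi
    done
    # $prune is built from the controlled list above, so word splitting is intended
    find . \( $prune \) -prune -o ! -type l -perm -020 -print \
      | sed 's/^/GROUP_WRITABLE /'
    # 3. writable directories that the group cannot write to
    for d in $WRITABLE_DIRS; do
      if [ -d "$d" ]; then
        find "./$d" -type d ! -perm -020 -print | sed 's/^/NOT_GROUP_WRITABLE /'
      fi
    done
    # 4. owner execute bit on the CLI entry point
    if [ -f bin/magento ] && [ -z "$(find bin/magento -perm -100)" ]; then
      echo "CLI_NOT_EXECUTABLE ./bin/magento"
    fi
  )
}

# make_fixture DIR: constructed Magento-like tree with deliberate mistakes,
# used only for the demo below (not a real installation)
make_fixture() {
  d=$1
  mkdir -p "$d/app/etc" "$d/var/cache" "$d/generated" "$d/pub/static" \
           "$d/pub/media" "$d/vendor/lib" "$d/bin"
  for f in app/etc/env.php app/etc/config.php pub/media/logo.png \
           vendor/lib/Foo.php vendor/lib/Evil.php bin/magento; do
    : > "$d/$f"
  done
  find "$d" -type d -exec chmod 755 {} \;
  find "$d" -type f -exec chmod 644 {} \;
  chmod 775 "$d/app/etc" "$d/var" "$d/pub/static" "$d/pub/media"  # correct
  chmod 664 "$d/app/etc/env.php" "$d/pub/media/logo.png"          # correct
  chmod 777 "$d/var/cache"            # mistake: world-writable cache directory
  chmod 666 "$d/app/etc/config.php"   # mistake: world-writable configuration
  chmod 664 "$d/vendor/lib/Evil.php"  # mistake: group-writable outside the list
  chmod 755 "$d/generated"            # mistake: generated/ not writable by the group
  # bin/magento is left at 644: mistake, the CLI is not executable
}

# Usage: sh audit_perms.sh /var/www/magento   (exit status 1 if anything is found)
if [ "$#" -ge 1 ]; then
  out=$(audit_perms "$1")
  if [ -n "$out" ]; then printf '%s\n' "$out"; exit 1; fi
  echo "OK: no permission findings under $1"
fi
```

Run it after every deploy and from cron; a non-empty result is a deploy bug or an intrusion, and either one deserves a look before it is "fixed" with another chmod.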


Choose hosting with built-in security

Some Magento hosting providers offer managed security, malware scanning and automatic patches.