Magento stores are high-value targets. They process payments, store customer data, and often run on shared infrastructure. A compromised store means payment card theft, data breaches, and regulatory fines.
This checklist covers the most impactful security hardening steps for a production Magento 2 store.
1. Change the admin URL
The default admin URL /admin is targeted by automated scanners within hours of a store going live. Change it to something non-obvious:
bin/magento setup:config:set --backend-frontname="your_secret_admin_path"
bin/magento cache:flush
Or in app/etc/env.php:
'backend' => ['frontName' => 'your_secret_path'],
Use something random and non-guessable. Not /manager, /backend, or /store-admin.
2. Enable two-factor authentication
Magento 2.4+ ships with 2FA built in. Enable it and enforce it for all admin users:
bin/magento module:enable Magento_TwoFactorAuth
bin/magento setup:upgrade
Supported authenticators: Google Authenticator, Authy, Duo Security, U2F.
Do not turn 2FA off to accommodate headless (API) admin access; restrict that access by IP instead (section 8 covers the nginx rule). To require one specific provider for every admin user:
bin/magento config:set twofactorauth/general/force_providers "google"
3. File permissions
Magento's recommended file permissions (the group bits assume the web server user and your CLI/deploy user share a group):
# Directories
find var generated vendor pub/static pub/media app/etc -type d -exec chmod 770 {} +
# Files
find var generated vendor pub/static pub/media app/etc -type f -exec chmod 660 {} +
# bin/magento
chmod 770 bin/magento
# Never allow write on app/code
find app/code -type f -exec chmod 640 {} +
find app/code -type d -exec chmod 750 {} +
Critical: app/etc/env.php contains database credentials. Ensure it's not world-readable:
chmod 640 app/etc/env.php
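An added check, not part of the original checklist and not a Magento tool, that verifies the policy above after the chmod commands have run: it walks the store root and reports world-writable files, group-writable files under app/code, and a world-readable app/etc/env.php. The demo builds a constructed temporary tree with deliberate violations.

```python
import os
import stat
import tempfile

def audit_permissions(root):
    """Return a sorted list of (relative_path, problem) tuples that violate the
    policy above: no world-writable files anywhere, no group-writable files under
    app/code (640/750), and app/etc/env.php must not be world-readable."""
    problems = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & stat.S_IWOTH:
                problems.append((rel, "world-writable"))
            if rel.startswith("app/code/") and mode & stat.S_IWGRP:
                problems.append((rel, "group-writable under app/code"))
            if rel == "app/etc/env.php" and mode & stat.S_IROTH:
                problems.append((rel, "env.php is world-readable"))
    return sorted(problems)

def demo():
    """Constructed sample store tree (not a real Magento install) with violations."""
    root = tempfile.mkdtemp()
    layout = {                                  # relative path -> mode to set
        "app/etc/env.php": 0o644,               # wrong: world-readable
        "app/code/Acme/Shop/Block.php": 0o664,  # wrong: group-writable
        "app/code/Acme/Shop/Helper.php": 0o640, # correct
        "pub/media/logo.png": 0o666,            # wrong: world-writable
        "var/log/system.log": 0o660,            # correct
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("x\n")
        os.chmod(path, mode)
    return audit_permissions(root)

if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{problem}: {rel}")
```

Point audit_permissions at the real store root (as the user that owns the files) to get a list that should be empty; run it again after every deploy, since deploy tooling often resets modes.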
4. Disable directory listing
In your nginx config:
autoindex off;
Or in Apache .htaccess:
Options -Indexes
Directory listing exposes your file structure to attackers.
5. Content Security Policy headers
Magento 2.4+ has CSP support. Enable report-only mode first to find violations without breaking your store:
bin/magento config:set csp/mode/storefront/report_only 1
bin/magento config:set csp/mode/admin/report_only 1
Configure your CSP whitelist in Admin → Security → Content Security Policy. Add your analytics, payment processor, and CDN domains.
Once violations are resolved, switch to enforce mode:
bin/magento config:set csp/mode/storefront/report_only 0
6. Security headers
Add these to your nginx config:
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
# Only once CSP is configured
# add_header Content-Security-Policy "..." always;
7. Keep Magento patched
Magento releases security patches regularly. Subscribe to the Magento security alert RSS feed and the Adobe security bulletin.
# Check current version
bin/magento --version
# Check for available updates
composer outdated magento/*
Apply security patches within 2 weeks of release. Critical patches within 48 hours.
8. Restrict admin access by IP
If your team accesses admin from predictable IPs, whitelist them at the nginx level:
location ~* ^/your_admin_path {
    allow 1.2.3.4;   # office IP
    allow 5.6.7.8;   # developer IP
    deny all;
    try_files $uri $uri/ /index.php$is_args$args;
}
This stops brute-force admin attacks even if the attacker knows your admin URL.
9. Disable unused payment methods and modules
Every enabled payment method is potential attack surface. Disable anything you don't use:
bin/magento module:disable Magento_Paypal
bin/magento module:disable Magento_Braintree
# etc.
bin/magento setup:upgrade
10. Monitor for malware
Magento stores are targeted by card-skimming malware (Magecart attacks). Malware is typically injected into:
- JavaScript files in pub/static/
- PHP files in app/code/ or templates
- Database (inline scripts in CMS blocks or product descriptions)
Set up file integrity monitoring:
# Create a baseline hash of all PHP files (sorted so the order is stable between runs)
find app/code vendor/magento -name "*.php" -exec md5sum {} \; | sort > /var/integrity/baseline.txt
# Run daily and alert on changes: ">" lines are new or modified files, "<" lines are deleted ones
find app/code vendor/magento -name "*.php" -exec md5sum {} \; | sort | diff /var/integrity/baseline.txt - | grep "^[<>]"
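An added file-integrity monitor, not the post's one-liner and not a Magento tool, that does what the find/md5sum pipeline above does but with SHA-256, a JSON baseline, and a report that separates added, removed and modified files. The watched paths and extensions follow the post; the demo tree is constructed.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

WATCHED = ("app/code", "vendor/magento", "pub/static")  # paths to baseline
EXTS = (".php", ".phtml", ".js")                       # code that skimmers modify

def hash_tree(root):
    """Return {relative_path: sha256} for every watched file under root."""
    digests = {}
    for sub in WATCHED:
        for dirpath, _dirs, files in os.walk(os.path.join(root, sub)):
            for name in files:
                if name.endswith(EXTS):
                    path = os.path.join(dirpath, name)
                    with open(path, "rb") as fh:
                        digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def write_baseline(root, baseline_file):
    with open(baseline_file, "w") as fh:
        json.dump(hash_tree(root), fh, indent=1, sort_keys=True)

def compare(root, baseline_file):
    """Report added, removed and modified files relative to the saved baseline."""
    with open(baseline_file) as fh:
        baseline = json.load(fh)
    current = hash_tree(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }

def demo():
    """Constructed sample tree: take a baseline, then simulate tampering."""
    root = Path(tempfile.mkdtemp())
    mod = root / "app" / "code" / "Acme" / "Shop"
    mod.mkdir(parents=True)
    (mod / "Block.php").write_text("<?php class Block {}\n")
    (mod / "Old.php").write_text("<?php\n")
    baseline = root / "baseline.json"      # in practice, keep the baseline off-host
    write_baseline(root, baseline)
    (mod / "Block.php").write_text("<?php class Block { /* appended */ }\n")  # modified
    (mod / "Loader.php").write_text("<?php\n")                                 # added
    (mod / "Old.php").unlink()                                                 # removed
    return compare(root, baseline)
```

Refresh the baseline after every deploy (setup:static-content:deploy rewrites pub/static) and keep the baseline file off the web host so an intruder cannot rewrite it along with the code.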
For database-injected malware, scan CMS blocks and product descriptions weekly:
SELECT * FROM cms_block WHERE content LIKE '%<script%' AND content NOT LIKE '%requirejs%';
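An added scanner, not from the original post and not a Magento tool, that triages rows pulled with the query above (and the equivalent query over catalog_product_entity_text, where product descriptions live). Unlike the SQL, which skips a whole block as soon as the word requirejs appears anywhere in it, this checks each script tag individually and separates inline scripts from external ones loaded from hosts outside an allowlist. The sample rows are constructed.

```python
import re
from urllib.parse import urlparse

# Matches a complete <script ...>...</script> element, case-insensitively, across lines.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""(?<![\w-])src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

def find_suspect_scripts(rows, allowed_hosts=()):
    """rows: iterable of (identifier, html) taken from cms_block.content or product
    descriptions. Returns (identifier, kind, detail) for every script tag that is
    neither Magento's requirejs loader nor an external script from an allowed host."""
    findings = []
    for ident, html in rows:
        for tag in SCRIPT_RE.findall(html or ""):
            if "requirejs" in tag.lower():       # same exclusion as the SQL above, per tag
                continue
            src = SRC_RE.search(tag)
            if src is None:
                findings.append((ident, "inline", tag[:60]))
            elif (urlparse(src.group(1)).hostname or "") not in allowed_hosts:
                findings.append((ident, "external", src.group(1)))
    return findings

# Constructed sample rows, not real store content.
SAMPLE_ROWS = [
    ("footer_links", "<p>Contact us</p>"),
    ("home_hero", "<script>requirejs(['jquery'], function ($) { $('.hero').show(); });</script>"),
    ("promo_banner", '<div>Sale</div><SCRIPT src="https://static.example-cdn.invalid/tracker.js"></SCRIPT>'),
    ("about_us", "<p>About</p>\n<script>\nvar q = 1;\n</script>"),
]

if __name__ == "__main__":
    for ident, kind, detail in find_suspect_scripts(SAMPLE_ROWS):
        print(f"{ident}: {kind} script -> {detail!r}")
```

Pass the hostnames of your own CDN, analytics and payment scripts as allowed_hosts and review everything that remains; every inline script in a CMS block or product description deserves a look, because content editors rarely need to write JavaScript.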
11. Secure env.php
app/etc/env.php contains your database password, Redis password, and encryption key. Never commit it to version control:
echo "app/etc/env.php" >> .gitignore
Use environment variables or a secrets manager for CI/CD pipelines:
export DB_PASSWORD=$(aws secretsmanager get-secret-value --secret-id prod/magento/db --query SecretString --output text | jq -r .password)
Security audit checklist
- [ ] Admin URL changed from /admin
- [ ] 2FA enabled for all admin users
- [ ] File permissions set correctly
- [ ] env.php not world-readable, not in git
- [ ] Directory listing disabled
- [ ] Security headers configured (X-Frame-Options, X-Content-Type-Options)
- [ ] CSP in report-only mode (working toward enforce)
- [ ] Admin IP restriction (if team has static IPs)
- [ ] Unused modules and payment methods disabled
- [ ] File integrity monitoring running
- [ ] On latest Magento security patch
- [ ] SSL/TLS 1.3 enabled, TLS 1.0/1.1 disabled
Security is never "done" — it's an ongoing process. Schedule a quarterly security review against this checklist.
Originally published on magevanta.com