Magento security checklist to protect your store
Key takeaways
- Magento security is ongoing maintenance, not a one-time setup.
- Admin access, 2FA, permissions, patches, and extensions should stay high on your checklist.
- Backups, logs, scans, broken links, and cache health help keep your store stable.
- Security depends on Magento, extensions, hosting, and your recovery plan working together.
Like any complex piece of software, Magento requires a bit of maintenance every now and again. As your store evolves and your business grows, new products and customer accounts are created and deleted, extensions and themes are installed or modified, and the general day-to-day operations of the store leave their mark.
Diligently maintaining your store will ensure that it remains secure, fast, and reliable as the years go by. In this article, we’re going to focus on some of the most common tasks that Magento store owners should add to their to-do lists.
Host Magento at full throttle.
Get secure, reliable Magento hosting so you can scale faster.
1. Keep Magento updated and apply security patches
Adobe Commerce security patch release notes provide information about security improvements for supported versions of Adobe Commerce, including security bug fixes, security enhancements, known issues, and patch instructions. Store owners should also monitor the Magento Security Center, which publishes details about patches as they’re released.
Review those notes regularly and test patches in staging before applying them to production.
Security patch maintenance should include:
- Reviewing Adobe security patch notes and bulletins
- Testing patches in staging
- Applying security patches promptly after testing
- Checking extension compatibility before updates
- Keeping Magento, PHP, database, search, and other dependencies aligned with current requirements
2. Secure Magento admin access
Admin access is one of the most important areas to protect. A compromised admin account can expose orders, customer data, catalog data, configuration settings, and payment-related workflows.
Add these admin security tasks to your checklist:
- Use a unique admin URL
- Enforce 2FA for admin users
- Avoid shared admin accounts
- Use strong password policies
- Restrict admin access by IP or VPN when appropriate
- Remove inactive users
- Review admin login activity
3. Review user roles and permissions
Review permissions after staff changes, agency changes, new integrations, major site updates, or operational changes. Keep access aligned with each person’s actual responsibilities.
4. Audit third-party extensions and custom code
Extensions can add useful functionality, but they can also create security and performance risks if they’re outdated, poorly maintained, or no longer needed.
Review your extensions regularly:
- Remove unused extensions
- Update active extensions
- Review vendor reputation and update history
- Check compatibility before Magento upgrades
- Avoid modifying core Magento files
- Test extension updates in staging
For higher-risk stores, file integrity checks can also help identify unauthorized changes to core files or custom code.
5. Enforce HTTPS and SSL site-wide
HTTPS helps protect data moving between your store and customer browsers, especially on login, cart, checkout, and account pages.
Review your HTTPS setup regularly:
- Use a valid SSL certificate
- Force HTTPS across the full site
- Redirect HTTP pages to HTTPS
- Check for mixed-content warnings
- Review HSTS if your team has configured it correctly
Encrypted connections help protect checkout data in transit. Payment gateways, patching, hosting security, and access controls also play important roles in safer checkout operations.
6. Use a web application firewall and network protection
A web application firewall can help filter malicious traffic before it reaches your Magento store. It can also help block common exploit attempts, suspicious traffic patterns, and unwanted automated activity.
Network protection may include:
- WAF rules for ecommerce traffic
- Firewall rules
- DDoS protection
- Rate limiting for suspicious activity
- Restricted backend access where appropriate
7. Review file permissions and server hardening
Magento security also depends on server configuration and file system access.
Review these server-level tasks with your hosting or development team:
- Restrict write access where possible
- Avoid giving the web server unnecessary access to core application files
- Review PHP execution rules
- Secure SSH and SFTP access
- Disable unused services
- Keep server packages patched
These tasks help reduce the damage an attacker can do if one part of the environment becomes exposed.
8. Set up automated backups and test restores
If your Magento store is compromised by bad actors or damaged by human error, a recent backup can make recovery much more manageable. Without one, recovery can be slow, expensive, and disruptive.
Magento 2 has a built-in backup system that you will find in the dashboard under System > Tools > Backups. You can choose to back up the whole store with System Backup, the database and media, or just the database.
It’s a good idea to perform regular system backups and to move the resulting files off your Magento server to a safe location.
Backups should include code, database, media, and important configuration details. Store them somewhere safe, follow retention rules, and test restores regularly.
9. Use Magento Security Scan Tool and malware monitoring
Adobe Commerce Security Scan can help monitor Adobe Commerce and Magento Open Source sites for known security risks, malware, and security notifications. Adobe also documents the Security Scan Tool as a way to review scan reports and manage scan failures.
Use scanning as part of a broader monitoring plan:
- Run regular security scans
- Review malware or skimmer alerts
- Investigate scan failures
- Track false positives carefully
- Escalate suspicious results to your hosting or development team
Security scans don’t replace patching, backups, or access control, but they can help identify issues earlier.
10. Monitor logs and admin activity
Magento logs information about what happens on a store in the database, including customer activity, orders, visits, and more. That information can be very useful, but the logs grow over time and can take up a lot of space and degrade database performance.
Magento can automatically remove stale logs, but this capability is turned off by default.
Logs can also help teams find unusual behavior, failed logins, repeated errors, and possible compromise indicators.
Review:
- Admin activity
- Failed login attempts
- Magento logs
- PHP error logs
- Web server logs
- Security scan alerts
- Sudden traffic or error spikes
Keep log rotation on your maintenance list so log files don’t grow unchecked or hurt performance.
11. Find and fix 404 errors
404 is the HTTP response code that web servers send to browsers when they can’t find the requested resources. Over time, you will move or delete product and content pages from your Magento store. If you aren’t careful, links from other pages on your store will be broken, resulting in 404 errors when shoppers try to visit them.
404 errors create a poor user experience and too many can have a negative impact on a store’s standing in search results. It’s a good idea to regularly use a tool like Screaming Frog’s Broken Link Checker to find and fix any 404 errors on your store.
404s aren’t always security issues, but they do affect store health. Unusual 404 patterns may also point to bots, scanners, or attempted access to sensitive paths.
12. Clean cache, generated files, and image cache carefully
Magento caches product images in a dedicated cache. The Catalog Image Cache can sometimes become very large over time as new products are added and old products are deleted. Flushing the cache, removing the images, can free a large amount of disk space.
You will find the cache controls in the Magento 2 admin menu under System > Cache Management. At the bottom of the Cache Management page is a button that will flush the Catalog Image Cache.
If you choose to flush the Catalog Image Cache in this way, there is likely to be a performance impact as Magento regenerates the cache of existing product images.
Cache maintenance can help after updates, theme changes, product changes, or image updates. Plan cache flushing carefully on busy stores because Magento may need to rebuild cached assets after the flush.
13. Protect staging and development environments
Staging and development environments can expose data, admin pages, old code, or test credentials if they’re ignored.
Review these tasks:
- Require authentication
- Avoid real customer data when possible
- Keep staging patched
- Block indexing
- Limit access
- Remove old test environments
- Avoid reusing production credentials
A neglected staging site can become a security risk, even if the production store looks well-maintained.
14. Review PCI and checkout security
Checkout security involves more than SSL. Payment gateways, PCI scope, hosting security, admin access, secure integrations, and patching all help protect checkout operations.
Review checkout-related security regularly:
- Confirm payment integrations are supported and updated
- Review admin users with access to order and payment-related workflows
- Keep checkout extensions updated
- Test checkout after patches and extension updates
- Review PCI responsibilities with your payment and hosting providers
15. Create an incident response checklist
Every Magento team should know what to do if something looks wrong.
A simple response checklist can include:
- Take the site or affected feature out of active use when needed
- Preserve logs and evidence
- Run security scans
- Review admin accounts and recent changes
- Contact hosting, support, and development teams
- Restore from a verified clean backup when appropriate
- Patch the issue before reopening affected workflows
- Document what happened and what changed
A simple incident response checklist helps your team move quickly, contact the right people, save important details, and recover safely when something looks wrong.
Suggested Magento security maintenance cadence
| Cadence | Magento security maintenance tasks |
| Daily or ongoing | Monitor uptime and security alerts; review critical errors; watch for suspicious admin login activity; confirm backups completed |
| Weekly | Review logs and scan results; check failed jobs, cron issues, and checkout errors; review 404 patterns and broken links; confirm cache and image behavior looks healthy |
| Monthly | Review admin users and permissions; audit active extensions; check for Magento and extension updates; test key transactional flows; review backup restore readiness |
| Quarterly or after major changes | Test a full restore; review server and firewall rules; run deeper extension and code reviews; review PCI and checkout-related workflows; reassess staging and development access |
Magento security FAQs
Magento security next steps
Magento security is ongoing store maintenance. Patches, admin controls, backups, scans, logs, extension reviews, hosting security, and recovery planning work together to keep the store running.
Start by checking admin access, 2FA, patch status, extension updates, backups, and Security Scan results before moving into deeper server and recovery planning.
Magento security works best when the store runs on a stable hosting foundation with support for performance, backups, monitoring, and recovery. Liquid Web Magento hosting gives ecommerce teams the performance, support, and reliability they need to keep Magento stores running with confidence. Explore Liquid Web Magento hosting to find the right fit.
Ready to get started?
Get the fastest, most secure Magento hosting on the market
Additional resources
Magento admin training: top 5 online resources →
Get Magento admin training to manage your store with confidence.
Magento extensions: a complete beginner’s guide →
Enhance your Magento store with powerful extensions.
Benefits of Magento for your ecommerce business →
Discover the benefits of Magento for growing ecommerce businesses.