◦ Comprehensive security
◦ 24/7 support
Magento Guide → Security
Magento security guide: 11 best practices
Magento is a powerful ecommerce platform, but its popularity also makes it a prime target for hackers. If you’re not actively securing your store, you could be exposing sensitive customer data, payment info, and your business reputation to serious risks.
Here’s how to tighten security and protect what matters.
Host Magento at full throttle.
Get secure, reliable Magento hosting so you can scale faster.
Why Magento security matters
Ecommerce stores deal with personal data, credit card details, and account credentials daily. That makes them a high-value target for attackers looking to steal data or inject malware.
Even a small vulnerability, like an outdated extension, can be enough to give bad actors access to your store. Once inside, attackers can deface your site, steal payment data, or install code that secretly skims customer information.
Worse, Google may blacklist your store, or you could face fines for violating PCI-DSS compliance rules. Security isn’t just a best practice—it’s a business necessity.
1. Keep Magento and extensions updated
Magento regularly releases updates that patch known vulnerabilities. Skipping these updates is like leaving your front door unlocked. Hackers are constantly scanning for unpatched Magento sites, and once they find one, they can exploit it to take control of your store.
How to update Magento and extensions:
- Back up your store before any update—this includes files and the database.
- Log in to your Magento admin panel and check for version updates under System > Web Setup Wizard (Magento 2.3 and earlier) or use Composer for Magento 2.4+.
- To update using Composer, access your server via SSH and run:
composer require magento/product-community-edition 2.4.x –no-update
composer update
bin/magento setup:upgrade
bin/magento cache:flush - To update extensions, run:
composer update vendor/extension-name - After the update, test your store thoroughly to catch any broken features or layout issues.
2. Use strong admin credentials and change the URL
Default usernames and predictable login URLs are easy targets. Many automated bots constantly scan for /admin and try weak passwords like admin123. Using a strong username and password, and changing the admin path, makes it significantly harder for bots to break in.
How to strengthen admin access:
- In the Magento admin panel, go to System > Permissions > All Users. Edit each user to use a strong, unique username (not “admin”) and a password with 12+ characters, including upper/lowercase letters, numbers, and symbols.
- To change the admin URL, edit the env.php file in app/etc/. Find the line:
‘backend’ => [‘frontName’ => ‘admin’],
and replace ‘admin’ with something like ‘securepanel983’. Save and flush the cache - Always use a password manager to generate and store your credentials securely.
3. Enable two-factor authentication (2FA)
Two-factor authentication (2FA) adds a second login step, usually a time-based code from an app. Even if someone steals your password, they can’t log in without the 2FA code. Magento 2.4+ includes native 2FA for the admin panel.
How to enable 2FA in Magento:
- From the admin panel, go to Stores > Configuration > Security > 2FA.
- Choose the 2FA provider (e.g., Google Authenticator, Duo Security).
- Set it to “Enabled” and select which user roles must use it.
- When logging in, users will be prompted to scan a QR code with an app like Google Authenticator.
- After setup, log in with both your password and the time-based code.
4. Use HTTPS and an SSL certificate
HTTPS encrypts the data your users send to your site—like passwords, addresses, and payment info. Without it, this data can be intercepted by attackers. HTTPS also boosts SEO and builds trust with customers who expect the padlock icon.
How to force HTTPS in Magento:
- Buy or get a free SSL certificate from your hosting provider and install it.
- In the Magento admin panel, go to Stores > Configuration > Web > Base URLs and Base URLs (Secure).
- Change the URLs from http:// to https://.
- Set “Use Secure URLs on Storefront” and “Use Secure URLs in Admin” to “Yes.”
- Flush the Magento cache: bin/magento cache:flush.
5. Set correct file and folder permissions
Magento’s file and folder permissions control what users and scripts can modify. If your permissions are too loose, attackers could upload malicious files or overwrite your code.
How to set proper permissions:
- Connect to your server via SSH.
- Navigate to your Magento root directory.
- Run:
find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;
chmod 600 app/etc/env.php
chmod 600 app/etc/config.php
Never use chmod 777 on any production file or folder.
After deployment, consider setting app/etc to read-only:
chmod -R 400 app/etc
6. Disable directory indexing
Directory indexing exposes a list of files in your folders when no index file exists. This can reveal sensitive paths, logs, or backup files to hackers.
How to disable directory indexing:
- If you use Apache, edit the .htaccess file in your root directory.
- Add or update this line:
Options -Indexes - If using NGINX, modify your server block config to include:
autoindex off; - Restart your web server to apply changes:
- Apache: sudo systemctl restart apache2
- NGINX: sudo systemctl restart nginx
7. Use a web application firewall (WAF)
A WAF blocks malicious traffic before it reaches your Magento application. It filters out known exploits, bad bots, and attack patterns like SQL injection or cross-site scripting.
How to set up a WAF:
- Choose a cloud WAF provider like Cloudflare, Sucuri, or Astra.
- Point your domain’s DNS to the WAF provider so all traffic goes through it.
- Enable ecommerce-specific rulesets provided by your WAF.
- Turn on logging and alerts so you can review suspicious traffic.
8. Limit admin access by IP
By restricting access to your admin panel to specific IP addresses, you can prevent unauthorized access even if someone knows your login URL.
How to restrict admin access by IP:
If you use Apache, edit the .htaccess file in the admin directory:
<Limit GET POST>
order deny,allow
deny from all
allow from 123.45.67.89
</Limit>
For NGINX, edit your site config:
location /securepanel983/ {
allow 123.45.67.89;
deny all;
}
Restart your web server after saving changes.
9. Regularly back up your Magento store
Backups help you recover from ransomware, hacks, or even human error. Without a backup, you may lose everything—or be forced to rebuild your site from scratch.
How to back up your Magento site:
- Use your hosting control panel or SSH to create a backup of your site files and database.
For file backups, run:
tar -czvf magento-files-backup.tar.gz /path/to/magento
For the database, run:
mysqldump -u db_user -p db_name > magento-db-backup.sql - Store your backups offsite (like AWS S3 or another server).
- Automate backups with a cron job or use a managed hosting service that offers daily backups.
10. Monitor logs and use security scanning tools
Attackers often leave clues in your logs—repeated failed login attempts, unfamiliar IPs, or strange URL requests. Regular monitoring lets you spot and stop attacks early.
How to monitor and scan for threats:
- Use Magento’s built-in logs: var/log/system.log and var/log/exception.log.
- Enable the Magento Security Scan Tool from your Adobe Commerce account.
- Install a file integrity scanner like Tripwire or AIDE.
- Consider third-party services like Detectify, Patchstack, or Sucuri for malware scanning.
11. Choose a secure Magento hosting provider
Your Magento hosting environment directly affects your store’s security. A good host will offer built-in firewalls, malware scanning, and prompt patching—saving you from having to handle it all yourself.
What to look for in a Magento host:
- Hosting infrastructure built for Magento (Varnish, Redis, PHP tuning).
- Proactive malware monitoring and automated backups.
- Firewall and DDoS protection.
- 24/7 support with Magento expertise.
- PCI-compliant hosting environment.
If you’re on shared hosting or a generic VPS, consider switching to managed Magento hosting to reduce risk and improve performance.
Next steps for Magento security
Magento security is ongoing, not a one-time setup. Following these best practices will protect your store, your customers, and your revenue long-term.
Start by running a Magento Security Scan and reviewing your admin panel for out-of-date software or unpatched modules.
Ready to upgrade your Magento experience? Professional hosting improves speeds, security, and reliability for a website and a brand that people find engaging and trustworthy.
Liquid Web offers the raw infrastructure power you need with mission-critical features that keep your store running smoothly. Most importantly, our in-house Magento experts are standing by to help with both hosting and Magento application roadblocks.
Click through below to explore all of our Magento hosting options, or chat with an expert right now to get answers and advice.
Ready to get started?
Get the fastest, most secure Magento hosting on the market
Additional resources
What is Magento Ecommerce? →
A complete beginner’s guide to the Magento Ecommerce platform
Magneto vs. WordPress →
Compare pricing, hosting, security, SEO, and a lot more
Best Magento ERP extensions →
Our top 10 compared so you can decide which is best for your business
