Table of contents

What is a Magento security patch?Types of Magento patchesHow to checkHow to installPost-installation checksBest practicesMagento patchingWhy is it important?FAQHow to get started

Get the industry’s most secure Magento hosting◦ 100% network uptime
◦ Comprehensive security
◦ 24/7 support

Magento Guide → Security → Patch

Magento security patch: What it is and how to install it

Magento stores are constantly under attack from bots, brute-force attempts, and zero-day exploits. Adobe releases security patches to fix vulnerabilities and protect your data—but many store owners don’t install them until it’s too late.

Let’s walk through what a Magento security patch is, how to apply one correctly, and why skipping a patch could leave your store wide open.

Host Magento at full throttle.

Get secure, reliable Magento hosting so you can scale faster.

Magento hosting

What is a Magento security patch?

A Magento security patch is a software update that addresses known vulnerabilities in the Magento core code. These patches are released by Adobe and can fix everything from cross-site scripting (XSS) flaws to remote code execution (RCE) issues.

Unlike full version upgrades, security patches are lightweight and focused. They don’t change your site’s layout or add new features; they simply harden your store against threats.

If your Magento store handles customer data, payments, or login credentials, keeping up with these patches is essential. Security patches also help you stay PCI DSS compliant and reduce the risk of a breach that could damage your reputation and revenue.

Types of Magento patches

Magento patches come in several forms, but not all of them are related to security. Here’s how to tell the difference:

Security patches: These fix critical vulnerabilities and are often labeled with names like SUPEE-11346 or PRODSECBUG. They’re the focus of this guide.
Quality patches: These correct bugs and issues in the Magento admin, B2B module, Page Builder, or inventory management. Adobe releases these through the Quality Patches Tool (QPT).
Custom patches: These come from third-party developers or hosting providers. You may need these to fix issues specific to your store setup.

When Adobe releases a security patch, it’s often available in both standalone form (for manual application) and bundled into a minor version update. If you’re not ready to upgrade Magento entirely, applying the patch alone is the next best step.

How to check if your Magento store needs a patch

Before installing anything, you’ll want to confirm whether your store already has the patch applied or whether it’s vulnerable.

Here are three ways to check:

View your current Magento version: Log into your Magento Admin Panel and scroll to the bottom of any page. You’ll see something like “Magento 2.4.7-p1.” Make a note of it.
Use the Magento Security Scan Tool: Adobe offers a free scanner at securityscan.magento.com. Register your site, verify ownership, and run the scan to see if patches are missing.
Use third-party security tools: Tools like MageReport.com and MGT’s Magento Security Tool can quickly detect if your site is missing key patches.

If your store is flagged for a known vulnerability, don’t wait. Proceed to install the patch or contact your developer to help.

How to install a Magento security patch (step-by-step)

Installing a patch may sound intimidating, but you can do it safely by following these steps. You’ll need SSH access and basic command line knowledge.

Backup options not showing in Admin Panel:

Go to Stores > Configuration > Advanced > System > Backup Settings and set Enable Backup to “Yes.”

1. Back up your site

Never apply a patch without a full backup. This includes:

All Magento files and directories
The entire database

Use your hosting panel or a command-line tool like mysqldump to create the backup. This gives you a rollback option if something breaks.

2. Put the site in maintenance mode

Maintenance mode prevents visitors from seeing a broken site during the patching process. To enable it, run this SSH command:

php bin/magento maintenance:enable

You can confirm it’s active by visiting your site: you should see a maintenance message.

3. Download the patch

Visit the Adobe Security Bulletins page and find the latest Magento patch relevant to your version. Download the correct patch file—typically .sh, .patch, or .diff format.

Make sure you:

Choose the right version (e.g., Magento 2.4.6 vs 2.4.7)
Verify whether the patch is for Open Source or Adobe Commerce

Upload the patch file to your Magento root directory using SFTP or your hosting control panel’s file manager.

4. Apply the patch via SSH

Connect to your server via SSH and navigate to the root Magento directory (where app, vendor, and bin folders are located).

Then apply the patch:

For .sh files (shell scripts):
sh patch-name.sh
For .patch or .diff files:
patch -p1 < patch-name.patch

If the patch succeeds, you’ll see a success message or terminal confirmation.

5. Clear cache and reindex

After applying the patch, flush Magento’s cache to prevent conflicts:

php bin/magento cache:flush

Then reindex the site to apply the changes to all product and catalog data:

php bin/magento indexer:reindex

6. Disable maintenance mode

Once everything is working, take your site out of maintenance mode:

php bin/magento maintenance:disable

Double-check the frontend and backend to confirm functionality.

Post-installation checks to confirm patch success

Even if the patch installed successfully, it’s important to verify everything is stable and secure. Here’s what to check:

Admin Panel: Make sure all sections load without error.
Frontend pages: Test category pages, product pages, and checkout
Logs: Review var/log/ and var/report/ for new entries.
Security scan: Run the Magento Security Scan Tool again to confirm the patch is now applied.

If something went wrong, restore your backup and try again, or consult a Magento developer.

Best practices for Magento patch management

Patch once and patch often. Here are some strategies to make the process smoother over time:

Subscribe to Magento Tech Resources: Get alerts when new patches are released.
Create a staging site: Always test patches in staging before applying to production.
Keep a patch log: Document each applied patch and the date it was installed.
Schedule patch windows: Pick a time when traffic is low and your team is available.
Don’t skip minor updates: Magento version updates often include critical patches.

If you run a large or complex store, consider using a CI/CD pipeline to automate patch testing and deployment.

Magento patching with third-party tools and services

If you’re not comfortable with SSH or command-line tasks, there are easier ways to handle patching.

Two options to consider:

MGT Security Patch Tool: A web-based scanner that checks for missing patches and provides patching guidance. Good for users with minimal technical experience.
Magento Patch Manager by BSS Commerce: A commercial extension that helps non-technical users apply patches from the Admin Panel.

These tools won’t replace a full developer workflow, but they can save time and reduce risk for solo store owners.

Why skipping patches puts your store at risk

Many Magento breaches in the wild stem from old, unpatched software. Attackers know exactly which vulnerabilities are present in which versions, and they build bots that scan the web looking for unpatched stores.

Common exploits from missing patches include:

SQL Injection: Letting attackers read or manipulate your database.
Remote Code Execution: Letting hackers upload and run malicious files.
Cross-Site Scripting (XSS): Letting attackers hijack user sessions or display harmful content.

If you don’t patch your store, you’re not just risking data—you’re risking revenue, reputation, and potential legal action for non-compliance.

Magento patch FAQ

Download the correct patch file from Adobe’s Security Bulletins page or Tech Resources. Upload it to your server and apply it using SSH (sh patch-name.sh or patch -p1 < patch-name.patch). Clear the cache, reindex, and test the site.

A patch is a small fix for a specific issue, often applied manually. A security update is a broader release that may include multiple patches plus other changes. Patches are usually faster to apply if you’re not ready for a full upgrade.

You can find the latest update on Adobe’s Commerce Release Notes page. Check often, as new patches and updates are released regularly.

Upload the patch file to your Magento root directory, connect via SSH, and apply it using the appropriate command. Then flush the cache, reindex your site, and test all critical functionality.

Next steps for installing Magento security patches

Magento security patches are one of the easiest and most important ways to protect your ecommerce store. Skipping them leaves you exposed, while timely updates keep your site fast, safe, and PCI compliant.

If you’re new to patching or don’t have a developer on staff, start by applying critical patches on a staging site and using tools like MGT or BSS Patch Manager to simplify the process.

Ready to upgrade your Magento experience? Professional hosting improves speeds, security, and reliability for a website and a brand that people find engaging and trustworthy.

Liquid Web offers the raw infrastructure power you need with mission-critical features that keep your store running smoothly. Most importantly, our in-house Magento experts are standing by to help with both hosting and Magento application roadblocks.

Click through below to explore all of our Magento hosting options, or chat with an expert right now to get answers and advice.