Security Checklist in Magento 2


A store website always holds financial information that hackers want to steal and exploit. Once this information is taken, both merchants and customers suffer serious damage. While customers lose their personal and payment information, merchants may suffer a hundred times more. For instance, a customer clicks somewhere on your website and is redirected to another link that contains viruses, steals their data, or immediately breaks into their bank account. This lowers your store's reliability, and you may even face the risk of lawsuits.

To make your website safer, we suggest a list of methods to strengthen your security and avoid becoming a target for hackers. The list may seem long for busy readers. However, the more you do, the more secure your business is. We have made the list as easy to follow as possible, so let’s start together!

Security Checklist

Backup your Magento store frequently

It is important to back up your Magento store so that you keep a copy of the store database and can rebuild the Magento website if necessary. You can back up the Magento system from the Magento control panel or manually with online backup tools. Below are the instructions for backing up your Magento store with the Magento backup tool in the admin.

  • On the admin sidebar, choose System > Tools > Backups.
  • Click System Backup to back up all files of your store website, Database and Media Backup to back up the database and the contents of the media folders, or Database Backup to back up the database only. In the System Backup section, you can exclude the media folder by ticking Exclude media folder from backup.
    • Enter a name to save the backup in the Backup Name field. Notice that only letters (a-z or A-Z), numbers (0-9) or spaces are accepted.
    • You should choose Maintenance mode so that your store is in maintenance mode during the backup.
  • Click Ok to start.
  • After finishing, the backups can be found in the var/backups/ folder.

Change backend URL

Changing your Admin URL makes your store admin site harder to find for wandering internet users and less attractive to hackers. Magento 2.0 allows you to modify the backend URL through the configuration in the Magento store admin. Here is how to change the backend URL through the Magento system.

  • On the admin sidebar, choose Store > Settings > Configuration.
  • In the panel on the left, click Advanced > Admin.
  • Expand the Admin Base URL section and set options.
  • In the Use Custom Admin URL field, select “Yes” then fill in the Custom Admin URL field new Admin URL in the format of to adopt new Admin URL.
  • In the Use Custom Admin Path field, select “Yes”, then enter the new Admin Path in the Custom Admin Path field.
  • Click Save Config when you are done.
  • Log in to the Admin using the new Admin URL and Path after saving.

Use HTTPS/SSL for backend

Logging in to your account over a public hotspot, or saving your account information across an unencrypted connection, exposes you to the risk of interception by hackers. If this happens, you may lose all store data and end up with a broken store website. To eliminate this threat, we suggest requiring HTTPS/SSL in Magento to secure the connection.

To use secure HTTPS/SSL URLs:

  • On the Magento Admin sidebar, choose Store > Settings > Configuration.
  • In the panel on the left, click General > Web.
  • Expand the Base URLs (Secure) section and set “Yes” for the Use Secure URLs on Storefront and Use Secure URLs in Admin fields.
  • Click Save Config.

Use and keep your passwords strong for your Magento store

Using a strong password for your Magento store is definitely the easiest method to strengthen your website security. To find out whether your password is strong enough, check the list below.

  • Your password consists of upper- and lower-case letters, numbers, and special characters.
  • The password is at least 10 characters long.
  • Make sure that your password is not related to your birthday or any special events which are noticeable in your profile.
  • The password should be arranged in a random order. If you cannot remember it, use a password management tool.
  • The password for your Magento website should be different from your other passwords, because the more widely a password is used, the easier it is to hack your Magento website.
  • Do not leave notes of your password at easy-to-see places.
  • Do not save or store passwords on your computer, so that they cannot be stolen if you lose your computer/laptop or if your Windows system has viruses that could take your personal information.
  • Change your password after every 3-6 months.

Use the latest Magento version

Each new version of Magento is released to fix bugs, add new features and deliver other essential upgrades. In most cases, security risks are discovered and limited in the new version. Therefore, upgrading your Magento system to the latest version is necessary. This not only saves you time dealing with problems that occurred in the previous version, but also strengthens your security.

Use Two-Factor Authorization

The Two-Factor Authorization extension ensures that only trusted devices can access your Magento backend. The extension enhances your security by requiring a time-based passcode when logging in to Magento. With this second security layer, a stranger cannot break into your Magento store even if they know your password. To hack your Magento store, a hacker would need the unique admin login page, the secure username and password, and your smartphone in their possession, which is nearly impossible to achieve. Therefore, the two-step process of the Two-Factor Authorization extension makes a strong anti-theft tool for your Magento admin.

Look for errors or suspicious activity in logs

We recommend regularly checking your web server logs for errors or suspicious activity. This helps you detect danger from hackers and prepare your Magento security to deal with new threats. Unusual events, such as many login attempts with wrong passwords, a login from a strange location, or a login that fails because of a wrong passcode, should be noticed and the source banned. You can also integrate an extension that looks for errors or suspicious activity in logs to identify and manage suspicious logins.

Restrict Admin Access To Only Approved IP Addresses

If your Magento installation has many stores with many administrators managing the backend, create a whitelist that consists of the authorized IP addresses. All other IP addresses will be banned from accessing the admin page. This can be achieved via .htaccess, or you can use the Apache directive LocationMatch.
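The two checks described above (log review and the admin IP whitelist) can be combined into one pass over the access log. The following is an added example, not part of the original article or of Magento; the admin path, the approved networks, the thresholds and the log lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed values, not from the article: admin path, approved networks, thresholds.
ADMIN_PATH = "/backoffice_x7k2"
APPROVED = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "198.51.100.7/32")]
MAX_POSTS, WINDOW = 5, timedelta(minutes=5)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*"')
# Constructed sample lines in Apache common log format.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2024:09:00:01 +0000] "POST /backoffice_x7k2/ HTTP/1.1" 302 512',
    '198.51.100.23 - - [12/Mar/2024:09:01:10 +0000] "GET /backoffice_x7k2/ HTTP/1.1" 200 4096',
    '192.0.2.99 - - [12/Mar/2024:09:01:30 +0000] "GET /checkout/ HTTP/1.1" 200 2048',
] + [
    f'192.0.2.44 - - [12/Mar/2024:09:02:{s:02d} +0000] "POST /backoffice_x7k2/ HTTP/1.1" 200 4096'
    for s in range(0, 60, 10)
]

def parse(line):
    """Return (ip, timestamp, method, path), or None for an unparsable line."""
    m = LINE_RE.match(line)
    try:
        return (ipaddress.ip_address(m[1]),
                datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z"), m[3], m[4])
    except (TypeError, ValueError):  # no regex match, or a bad IP / timestamp
        return None

def review(lines):
    """Flag admin-path clients outside the whitelist and bursts of admin POSTs."""
    outside, posts = set(), defaultdict(list)
    for ip, ts, method, path in filter(None, map(parse, lines)):
        if not path.startswith(ADMIN_PATH):
            continue  # storefront traffic is out of scope for this check
        if not any(ip in net for net in APPROVED):
            outside.add(str(ip))
        if method == "POST":
            posts[str(ip)].append(ts)
    bursts = set()
    for ip, stamps in posts.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > WINDOW:  # slide the window forward
                start += 1
            if end - start + 1 >= MAX_POSTS:
                bursts.add(ip)
    return {"outside_allowlist": sorted(outside), "post_bursts": sorted(bursts)}
```

Any address in outside_allowlist reached the admin path even though it is not whitelisted, which means the .htaccess or LocationMatch rule is missing or not applied to that path.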

Always Use A Private and Secure Email Address

The reason and the approach for using a private and secure email address are similar to those for having strong passwords for your Magento store. An email address itself contains a lot of personal information and can be connected to many other website accounts. Undoubtedly, the more difficult an email address is to find, the more secure your private information is. Moreover, you should also configure your email security well to safeguard your Magento store.

Use antivirus software latest version

We recommend that you use the latest anti-virus software and keep it updated to protect not only your computer, but also your entire online working process. The newest anti-virus version will detect the most recently released viruses and minimize the risk of attacks on your Magento system. Hackers do not rest, so do not let them take advantage of your distractions.

Change Your File Permissions

Magento 2.0 requires certain permissions, which are different from ownership on the file system. Ownership determines who can perform actions on the file system; permissions determine what the user can do. To make sure that other users cannot tamper with your files and folders, set file permissions when you log in to your Magento server.

Block unwanted countries

Unless your Magento store sells products worldwide, you had better block users from other countries to ensure that nobody is wandering around your pages. In addition, this also helps you recognize hackers' information more easily, as other locations are eliminated. To block unwanted countries, you have to integrate an extension that has a feature for blocking undesirable countries.

Prevent MySQL injection

You need additional methods to protect your store besides the features Magento supplies. Although Magento provides great support against MySQL injection attacks with its newer versions and patches, adding third-party protection against MySQL injection is still necessary. Extra web application firewalls effectively keep your site and your customers safe.

Disable Any Dangerous PHP Functions

To avoid exploitation of the PHP functions that can be dangerous, be sure to add the following rule to your php.ini file:

disable_functions = proc_open,phpinfo,show_source,system,shell_exec,passthru,exec,popen
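To confirm that the rule is actually in effect, the php.ini file can be audited against the list above. This is an added example, not part of the original article; the sample php.ini content is constructed, and the function names missing_from and effective_disabled are hypothetical.

```python
import re

# The function list recommended in the rule above.
RECOMMENDED = {"proc_open", "phpinfo", "show_source", "system",
               "shell_exec", "passthru", "exec", "popen"}

# Constructed sample: one commented-out rule and one incomplete active rule.
SAMPLE_INI = """\
; disable_functions = proc_open,phpinfo,show_source,system
memory_limit = 2G
disable_functions = exec, passthru,shell_exec,system   ; partial list
"""

def effective_disabled(ini_text):
    """Return the functions named by the last active disable_functions line."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a php.ini comment
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:  # a later directive replaces an earlier one
            value = m.group(1).strip().strip("\"'")
            disabled = {f.strip() for f in value.split(",") if f.strip()}
    return disabled

def missing_from(ini_text):
    """Return the recommended functions that the php.ini text leaves enabled."""
    return sorted(RECOMMENDED - effective_disabled(ini_text))

if __name__ == "__main__":
    print(missing_from(SAMPLE_INI))
```

Run it against the php.ini that the web server's PHP actually loads; the command-line PHP and the web server often read different files.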

Get a Magento security review done

As software and security methods develop, hackers also find new techniques to steal your information. Besides, it is really difficult to cover all bugs across hundreds of files. Therefore, run a scan to check your Magento security and repair the security holes. There are several reliable websites that provide a free service giving you a quick insight into the security status of your Magento shop and how to fix possible vulnerabilities.

Get in touch with the Magento Community

There is a forum for Magento users to communicate and share knowledge at You can ask and answer questions related to Magento in this forum. This forum is the Magento community, which can help you a lot when you face security problems. Finally, do not forget to keep up with the information that people post in the forum.

Only Use Magento Extensions from trusted sources

A Magento extension is downloaded from the internet and integrated directly into your Magento system, which can cause many problems if the extension is unsafe. When your firewall is disabled, your Magento security is not strong enough and you do not have anti-virus software, your whole system can break down in seconds.

Therefore, we recommend that you use only well-tested extensions from trustworthy providers. Furthermore, you should also update your extensions regularly, as new versions fix bugs and improve the security of the extension.

Moreover, despite being quite a new Magento developer, Mageplaza has been reviewed as one of the best Magento extension providers, not only for the great features of its modules, but also for the reliability of its security and support team. Hence, you can always be comfortable when using extensions from Mageplaza.

This is the end of the tutorial: Security Checklist in Magento 2.

Please leave a comment if you have any questions or feedback.
