Magento Open Source, 1.9.x

Magento 1.x Security Patch Notice
For Magento Open Source 1.5 to 1.9, Magento is providing software security patches through June 2020 to ensure those sites remain secure and compliant. Visit our information page for more details about our software maintenance policy and other considerations for your business.

Magento Security Best Practices

All eCommerce sites are attractive targets to hackers because of the personal and payment information that is required to complete a sale. Even if the system does not directly process credit card transactions, a compromised site might reroute customers to a false page, or alter an order before it is transmitted to the payment processor.

A compromised site can have long-term consequences for both customers and merchants. Customers might suffer financial loss and identify theft, while merchants can face damage to their reputations, loss of merchandise, higher processing fees, revoked privileges with financial institutions, and the threat of lawsuits.

This guide outlines a multifaceted approach to improve the security of your Magento installation. Although there is no single way to eliminate all security risks, there are many things that you can do to make your site a less attractive target. It is crucial for hosting providers, system integrators, and merchants to work together to establish and maintain a secure environment, implement methods for early detection, and determine a plan of action in the event of a breach. To learn more, see Best Practices in the Magento Security Center.

Make sure to stop by our Magento Security Center, and sign up for the Security Alert Registry to receive notification from our security team of any emerging issues and solutions.


Parts of this article were inspired by real-world solutions that were shared by community members. The resulting article incorporates content from the community, with input from our team. We’d like to thank the following people for contributing to this article:

  • Bryan (BJ) Hoffpauir for sharing his insight on the Magento forum, and for contributing recommendations in the Attack Response Plan section of this article. See the original post by beejhuff for more information.
  • Anna Völkl (@rescueann), Magento developer at LimeSoda.
  • Robert Mangiafico (@robfico) CTO at LexiConn.
  • @dracony_gimp for his security presentation, Being Hacked is Not Fun.
  • Willem de Groot for providing a sample Nginx configuration.