Magento Open Source 2.2.x

Security Best Practices

All eCommerce sites are attractive targets to hackers because of the personal and payment information that is required to complete a sale. Even if the system does not directly process credit card transactions, a compromised site might reroute customers to a false page, or alter an order before it is transmitted to the payment processor.

A compromised site can have long-term consequences for both customers and merchants. Customers might suffer financial loss and identity theft, while merchants can face damage to their reputations, loss of merchandise, higher processing fees, revoked privileges with financial institutions, and the threat of lawsuits.

This guide outlines a multifaceted approach to improve the security of your Magento installation. Although there is no single way to eliminate all security risks, there are many things that you can do to make your site a less attractive target. It is crucial for hosting providers, system integrators, and merchants to work together to establish and maintain a secure environment, implement methods for early detection, and determine a plan of action in the event of a breach.

Additional Resources

For additional technical best practices and developer-centric information, see the following resources.

  • The Magento Security blog investigates and provides insights into security issues, best practices, and solutions for all of your security questions.
  • Try out the free Magento Security Scan Tool! Monitor your sites for security risks, update malware patches, and detect unauthorized access with this tool from Magento Commerce.
  • Check all available Developer Tools through the Admin. These features can help test, verify, and prepare your site and Admin for workloads and traffic.
  • The Magento Community has limitless best practices, recommendations, and tutorials to help get you started with Magento, maintaining your catalogs, and much more. Check out the best Community Resources.


Parts of this article were inspired by real-world solutions that were shared by community members. The resulting article incorporates content from the community, with input from our team.