Magento 2 Security Hardening: A Production Checklist for 2026
April 19, 2026

Originally published by Dev.to

Magento stores are high-value targets. They process payments, store customer data, and often run on shared infrastructure. A compromised store means payment card theft, data breaches, and regulatory fines.

This checklist covers the most impactful security hardening steps for a production Magento 2 store.

1. Change the admin URL

The default admin URL /admin is targeted by automated scanners within hours of a store going live. Change it to something non-obvious:

bin/magento setup:config:set --backend-frontname="your_secret_admin_path"
bin/magento cache:flush

Or in app/etc/env.php:

'backend' => ['frontName' => 'your_secret_admin_path'],

Use something random and non-guessable. Not /manager, /backend, or /store-admin.

2. Enable two-factor authentication

Magento 2.4+ ships with 2FA built in. Enable it and enforce it for all admin users:

bin/magento module:enable Magento_TwoFactorAuth
bin/magento setup:upgrade

Supported authenticators: Google Authenticator, Authy, Duo Security, U2F.

For headless (API) access, do not disable 2FA; restrict access by IP at the web server instead (see step 8). To require one specific provider for every admin user:

bin/magento config:set twofactorauth/general/force_providers "google"

3. File permissions

Magento's recommended file permissions:

# Directories
find var generated vendor pub/static pub/media app/etc -type d -exec chmod 770 {} +

# Files
find var generated vendor pub/static pub/media app/etc -type f -exec chmod 660 {} +

# bin/magento
chmod 770 bin/magento

# Never allow write on app/code
find app/code -type f -exec chmod 640 {} +
find app/code -type d -exec chmod 750 {} +

Critical: app/etc/env.php contains database credentials. Ensure it's not world-readable:

chmod 640 app/etc/env.php

4. Disable directory listing

In your nginx config:

autoindex off;

Or in Apache .htaccess:

Options -Indexes

Directory listing exposes your file structure to attackers.

5. Content Security Policy headers

Magento 2.4+ has CSP support. Enable report-only mode first to find violations without breaking your store:

bin/magento config:set csp/mode/storefront/report_only 1
bin/magento config:set csp/mode/admin/report_only 1

Configure your CSP whitelist in Admin → Security → Content Security Policy. Add your analytics, payment processor, and CDN domains.

Once violations are resolved, switch to enforce mode:

bin/magento config:set csp/mode/storefront/report_only 0

6. Security headers

Add these to your nginx config:

add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

# Only once CSP is configured
# add_header Content-Security-Policy "..." always;

7. Keep Magento patched

Magento releases security patches regularly. Subscribe to the Magento security alert RSS feed and the Adobe security bulletin.

# Check current version
bin/magento --version

# Check for available updates
composer outdated magento/*

Apply security patches within 2 weeks of release. Critical patches within 48 hours.

8. Restrict admin access by IP

If your team accesses admin from predictable IPs, whitelist them at the nginx level:

location ~* ^/your_admin_path {
    allow 1.2.3.4;  # office IP
    allow 5.6.7.8;  # developer IP
    deny all;

    try_files $uri $uri/ /index.php$is_args$args;
}

This stops brute-force admin attacks even if the attacker knows your admin URL.

9. Disable unused payment methods and modules

Every enabled payment method is potential attack surface. Disable anything you don't use:

bin/magento module:disable Magento_Paypal
bin/magento module:disable Magento_Braintree
# etc.
bin/magento setup:upgrade

10. Monitor for malware

Magento stores are targeted by card-skimming malware (Magecart attacks). Malware is typically injected into:

  • JavaScript files in pub/static/
  • PHP files in app/code/ or templates
  • Database (inline scripts in CMS blocks or product descriptions)

Set up file integrity monitoring:

# Create a baseline hash of all PHP files (sorted by path so later diffs are stable)
find app/code vendor/magento -name "*.php" -exec md5sum {} \; | sort -k2 > /var/integrity/baseline.txt

# Run daily and alert on changes: ">" lines are new or modified files, "<" lines are files that disappeared
find app/code vendor/magento -name "*.php" -exec md5sum {} \; | sort -k2 | diff /var/integrity/baseline.txt - | grep "^[<>]"
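As an added example (not part of the original article), the same idea as the baseline-and-diff commands above, wrapped into reusable shell functions that classify each deviation as an added, removed or modified PHP file. It assumes coreutils (find, sha256sum, sort) and a POSIX awk, and uses sha256sum rather than md5sum.

```shell
#!/bin/sh
# Added example (not from the original article): a file-integrity checker in the
# spirit of step 10. It hashes every *.php file under the given roots, keeps a
# sorted baseline, and on each later run reports files that were ADDED, REMOVED
# or MODIFIED. Assumes coreutils (find, sha256sum, sort) and a POSIX awk; paths
# containing whitespace are not supported (Magento code paths never have any).

# hash_tree ROOT... : print "digest  path" for every PHP file, sorted by path so
# two runs over an unchanged tree produce byte-identical output.
hash_tree() {
    find "$@" -type f -name '*.php' -exec sha256sum {} + | sort -k2
}

# build_baseline BASELINE ROOT... : record the current state for later runs.
build_baseline() {
    baseline="$1"; shift
    hash_tree "$@" > "$baseline"
}

# check_integrity BASELINE ROOT... : print one line per deviation from the
# baseline ("ADDED <path>", "MODIFIED <path>", "REMOVED <path>"), sorted.
# Prints nothing when the tree still matches.
check_integrity() {
    baseline="$1"; shift
    hash_tree "$@" | awk -v base_file="$baseline" '
        BEGIN {
            # load the baseline into base[path] = digest
            while ((getline line < base_file) > 0) {
                split(line, f); base[f[2]] = f[1]
            }
            close(base_file)
        }
        {
            seen[$2] = 1
            if (!($2 in base))       print "ADDED " $2
            else if (base[$2] != $1) print "MODIFIED " $2
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' | sort
}

# integrity_ok BASELINE ROOT... : exit status 0 when nothing deviates, so a cron
# job can run: integrity_ok /var/integrity/baseline.txt app/code vendor/magento || alert
integrity_ok() {
    [ -z "$(check_integrity "$@")" ]
}
```

Rebuild the baseline deliberately after every deployment or patch, otherwise the next daily run reports the legitimate change as a deviation.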

For database-injected malware, scan CMS blocks and product descriptions weekly:

SELECT * FROM cms_block WHERE content LIKE '%<script%' AND content NOT LIKE '%requirejs%';

11. Secure env.php

app/etc/env.php contains your database password, Redis password, and encryption key. Never commit it to version control:

echo "app/etc/env.php" >> .gitignore

Use environment variables or a secrets manager for CI/CD pipelines:

export DB_PASSWORD=$(aws secretsmanager get-secret-value --secret-id prod/magento/db --query SecretString --output text | jq -r .password)

Security audit checklist

  • [ ] Admin URL changed from /admin
  • [ ] 2FA enabled for all admin users
  • [ ] File permissions set correctly
  • [ ] env.php not world-readable, not in git
  • [ ] Directory listing disabled
  • [ ] Security headers configured (X-Frame-Options, X-Content-Type-Options)
  • [ ] CSP in report-only mode (working toward enforce)
  • [ ] Admin IP restriction (if team has static IPs)
  • [ ] Unused modules and payment methods disabled
  • [ ] File integrity monitoring running
  • [ ] On latest Magento security patch
  • [ ] SSL/TLS 1.3 enabled, TLS 1.0/1.1 disabled

Security is never "done" — it's an ongoing process. Schedule a quarterly security review against this checklist.

Originally published on magevanta.com
