Magento 2 security audit: 15 points to check in 2026
Why a security audit is essential
In 2026, attacks against e-commerce sites are more sophisticated than ever. Adobe Commerce/Magento 2 remains a prime target for hackers due to its popularity and the sensitive data it handles.
A regular security audit is not an option — it's a necessity. Here are the 15 points to check without fail.
1. Versions and security patches
Make sure your Magento 2 instance uses the latest available version. Adobe publishes regular security patches:
- Check the Adobe security bulletin
- Apply patches within 48 hours of release
- Automate updates with Composer
2. Admin access configuration
- Enable two-factor authentication (2FA)
- Use strong passwords and a password manager
- Limit login attempts
- Change the default admin URL
3. File and folder permissions
Incorrect permissions are an open door for attackers:
- Files: 644
- Folders: 755
- app/etc/env.php must never be publicly accessible
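The following script is an added example for point 3; it is not code from the original checklist. It walks a Magento root and reports every directory that is not 755 and every file that is not 644, then applies two stricter rules that are this script's own assumptions rather than the page's: app/etc/env.php and app/etc/config.php (which hold database credentials) must not be readable by the "other" class, and bin/magento must keep its execute bit. It assumes GNU find for -printf. Note that it only checks local filesystem modes; whether env.php is reachable over the web depends on the web server's document root pointing at pub/, which is a separate check.

```bash
#!/bin/bash
# Added example, not from the original checklist: audit modes under a Magento 2
# root against the 644 (files) / 755 (directories) rule from point 3.
# Assumptions made here, not stated on the page: GNU find (for -printf),
# app/etc/env.php and app/etc/config.php held to 640 so other local accounts
# cannot read database credentials, and bin/magento keeping its execute bit.

# Print one line per deviation under $1; prints nothing when the tree is clean.
audit_magento_perms() {
    root=$1
    find "$root" -type d ! -perm 755 -printf 'DIR    %m %p\n'
    find "$root" -type f ! -perm 644 \
        ! -path "$root/app/etc/env.php" ! -path "$root/app/etc/config.php" \
        ! -path "$root/bin/magento" -printf 'FILE   %m %p\n'
    # Secrets: anything the "other" class can read is a finding
    if [ -d "$root/app/etc" ]; then
        find "$root/app/etc" -type f \( -name env.php -o -name config.php \) \
            -perm -o+r -printf 'SECRET %m %p (readable by other local users)\n'
    fi
    # The CLI must stay executable or cron jobs and deployments break
    if [ -f "$root/bin/magento" ]; then
        find "$root/bin" -type f -name magento ! -perm -u+x \
            -printf 'CLI    %m %p (bin/magento not executable)\n'
    fi
    return 0
}

# Number of findings, handy as a CI gate (non-zero means fail the deploy)
perm_finding_count() {
    audit_magento_perms "$1" | wc -l | tr -d ' '
}

# Constructed sample tree imitating a Magento layout (not a real install),
# with two correct exceptions and three deliberate mistakes.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/app/etc" "$root/pub/media" "$root/var/log" "$root/bin"
    printf '<?php return [];\n' > "$root/app/etc/env.php"
    printf '<?php return [];\n' > "$root/app/etc/config.php"
    printf '<?php\n' > "$root/pub/index.php"
    printf '#!/usr/bin/env php\n' > "$root/bin/magento"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 755 "$root/bin/magento"          # correct: the CLI needs +x
    chmod 640 "$root/app/etc/config.php"   # correct: secret, owner and group only
    chmod 777 "$root/var/log"              # mistake 1: world-writable directory
    chmod 666 "$root/pub/index.php"        # mistake 2: world-writable file
    # mistake 3: env.php stays at 644, readable by every local account
    echo "$root"
}

# Demo run against the constructed tree
sample=$(make_sample_root)
audit_magento_perms "$sample"
echo "findings: $(perm_finding_count "$sample")"
rm -rf "$sample"
```

Run it against a real install with `audit_magento_perms /var/www/magento` after sourcing the file; an empty output means the tree matches the rules above, and `perm_finding_count` gives a number a deployment pipeline can gate on.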
4. Database security
- Change the default table prefix
- Use strong passwords for SQL access
- Limit authorized IPs for database connections
5. Redis and Varnish configuration
- Authenticate Redis access
- Limit authorized IPs for Varnish
- Use TLS for cache connections
6. XSS and CSRF attack protection
Magento 2 includes native protections, but verify:
- XSS validators are active
- CSRF tokens are generated for all forms
- Your custom modules respect these mechanisms
7. Payment security
- Verify your payment modules are PCI DSS compliant
- Enable 3D Secure (SCA) for card payments
- Never store credit card data on your server
8. Web API and GraphQL
APIs are common attack vectors:
- Limit API access by integration key
- Enable rate limiting
- Validate all GraphQL inputs
9. Logs and monitoring
- Enable logging of failed login attempts
- Use New Relic or equivalent for anomaly detection
- Retain logs for at least 90 days
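The following script is an added example for points 2 (limit login attempts) and 9 (logging and anomaly detection); it is not code from the original checklist. It reads web-server access-log lines in the common "combined" format, the one log that exists whatever Magento-side logging is enabled, and flags any client IP that sends a burst of POST requests to the admin area within one minute, which is what a brute-force or credential-stuffing run looks like regardless of the status code each attempt got. The admin front name admin_k7x2 and the log lines are constructed values for the demo.

```bash
#!/bin/bash
# Added example, not from the original checklist: flag IPs that hammer the
# admin login URL, using web-server access logs. Assumes nginx/Apache
# "combined" log format and that the admin front name was changed to
# admin_k7x2 (a constructed value; substitute your own).

# Usage: flag_admin_bruteforce <admin-path-prefix> <threshold> < access.log
# Prints "ip minute count" for every (ip, minute) pair with >= threshold
# POSTs to the admin area, sorted for stable output.
flag_admin_bruteforce() {
    admin_path=$1
    threshold=$2
    awk -v p="$admin_path" -v t="$threshold" '
        # $1 client IP, $4 "[10/Jan/2026:10:00:01", $6 "\"POST", $7 request path
        $6 == "\"POST" && index($7, p) == 1 {
            minute = substr($4, 2, 17)      # 10/Jan/2026:10:00
            hits[$1 SUBSEP minute]++
        }
        END {
            for (k in hits) if (hits[k] >= t) {
                split(k, parts, SUBSEP)
                print parts[1], parts[2], hits[k]
            }
        }' | sort
}

# Constructed sample log: one client makes six login POSTs inside a minute
# and one more the next minute, a legitimate admin makes a GET and one POST,
# and an unrelated checkout POST is ignored.
sample_access_log() {
    cat <<'EOF'
203.0.113.5 - - [10/Jan/2026:10:00:01 +0000] "POST /admin_k7x2/ HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.5 - - [10/Jan/2026:10:00:03 +0000] "POST /admin_k7x2/ HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.5 - - [10/Jan/2026:10:00:05 +0000] "POST /admin_k7x2/ HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.5 - - [10/Jan/2026:10:00:08 +0000] "POST /admin_k7x2/ HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [10/Jan/2026:10:00:09 +0000] "GET /admin_k7x2/ HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2026:10:00:12 +0000] "POST /admin_k7x2/ HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.5 - - [10/Jan/2026:10:00:15 +0000] "POST /admin_k7x2/ HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [10/Jan/2026:10:00:20 +0000] "POST /admin_k7x2/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2026:10:00:30 +0000] "POST /checkout/cart/add/ HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2026:10:01:40 +0000] "POST /admin_k7x2/ HTTP/1.1" 302 0 "-" "curl/8.0"
EOF
}

# Demo run: five or more admin POSTs from one IP in one minute is suspicious
sample_access_log | flag_admin_bruteforce /admin_k7x2/ 5
```

In production, feed it the real log (`flag_admin_bruteforce /your-admin-path/ 5 < /var/log/nginx/access.log`) from a cron job or log shipper and route any output to the alerting channel you already use; the threshold of 5 per minute is a starting point to tune against your own admins' behaviour.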
10. TLS/SSL certificate
- Verify your certificate is valid and up to date
- Use TLS 1.3 minimum
- Redirect all HTTP traffic to HTTPS
11. Captcha and anti-bot protection
Magento 2 includes Google reCAPTCHA v3. Make sure it is:
- Enabled on login forms
- Enabled on registration forms
- Enabled on the forgot password form
12. Backups and recovery plan
- Back up files and database daily
- Store backups offsite (S3, etc.)
- Test restoration at least once per quarter
13. Inactive user accounts
- Audit admin accounts every month
- Remove or disable inactive accounts
- Check API integration account permissions
14. CSP (Content Security Policy)
- Implement a strict CSP to prevent XSS attacks
- Test in report mode before applying blocking mode
- Use the Magento 2 CSP module
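The following script is an added example for point 14; it is not code from the original checklist or from the Magento_Csp module. The module can emit its policy either as Content-Security-Policy-Report-Only (report mode) or as Content-Security-Policy (blocking mode), so the first function classifies which mode a store is actually in from its raw response headers, and the second lists the settings that make a policy weak against XSS: 'unsafe-inline', 'unsafe-eval' and wildcard sources in script-src or default-src, or a missing default-src. The header and policy values are constructed.

```bash
#!/bin/bash
# Added example, not from the original checklist: inspect the CSP a store
# really sends. Assumes raw HTTP response headers on stdin (for instance
# from `curl -sI https://store.example/`); all values below are constructed.

# Classify the CSP mode of a response: enforcing, report-only, or none.
csp_mode() {
    lower=$(tr '[:upper:]' '[:lower:]')
    if printf '%s\n' "$lower" | grep -q '^content-security-policy:'; then
        echo enforcing
    elif printf '%s\n' "$lower" | grep -q '^content-security-policy-report-only:'; then
        echo report-only
    else
        echo none
    fi
}

# List weaknesses in a policy value ($1); prints nothing for a strict policy.
csp_findings() {
    printf '%s\n' "$1" | tr ';' '\n' | awk -v ui="'unsafe-inline'" -v ue="'unsafe-eval'" '
        {
            sub(/^ +/, "")             # drop leading space after each ";"
            name = $1
            if (name == "") next
            seen[name] = 1
            if (name == "script-src" || name == "default-src") {
                if (index($0, ui)) print name " allows " ui ": injected inline scripts run"
                if (index($0, ue)) print name " allows " ue ": eval() of attacker-controlled strings"
                for (i = 2; i <= NF; i++)
                    if ($i == "*" || $i == "data:" || $i ~ /^https?:$/)
                        print name " allows the wildcard source " $i
            }
        }
        END {
            if (!("default-src" in seen))
                print "default-src missing: resource types not listed are unrestricted"
        }'
}

# Constructed policies: a permissive one and a strict nonce-based one
weak="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; style-src 'self' 'unsafe-inline'"
strict="default-src 'self'; script-src 'self' 'nonce-R4nd0m'; object-src 'none'; base-uri 'self'"

# Constructed response headers as a store in report mode would send them
sample_headers_report_only() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Security-Policy-Report-Only: %s\r\n\r\n' "$weak"
}

# Demo run
echo "mode: $(sample_headers_report_only | csp_mode)"
echo "weak policy findings:"
csp_findings "$weak"
echo "strict policy findings: $(csp_findings "$strict" | wc -l | tr -d ' ')"
```

Against a live store, `curl -sI https://your-store.example/ | csp_mode` tells you whether the policy is still in report mode, and `csp_findings "$(curl -sI https://your-store.example/ | sed -n 's/^[Cc]ontent-[Ss]ecurity-[Pp]olicy[^:]*: //p')"` shows what to tighten before switching to blocking mode.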
15. External vulnerability scanning
- Use a vulnerability scanner (Sucuri, Qualys)
- Conduct annual penetration tests (pentest)
- Monitor CVE (Common Vulnerabilities and Exposures) announcements for Magento and your extensions
Your store's security is an ongoing process. I perform comprehensive security audits for Magento 2 and Adobe Commerce. Contact me to secure your site.