2026-06-29, Security

Magento 2 security audit: 15 points to check in 2026


Why a security audit is essential


In 2026, attacks against e-commerce sites are more sophisticated than ever. Adobe Commerce/Magento 2 remains a prime target for hackers due to its popularity and the sensitive data it handles.


A regular security audit is not an option — it's a necessity. Here are the 15 points to check without fail.


1. Versions and security patches


Make sure your Magento 2 instance uses the latest available version. Adobe publishes regular security patches:


  • Check the Adobe security bulletin
  • Apply patches within 48 hours of release
  • Automate updates with Composer

2. Admin access configuration


  • Enable two-factor authentication (2FA)
  • Use strong passwords and a password manager
  • Limit login attempts
  • Change the default admin URL

3. File and folder permissions


Incorrect permissions are an open door for attackers:


  • Files: 644
  • Folders: 755
  • app/etc/env.php must never be publicly accessible

4. Database security


  • Change the default table prefix
  • Use strong passwords for SQL access
  • Limit authorized IPs for database connections

5. Redis and Varnish configuration


  • Require authentication for Redis access
  • Limit authorized IPs for Varnish
  • Use TLS for cache connections

6. XSS and CSRF attack protection


Magento 2 includes native protections, but verify:


  • XSS validators are active
  • CSRF tokens are generated for all forms
  • Your custom modules respect these mechanisms

7. Payment security


  • Verify your payment modules are PCI DSS compliant
  • Enable 3D Secure (SCA) for card payments
  • Never store credit card data on your server

8. Web API and GraphQL


APIs are common attack vectors:


  • Limit API access by integration key
  • Enable rate limiting
  • Validate all GraphQL inputs

9. Logs and monitoring


  • Enable logging of failed login attempts
  • Use New Relic or equivalent for anomaly detection
  • Retain logs for at least 90 days

10. TLS/SSL certificate


  • Verify your certificate is valid and up to date
  • Use TLS 1.3 at minimum
  • Redirect all HTTP traffic to HTTPS

11. Captcha and anti-bot protection


Magento 2 includes Google reCAPTCHA v3. Make sure it is:


  • Enabled on login forms
  • Enabled on registration forms
  • Enabled on the forgot password form

12. Backups and recovery plan


  • Back up files and database daily
  • Store backups offsite (S3, etc.)
  • Test restoration at least once per quarter

13. Inactive user accounts


  • Audit admin accounts every month
  • Remove or disable inactive accounts
  • Check API integration account permissions

14. CSP (Content Security Policy)


  • Implement a strict CSP to prevent XSS attacks
  • Test in report mode before applying blocking mode
  • Use the Magento 2 CSP module

15. External vulnerability scanning


  • Use a vulnerability scanner (Sucuri, Qualys)
  • Conduct an annual penetration test (pentest)
  • Monitor CVE (Common Vulnerabilities and Exposures) publications

Your store's security is an ongoing process. I perform comprehensive security audits for Magento 2 and Adobe Commerce. Contact me to secure your site.