Written by

Ramesh Bhudia

Ecommerce Specialist

Securing your Magento 2 website is paramount to safeguarding sensitive information. Let’s dive into comprehensive measures to fortify your eCommerce fortress.


1. Stay Updated

Regularly update Magento to benefit from the latest security enhancements. Check your version’s support status, conveniently displayed at the bottom right of your Admin Panel. Magento releases security patches for supported versions, ensuring protection against evolving threats.


2. Principle of Least Privilege

Adopt the principle of least privilege by limiting user access to essential tasks. In your Admin Panel, navigate to System > Permissions > User Roles to set role-based access. Then, assign roles to users in System > Permissions > All Users. This mitigates potential damage from accidental misconfigurations or malicious intent.


3. Change Admin URL

Enhance security by customizing your Admin URL. In Stores > Settings > Configuration > Advanced > Admin > Admin Base URL, set a unique URL. This minimizes the risk of brute force attacks, as default URLs are well-known and easily targeted.


4. Admin IP Restriction

Control Admin Portal access by restricting it to approved IP addresses. Discuss potential challenges with remote work or dynamic IP addresses with your agency or hosting provider to strike a balance between security and accessibility.


5. Password & 2FA

Prioritize strong password practices, including at least 12 characters with a combination of uppercase, lowercase, numbers, and special characters. Utilize password generator tools like LastPass for added security. While Magento no longer provides an inbuilt 2 Factor Authentication Module, consider installing a separate one for an additional layer of protection.


6. Minimise Extensions

Extensions, while beneficial, can pose security risks. Keep only essential extensions to reduce the attack surface, making it easier to manage updates and patches. Refer to a detailed guide on extensions for more insights.


7. 3rd Party Access

Grant access to 3rd parties selectively and promptly revoke it after tasks are completed. Forgotten access can be a potential vulnerability. Stay vigilant to manage access effectively.


8. Retain Logs and Backups

Prepare for the worst-case scenario by retaining logs and creating backups. Collaborate with your agency or hosting provider to establish an effective backup strategy, potentially leveraging hosting providers that offer backup services.


9. Managed Servers

Ensure server security, a critical aspect of overall website protection. Regularly update servers with the latest versions, ideally managed by your hosting provider. Engage someone proficient in server management to oversee this crucial aspect.


10. Firewall Protection

Invest in a robust firewall to control access and defend against unauthorised entry. A firewall acts as a gatekeeper, determining who gets through and adding an extra layer of protection to your site.


Signs of a Hack

Watch for signs such as unexpected behavior, slow performance, unexplained errors, frequent crashes, new and unauthorized users, unfamiliar content, unexpected redirects, and suspicious scripts or code. Customer complaints about suspicious emails or unauthorized transactions may also indicate a security breach.



As the merchant, you are ultimately responsible for your store’s security. Stay actively involved, even with trusted developers and agencies. Regularly assess and audit your Website Security Protocol to maintain a proactive stance against potential threats.


For a comprehensive Website Security Protocol audit, feel free to get in touch. We’re here to help you ensure the security and resilience of your Magento 2 website. 🛡️

Want to discuss your website?

Email or call me. What if I can help?