Magento 2 Security Checklist

by , , revisited on

We have by far the largest RPM repository with NGINX module packages and VMODs for Varnish. If you want to install NGINX, Varnish, and lots of useful performance/security software with smooth yum upgrades for production use, this is the repository for you.
Active subscription is required.

When you prepare to launch your Magento 2 website, security is one of the primary areas of concern. Whether you plan to accept credit card data directly on your website, or on a payment provider’s pages – you are required to achieve PCI compliance.

Otherwise, you’ll find your business at risk of being banned from the use of payment gateways. And sure enough, that is simply a risk you can’t afford to take.

PCI compliance may seem a tricky subject because most of the material you can find online will lack concrete measures you have to take on a given server. I’m here to fix this 🙂

Let’s go through a quick security checklist for Magento 2 servers to give them the ultimate security lift without compromises.

1. Use a VPS or dedicated server

It is common knowledge that the shared hosting type is not secure. If you are hosted with Siteground, Bluehost, Godaddy, Dreamhost, etc. – there’s a big chance that you’re on a shared hosting plan.

Shared hosting plans are vulnerable to attacks coming from neighbor accounts on the same physical server. And of course, shared hosting is the worst thing for performance.

Transitioning away from shared to a VPS or dedicated server will yield security benefits and increased performance.

Recommendation: Linode VPS 4GB plan and plans above.

2. Run a secure OS with a minimal set of software

RHEL (or its free counterpart, CentOS) is great for running Magento 2. This operating system is known for its stability, and security fixes are backported to the stable versions regularly. What else to want?

Do not install any web panel like cPanel. This will ruin your performance and bring vulnerabilities. Running on the minimal stack is the most efficient and secure approach.

The de-facto standard stack for Magento 2 consists of this software:

  • Varnish
  • PHP-FPM 7.x/8.x (go with the highest your Magento 2 version supports)

If you run an older version of Magento 2 that only supports PHP 7.0, be sure to upgrade to the latest Magento. PHP 7.0 is “End of Life” and should be avoided.

2. Use ModSecurity

With the arrival of libmodsecurity, you can, and should, use the NGINX ModSecurity connector module. It is now easy to install ModSecurity to your existing NGINX installation.

This is your shield from incoming attacks.

3. Use Security Headers

Security headers are the ones present in the HTTP response of your website. They are typically used to protect from XSS attacks.

Recommendation: score at least B with SecurityHeaders test. Make sure to only add the necessary headers to non-HTML file headers. More info here. You can use ngx_security_headers module to do it.

4. Remove Software HTTP Headers

It is not enough to hide server version information. The best path is having no information disclosure done by HTTP headers.

Recommendation: remove Server header and any other headers which directly report the software you use. The ngx_security_headers module mentioned earlier is up for the task as well.

5. pub is your webroot

Setup your web server’s web root to point to the pub directory of your Magento 2 installation. This will ensure that the only entry point PHP files required for running Magento will be accessible for public access:


root /path/to/m2;


root /path/to/m2/pub;

6. Whitelist allowed PHP files

To complement the previous item, ensure that only a whitelisted set of .php files can be run from your web root directory.


location ~ \.php {


location ~ ^/(index|get|static|errors/report|errors/404|errors/503|health_check)\.php$ {

7. Install and use CLI security scanners

If you happen to install a plugin with a vulnerable upload endpoint, software like Malware Detect is capable of finding the breach and quarantine the offending script.

This is your server’s “immune system”.

Additional scanners are recommended for Magento 2:

8. Run Magento 2 under special user

Follow the basic principles of the proper NGINX and PHP-FPM permissions model.
You have to allocate a special Linux user account on your server that will own and “run” Magento files. That same user account will be the one that the PHP-FPM pool runs under.

Bad /etc/php-fpm.d/some.conf:

listen.owner = nginx
listen.group = nginx

Bad /etc/php-fpm.d/some.conf:

listen.owner = www-data
listen.group = www-data

Good /etc/php-fpm.d/some.conf:

listen.owner = magento2
listen.group = magento2

All files of your Magento website have to be owned by that user.

Bad listing (ls -al /path/to/m2):

-rw-rw----   1 nginx nginx     1370 Nov  7  2018 index.php
drwxrwx---   4 nginx nginx     4096 Oct 25  2018 lib
-rw-rw----   1 nginx nginx     10376 Oct 25  2018 LICENSE_AFL.txt
-rw-rw----   1 nginx nginx     10364 Oct 25  2018 LICENSE.txt

Good listing (ls -al /path/to/m2):

-rw-rw----   1 magento2 magento2     1370 Nov  7  2018 index.php
drwxrwx---   4 magento2 magento2     4096 Oct 25  2018 lib
-rw-rw----   1 magento2 magento2    10376 Oct 25  2018 LICENSE_AFL.txt
-rw-rw----   1 magento2 magento2    10364 Oct 25  2018 LICENSE.txt

9. Secure Magento 2 admin area using IP whitelisting

NGINX allows you to easily set up IP whitelisting for your Magento 2 admin area.

10. Work with trusted developers and set up Git workflow

It is crucial to work with trusted web developers. You also must:

  • set up a Git workflow for pushing changes
  • disallow any allow direct changes on the live website by developers

Otherwise, you may end up with developer-made malware like magento1-core-observer.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.