Magento Security - complete overview

by Sansec

Published in Guides

One in five Magento stores gets hacked each year. Implement these best practices to keep your store and your customers safe!

Sansec has investigated Magento breaches since 2015. We run the largest eCommerce forensics practice in the world and take apart dozens of hacked stores every week. This guide distills what we see in those investigations into the controls that actually keep attackers out.

Magento is powerful and flexible, and that complexity is exactly what attackers target. A default install is not safe by itself. The stores that stay clean are the ones that patch fast, lock down admin access and watch their own files.

How Magento stores get hacked

These are the attacks we see most often in our incident response work.

  1. Unpatched core vulnerabilities. Attackers weaponize Adobe security releases within hours of publication. SessionReaper (CVE-2025-54236), an unauthenticated remote code execution flaw, was used in automated attacks against more than half of all stores worldwide. PolyShell lets attackers upload executable files through the REST API, and we have seen exploitation attempts against 79.5% of stores. Earlier, merchants who waited more than two weeks to apply the June 2024 patch had their crypt keys stolen through CosmicSting, which we confirmed on more than 4,200 stores. With a crypt key, an attacker mints an admin API token, exports customer data and injects skimmers into CMS blocks.

  2. Template code execution. The TrojanOrder attack runs arbitrary code by abusing Magento's email template parsing. Adobe fixed it in 2022. We still find newly hacked stores running the vulnerable code years later. An attacker places a crafted order, and the malicious payload fires when the confirmation email renders.

  3. Outdated system libraries. An attack that initially yields only read access (for example, to the database) often escalates to full server access through outdated Linux libraries such as glibc. Attackers chain this to drop backdoors directly on the host.

  4. Stolen or guessed admin passwords. Leaked and reused credentials let attackers log straight into the admin panel. Weak passwords and missing two-factor authentication turn a credential leak into a full breach.

  5. Vulnerable third party extensions. Most stores run dozens of extensions, and that code is rarely audited. Skimmers and webshells hide in extension files and writable directories, where no version check will find them.

The targets are not small. Sansec has cleaned up breaches at Swatch, Ray-Ban, Cisco, Carlsberg, Segway, Whirlpool and many other well-known brands.

Best practices for Magento security

1. Patch within days, not weeks

Apply every Adobe security release as soon as it ships. Attackers reverse engineer patches the same day, so a store that waits two weeks is a store that gets hit. Track the Adobe security bulletins and treat each one as urgent.

2. Enforce two-factor authentication

Turn on Magento's built-in two-factor authentication for every admin account. Require strong, unique passwords. If you suspect a leak, reset all admin passwords at once.

3. Lock down admin access

Restrict the admin panel to known IP addresses where possible, and rename the default admin path. Use role-based permissions so each staff member only gets the access they need.

4. Keep the host system updated

A patched Magento on an outdated server is still exploitable. Keep the operating system, PHP and libraries like glibc current so a database-level flaw cannot escalate to code execution.

5. Scan your files for malware

Adobe's free scan only checks core Magento and runs from the outside. It cannot see private extension code or writable directories, which is where most malware lives. Run eComscan on the server to detect skimmers, backdoors and known vulnerable extensions across the full codebase.

6. Block attacks in real time

Sansec Shield stops exploitation attempts before they reach Magento, including attacks on flaws you have not patched yet. It buys you time when a critical release lands during business hours.

7. Set a Content Security Policy

A Content Security Policy limits which scripts the browser will run and stops many skimmers from exfiltrating card data even after an injection. See our Magento CSP guide.

8. Monitor and back up

Watch admin logins and file changes for anything unexpected, and keep automated off-site backups so you can recover fast after an incident.
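The file-change watch above, and the earlier point that skimmers and webshells hide in writable directories, as an added example (not Sansec's or Magento's code): it snapshots SHA-256 hashes of a store's files, diffs two snapshots, and flags code files that appear where only data should live. The writable directory names `pub/media`, `var` and `generated` are assumed from a standard Magento 2 layout.

```python
import hashlib
from pathlib import Path

# Directories a Magento 2 install keeps writable (assumed layout, for
# illustration). New PHP under these paths is a classic webshell sign.
WRITABLE_DIRS = ("pub/media", "var", "generated")
CODE_SUFFIXES = (".php", ".phtml", ".phar")


def baseline_hashes(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    hashes = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            hashes[path.relative_to(root).as_posix()] = digest
    return hashes


def diff_baselines(old, new):
    """Return (added, modified, removed) relative paths between two snapshots."""
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    modified = sorted(p for p in new if p in old and old[p] != new[p])
    return added, modified, removed


def suspicious_paths(paths):
    """Flag code files sitting in directories that should only hold data."""
    flagged = []
    for p in paths:
        in_writable = any(p == d or p.startswith(d + "/") for d in WRITABLE_DIRS)
        if in_writable and p.lower().endswith(CODE_SUFFIXES):
            flagged.append(p)
    return flagged


def check_store(root, previous):
    """One monitoring run: hash the tree, diff against the stored snapshot,
    and return the new snapshot plus a report to alert on."""
    current = baseline_hashes(root)
    added, modified, removed = diff_baselines(previous, current)
    report = {"added": added, "modified": modified, "removed": removed,
              "suspicious": suspicious_paths(added + modified)}
    return current, report
```

Run `baseline_hashes` once after a clean deploy, persist the dict somewhere the web server cannot write, and call `check_store` from cron; any non-empty `suspicious` list, or a change outside a deploy window, deserves a look.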

Conclusion

Magento security comes down to speed and visibility: patch before attackers exploit, and know what is in your files. Combine prompt patching, locked-down admin access and server-side scanning to keep your store off our forensics caseload.
