With security being top-of-mind for all responsible ecommerce merchants, vendors, and agencies, it is important to have the tools to detect any vulnerabilities that might exist on your site.

Related: Magento Commerce B2B release strengthens DEG’s ecommerce arsenal.

Magento has just released a tool that will check against its defined best practices and known/patched vulnerabilities and will notify you when a failure occurs. Getting set up is easy.

  1. Log into your Magento Account

If you do not have an account, creating an account is free at magento.com

  1. Agree to the Terms of Service

The terms of service boil down to the following, but please read them carefully.

  • Only scan things you have the license to scan.
  • You can’t blame Magento for anything the tool does.
  • Use the tool at your own risk.
  • Nothing is Magento’s fault.
  • Magento can cancel this tool at any time.

Magento’s Security Scan will check against defined best practices to notify users when a failure occurs.

Verify That You “Own” a Magento Site

To verify a site, you need to enter the site URL and set the given confirmation code onto the page. This can be done using the instructions given on the right.

Add site to security scan

Configure the Security Scans

It looks like the scans will continue to evolve with the option of a deeper level of scanning through SSH connections, which will look through your database and code for malware that may have been injected.

In this section, you can also set up the frequency of the scans and who gets the notification of scan results.

Scans will evolve with the option of a deeper level of scanning through SSH connections.

set up security scan

Run the Security Scan

If the scan is not run on a schedule, you can run the scan from the main security page. Under the Actions menu, select “Run Scan.” This will queue up a process that will run the scan. Once it is complete, it will appear as “complete” under the scan status. Running the scan one time is not good enough to ensure the security of your site. The scans should be run on a regular cadence so that any new security checks that Magento put in place will run against your site.

security scan monitored webistes

View the Security Scan Results

The scan results are split into two sections—failures and successes. If it is not obvious, you should pay close attention to the “Failed Scans” section and address those as soon as possible.

security scan failed scans report

successful security scans

To read more about Magento security, or to sign up for its security newsletter, visit its security page.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>


  • Kristian Pedersen

    Kristian Pedersen

    4 years
    Thanks for the guide. I recently inserted the code into the mis. script field under design, I just can't make it verify the code. It's a little strange. https://www.screencast.com/t/m7dhcdfeWdE A few days earlier, I inserted a Facebook pixel script the same place, it was verified instantly. You have any idea why Magento won't verify that code? Could it be a hosting issue of some kind? Thanks
    • Ben Robie

      4 years
      I don't see your code when I view the page source. My guess would be that 1) You didn't get it saved into the misc script (or it was under the wrong scope), or 2) You need to flush your cache. Good luck and let me know what you find.