Baseline profile

Magento-specific Security and Maintenance Checks

Magebean reviews the Magento areas that commonly create security and operational risk: admin exposure, file permissions, production settings, risky modules, dependencies, cache, cron, logs, and third-party integrations.

This is the full Magento baseline view, designed for security reviews, maintenance planning, release checks, and weekly operational confidence.

What this baseline checks

The Magento-specific baseline runs across the full Magebean control catalog.

File and folder permissions

Magebean checks whether sensitive files and code paths are protected from unsafe write access or public exposure.

Examples:

- No chmod 777
- Secure app/etc/env.php permissions
- No executable code in media/upload paths
- No directory listing
- Webroot hygiene

Admin hardening

Magebean reviews common Magento admin security controls.

Examples:

- Non-default admin path
- Admin 2FA enabled
- Strong password policy
- Session timeout
- Admin exposure limits
- Login rate limiting

Secure coding practices

Magebean checks custom code for common risky patterns.

Examples:

- Raw SQL usage
- Missing escaping in PHTML templates
- Unsafe unserialize usage
- Command injection patterns
- Unsafe file upload handling
- Missing authorization checks
- Hardcoded secrets

HTTPS, TLS, cookies, and headers

Magebean reviews browser and transport security controls.

Examples:

- Force HTTPS
- HSTS enabled
- TLS 1.2 or higher
- Secure cookie flags
- No mixed content
- Security headers baseline

Production mode and deployment hygiene

Magebean checks whether the Magento environment looks production-ready.

Examples:

- Magento in production mode
- Xdebug disabled
- Display errors off
- Static assets deployed
- Compiled DI enabled
- No development configs in production

Cache, indexing, and cron health

Magebean reviews Magento operational health signals that affect stability and security.

Examples:

- Full Page Cache enabled
- Redis or Varnish configured
- Indexers ready
- Hardened session storage
- Cron entries present
- Cron heartbeat healthy
- Cron backlog under control

Extension and dependency risk

Magebean checks Magento extensions and Composer dependencies for vulnerability and maintenance risks.

Examples:

- Known CVEs
- Core module advisories
- High-risk surface modules
- Abandoned extensions
- Archived repositories
- Composer audit issues
- Wildcard constraints
- Dev branches in production

Third-party configuration security

Magebean reviews integration settings that may expose secrets, PII, or unsafe external communication.

Examples:

- No secrets in VCS
- HTTPS-only endpoints
- Webhook signature validation
- Outbound allowlist
- API keys stored safely
- Third-party logging sanitized
- SaaS integrations restricted by ACL

Sample command

./magebean.phar scan --path=/var/www/magento

# Or from the project root
./magebean.phar scan --path=.

Example output

Magebean Security Scan
Profile: Full Baseline
Target: /var/www/magento

Findings:
  [CRITICAL] MB-R007 Admin 2FA is not enabled
  [HIGH] MB-R002 app/etc/env.php permissions are too open
  [HIGH] MB-R052 High-risk module surfaces detected
  [MEDIUM] MB-R047 Cron heartbeat is stale
  [MEDIUM] MB-R039 Indexers are not ready

How to use the result

The full baseline is best used as a repeatable Magento security and maintenance review.

  1. Run Magebean before release or during weekly maintenance.
  2. Review Critical and High findings first.
  3. Separate security issues from maintenance hygiene issues.
  4. Fix what can be fixed immediately.
  5. Document accepted risks where immediate remediation is not possible.
  6. Re-run the scan and compare the result over time.
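An added example, not Magebean's own code: a small Python script that parses report text in the shape shown under "Example output" and compares two runs, so that Critical and High findings are listed first (step 2) and new, fixed, and unchanged rules are separated when comparing results over time (step 6). The two sample reports are constructed for this example, and MB-R999 is a placeholder rule id rather than a real Magebean rule.

```python
import re
from collections import Counter

# Review priority for step 2 above: Critical and High first.
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFO": 4}

# One finding line in the shape shown under "Example output":
#   [HIGH] MB-R002 app/etc/env.php permissions are too open
FINDING_RE = re.compile(r"^\s*\[(?P<sev>[A-Z]+)\]\s+(?P<rule>MB-R\d+)\s+(?P<msg>.+?)\s*$")
# Constructed sample reports: the first copies the page's example output,
# the second is an assumed later run. MB-R999 is a placeholder id, not a real rule.
PREVIOUS_SCAN = """\
Magebean Security Scan
Findings:
  [CRITICAL] MB-R007 Admin 2FA is not enabled
  [HIGH] MB-R002 app/etc/env.php permissions are too open
  [HIGH] MB-R052 High-risk module surfaces detected
  [MEDIUM] MB-R047 Cron heartbeat is stale
  [MEDIUM] MB-R039 Indexers are not ready
"""
CURRENT_SCAN = """\
Findings:
  [HIGH] MB-R052 High-risk module surfaces detected
  [HIGH] MB-R999 Placeholder finding constructed for this example
  [MEDIUM] MB-R047 Cron heartbeat is stale
"""


def parse_findings(report: str) -> dict[str, tuple[str, str]]:
    """Map rule id -> (severity, message); non-finding lines are ignored."""
    findings = {}
    for line in report.splitlines():
        m = FINDING_RE.match(line)
        if m:
            findings[m.group("rule")] = (m.group("sev"), m.group("msg"))
    return findings


def severity_counts(report: str) -> Counter:
    """Count findings per severity, for a quick Critical/High triage view."""
    return Counter(sev for sev, _ in parse_findings(report).values())


def compare_scans(previous: str, current: str) -> dict[str, list[str]]:
    """Rule ids that are new, fixed, or unchanged between two runs, severity-first."""
    before, after = parse_findings(previous), parse_findings(current)
    merged = {**before, **after}
    key = lambda rule: (SEVERITY_ORDER.get(merged[rule][0], 99), rule)
    return {
        "new": sorted(after.keys() - before.keys(), key=key),
        "fixed": sorted(before.keys() - after.keys(), key=key),
        "unchanged": sorted(before.keys() & after.keys(), key=key),
    }
```

Feed it the saved output of two real runs to get a severity-ordered list of what was fixed, what regressed, and what is still open for the accepted-risk log.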

Good fit for

  • Weekly Magento maintenance
  • Pre-release security checks
  • Agency handoff reviews
  • Merchant technical audits
  • Production hardening reviews
  • Dependency and extension risk review
  • Operational confidence checks

A Magento store needs more than one-time hardening

Magento risk changes over time. New modules are installed, dependencies drift, admin settings change, cron jobs fail, logs grow, and checkout behavior evolves.

Magebean turns these checks into a repeatable baseline so teams can keep attention on the things that matter.