Baseline profile
Magento-specific Security and Maintenance Checks
Magebean reviews the Magento areas that commonly create security and operational risk: admin exposure, file permissions, production settings, risky modules, dependencies, cache, cron, logs, and third-party integrations.
This is the full Magento baseline view, designed for security reviews, maintenance planning, release checks, and weekly operational confidence.
What this baseline checks
The Magento-specific baseline runs across the full Magebean control catalog.
File and folder permissions
Magebean checks whether sensitive files and code paths are protected from unsafe write access or public exposure.
Examples:
- No chmod 777
- Secure app/etc/env.php permissions
- No executable code in media/upload paths
- No directory listing
- Webroot hygiene
Admin hardening
Magebean reviews common Magento admin security controls.
Examples:
- Non-default admin path
- Admin 2FA enabled
- Strong password policy
- Session timeout
- Admin exposure limits
- Login rate limiting
Secure coding practices
Magebean checks custom code for common risky patterns.
Examples:
- Raw SQL usage
- Missing escaping in PHTML templates
- Unsafe unserialize usage
- Command injection patterns
- Unsafe file upload handling
- Missing authorization checks
- Hardcoded secrets
HTTPS, TLS, cookies, and headers
Magebean reviews browser and transport security controls.
Examples:
- Force HTTPS
- HSTS enabled
- TLS 1.2 or higher
- Secure cookie flags
- No mixed content
- Security headers baseline
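The following is an added example, not Magebean code, of checking HSTS, cookie flags and a small headers baseline against a saved response header block such as the output of `curl -sI https://store.example/`. It runs offline on two constructed header sets, one as a typical unhardened store and one after remediation. The one-year HSTS threshold, the session cookie names (PHPSESSID and admin) and the choice of headers are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Magebean code): transport and cookie checks over a saved
# response header block. The HSTS threshold and cookie names are assumptions.

# Print one finding per line for the header file in $1.
http_hardening_check() {
  hdrs=$(tr -d '\r' < "$1")
  hsts=$(printf '%s\n' "$hdrs" | grep -i '^strict-transport-security:' || true)
  if [ -z "$hsts" ]; then
    echo "missing Strict-Transport-Security"
  else
    age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p' | head -n 1)
    [ "${age:-0}" -ge 31536000 ] || echo "HSTS max-age below one year (${age:-unset})"
  fi
  printf '%s\n' "$hdrs" | grep -qi '^x-content-type-options:[[:space:]]*nosniff' \
    || echo "missing X-Content-Type-Options: nosniff"
  printf '%s\n' "$hdrs" | grep -qiE '^(content-security-policy|x-frame-options):' \
    || echo "no framing protection (CSP or X-Frame-Options)"
  # Every cookie should be Secure; the session cookie must also be HttpOnly and
  # carry SameSite. form_key is read by storefront JS, so it is not HttpOnly.
  printf '%s\n' "$hdrs" | grep -i '^set-cookie:' | while IFS= read -r line; do
    name=$(printf '%s' "$line" | sed -n 's/^[^:]*:[[:space:]]*\([^=;]*\)=.*/\1/p')
    printf '%s' "$line" | grep -qi ';[[:space:]]*secure' || echo "cookie $name lacks Secure"
    case "$name" in
      PHPSESSID|admin)
        printf '%s' "$line" | grep -qi ';[[:space:]]*httponly' || echo "session cookie $name lacks HttpOnly"
        printf '%s' "$line" | grep -qi ';[[:space:]]*samesite=' || echo "session cookie $name lacks SameSite"
        ;;
    esac
  done
}

http_hardening_findings() {
  http_hardening_check "$1" | wc -l | tr -d ' '
}

# Constructed fixture: an unhardened store response.
write_weak_headers() {
  cat > "$1" <<'EOF'
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=9f2c1e7a; path=/; HttpOnly
Set-Cookie: form_key=Kd8s2Lq1; path=/
X-Frame-Options: SAMEORIGIN
EOF
}

# Constructed fixture: the same store after remediation.
write_hardened_headers() {
  cat > "$1" <<'EOF'
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Set-Cookie: PHPSESSID=9f2c1e7a; path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: form_key=Kd8s2Lq1; path=/; Secure; SameSite=Lax
EOF
}

tmp=$(mktemp)
write_weak_headers "$tmp";     echo "== weak ==";     http_hardening_check "$tmp"
write_hardened_headers "$tmp"; echo "== hardened =="; http_hardening_check "$tmp"
rm -f "$tmp"
```

The weak set yields five findings (no HSTS, no nosniff, the session cookie without Secure and SameSite, the form_key cookie without Secure); the hardened set yields none. Header checks only see what the edge returns, so run them against the public hostname that customers use, not the origin behind a CDN.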
Production mode and deployment hygiene
Magebean checks whether the Magento environment looks production-ready.
Examples:
- Magento in production mode
- Xdebug disabled
- Display errors off
- Static assets deployed
- Compiled DI enabled
- No development configs in production
Cache, indexing, and cron health
Magebean reviews Magento operational health signals that affect stability and security.
Examples:
- Full Page Cache enabled
- Redis or Varnish configured
- Indexers ready
- Hardened session storage
- Cron entries present
- Cron heartbeat healthy
- Cron backlog under control
Extension and dependency risk
Magebean checks Magento extensions and Composer dependencies for vulnerability and maintenance risks.
Examples:
- Known CVEs
- Core module advisories
- High-risk surface modules
- Abandoned extensions
- Archived repositories
- Composer audit issues
- Wildcard constraints
- Dev branches in production
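The script below is an added example, not Magebean code, of the manifest-level part of this list: wildcard constraints, dev branches or @dev stability flags, and a relaxed minimum-stability in composer.json. Known-CVE lookup is left to `composer audit` (available since Composer 2.4), which needs network access; these checks run offline against a constructed composer.json whose package names are made up for the example.

```shell
#!/bin/sh
# Added example (not Magebean code): manifest-level dependency checks on a
# composer.json. Pair with `composer audit` for advisory data.

# Print one finding per line for the composer.json in $1.
composer_manifest_check() {
  json="$1"
  # "*" accepts any version, including a future breaking or compromised release
  grep -nE '^[[:space:]]*"[^"]+/[^"]+"[[:space:]]*:[[:space:]]*"\*"' "$json" \
    | sed 's|^|wildcard constraint: |'
  # dev-<branch> or an @dev stability flag tracks a moving branch, not a release
  grep -nE '^[[:space:]]*"[^"]+/[^"]+"[[:space:]]*:[[:space:]]*"(dev-|[^"]*@dev)' "$json" \
    | sed 's|^|dev branch in production: |'
  # minimum-stability below "stable" lets the resolver pick pre-releases everywhere
  grep -nE '"minimum-stability"[[:space:]]*:[[:space:]]*"(dev|alpha|beta|RC)"' "$json" \
    | sed 's|^|relaxed stability: |'
}

composer_manifest_findings() {
  composer_manifest_check "$1" | wc -l | tr -d ' '
}

# Constructed composer.json with three kinds of problem.
write_composer_fixture() {
  cat > "$1" <<'EOF'
{
  "name": "acme/store",
  "require": {
    "magento/product-community-edition": "2.4.6-p4",
    "acme/checkout-extension": "*",
    "acme/feed-module": "dev-master",
    "acme/erp-sync": "1.2.*@dev"
  },
  "minimum-stability": "dev",
  "prefer-stable": true
}
EOF
}

tmp=$(mktemp)
write_composer_fixture "$tmp"
composer_manifest_check "$tmp"
rm -f "$tmp"
```

Check composer.lock as well as composer.json: the lock file records the exact commit a dev branch resolved to, which is what actually ships, and a wildcard in the manifest only becomes a problem when someone runs `composer update` without reviewing the diff.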
Third-party configuration security
Magebean reviews integration settings that may expose secrets, PII, or unsafe external communication.
Examples:
- No secrets in VCS
- HTTPS-only endpoints
- Webhook signature validation
- Outbound allowlist
- API keys stored safely
- Third-party logging sanitized
- SaaS integrations restricted by ACL
Sample command
./magebean.phar scan --path=/var/www/magento
# Or from the project root
./magebean.phar scan --path=.
Example output
Magebean Security Scan
Profile: Full Baseline
Target: /var/www/magento
Findings:
[CRITICAL] MB-R007 Admin 2FA is not enabled
[HIGH] MB-R002 app/etc/env.php permissions are too open
[HIGH] MB-R052 High-risk module surfaces detected
[MEDIUM] MB-R047 Cron heartbeat is stale
[MEDIUM] MB-R039 Indexers are not ready
How to use the result
The full baseline is best used as a repeatable Magento security and maintenance review.
- Run Magebean before release or during weekly maintenance.
- Review Critical and High findings first.
- Separate security issues from maintenance hygiene issues.
- Fix what can be fixed immediately.
- Document accepted risks where immediate remediation is not possible.
- Re-run the scan and compare the result over time.
Good fit for
- Weekly Magento maintenance
- Pre-release security checks
- Agency handoff reviews
- Merchant technical audits
- Production hardening reviews
- Dependency and extension risk review
- Operational confidence checks
A Magento store needs more than one-time hardening
Magento risk changes over time. New modules are installed, dependencies drift, admin settings change, cron jobs fail, logs grow, and checkout behavior evolves.
Magebean turns these checks into a repeatable baseline so teams can keep attention on the things that matter.