12 Ways to Improve Magento 2 Security and Performance
CEO at Elogic Commerce
CEO and Co-Founder at eLogic Commerce
Vice president of International affairs at
Co-founder and chairman at Chernivtsi IT
Participant in international business programs in Sweden and Norway
1. Environment settings: PHP
2. Job Queue
3. DB solutions: Scaling
4. Client side features
5. Advanced caching
6. Image compression, CDN
7. Profiling instruments for code optimization
8. Catalog search optimization
10. Secure workflow/deployment
11. Server side logging configuration
12. Best practices of application configuration for security purposes
Recommended list of extensions
Environment Settings: PHP
Sufficient memory_limit: 768MB
XDebug adds an extra 20% to response time
OpCache with recommended settings:
- enough memory to fit the code (opcache.memory_consumption 512MB)
- opcache.max_accelerated_files
- opcache.validate_timestamps / opcache.consistency_checks
Note: maximum performance is achieved only if OpCache is enabled.
php-gd | php-imagick
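As an added example (not from the deck), here is a POSIX shell audit that reads a php.ini fragment and reports where it falls short of the settings listed above. The opcache.max_accelerated_files threshold (60000) and the production values for opcache.validate_timestamps and opcache.consistency_checks (both 0) are my assumptions; the deck names those directives but gives no values. Both ini fragments below are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the slide deck: audit a php.ini fragment against the
# PHP settings the deck recommends (memory_limit 768M, no XDebug in production,
# OpCache enabled with 512M). The 60000 threshold for max_accelerated_files and the
# production value 0 for validate_timestamps/consistency_checks are assumptions,
# not figures from the deck. The two ini fragments are constructed samples.

SAMPLE_INI='memory_limit = 512M
zend_extension = opcache.so
zend_extension = xdebug.so
opcache.enable = 1
opcache.memory_consumption = 256
opcache.max_accelerated_files = 4000
opcache.validate_timestamps = 1
opcache.consistency_checks = 0'

HARDENED_INI='memory_limit = 768M
zend_extension = opcache.so
opcache.enable = 1
opcache.memory_consumption = 512
opcache.max_accelerated_files = 60000
opcache.validate_timestamps = 0
opcache.consistency_checks = 0'

# ini_value NAME INI_TEXT: print the last value assigned to NAME (empty if unset).
# NAME is used as a sed regex, so escape dots: 'opcache\.enable'
ini_value() {
    printf '%s\n' "$2" |
        sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p" |
        tail -n 1
}

# to_mb SIZE: integer megabytes for PHP shorthand sizes (768M, 1G, 512K) or plain bytes
to_mb() {
    case "$1" in
        *[Gg]) echo $(( ${1%[Gg]} * 1024 )) ;;
        *[Mm]) echo "${1%[Mm]}" ;;
        *[Kk]) echo $(( ${1%[Kk]} / 1024 )) ;;
        -1)    echo 1048576 ;;              # "unlimited": treat as very large
        *)     echo $(( $1 / 1048576 )) ;;
    esac
}

# audit_php_ini INI_TEXT: print one line per deviation from the recommended settings
audit_php_ini() {
    ini="$1"
    mem=$(ini_value memory_limit "$ini")
    [ "$(to_mb "${mem:-128M}")" -ge 768 ] ||
        echo "memory_limit=${mem:-unset}: below the recommended 768M"
    if printf '%s\n' "$ini" | grep -qi '^[[:space:]]*zend_extension.*xdebug'; then
        echo "xdebug is loaded: about 20% slower responses, disable it in production"
    fi
    [ "$(ini_value 'opcache\.enable' "$ini")" = "1" ] ||
        echo "opcache.enable is not 1: OpCache is required for full performance"
    oc_mem=$(ini_value 'opcache\.memory_consumption' "$ini")
    [ "${oc_mem:-0}" -ge 512 ] ||
        echo "opcache.memory_consumption=${oc_mem:-unset}: below 512M, code may not fit"
    files=$(ini_value 'opcache\.max_accelerated_files' "$ini")
    [ "${files:-0}" -ge 60000 ] ||
        echo "opcache.max_accelerated_files=${files:-unset}: below the assumed 60000"
    [ "$(ini_value 'opcache\.validate_timestamps' "$ini")" = "0" ] ||
        echo "opcache.validate_timestamps is not 0: a stat() per file on every request"
    [ "$(ini_value 'opcache\.consistency_checks' "$ini")" = "0" ] ||
        echo "opcache.consistency_checks is not 0: a checksum per file on every request"
    return 0
}

# audit_count INI_TEXT: number of findings; 0 means the fragment meets the recommendations
audit_count() { audit_php_ini "$1" | wc -l | tr -d ' '; }

# Usage on a live host (conf.d drop-ins are not merged, pass their concatenation too):
#   audit_php_ini "$(cat "$(php --ini | sed -n 's/^Loaded Configuration File: *//p')")"
```

The audit reads only the text you hand it, so it can run in CI against the php.ini kept in the repository before the image is built, which is where a forgotten xdebug.so or a 128M memory_limit is cheapest to catch.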
Integration with RabbitMQ.
Available only in Enterprise Edition.
Asynchronous job execution
DB Solutions: Scaling (EE)
[Diagram: Main (Catalog) database]
Available only in Magento 2
DB Solutions: Scaling (EE)
Adding a Slave database:
CLI: magento setup:db-schema:add-slave
Moving a separate part to a separate master database:
CLI: magento setup:db-schema:split-quote
CLI: magento setup:db-schema:split-sales
Configuration: Client side features
Minification (CSS, JS, HTML)
JS resources bundling
Caching of static content
CLI: magento catalog:images:resize
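The client-side settings above, as an added shell example that is not part of the deck: it applies minification, JS bundling and static content caching through Magento 2's own CLI. The dev/* config paths are Magento core paths; reading "caching of static content" as static file signing (dev/static/sign) is my interpretation. Set DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the slide deck: turn on the client-side optimisations the
# deck lists (CSS/JS/HTML minification, JS bundling, static content caching) with
# Magento 2's CLI. The dev/* paths are Magento core config paths; treating
# "caching of static content" as static file signing (dev/static/sign, cache-busting
# URLs) is my interpretation. --lock-env stores the values in app/etc/env.php so the
# admin panel cannot silently revert them. DRY_RUN=1 prints instead of running.

MAGENTO="${MAGENTO:-php bin/magento}"

# run CMD ARGS...: execute the command, or print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# client_side_settings: the config paths and values to apply, one "path value" per line
client_side_settings() {
    cat <<'EOF'
dev/css/minify_files 1
dev/js/minify_files 1
dev/template/minify_html 1
dev/js/enable_js_bundling 1
dev/static/sign 1
EOF
}

# apply_client_side: write every setting, then switch to production mode, which
# compiles and deploys the minified/bundled static content as part of the mode change
apply_client_side() {
    client_side_settings | while read -r path value; do
        run $MAGENTO config:set --lock-env "$path" "$value"
    done
    run $MAGENTO deploy:mode:set production
    run $MAGENTO catalog:images:resize   # pre-generate product image sizes (deck item 6)
    run $MAGENTO cache:flush
}

# settings_count: how many config paths this script manages
settings_count() { client_side_settings | wc -l | tr -d ' '; }

# Usage from the Magento root:  DRY_RUN=1 . ./client_side.sh; apply_client_side
```

Bundling and minification only take effect in production mode, which is why the mode switch follows the config writes rather than preceding them.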
Magento 2 EE provides support for Solr, a robust catalog search engine.
Elasticsearch exposes a RESTful web interface and works with schema-free JSON documents. Merchants prefer this search engine because it offers real-time search, high scalability, and enterprise-
The owner of the Magento file system:
- Must have full control (read/write/execute) of all files and directories.
- Must not be the web server user; it should be a different user.
The web server user must have write access to the following files and directories: var, app/etc, pub
In addition, the web server's group must own the Magento file system so that the Magento user (who is in the group) can share access to files with the web server user.
All directories have 770 permissions. 770 permissions give full control (that is, read/write/execute) to the owner and to the group and no permissions to anyone else.
All files have 660 permissions. 660 permissions mean the owner and the group can read and write, but other users have no permissions.
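The ownership and permission model above, as an added shell example that is not part of the deck: harden_perms applies 770 to directories and 660 to files (and hands ownership to MAGENTO_USER:WEB_GROUP when those two placeholder variables are set, which needs root), while perm_violations and world_readable verify the result. The miniature Magento tree is constructed for the dry run.

```shell
#!/bin/sh
# Added example, not from the slide deck: apply and verify the ownership/permission
# model the deck describes (owner = deploy user, group = web server group,
# directories 770, files 660). The web server's write access to var, app/etc and
# pub comes from its group membership. MAGENTO_USER / WEB_GROUP are placeholders;
# chown runs only when both are set, because it needs root.

# harden_perms ROOT: 770 on directories, 660 on files, optional owner:group hand-over
harden_perms() {
    root="$1"
    if [ -n "${MAGENTO_USER:-}" ] && [ -n "${WEB_GROUP:-}" ]; then
        chown -R "$MAGENTO_USER:$WEB_GROUP" "$root"
    fi
    find "$root" -type d -exec chmod 770 {} +
    find "$root" -type f -exec chmod 660 {} +
}

# perm_violations ROOT: count entries that deviate from the model (0 = compliant)
perm_violations() {
    root="$1"
    d=$(find "$root" -type d ! -perm 770 | wc -l | tr -d ' ')
    f=$(find "$root" -type f ! -perm 660 | wc -l | tr -d ' ')
    echo $(( d + f ))
}

# world_readable ROOT: files that "other" can read; app/etc/env.php (DB credentials
# and crypt key) must never show up here
world_readable() { find "$1" -type f -perm -004; }

# make_sample_tree DIR: constructed miniature Magento tree with typical bad modes
make_sample_tree() {
    mkdir -p "$1/app/etc" "$1/var/log" "$1/pub/static" "$1/bin"
    printf '<?php return [];\n' > "$1/app/etc/env.php"
    : > "$1/var/log/system.log"
    : > "$1/pub/static/.htaccess"
    printf '#!/usr/bin/env php\n' > "$1/bin/magento"
    chmod 644 "$1/app/etc/env.php"   # world-readable secrets before hardening
    chmod 755 "$1/bin/magento"
}

# Usage from a shell that sourced this file:
#   MAGENTO_USER=magento WEB_GROUP=www-data harden_perms /var/www/magento
#   perm_violations /var/www/magento     # expect 0
#   world_readable /var/www/magento      # expect no output
```

With every file at 660 the CLI is invoked as php bin/magento rather than ./bin/magento, which is what the deck's own "CLI: magento ..." lines already assume. perm_violations is cheap enough to run from a cron job or a deploy hook, so a chmod 777 applied in a hurry is noticed rather than inherited by the next release.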
Limit access to the production server, ideally through CI, so that nobody has direct access to the live container
Limit admin access (use different roles)
Only one person should have access to merging commits and deploying them to the live environment
Purchase extensions from verified extension providers
Configure logging so that it detects all suspicious activity on your server
Configure the firewall
Use Fail2Ban to ban the sources of suspicious activity on your server
Change the default admin URL path
Change the default downloader URL path
Use only secure communication protocols (SSH/SFTP/HTTPS)
Use strong, long, and unique passwords, and change them periodically.
Install patches immediately when new security issues are discovered.
One more thing
Close all of the unnecessary ports on your server
Restrict SSH access by IP
Use a password manager such as LastPass or PassPack to store passwords securely
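The firewall, Fail2Ban, admin URL and SSH-by-IP items from the two slides above, as one added shell example that is not part of the deck. ADMIN_IP (203.0.113.10), the jail timings and the admin path name are placeholders; the auth.log lines are constructed. apply_firewall, write_fail2ban_jail and set_admin_path need root or a Magento root and a host with ufw, fail2ban and Magento installed; count_ssh_failures and ban_candidates are the offline part and show which sources the sshd jail would ban at the configured maxretry.

```shell
#!/bin/sh
# Added example, not from the slide deck: firewall (ufw), Fail2Ban sshd jail, admin
# URL change and SSH restricted to one address. ADMIN_IP and the jail numbers are
# placeholders; SAMPLE_AUTH_LOG is constructed. The ufw/fail2ban/magento commands
# need root or a Magento root; the log functions run anywhere.

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"   # placeholder: the only address allowed to SSH
MAXRETRY=3

# apply_firewall: default-deny inbound, web ports open, SSH only from ADMIN_IP
apply_firewall() {
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow 80/tcp
    ufw allow 443/tcp
    ufw allow from "$ADMIN_IP" to any port 22 proto tcp
    ufw --force enable
}

# write_fail2ban_jail [DIR]: enable the stock sshd jail with tighter limits;
# DIR defaults to /etc/fail2ban, a temp dir lets you inspect the output first
write_fail2ban_jail() {
    dir="${1:-/etc/fail2ban}"
    cat > "$dir/jail.local" <<EOF
[DEFAULT]
bantime  = 3600
findtime = 600
maxretry = $MAXRETRY
ignoreip = 127.0.0.1/8 $ADMIN_IP

[sshd]
enabled = true
EOF
}

# set_admin_path NAME: move the admin panel off the default /admin path;
# NAME is chosen by the operator (placeholder, run from the Magento root)
set_admin_path() {
    php bin/magento setup:config:set --backend-frontname="$1"
}

# Constructed sample of /var/log/auth.log lines in sshd's format
SAMPLE_AUTH_LOG='Mar  3 10:00:01 shop sshd[2011]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  3 10:00:04 shop sshd[2012]: Failed password for invalid user admin from 198.51.100.7 port 40123 ssh2
Mar  3 10:00:07 shop sshd[2013]: Failed password for root from 198.51.100.7 port 40124 ssh2
Mar  3 10:00:09 shop sshd[2014]: Failed password for invalid user test from 198.51.100.7 port 40125 ssh2
Mar  3 10:01:00 shop sshd[2020]: Failed password for deploy from 203.0.113.10 port 51000 ssh2
Mar  3 10:01:05 shop sshd[2021]: Accepted publickey for deploy from 203.0.113.10 port 51001 ssh2'

# count_ssh_failures LOG_TEXT: "count ip" per source address, highest count first
count_ssh_failures() {
    printf '%s\n' "$1" |
        awk '/sshd\[[0-9]+\]: Failed password for/ {
                 for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++
             }
             END { for (ip in c) print c[ip], ip }' |
        sort -rn
}

# ban_candidates LOG_TEXT: sources at or above MAXRETRY that are not the allowed address
ban_candidates() {
    count_ssh_failures "$1" |
        awk -v max="$MAXRETRY" -v allow="$ADMIN_IP" '$1 >= max && $2 != allow { print $2 }'
}
```

Running count_ssh_failures over yesterday's auth.log before enabling the jail is a quick sanity check of the chosen maxretry: the deploy address should appear with a handful of failures at most, and anything else above the threshold is what Fail2Ban will start banning as soon as the jail is live.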
8/ - How to configure Magento with http/2
https://elogic.co/blog/magento-security-lifehacks/ - Magento security
https://github.com/magento/magento2-zray - Magento2 z-ray plugin
bulletproof-your-magento-security - 22 Ways to bulletproof your magento