How to Install Magento 2 Security Patches?
Security patches are released to protect Magento stores from possible attacks.
Around 62% of Magento stores may have at least one security issue.
The common issues are caused by outdated versions and not installing security patches.
The Magento team quickly develops a patch to fix the version when a vulnerability is found.
This tutorial explains how to install security patches in Magento 2.
What Is Magento Security Patch?
A Magento security patch is a piece of code that fixes security loopholes.
The patch acts as a software upgrade to fix bugs and improve security.
Installing the Magento patch ensures the site is protected against potential exploits.
Magento releases updates quarterly for Magento Commerce and Magento Open Source.
You can also expect quick releases for high-security threats based on priority.
There are two types of Patches in Magento:
- Official Patches - patches published on Magento Security Center.
- Custom Patches -These patches are available to download from a git commit.
What is a SUPEE Patch
SUPEE Security Timeline
A Decade of Defending Magento Stores Against Evolution of Threats
SUPEE-11346
Final major security patch coinciding with Magento 1 end-of-life, addressing multiple critical vulnerabilities
SUPEE-11219
Critical security update addressing triple threat vulnerability combination
Triple Threat Combo
Critical Insight
These patches cover versions from 2011's 1.5.0.0 to 2020's 1.9.4.4, meaning thousands of legacy Magento 1 stores still in operation are vulnerable without them. With Magento 1's end-of-life status, no new patches are forthcoming—making these final updates critical for any remaining M1 installations.
A SUPEE patch has a self-installing script that contains updates to all the security issues.
The SUPEE patch comes with a number at the end, such as SUPEE -11346.
The patch details are posted on Magento’s official website. It describes what the patch does for the version and the vulnerability it solves.
The patch files contain the code to update the existing Magento code files.
Why are Magento 2 Security Patches Essential
4 Horsemen of Unpatched Magento
From Customer Theft to Total Blackout - Each Threat Can Trigger Business Failure
Average Retail Data Breach Cost: $3.86 Million
Quarterly patches leave stores exposed 25-50% of each quarter when delayed 30-60 days
Security patches act as a first-line defense against several cyber attacks. Without the patches, your store is at high risk for data breaches like-
1. Credit card information
Customers can get their credit card data stolen. Payment integrations like PayPal and Stripe and other third-party Magento 2 extensions are susceptible to attacks.
2. Ransomware
Ransomware is malicious software that encrypts your code. It denies access to your system until you pay the hackers.
3. Web server attacks
The server hosting your website can get compromised by hackers. It can be sending traffic bots to block genuine traffic, spamming, and so on.
4. Malware
Malware damaging your site as well as the visitors. The website can get blocked by search engines until the security is restored.
It can lead to profit loss and brand reputation damage. Or in critical cases, you may lose sensitive customer data.
Security patches ensure that your site is not vulnerable to such attacks.
Steps to Install Magento Security Patch
Choose Your Patch Path
From 1-Click Safety to Full Integration – Match Method to Urgency
Without SSH
1 StepDirect upload of pre-patched files to server. Perfect for urgent fixes and shared hosting environments.
Best for: Emergency patches, shared hosting
GitHub Method
3 StepsVersion-controlled patching through GitHub repository. Ideal for development teams using Git workflows.
Best for: Team environments, version control
SSH Method
4 StepsTraditional command-line patching with direct server access. Standard approach for most installations.
Best for: Standard installations, experienced users
Composer Method
5 StepsComplete dependency management integration. Most comprehensive but ensures long-term patch tracking.
Best for: Long-term maintenance, systematic updates
Pro Tip: Choose based on urgency – Without SSH for immediate threats, Composer for systematic long-term security
1. Using SSH
-
Upload the local patch file into the
<Magento_root>on the server. -
Log in to the server and verify that the file is located in the correct directory.
-
In the command-line interface, run the following commands.
patch < patch_file_name.patch
The command assumes that the file to be patched is located relative to the patch file.
If you see “File to patch” in the command line, it may not be located in the intended file.
The command line terminal will display a box with the required file. You can copy and paste the file into the File to patch.
- Refresh the cache in the Admin under System > Tools > Cache Management
2. Using Composer
It is essential to perform testing before deploying any custom patch. Once the patch is tested, you can use the following steps to apply the patch.
-
From the command line, access your project directory.
-
Add the cweagans/composer-patches module to the
composer.jsonfile.
composer require cweagans/composer-patches
- Edit the
composer.jsonfile and add the following:
- Module - magento/module-payment
- Title - “MAGETWO-56934: Checkout page freezes when ordering with Authorize. net with invalid credit card”
- Path to patch - “patches/composer/github-issue-6474.diff”
For example:
"extra": {
"composer-exit-on-patch-failure": true,
"patches": {
"magento/module-payment": {
"MAGETWO-56934: Checkout page freezes when ordering with Authorize.net with invalid credit card": "patches/composer/github-issue-6474.diff"
}
}
}
If a patch affects specific modules, you have to create several patch files for different modules.
- Apply the patch with the following command. The -v can be used to see the details on debugging.
composer -v install
- Update the composer.lock file. The lock file records which patches are applied to each Composer package.
composer update --lock
3. Github
-
Create a directory for patches -
Go to the website’s working directory and create a patch directory for storing the Magento security patches.
-
Copy the required patches to the generated directory.
You can use SSH, FTP-client, and other tools that are suitable.
-
Create a patch file - Run the following command.
git diff > ./patches/patchForModule.patch.
4. Without Using SSH
Extract the pre-patched files and upload them to the Magento root folder. There are also Pre-Patched files available on GitHub.
Some of the pre-patched files are shown below-
| Magento SUPEE Patch | Release Date | Affected Versions | Issue Details |
|---|---|---|---|
| Magento SUPEE 11346 | June 22, 2020. | 1.5.0.0-1.9.4.4 | Security improvements to protect online stores from cross-site scripting, arbitrary code execution, and sensitive data breaches. |
| Magento SUPEE 11346 | June 22, 2020. | 1.5.0.0-1.9.4.4 | Logging and monitoring issues. Protect sensitive data in HTTPS requests. |
| Magento SUPEE 11219 | October 8, 2019. | 1.5.0.0-1.9.4.2 | Request forgery, remote code execution, cross-site scripting, etc. |
Reverting an Installed Patch
You may have to revert the security patches installed if there are any issues.
You can use the same patch you used for reverting the patch and save the result.
You can use it with the -R flag and the following command.
sh patch_file_name.sh -R
Before Applying Magento 2 Security Patches
Phase 1: Pre-Installation
3 Critical Steps • Est. 15 minutes
Phase 2: Testing Validation
5 Validation Points • Est. 30 minutes
Phase 3: Final Site Audit
7 Audit Criteria • Est. 20 minutes
1. Test Patches
It is essential to test all patches in a staging or development environment. Check if the Magento system is working well after applying the patch.
Testing the patches includes-
- Reviewing patch release notes
- Analyze the effect of the patch on your system
- Frontend and backend changes
- Test if the patch is applied successfully
- Use Magento Security Scan to detect issues.
2. Backup Database
Magento backups prevent data loss while adding new patches.
If there is any damage to the website, you can revert quickly with database backups.
Magento archives file system, database, media files. Store admins can access the feature from the backend.
To create a database backup-
- Log in to the Magento Admin panel and go to System => Tools => Backups
-
Choose the type of backup you would like to create.
-
Click on one - System Backup, Database, and Media Backup or Database Backup.
3. Enable Maintenance Mode
The Maintenance mode temporarily disables your Magento store. It is usually enabled for testing the site before going live.
You can use it for activities like security updates and bug fixes.
Enable maintenance mode before applying the released patches. Visitors on your websites will see a “Service Temporarily Unavailable.” sign.
Site Audit and Maintenance
Site audits help evaluate the status of your store after the patches are applied. Any bug could affect traffic, sales, and search engine ranking.
Site audits allow you to detect the current performance of the store.
To perform a site audit, consider the following aspects-
- Site Speed.
- Core code integrity.
- Third-party module code.
- JS console errors.
- Code validation.
- Usability.
- Security.
Conclusion
Attackers are constantly looking for loopholes in your system.
An outdated system is an easy target for hackers to compromise your data.
Ensure that your store is secure with the latest security patches. We strongly recommend installing them as soon as they are released.
This tutorial covered methods to install the Magento security patches. Use the command line or directly apply pre-patched files.
Get more insights about the Magento platform on MGT-Commerce tutorials.
