There are numerous open-source tools you can use to perform a simple security test.
First of all, you can check whether all critical Magento security patches are in place. For this purpose, you can use Patch Tester. Enter your site URL and click the Run button to get results. Unpatched areas are marked red or orange depending on the severity of the issue, while areas secured with patches are green.
So even if you’re not a tech specialist, you’ll be well informed about Magento security test results.
Some retailers prefer not to apply security patches right after they are released. As a rule, the release of a security patch is followed by the release of a new Magento version that integrates the patch. However, a full upgrade is only worthwhile if you plan to update your store anyway: it requires a detailed check of the store code, including the templates, and validating them for compliance with the new Magento code. So if you don’t plan big updates, it’s better to apply the patches to save time and effort.
You can also go beyond this simple Magento security patch check with MageReport. This tool verifies if you have the patches and also tests your store for threats and vulnerabilities, such as:
This tool is user-friendly as well: all problematic areas are marked red or orange, while well-protected areas are green. MageReport can also run the Magento security test on some third-party extensions.
Though these tools are handy and easy to use, they don’t offer 100% accuracy: they have no access to your store code. So to make sure the store is secure, you should ask your Magento developers to verify the results.
There is one more valid security testing tool: Security Scan, developed by Magento. The tool is free and monitors your store security in real time. Apart from patches, the tool checks the store configuration, reports potential vulnerabilities and suggests fixes. You can also enable a daily or weekly automated Magento security check.
To enable Security Scan:
After that, you will be able to track your Magento 2 store, analyze security risks and get security notifications right in your Magento account. If you have multiple websites with different domains, you can track all of them from one dashboard.
Though the tool was made for Magento 2, it can be used for testing Magento stores. Some adjustments are needed, but detailed instructions are provided. Another advantage of the tool is that it doesn’t affect store performance, even though it runs from the admin panel.