All About Applying Magento 2 Security Patch for Beginners


All About Applying Magento 2 Security Patch for Beginners

If you search “Magento 2 security patch” or “apply Magento security patch,” you’ve come to the right post.

As usual, security is one of the most crucial factors of an ecommerce store that every store owner concerns. Especially when digital fraud has been growing at an alarming rate that can threaten ecommerce businesses, this aspect becomes more noticeable. 

Any security hole or vulnerability can potentialize risks. And for the worst consequence, a website may be broken. More than keeping a website alive and related database safe, security also vastly impacts the online business’s revenue. A report by Gartner implies that a trustworthy online store can generate 20% more sales in comparison to less secure stores. 

Magento offers different versions of security patches to minimize security holes that can hurt websites using the platform. Don’t skip this post as it includes an easy-to-understand introduction to security patches with a complete guide on how to install a Magento 2 security patch. 

I – An Introduction to Magento 2 Security Patch

What is Magento Security Patch? 

A Magento security patch is basically an update of the software which addresses issues and the newest release. It caters for fixing major bugs or incorporating new functionalities in your old version of the software. In general, it is developed to enhance the store’s overall performance and ensure security to the website. 

DON’T SKIP another topic on Magento Security Patch to recognize a compromised site and check if your site has been set up a security patch yet. 

Along with upgrading your store to the latest Magento version, installing security-related patches is recommended as soon as they are available roughly every few months. In this way, your Magento website can avoid vulnerabilities that result in small to serious database losses. Please access the official Security Center of Magento to get the latest patches, security updates, and best practices for your Magento website. 


What does SUPEE Patch mean? 

If you visit Magento Security Center, you will find different versions of released patches that include “SUPEE” in their name, for example, SUPEE-11295. And here comes the reason. 

As patches are released to provide EE support tickets, Magento security patches are named as SUPEE Patches. A SUPEE patch includes a self-installing script containing updates to all the security issues. The patch files contain the code to update the existing Magento code files and save the result.  

How does a patch work? 

In general, Magento 2 security patches are divided into two types based on their origin: official patches and custom patches. Official patches are published by Magento through Magento Security Center. Depending on your Magento version and installation type, you can pick a proper security patch there. On the other hand, custom patches are unofficial patches that can be created from a git commit. 

A patch file is a technical document that addresses the file(s) to be changed and details of changes, including in the line where the change begins and the alternative piece of code. Once you run the patch program, this file will be read and the specified changes will be implemented. 

Including a bug fix from GitHub in a Magento 2 composer release may be not as smoothly as expected. In this case, you can totally create a patch from GitHub using the cweagans/composer-patches plugin to apply it to your Magento 2 installation. 

How to create a custom patch? 

While creating a custom patch, it’s safer to use simple text editor with changes because the ones that automatically eliminate trailing whitespace or insert new lines can break your patch.   

  • Step 1: Firstly, create a patches/composer directory in your local project.
  • Step 2: Identify the GitHub commit or pull request to use for the patch. This example uses the 2d31571 commit, connected to Magento 2 GitHub issue #6474.
  • Step 3: Append the .patch or the .diff extensions to the commit URL. For a smaller file size,  you should use .diff. Look at this example to understand:
  • Step 4: Save the page as a file in the patches/composer directory. For example, github-issue-6474.diff.
  • Step 5: Edit the file and eliminate app/code/<VENDOR>/<PACKAGE> from all paths so that they are relative to the vendor/<VENDOR>/<PACKAGE> directory.

II – Complete Guide on How to Apply Magento 2 Security Patch 

Magento 2 security patch can be applied in two ways: 

  • Using the command line 
  • Using Composer 

Using the command line 

Step 1: Use FTP, SFTP, SSH or your normal transport method to upload the local file into the <Magento_root> on the server 

Step 2: Log in to the server as the Magento admin user to verify that the file is located in the correct directory. 

Step 3: In the command-line interface, run the following commands according to the patch extension: 

patch < patch_file_name.patch 

The command that assumes the file to be patched is located relative to the patch file.

In case you see “File to patch” in the command line, you should know that it cannot locate in the intended file, even if the patch seems correct. The command line terminal will display a box including the file to be patched in the first line. Your job is to copy the file patch and paste it into the “File to patch.” 

Step 4: For the changes to be reflected, refresh the cache in the Admin under System > Tools > Cache Management.

Using Composer 

When using Composer to apply Magento 2 security patches, it’s crucial to perform comprehensive testing before deploying any custom patch. Once this step is completed and there’s no found issue with your coding, you need to follow these steps to apply a custom patch. 

Step 1: Open your command line application and access to your project directory.

Step 2: Add the cweagans/composer-patches module to the composer.json file.

composer require cweagans/composer-patches 

Step 3: Edit the composer.json file and add the following section to identify:

  • Module: “magento/module-payment”
  • Title: “MAGETWO-56934: Checkout page freezes when ordering with with invalid credit card”
  • Path to patch: “patches/composer/github-issue-6474.diff”

For example:

  "extra": {
      "composer-exit-on-patch-failure": true,
      "patches": {
          "magento/module-payment": {
              "MAGETWO-56934: Checkout page freezes when ordering with with invalid credit card": "patches/composer/github-issue-6474.diff"

If a patch has an effect on multiple modules, you need to create several patch files targeting different modules.

Step 4: Apply the patch. Use the -v option only if you want to see information about debugging.

composer -v install 

Step 5: Update the composer.lock file. The lock file records which patches have been applied to each Composer package in an object.

composer update --lock 

III – What You Should Do Before Applying Patches 

Test all patches 

Testing all patches in a staging/development environment is strongly recommended before you deploy to production. It is mandatory to test the security patch from the user’s perspective, for correctness and smoothness before going live. By doing this, you can make sure that every aspect of your Magento installation can work well after applying a patch.

First of all, you should review the patch release notes and analyze how it can impact major areas that have been changed in both frontend and backend. 

As soon as the installation is completed, you can check if the patch has been successfully applied via The website is a really helpful tool that will scan your Magento store and help you recognize vulnerabilities. 

Backup your database


Don’t forget to backup your database and Magento installation before applying a security patch to prevent possible risks that can hurt your website, such as system crash or data losses.  

For those who don’t know how to start, Backups Management in Magento archives file system, database, media files. Store admins can easily access this feature from the backend by navigating to System => Tools => Backups then choose the type of backup as wanted. 

Enable maintenance mode 


Magento provides maintenance Mode to disable bootstrapping. This mode can be used whenever you want to temporarily disable your store for testing before going live or for maintenance activities, including updating, fixing bugs, and so on. 

Once you enable maintenance mode, visitors coming to your websites will see a message like “Service Temporarily Unavailable.” 

GET OVERVIEW OF All About Magento 2 Maintenance Mode You Should Know for better practices on your Magento store. 

IV – Besides, Maintenance is Necessary to Keep Your Website Secure 


Like other ecommerce platforms, Magento is not perfect and does not stand still through time. Whenever a new version is launched, the previous will gradually become outdated and more vulnerable. For this reason, maintenance activities play a very important role in the security of Magento websites. 

It’s not necessary to implement maintenance activities periodically. But if there’s any bug be found or a serious drop in your indicators (sales, traffic, contacts, etc.), it’s time to consider maintenance for your website. In case you do not have enough team to handle every aspect of Magento 2 maintenance, let our Magento 2 Maintenance Service help. Our senior developers will help out with:

  • Code Audit
  • Troubleshooting & Fix Bugs
  • Security Update

Furthermore, BSS Commerce is willing to help if you request to add new features or optimize performance. CONTACT NOW and let us know your personalized requests! 

Final Words 

More than a guide on applying Magento 2 security patch, the blog also addresses crucial steps to prepare for the process and extra notes to enhance Magento 2 website’s security.  

Thank you a lot for your interest in our blog. For any question, feel free to share with us through the comment box below and we’ll respond as soon as possible. 

Write A Comment