All About Applying Magento 2 Security Patch for Beginners

by Summer

If you search “how to install Magento 2 security patch” or “how to install Magento patches,” you’ve come to the right post.

As usual, security is one of the most crucial factors of an ecommerce store that every store owner concerns. Especially when digital fraud has been growing at an alarming rate that can threaten ecommerce businesses, this aspect becomes more noticeable. 

Any security hole or vulnerability can potentialize risks. And for the worst consequence, a website may be broken. More than keeping a website alive and related database safe, security also vastly impacts the online business’s revenue. A report by Gartner implies that a trustworthy online store can generate 20% more sales in comparison to less secure stores. 

Magento offers different versions of security patches to minimize security holes that can hurt websites using the platform. Don’t skip this post as it includes an easy-to-understand introduction to security patches with a complete guide on how to install a Magento 2 security patch. 

I – An Introduction to Magento 2 Security Patch

What is Magento Security Patch? 

A Magento security patch is basically an update of the software which addresses issues and the newest release. It caters to fixing major bugs or incorporating new functionalities in your old version of the software. In general, it is developed to enhance the store’s overall performance and ensure security to the website. 

DON’T SKIP another topic on Magento Security Patch to recognize a compromised site and check if your site has been set up a security patch yet. 

Along with upgrading your store to the latest Magento version, installing security-related patches is recommended as soon as they are available roughly every few months. In this way, your Magento website can avoid vulnerabilities that result in small to serious database losses. Please access the official Security Center of Magento to get the latest patches, security updates, and best practices for your Magento website. 


What does SUPEE Patch mean? 

If you visit Magento Security Center, you will find different versions of released patches that include “SUPEE” in their name, for example, SUPEE-11295. And here comes the reason. 

As patches are released to provide EE support tickets, Magento security patches are named as SUPEE Patches. A SUPEE patch includes a self-installing script containing updates to all the security issues. The patch files contain the code to update the existing Magento code files and save the result.  

How does a patchwork? 

In general, Magento 2 security patches are divided into two types based on their origin: official patches and custom patches. Official patches are published by Magento through Magento Security Center. Depending on your Magento version and installation type, you can pick a proper security patch there. On the other hand, custom patches are unofficial patches that can be created from a git commit. 

A patch file is a technical document that addresses the file(s) to be changed and details of changes, including in the line where the change begins and the alternative piece of code. Once you run the patch program, this file will be read and the specified changes will be implemented. 

Including a bug fix from GitHub in a Magento 2 composer release maybe not as smooth as expected. In this case, you can totally create a patch from GitHub using the cweagans/composer-patches plugin to apply it to your Magento 2 installation. 

How to create a custom patch? 

While creating a custom patch, it’s safer to use a simple text editor with changes because the ones that automatically eliminate trailing whitespace or insert new lines can break your patch.   

  • Step 1: Firstly, create a patches/composer directory in your local project.
  • Step 2: Identify the GitHub commit or pull request to use for the patch. This example uses the 2d31571 commit, connected to Magento 2 GitHub issue #6474.
  • Step 3: Append the .patch or the .diff extensions to the commit URL. For smaller file sizes,  you should use .diff. Look at this example to understand:
  • Step 4: Save the page as a file in the patches/composer directory. For example, github-issue-6474.diff.
  • Step 5: Edit the file and eliminate app/code/<VENDOR>/<PACKAGE> from all paths so that they are relative to the vendor/<VENDOR>/<PACKAGE> directory.

II – Complete Guide on How to Install Magento Security Patch 

Magento 2 security patch can be applied in two ways (install Magento security patch) 

  • Using the command line 
  • Using Composer 


Using the command line 

Step 1: Use FTP, SFTP, SSH or your normal transport method to upload the local file into the <Magento_root> on the server 

Step 2: Log in to the server as the Magento admin user to verify that the file is located in the correct directory. 

Step 3: In the command-line interface, run the following commands according to the patch extension: 

patch < patch_file_name.patch 

The command that assumes the file to be patched is located relative to the patch file.

In case you see “File to patch” in the command line, you should know that it cannot locate in the intended file, even if the patch seems correct. The command line terminal will display a box including the file to be patched in the first line. Your job is to copy the file patch and paste it into the “File to patch.” 

Step 4: For the changes to be reflected, refresh the cache in the Admin under System > Tools > Cache Management.

Using Composer 

When using Composer to apply Magento 2 security patches, it’s crucial to perform comprehensive testing before deploying any custom patch. Once this step is completed and there’s no found issue with your coding, you need to follow these steps to apply a custom patch. 

Step 1: Open your command line application and access your project directory.

Step 2: Add the cweagans/composer-patches module to the composer.json file.

composer require cweagans/composer-patches 

Step 3: Edit the composer.json file and add the following section to identify:

  • Module: “magento/module-payment”
  • Title: “MAGETWO-56934: Checkout page freezes when ordering with with invalid credit card”
  • Path to patch: “patches/composer/github-issue-6474.diff”

For example:

  "extra": {
      "composer-exit-on-patch-failure": true,
      "patches": {
          "magento/module-payment": {
              "MAGETWO-56934: Checkout page freezes when ordering with with invalid credit card": "patches/composer/github-issue-6474.diff"

If a patch has an effect on multiple modules, you need to create several patch files targeting different modules.

Step 4: Apply the patch. Use the -v option only if you want to see information about debugging.

composer -v install 

Step 5: Update the composer.lock file. The lock file records which patches have been applied to each Composer package in an object.

composer update --lock 

III – What You Should Do Before Applying Magento 2 Patches 

Test all patches 

Testing all patches in a staging/development environment is strongly recommended before you deploy to production. It is mandatory to test the security patch from the user’s perspective, for correctness and smoothness before going live. By doing this, you can make sure that every aspect of your Magento installation can work well after applying a patch.

First of all, you should review the patch release notes and analyze how it can impact major areas that have been changed in both frontend and backend. 

As soon as the installation is completed, you can check if the patch has been successfully applied via The website is a really helpful tool that will scan your Magento store and help you recognize vulnerabilities. 

Backup your database

Don’t forget to backup your database and Magento installation before applying a security patch to prevent possible risks that can hurt your website, such as system crash or data losses.  

For those who don’t know how to start, Backups Management in Magento archives file system, database, media files. Store admins can easily access this feature from the backend by navigating to System => Tools => Backups then choose the type of backup as wanted. 

Enable maintenance mode 


Magento provides Maintenance Mode to disable bootstrapping. This mode can be used whenever you want to temporarily disable your store for testing before going live or for maintenance activities, including updating, fixing bugs, and so on. 

Once you enable maintenance mode, visitors coming to your websites will see a message like “Service Temporarily Unavailable.” 

GET OVERVIEW OF All About Magento 2 Maintenance Mode You Should Know for better practices on your Magento store. 

IV – Don’t Forget Audit & Maintenance

Full site audit  

Like other ecommerce platforms, Magento is not perfect and does not stand still through time. Whenever a new version is launched, the previous will gradually become outdated and more vulnerable. For this reason, maintenance activities play a very important role in the security of Magento websites. 

Some issues are easy to detect but some cannot be found without an in-depth audit into the system. They are usually be found when actually hurt your website. If there’s any bug be found or a serious drop in your indicators (sales, traffic, contacts, etc.), it’s time to consider maintenance for your website. In case you do not have a dedicated developer nearby to handle every bug arising, don’t hesitate to contact a Magento development agency for support. 

At BSS Commerce, we always help merchants to find the root of the problems by checking the whole site. Here are 7 points we will check

  • Core code integrity 
  • Code validation 
  • JS console errors 
  • 3rd-party module code 
  • Usability 
  • Speed 
  • Security 

After auditing all aspects of your website, we do not only list all the errors but also give clients suggestions about which points can be improved for better performance. 

> CHECK our Magento Website Maintenance Checklist to make sure your whole site is healthy 

Many store owners have reflected their satisfaction when working with BSS Commerce for Magento 2 Web Maintenance. From the professional process that covers every aspect of Magento sites, suggested solutions, coding quality, to dedicated support. At BSS Commerce, Magento Coding Standard is always followed very strictly. Thanks to this, Magento sites can avoid serious issues when going live and in future updates. 

Seek a partner to help maintain your site? Get a consultation from specialists HERE

Code audit 

When it comes to building an ecommerce site with Magento, it is very important to follow Magento Coding Standards and do not adjust the code core of the system. Any of the mistakes may make Magento websites buggy and vulnerable to upgrade. Code audit, for this reason, helps merchants to review website code and detect coding errors. 

When should we audit the Magento code? 

If a function does not work or your website does not display normally, the possibility is it has coding problems. You can conduct a code audit to figure what is happening with your code. 

Once you have a plan to upgrade the Magento version, a Code Audit is necessary to check if the code core has been edited. 

Lear more about Magento 2 Code Audit right now! 


Final Words 

More than a guide on applying Magento 2 security patches, the blog also addresses crucial steps to prepare for the process and extra notes to enhance Magento 2 website’s security.  

Thank you a lot for your interest in our blog. For any questions, feel free to share with us through the comment box below and we’ll respond as soon as possible.

BSS Commerce is one of the leading Multi-platform eCommerce solutions and web development services providers in the world. With experienced and certified developers, we commit to bringing high-quality products and services to optimize your business effectively. Talk to our expert now!

Next Reading Suggestions

© 2019 BSS Commerce owned by THANH CONG INTER ., JSC. All Rights Reserved.
Business registration certificate no. 0106064469 issued by Hanoi Department of Planning and Investment on 19 December 2019.
Legal Representative: Mr. Nguyen Quang Trung.