How to Install Security Patches in Magento

November 18, 2021


Once a software security flaw becomes public knowledge, a potential attacker can exploit the vulnerability within hours.

Online stores need to work tirelessly to protect customer information and keep ecommerce security threats at bay. Magento releases official security patches regularly to help merchants eliminate known software vulnerabilities.

Find out how to install security patches in Magento 2 and protect your store and customers without delay.

Installing a new Magento security patch.

Prepare Magento Environment for the Security Update

Before installing a security update in Magento 2:

  • Review Release Notes - Visit the Magento Security Center and read the official patch release notes. Determine how the new security features affect your Magento installation. Also, check if the patch is backward-compatible or has known issues with third-party modules.
  • Create Store Backup - Technical problems during the installation can lead to excessive downtime and loss of valuable data. Back up your Magento 2 store and restore it to a previously saved state if necessary.
  • Enable Maintenance Mode - Set the store to Maintenance Mode to prevent bootstrapping during the patch installation process. While the store is in maintenance mode, customers are redirected to a default Service Temporarily Unavailable page.

How to Install Security Patches in Magento (Step-by-Step)

After downloading a patch file locally, you can apply the update using the command line interface or the Composer application.

Install Security Patch From Command Line

To install Magento security patches using the command line:

1. Establish an SSH or FTP connection with the Magento server.

2. Upload the security patch file to the Magento 2 installation directory.

3. Use the command-line interface (CLI) to access the Magento root directory:

cd /var/www/html/magento2.4
Command to access the Magento root directory.

Modify the path to reflect the directory path on your system.

4. Utilize the patch command to apply the Magento security patch:

patch < patch_file_name.patch

Enter the name of the patch file used in your installation.

Patch command for a Magento 2 security update.

The patch file name in this example is PRODSECBUG-2198-2.4-CE-2021-10-17-09-22-17.patch.

5. Once the update is complete, clean the Magento cache:

php bin/magento cache:clean

Test store functionality and components extensively before disabling Maintenance mode.

Use Composer to Install Security Patch

Composer enables merchants to reduce PHP compatibility issues, track dependencies, and automate updates in Magento 2.

Note: It is mandatory to install Composer when updating to Magento 2.4 or subsequent versions.

To install a security patch in Magento 2.4 with Composer:

1. Access the Magento root directory from the command line:

cd /var/www/html/magento2.4 

2. Add the cweagans/composer-patches plugin to the composer.json file:

composer require cweagans/composer-patches

The plugin helps resolve potential dependency conflicts in the composer.json file

Add cweagans plugin to Composer.

3. Use a preferred text editor, like nano, to access the composer.json file:

sudo nano composer.json

Edit the existing extra object to specify a Composer package to apply the patch or patches. Enter a description of the patch and a reference to its location.

  "extra": {
      "composer-exit-on-patch-failure": true,
      "patches": {
          "magento/module-uri": {
              "PRODSECBUG-2432: Security Update For Potential Vulnerability in Magento Admin URL location": "patches/composer/github-issue-100644.diff"

The module in this example is "magento/module-uri". While "PRODSECBUG-2432: Security Update For Potential Vulnerability in Magento Admin URL location" and "patches/composer/github-issue-100644.diff" represent the title and path to the patch file.

Contents of the composer.json file.

If a patch affects several modules, create a patch file for each module, and reference each file within the extra object.

4. Apply the patch:

composer install

To review debugging data, use the same command and append the -v option.

5. Update the composer.lock file:

composer update --lock

The composer.lock file keeps track of patches applied to each Composer package in an object.

6. Clean the Magento cache:

php bin/magento cache:clean

Set the store operation mode to Production after testing store components and functionality.


You now know how to install security patches in Magento 2 using two different methods. Applying patches as soon as they become available is an essential task that keeps your store safe in the long run.

Consider introducing CAPTCHA to your contact forms to improve store security even further. By adding CAPTCHA to the Magento contact form, you eliminate spam and block bots from using contact forms as a gateway to compromise core services.

About the author
Vladimir Kaplarevic
Vladimir is a resident Tech Writer at CCBill. He has more than 8 years of experience in implementing e-commerce and online payment solutions with various global IT services providers. His engaging writing style provides practical advice and aims to spark curiosity for innovative technologies.
Talk to a Merchant Support Specialist