Shopware admin security starts with controlling access to the admin panel itself. Your Shopware admin panel is the highest-value target in your entire store. Anyone who gains access to it has full control over your products, customers, orders, and settings. As a result, admin panel security is always the first area to audit.

The default Shopware admin URL is well-known. Bots scan for it constantly. Beyond the URL, weak passwords and absent two-factor login (2FA) are also serious risks. They leave the admin panel exposed even when other protections are in place.

• ✓Change the admin URL from the default/adminpath to something unpredictable.
• ✓Enable two-factor login (2FA) on every admin user account.
• ✓Restrict admin access by IP allowlist — only your team’s IP ranges should reach the login page.
• !Turn on login rate limiting — throttle failed attempts after a set threshold.
• ✓Add an HTTP Basic Auth layer in front of the admin login as a second gate.
• ✗The admin login page has no IP restrictions — the public internet can reach it directly.

Running an outdated Shopware version is the single most common Shopware vulnerability found during audits. Shopware plugin security failures are a close second. When a CVE is published, it includes the exact version range affected. Attackers use automated scanners to find stores running those versions at scale.

Shopware plugin security is equally important. Plugins introduce their own code into your store. An outdated or abandoned plugin with a known CVE is just as dangerous as an outdated core version. According to the Shopware official security advisories, vulnerabilities in third-party plugins are a common attack vector.

• ✓Shopware core version matches the latest stable release in the 6.6.x branch.
• !Update all installed plugins to their latest versions compatible with your Shopware release.
• ✗Check that no plugins with known published CVEs remain installed and active.
• !Remove all inactive plugins entirely — do not just deactivate them.
• ✓Set up a process for tracking new Shopware security advisories and applying patches promptly.

Every Shopware store must serve all pages over HTTPS. This is a must. It protects customer data in transit, prevents man-in-the-middle attacks, and directly affects your Google search rankings. An expired or badly configured SSL cert is a critical Shopware store security failure.

Beyond the basic SSL cert, proper transport security means enforcing HTTPS redirects and setting HSTS headers. It also means ensuring mixed content does not appear on any page. Mixed content — where a secure page loads insecure resources — breaks the entire HTTPS setup.

• ✓SSL cert is valid and does not expire within the next 60 days.
• ✓All HTTP requests redirect on their own to HTTPS — no exceptions.
• ✓HSTS header is set with a minimum max-age of 31536000 (one year).
• !No mixed content warnings appear on any page — check with browser developer tools.
• ✓TLS version is 1.2 or 1.3 — TLS 1.0 and 1.1 are disabled on the server.

Incorrect file permissions are a common finding in any Shopware security audit. If your .env file is world-readable, sensitive login details including your database password are exposed to anyone with server access. Similarly, writable directories in the wrong locations create chances for malicious file uploads.

This area of the Shopware store security audit is about verifying that your server setup matches Shopware’s advised permission model. It also checks that no sensitive files are publicly accessible.

• ✓.envfile permissions are set to 600 — readable only by the web server user.
• ✓Directories are set to 755 and files to 644 across the Shopware installation.
• ✗No directories outside of/public/media/and/public/thumbnail/are world-writable.
• ✓/config/,/vendor/, and/.git/directories are blocked from public web access.
• !Shopware’svar/log/directory is not publicly accessible via direct URL.
• ✓PHP execution is blocked in the/public/media/directory via server setup.

Shopware admin security gaps caused by stale user accounts are easy to miss. Admin user accounts pile up over time. Developers, agencies, and former team members may still have active login details long after they stop working on your store. Each unused account is an an extra attack surface. This is especially true if the password has not changed since the account was first created.

This part of the Shopware security audit focuses on Shopware admin security basics. It is simple but consistently reveals problems. It requires reviewing every account in your Shopware admin and applying the principle of least privilege.

• ✓Every admin user account belongs to a current, named team member — no generic or shared accounts.
• ✗No accounts exist for former employees, freelancers, or agencies no longer working on the store.
• !Give each user only the minimum permissions for their role — never grant admin-level access by default.
• ✓All admin passwords were last changed within the past 90 days.
• ✓Confirm two-factor login (2FA) is active on every account — not just turned on at the system level.

Shopware exposes a powerful Store API and an Admin API. Check both in your Shopware security audit. The Store API is meant to be public. But it still needs rate limits and tight scope control. The Admin API is far more sensitive and should be tightly restricted.

Shopware security gaps involving API endpoints are especially dangerous because they bypass the browser-based login flow entirely. An attacker can probe your API without ever touching your admin login page.

• ✗Set up rate limiting on/store-api/account/loginand other sensitive Store API routes.
• ✓All active Admin API integrations use the minimum required permissions scopes.
• !Delete all unused Admin API integrations — do not leave them deactivated.
• ✓Rotate API access tokens on a regular schedule — at least every 90 days.
• ✗Check that API endpoints do not return verbose error messages that expose internal paths or stack traces.
• ✓Restrict Admin API access by IP address where your hosting setup allows it.

HTTP security headers are a fast-win area of any Shopware security checklist. They instruct browsers on how to handle your site content. Furthermore, they prevent a range of common attacks at the browser level. These include clickjacking, MIME type sniffing, and cross-site scripting.

Most Shopware stores have no security headers configured because Shopware does not set them by default. They need to be added at the server level. That means your Apache virtual host, Nginx server block, or hosting control panel.

• ✗SetX-Frame-Options: DENYorSAMEORIGINto block clickjacking attacks.
• ✗SetX-Content-Type-Options: nosniffto stop MIME type sniffing attacks.
• !SetReferrer-Policytostrict-origin-when-cross-originor a stricter value.
• ✗Define a Content Security Policy (CSP) header — even a basic one cuts XSS risk greatly.
• ✓Confirm the HSTS header includes theincludeSubDomainsdirective.

GDPR compliance is part of any complete Shopware store security audit. A store may be technically secure on the surface. However, if it leaks personal data through poor consent management or unlawful data retention, it is still legally exposed. Fines under Article 83 can reach 4% of annual global turnover.

This part of the audit focuses on data handling practices — not just the cookie banner. It covers how data is collected, stored, shared, and deleted across your entire Shopware setup.

• ✓Confirm the cookie consent banner blocks all non-essential tracking until the visitor gives consent.
• !Sign a Data Processing Agreement (DPA) with every third-party tool that handles customer data.
• ✓Customer data deletion requests can be fulfilled completely within 30 days.
• ✗Define and enforce a data keep policy — do not store old customer data indefinitely.
• ✓Your privacy policy accurately describes all data collected, processing purposes, and third parties involved.
• !Protect order and customer data exports — require admin login before any export runs.

Many Shopware stores that have already been breached do not know it. Attackers operate quietly — stealing data gradually or installing persistent backdoors that are only used sometimes. Checking logs is how you detect this activity before it causes damage that is hard to undo.

This final area of the Shopware security audit is about having a clear view. Without active log checks, you have no security cameras. You cannot see what is happening. Even the best protections fail when you have no visibility.

• ✗Review access logs at least weekly and set up alert tools to flag anomalies automatically.
• !Run Fail2Ban or an equivalent tool on your server — it bans IPs after repeated failed login attempts.
• ✓Shopware’s own log files invar/log/are checked regularly for errors and warnings.
• ✗Set up an alert for any new admin user creation or admin permission change.
• !Log failed login attempts and compare them against known malicious IP lists each month.
• ✓Define an incident response process — your team should know exactly what to do if a breach occurs.