Magento Security Check & Patch Tester & Vulnerability scanner

On this page you can check whether your store is vulnerable to the most recent security issues and verify that Magento security patches are installed on your store.

To check which Magento security patches are applied, enter the frontend URL of your store:

Magento Patch installation service
  • Tom Calpin

    Hey Magentary, this tool is brilliant, thanks.
    One thing I’m getting when testing one shop is ‘Path disclosure: Magento root directory leaked:’, but it seems safe with all the other tests. Which vulnerability does this warning relate to?

    • Rashid

      Make sure that the phpinfo file does not exist.

      • Brian Sirois

        What do you mean? There's a phpinfo.php file in the public_html? Should I remove it?

        • Rashid

          Yep. I had the same issue.

  • Jayme Jayme

    SUPEE-6788: Unknown, can not determine patch status.

    What does this mean? According to another patch tester, it is saying 6788 is installed and OK.

  • Sejda Hajji

    I need to integrate this tool in my Laravel 5.2 application. How can I do this? Can anyone give me the source code? Thank you in advance.

  • Emma Natacha Bernard Schneider

    After patch installation, the slider on the homepage is lost!! How to reset the patch????

    • magentary

      To fix slider you may need to whitelist slider blocks after patch installation or correct the extension as per release notes/known issues section in instructions. To revert patch you can use --revert option for patch script or rollback all files replaced, depending on the way you applied the patch.

    • Michel Van de Wiel

      Hello Emma, resetting a patch is not very easy; you also need to remove something in the database! Can you tell me which package you want to remove?

  • Aaron McGuire

    I’m getting SUPEE-6788 is not installed, however it is. The others report it too. Not sure why this doesn’t catch it…

    • magentary

      Most likely SUPEE-6788 is applied against default theme only (by default only base and default themes are patched) and custom theme is still unpatched. You can refer to and for details on patching custom theme.

      • Aaron McGuire

        Thanks for the reply – are there any other possible patches required in the custom theme directory? Registration was previously patched and I am not overriding the password reset template.

        • Aaron McGuire

          You got me going on the right track and likely resolved issues I hadn’t received reports on yet, so thank you. I found the missing edit that your tester was catching:


          – <form action="getUrl(‘*/*/resetpasswordpost’, array(‘_query’ => array(‘id’ => $this->getCustomerId(), ‘token’ => $this->getResetPasswordLinkToken()))); ?>” method=”post” id=”form-validate”>
          + <form action="getUrl(‘*/*/resetpasswordpost’); ?>” method=”post” id=”form-validate”>
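          Review bot: compare the whole custom template against the patched base/default copy rather than relying on this single-line edit; the `+` line only shows the `_query` array (`id`, `token`) removed from the `resetpasswordpost` form action, and any other template in the custom theme that still builds that URL with `_query` needs the same change.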

          Thanks for your help!

          -edit: sorry about the code formatting :/
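
The check discussed in this thread (SUPEE-6788 applied to base/default but not to a custom theme), as an added example that is not part of the comments and not the tester's own code. It scans every frontend theme for the pre-patch form action shown in the diff above; the `acme/shop` theme, the sample tree and the `<?php echo $this->` prefix on the sample lines are constructed assumptions.

```python
import os
import re
import tempfile

# Pre-patch form action from the thread's diff: getUrl() is still given a second
# argument (the '_query' array carrying the customer id and reset token).
UNPATCHED = re.compile(r"""getUrl\(\s*['"][^'"]*resetpasswordpost['"]\s*,""")

def find_unpatched_reset_forms(magento_root):
    """Return sorted (package/theme, template path, line number) hits."""
    design = os.path.join(magento_root, "app", "design", "frontend")
    hits = []
    for dirpath, _dirs, files in os.walk(design):
        for name in files:
            if not name.endswith(".phtml"):
                continue
            path = os.path.join(dirpath, name)
            parts = os.path.relpath(path, design).split(os.sep)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if UNPATCHED.search(line):
                        hits.append(("/".join(parts[:2]), "/".join(parts[2:]), lineno))
    return sorted(hits)

# Constructed sample lines; the "<?php echo $this->" prefix is assumed.
OLD = ("<form action=\"<?php echo $this->getUrl('*/*/resetpasswordpost', array('_query' => "
       "array('id' => $this->getCustomerId(), 'token' => $this->getResetPasswordLinkToken()))); ?>\" "
       "method=\"post\" id=\"form-validate\">\n")
NEW = ("<form action=\"<?php echo $this->getUrl('*/*/resetpasswordpost'); ?>\" "
       "method=\"post\" id=\"form-validate\">\n")

def build_sample_tree(root):
    """Constructed layout: patched base/default, unpatched custom theme acme/shop."""
    rel = os.path.join("template", "customer", "form", "resetforgottenpassword.phtml")
    for theme, form in (("base/default", NEW), ("acme/shop", OLD)):
        path = os.path.join(root, "app", "design", "frontend", *theme.split("/"), rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("<div class=\"page-title\"></div>\n" + form)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for theme, template, lineno in find_unpatched_reset_forms(build_sample_tree(tmp)):
            print(f"{theme}: {template}:{lineno} still passes id/token in the form action")
```

On a real store, pass the Magento root directory to `find_unpatched_reset_forms()`; an empty result means no frontend template still builds the reset URL with extra arguments.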

  • Phonix Team

    Hello, thank you for your work, very professional and quick. thank you!

    Greetings from Switzerland
    Phonix Team

  • Jason Riner

    Hello, thank you very much for providing everyone with these. Regarding SUPEE-7405, how is that tested? For some reason despite applying the patch and triple checking everything, it keeps failing for some of our sites while others are ok. Magento version passed successfully, but and do not. I’ve checked our custom templates as well to ensure those are updated, which they are. Any ideas?

    • Jason Riner

      I should also note that all of the sites check out fine for that patch on another tool

    • magentary

      Thank you for the notification about it. We have recently found false-positive triggering of SUPEE-7405 in some cases, like multi-stores or non-default path of default store view. It should be corrected now.

  • chewieros

    Hi guys, your Magento Security Patch Tester said that I am infected with Visbot malware infection: Credit Card Hijacking detected. Checkout process (including all payment details) is COMPROMISED, data hijacked. But Magereport said that my site is clean. I checked all the steps of this post: and all is fine on my site. What can I do to check this in a better way?

  • Spring Katze

    Good job.
    Unpatched store with morphed obfuscated code is not detected.

  • niceguys23

    Is there no good automated tool to check against security vulnerabilities? It seems that extensions / modules can be very abusive and very easily “patch” abusive code into some core functionalities of Magento…

  • Ed Washburn

    I have Magento installed and I get Path disclosure: Magento root directory leaked: /home/www/ It is my understanding that the patch SUPEE-10266 is already applied. Please advise on what may be causing this. Thanks in advance.

  • r83

    What does the path disclosure test do?
    I got “Magento root directory leaked”.
    How can I test and fix this by myself?

  • Martin

    Hi, I paid for your install service. But I've not heard anything from you.

    • magentary

      Thank you for the notification about it. It seems you have not received messages from our side requesting access info and other details. According to our mailserver logs these messages were delivered to your mailserver. In the meantime, your payment transaction has been refunded in full, all funds should be returned to your account.

  • Mark Buchan

    Does this check take into account all the updates in the latest Magento ver.?