Is 5 minutes really an audit, privacy of answers, when to skip, how the weights are decided, why these 50, F-grade triage, A-grade next steps, what a deeper audit covers, paid-audit cost, retake/save, PCI/regulated edge cases, this checklist vs Adobe’s built-in tools.
Is 5 minutes really enough for a real audit?
For a self-assessment first pass, yes. For a final sign-off audit, no — that’s a 1–3 day paid engagement.
Here’s the honest breakdown of what these 50 questions can and cannot do:
What 5 minutes covers: the questions a senior Magento operator can answer from memory + a quick admin-panel glance — patch level, 2FA on/off, FPC enabled, indexers in schedule mode, cron running, composer audit last result, sessions on Redis. About 35–45 of the 50 questions fall here.
What 5 minutes can’t cover: things requiring code-reading or query-running — how many custom modules use deprecated APIs, whether a quote workflow still validates after the last patch, whether canonical tags are correct on every layered-nav permutation. Skip those, then ask your dev team. About 5–10 of the 50.
What this checklist deliberately doesn’t do: custom-module security review, slow-query log analysis, dependency vulnerability deep-scan, ERP integration data-integrity check. Those are the deep-audit territory.
So: 5 minutes for the self-assessment, then a paid 1–3 day deep audit ($1.5k–$3k) if your overall grade is C or below, or any single category is at D.
Are my answers stored or shared?
No. The 50 questions and your scoring run 100% in your browser — nothing is sent to my server, nothing is logged, nothing persists if you refresh. Open dev tools and watch the network tab while you take the audit; you won’t see a single XHR until you optionally submit the “Get a deeper audit” form at the bottom (which is itself opt-in and asks only for the score summary, not your individual answers).
Why this matters: many of the questions are sensitive (patch level, fail2ban presence, encryption status). Operators are rightly hesitant to type those answers into a marketing tool. So the architecture deliberately doesn’t give me a place to leak them from. Reload the page → everything resets.
If you decide to send a deeper-audit request, you choose what to include. The form captures your overall grade + the weakest category + your free-text notes — not the raw 50 answers. You stay in control of how much detail crosses the wire.
What if I don’t know an answer — should I skip?
Yes — skip honestly. The scoring is built around it: any skipped question is excluded from both the earned and the possible total for that category. Skipping doesn’t hurt your grade, and guessing “Yes” when you don’t actually know just gives you a falsely-confident result that hides real risk.
The pattern I see most often: operators answer 35–45 questions confidently in 5 minutes, then have 5–10 they need to ask their dev team about. Those 5–10 become a written follow-up email (“is question seo-3 actually true on our store?”) and a fresh re-take a week later with proper answers.
The honest skip strategy:
If you’re an operator without dev access: skip anything starting with “does app/etc/env.php…” or “is the slow-query log…”. Take the visible-from-the-storefront questions, then circulate the rest.
If you’re a senior dev: very few skips needed. If you’re skipping more than 10 of the 50, your team probably needs more visibility into the production environment.
If you’re skipping more than 25: your team isn’t close enough to the store. That alone is a finding.
How are the weights determined?
Weights reflect real-world failure cost, not theoretical importance. They are drawn from incident data across 200+ Magento stores I’ve audited or remediated since 2017.
Weight 3 (critical): something whose failure puts the business at material risk inside a 90-day window. Missing security patches, no daily backup, no 2FA, FPC misconfigured causing TTFB spikes, no production monitoring. These are the “will hurt you in a quarter” failures.
Weight 2 (high): something whose failure compounds over 6–12 months. Slow indexer mode on a big catalog, no hreflang on multi-region, missing Companies feature for B2B, no log alerting. Will erode revenue or operator efficiency steadily, not catastrophically.
Weight 1 (medium): something whose failure is meaningful but recoverable, often a “could be better” rather than a “is broken.” Image alt-text below 80%, llms.txt missing, no requisition lists, image optimization not yet automated. Roadmap items, not ticket-now items.
The weights are fixed, not user-tunable. The reason: experience shows operators consistently under-weight critical security and ops items (because they haven’t personally been bitten yet) and over-weight visible front-end items (because those get noticed at the executive level). Holding the weights independent of operator opinion is the point.
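The scoring rules described above (weights of 1 to 3, skipped questions dropped from both the earned and the possible total, and the deep-audit trigger from the first answer) as an added JavaScript example. This is not the checklist's own code: the letter-grade cut-offs it uses are an assumption, and the sample answers are constructed.

```javascript
// Added example, not the checklist's own code. Implements the scoring rules the page
// states: weights 1/2/3, skipped questions dropped from both the earned and the
// possible total, and the deep-audit trigger (overall C or below, or a category at D).
const GRADE_CUTOFFS = [[90, "A"], [80, "B"], [70, "C"], [60, "D"], [0, "F"]]; // assumed cut-offs
const GRADE_ORDER = "ABCDF"; // index grows as the grade gets worse

function toGrade(pct) {
  return GRADE_CUTOFFS.find(([min]) => pct >= min)[1];
}
// answers: [{ id, category, weight: 1|2|3, answer: "yes" | "no" | "skip" }]
function scoreChecklist(answers) {
  const totals = {};
  for (const { category, weight, answer } of answers) {
    if (!totals[category]) totals[category] = { earned: 0, possible: 0 };
    if (answer === "skip") continue; // a skip counts toward neither total
    totals[category].possible += weight;
    if (answer === "yes") totals[category].earned += weight;
  }
  const categories = {};
  let earned = 0, possible = 0;
  for (const [name, t] of Object.entries(totals)) {
    // A category where everything was skipped has no possible points: report it as ungraded
    const pct = t.possible ? Math.round((100 * t.earned) / t.possible) : null;
    categories[name] = { ...t, pct, grade: pct === null ? null : toGrade(pct) };
    earned += t.earned;
    possible += t.possible;
  }
  const overallPct = possible ? Math.round((100 * earned) / possible) : null;
  return { categories, overallPct, overallGrade: overallPct === null ? null : toGrade(overallPct) };
}

// "At D" is read here as D or worse; an ungraded (all-skipped) category never triggers.
function needsDeepAudit({ overallGrade, categories }) {
  const atOrBelow = (g, floor) => g !== null && GRADE_ORDER.indexOf(g) >= GRADE_ORDER.indexOf(floor);
  return atOrBelow(overallGrade, "C") || Object.values(categories).some((c) => atOrBelow(c.grade, "D"));
}

// Constructed sample: a handful of the 50 questions, with one category skipped entirely.
const SAMPLE_ANSWERS = [
  { id: "sec-1", category: "security", weight: 3, answer: "yes" },
  { id: "sec-2", category: "security", weight: 3, answer: "no" },
  { id: "sec-3", category: "security", weight: 2, answer: "skip" },
  { id: "sec-4", category: "security", weight: 1, answer: "yes" },
  { id: "perf-1", category: "performance", weight: 3, answer: "yes" },
  { id: "perf-2", category: "performance", weight: 2, answer: "yes" },
  { id: "perf-3", category: "performance", weight: 1, answer: "no" },
  { id: "seo-1", category: "seo", weight: 2, answer: "skip" },
  { id: "seo-2", category: "seo", weight: 1, answer: "skip" },
];
```

With the sample above the security category scores 4 of 7 possible points and the all-skipped SEO category stays ungraded rather than dragging the overall grade down.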
Why these 50 questions specifically?
I started with ~140 candidate questions drawn from 9 years of incident logs, then iteratively cut to the smallest set that:
Catches 80%+ of real production incidents in advance. Adding more questions hits diminishing returns fast — each marginal question above 50 catches less new variance.
Covers the 5 categories evenly (10 questions each). Real Magento ops failures are roughly evenly split across security / performance / SEO / B2B / ops; an 8-question SEO category and a 14-question security category would skew the overall grade.
Is answerable in 5 minutes by a senior operator without code-reading. If a question would require running a query or grepping a log, it becomes a “skip if unsure” question instead of being on the list.
Avoids vendor-specific bias. No “are you using product X.” Yes/no/skip on real engineering checks, not marketplace endorsements.
The full candidate list (the 140) lives in the deep audit. If your in-page checklist score is C or below, the 90 extra questions in the deep audit are probably where the real failures hide.
My grade is F — is my store doomed?
No, but you’re in “stop building features, fix foundations” territory. I’ve cleaned up 40+ stores in F-grade state since 2017; every single one was recoverable. The pattern:
Week 1: ticket every weight-3 critical fail. Apply the missing security patch, enforce 2FA, set up daily backup, fix FPC. These are mechanical fixes, not architectural rebuilds. ~$2k–$8k of dev time.
Week 2–4: work through weight-2 highs in priority order. Indexer mode, slow-query monitoring, Companies feature if doing B2B. ~$5k–$15k.
Week 4–8: book a paid 3-day deep audit ($3k–$5k) so an external senior takes a fresh look at custom-module security, B2B data integrity, ERP handshake. Fixes from the audit go on the next quarter’s roadmap.
Week 8 onwards: retake the in-page checklist monthly, watch the grade climb. F → D is usually 30 days; D → B is usually another 60.
What kills F-grade stores isn’t the F itself; it’s denial. If you’ve scored F honestly, you’re already past the hardest step.
My grade is A — am I done?
For the moment, yes — you’re ahead of ~85% of Magento stores at A. But A doesn’t mean “done forever”:
Re-audit every 90 days. Adobe ships a security patch roughly quarterly. Your dependency tree shifts. New extensions get installed. The store that’s A in May can be C by August if you don’t maintain.
Watch for the things this checklist doesn’t cover. Custom-module security, slow-query patterns on growing catalogs, ERP-handshake drift, edge-case checkout bugs — none of these show up here. An annual paid deep audit ($1.5k–$3k) catches them.
Plan ahead. If you’re on Magento 2.4.6 today and 2.4.10 ships in 6 months, plan the upgrade now while you’re A-grade and have engineering bandwidth. Upgrading from A is cheap; upgrading from D after foundations rot is expensive.
The A-grade trap: complacency. I’ve seen A-grade stores skip patches for 9 months because “everything is fine” — until APSB-2026-XX drops a CVSS 9.8 and they have 48 hours to patch with no rehearsal. Your A is a privilege you re-earn quarterly.
What’s a “deep audit” beyond this checklist?
A deep audit is the 1–3 day paid engagement where I clone your repo and look at the things 50 yes/no questions can’t. The full deep-audit checklist runs to ~140 questions plus several diagnostics. Specifically:
Slow-query log analysis: 7 days of slow-log data parsed, top-10 worst queries diagnosed, indexer staleness mapped to specific table-scan queries.
B2B data integrity audit: companies, quotes, segment pricing, requisition lists — check for orphan records, broken FKs, stale customer-group sync.
ERP handshake validation: diff inventory + price + customer between Magento and ERP, identify drift, document the canonical source per field.
Performance deep-dive: Lighthouse on top-20 URLs, INP audit, LCP per template, cache-warm coverage report, CDN hit-rate analysis.
Composer + extension audit: every dependency’s actual maintenance status, abandoned-package detection, security-advisory match-up.
Custom code documentation: a written map of every app/code/Vendor/Module directory with risk + criticality + handoff notes.
Output: a 20–40 page written report with prioritized fix list, fixed-price scope per item, and a recommended 30/60/90-day execution plan. Roughly $1.5k–$3k for the audit, plus separate fixed-price quotes for the actual remediation work.
Cost of a paid deep audit?
Three pricing tiers depending on the store’s complexity:
1-day audit ($1,500): single-store, no B2B, no ERP. Around 80–100 of the deep checklist’s questions, slow-query review, top-10 fixes prioritized. Output: ~10-page report. Best for stores doing $500k–$2M GMV with a clean architecture.
2-day audit ($2,400): single-store with B2B or ERP, OR multi-store without B2B. Full deep checklist, performance deep-dive, custom-module security review of 5–8 modules. Output: ~20-page report. Best for $2M–$10M GMV stores.
3-day audit ($3,200): multi-store + B2B + ERP, or any store with significant custom-module footprint (15+ modules). Full deep checklist, security review of all modules, ERP handshake diff, B2B data integrity, 30/60/90-day execution plan. Output: 30–40 page report. Best for $10M+ stores or any “crisis-grade” remediation.
What the audit fee does not include: the actual remediation work itself. The audit gives you a fixed-price quote per finding so you can budget the remediation separately and decide which items to ticket.
What it does include: 14 days of follow-up Q&A so your dev team can ask clarifying questions while they’re working through the fix list, and a one-call kick-off + one-call walkthrough.
Can I retake the audit or save my answers?
Yes to retake, no to native save — by design.
Retake: the audit always runs fresh. There’s a “Reset” button on the result panel that clears your answers and lets you go again. Reload the page and you also get a fresh start. I recommend re-taking once a quarter at minimum to catch drift.
Native save: deliberately not built. The choice is between “your answers persist somewhere” (cookies, localStorage, server) and “your answers are private and ephemeral.” I picked the second — the trade-off is real but I’d rather lose “come back next week and resume” than introduce a place for sensitive answers to leak from.
The workaround for tracking over time:
After taking the audit, hit your browser’s Print button (or Cmd/Ctrl + P) on the result panel. Save as PDF. The result is timestamped and includes overall grade + per-category breakdown + fix list.
Repeat in 90 days. Diff the two PDFs to see grade lift per category.
If you want native tracking baked in (per-account history, team dashboards, fix-list assignment), that’s the deep audit + retainer combination, not the free in-page tool.
PCI-DSS / regulated industry — is this checklist enough?
No — this is a self-assessment, not a compliance attestation. For PCI-DSS, HIPAA-adjacent, GDPR-Article-32, DSCSA, or any regulated context you need a paid third-party audit with proper documentation. This checklist gets you ~60% of the way to ready; the remaining 40% is paperwork, evidence-gathering, and external attestation.
What this checklist does for regulated stores:
Catches the basic-hygiene items that would fail any PCI ASV scan (missing patches, weak admin auth, unencrypted backups, exposed env files).
Surfaces the obvious B2B data-handling gaps (companies + quotes + segment pricing — relevant if you handle payment terms separately by buyer).
Identifies ops gaps that compound regulator scrutiny (unmonitored production, no backup-restore drill, no log alerting).
What it doesn’t do for regulated stores:
Generate the SAQ-A or SAQ-A-EP self-attestation document. That’s a separate process with your acquirer or QSA.
Map findings to specific PCI requirements. The deep audit (separate engagement) does this.
Replace your annual ASV scan from Trustwave / SecurityMetrics / similar. Required by PCI, not me.
Cover DSCSA-specific pharma / regulated-product chain-of-custody. That’s domain-specific and needs a specialist.
If you’re in pharma / cosmetics / firearms / regulated finance, take the checklist for the engineering signal, then book a paid audit specifically scoped for your regulator (the audit fee does include compliance-mapping for these contexts).
How is this different from Adobe’s built-in audit tools?
Adobe ships several built-in audit tools that overlap with this checklist but don’t replace it. Quick comparison:
Adobe Commerce Site-Wide Analysis Tool (SWAT) — ships in Adobe Commerce 2.4.6+, runs static analysis on your codebase. Catches code-quality issues, security smells, deprecation warnings. Strong on code, blind to ops + B2B + SEO config. Run it monthly — complements this checklist, doesn’t replace.
Magento Marketplace Module Health — per-extension static analysis. Useful for vendor extensions, useless for custom in-house modules. One narrow slice.
Adobe Experience Manager Best Practices Analyzer — primarily for AEM, partial overlap with Magento. Not really applicable.
This checklist — covers the 50 cross-cutting checks an operator would run before signing off a Magento store as production-healthy. SWAT can’t answer “do you have 2FA enforced” or “is your daily backup test-restored quarterly” — those are operational state, not code state.
How they fit together:
Run this checklist quarterly. Get the cross-functional state-of-the-store snapshot.
Run SWAT monthly. Catch code-quality regressions between checklist runs.
Schedule a paid deep audit annually. Catches the things both miss (slow-query patterns, custom-module security depth, ERP drift, B2B data integrity).
Three layers, three time horizons, three different blind spots. None of them replaces another.