Table of Content

How to Run an Internal Magento 2 Audit: Everything You Need to Know

Magento Audit Checklist

Let’s say you decided you need to audit your Magento 2 store and find out if everything works properly. Where to start? One approach is to hire someone to do it for you.

But let’s assume you want to do everything on your own. It’s not rocket science, right? How hard could it be? Well, let’s find out.

First, we need to make clear what the Magento audit is. It’s a thorough examination of every aspect of your store that results in an actionable, ready-to-use report that you can then use as a guide to fix your site. Magento technical audit examines 6 key areas of the store:

Once we’ve outlined available options, let’s see how you can make your store audit a success.

1. Magento 2 Code Audit

Code-wise, Magento is a complex platform with lots of components. This is the most technical audit of all. If you want to review code, deep technical knowledge is essential.

In addition to core Magento files, dozens of third-party extensions will require lots of work. Actually, 90% of all effort goes into third-party extensions review.

1.1 Magento Core Integrity Review

Magento consists of Magento Core which is surrounded by extensions. It’s bad coding practice to modify Magento Core directly. Nevertheless, some developers still do this.

Modified Magento Core poses one complex problem for your website: it’s hard to upgrade or patch a modified Magento. Something, somewhere, will inevitably break. This way, every upgrade to a newer Magento version becomes a thrilling adventure of code reviews, endless tinkering, and debugging. You don’t want that to be a part of your life.

How to pass: make sure your Magento is unmodified. This is a vital audit for your future security and peace of mind. If it turned out that your core is modified, invest in to isolate these customization changes into third-party extensions instead of keeping them inside.

1.2 Browser Compatibility Audit

Extensive browser testing is something you should do but probably don’t. Even though it might seem like a minor issue, poor performance on specific browsers will cost you conversions. Review how your store handles web browsers that your visitors are using. See where they drop off and try to figure out why. Outline technical challenges for each browser and fix them.

Check for at least these 4 browsers: Google Chrome, Mozilla Firefox, Safari, Microsoft Edge.

If you want to be extra vigilant, test the last two most recent versions of each browser to ensure you take care of both updated users and those who lag behind.

1.3 Bugs and Glitches Review

Customers do notice if your store is clean and works well. They are more likely to leave if it’s buggy. Finding and fixing bugs and glitches is not as fun as adding new features to the store. But it’s an important task.

Make sure you track and document all issues into the team’s bug tracker. Write down the steps to reproduce each bug. Give more attention to the bugs that the user will encounter on the critical path: that is the path they have to take to find a product and successfully purchase it from you.

Critically important areas:

  • homepage;
  • search;
  • product list;
  • product page;
  • cart;
  • checkout.

We can’t stress this enough. Make sure your users can go all the way from the homepage to checkout and make an order!

1.4 JavaScript/CSS/HTML Review

a) General codebase audit

Checking that your code actually makes sense is a great way to develop stuff. Shocking and unorthodox, we know.

Audit your code to ensure it’s robust, mistake-free, comprehensive, secure, and easy to maintain. Check for conflicts with other components. We understand it’s uncommon for developers to dedicate time and resources to refactor the existing code, adhering to modern coding standards.

It’s twice as hard because Magento is developed as an open-source free-for-all platform with thousands of contributors with their own coding techniques, backgrounds, and experiences. At the same time, we believe that you still need to review your codebase from time to time to make necessary yet small changes to maintain decent code quality.

How to pass: minimize effort and maximize impact. Focus on recommending easy changes that will help you reap the most benefits. Understand that the code doesn’t have to be perfect. It needs to work well and be secure. That’s all.

b) CSS/HTML Audit

CSS, more so than HTML, requires an to load quickly. Inexperienced teams neglect best practices in CSS use and inadvertently make a lot of mistakes. Cleaning up after these developers is a necessary but laborious task.

Refactoring CSS following best industry practices will , reduce confusion during further development, save bandwidth, and make the code easier to maintain in the future.

How to audit: Like any other code, CSS needs to be bloat-free, maintainable, and efficient. Your task for the audit is to find weaknesses, inconsistencies, redundant CSS lines and highlight them. 

1.5 Third-Party Code Review

Magento is all about customization. With thousands of available extensions, you can make your store whatever you want. You can also mess it up pretty badly if you install poorly optimized and insecure extensions from novice developer teams.

Hell, even experienced developers release products that are far from perfect. After all, they won’t test them on your specific hardware and extension list. They test the performance on a default Magento install with just this extension added to the mix.

Their performance results might be good. But add another 30 extensions that your store needs daily, and we have a slow, unreliable mess that’s hard to speed up or upgrade.

Your goal here: pay extremely close attention to third-party extensions. They are the weakest spot in your Magento store setup and present huge issues in performance and security.

1.6 Database Audit

Databases need to be secure and fast. And this is what we are going to look for when we analyze them. One of the components of a good database is security. To eliminate security breaches, make sure your store is updated to the latest version of Magento, has adequate protection against SQL injections and manipulations to gain unauthorized privileged access, etc.

What to look for: potential database breaches that allow users to get access to unauthorized writes, illegal permissions to change tables, objects, and other users, retrieve sensitive data, manipulate the network, and otherwise cause trouble.

Another big task is to make sure your Magento database is fast enough to handle the required workload and not create bottlenecks during your daily activities. Check our guide on to get a clear understanding of what to do to improve your store's speed. 

2. UI/UX Review

Even though it’s generally more beneficial to have someone else conduct a Magento UX audit, you can still do it yourself. Just beware of the so-called “blurring” effect. This is when you’ve seen your store so many times you become desensitized to its shortcomings in user experience and navigation.

It’s a combination of knowing the product too well and not empathizing enough with the users looking at it for the first time. The good news is, it’s still possible to look at your store 1000 times and see where you need to improve. 

Important note: Starting from June 2021, Google considers page experience metrics a ranking factor. So-called (FID, LCP, CLS) are now taken into account in the SERP. What does it mean for store owners? Now, if you want to get ahead of the competitors, you need to pay attention to what your customers feel when interacting with your store.

So let’s get started.

2.1 Navigation Audit

Please, don’t assume you know what your users are thinking, how they interact with your website, or what they want. This is the fundamental mistake of all novices. Just keep an open mind about things and move forward.

If you involve other people in your audit, prepare to be amazed at how unexpectedly and differently they all navigate through your store, how they interact with menus and UI elements. You get a lot of insight this way that can bring a new perspective into your vision and maybe even change your mind about a few things.

Your goal: create typical tasks for the users who are going to test your store. Ask them to find some information about a product, buy a gift for their significant other, find something specific, or navigate to a distinct part of the store.

Be open-minded and optimistic about their feedback. Look for common complaints that a few users expressed independently and center your audit attention around them.

Note how fast and efficient your search and navigation are. See how long it takes users to find stuff. Where they succeed and where they fail.

2.2 Key Pages Analysis

Every website has a handful of key content pages. For a typical Magento store, key content is located on a homepage, contact us page, delivery, warranty, about us, and product pages.

These are the pages that users visit the most when they first do research and then make a decision whether to buy from you or not.

What we are looking for: whether your key pages have convincing and concise content that answers the main question of the user (How do I contact these guys? What are they selling? Do they have what I need? How long they have been around? Are they any good? etc.)

2.3 Sales Funnel Review

Examine your sales funnel and look closely at how users usually move through your store from landing to cart to checkout, where they stumble or exit altogether.

It’s not an easy task to gather this data from the get-go but with a small budget to purchase the necessary tools and a bit of patience, you’ll have enough information to draw your first conclusions.

What needs to be done: be patient, gather enough data, look at user behavior, analyze pages where users bounce the most and see where you can do better. Improving your sales funnel directly improves your bottom line. There’s a lot at stake here.

2.4 Content Audit

Content must sell. The idea of a content audit is to find out how much content you have and how well it sells. While it might be hard to figure out how effective your content is, we still need to give it a try.

Look at user behavior in detail: how your visitors interact with the page, what they read more and what they skip, whether they look at anything at all. Remember that content is so much more than just text. It’s the whole combination of data on your page: photos, videos, text descriptions, links to documents, and brochures.

Your goal: analyze and find underperforming content, think through how it would improve it. Find out gaps in your content that need to be filled.

3. Speed Review

Good performance is the cornerstone of your good sales. We’ve covered how to for both frontend and backend. But before you fix the stuff you need to know which issues cause the most problems and where your pain points are. So welcome to .

3.1 Frontend Performance Audit

Frontend makes up to 70% of all speed issues. From extremely unhealthy-looking JavaScript code to bulky CSS, the front end can become a nightmare to optimize on complex websites.

70% of all issues are a huge number. How do you approach it?One solution is to create a checklist in your head and go through each issue one by one, marking them off our imaginary performance audit list.

a) JavaScript Audit

Unoptimized JavaScript takes up the bulk of client-based processing. If it’s poorly implemented, it will hold up content loading, create unnecessary bottlenecks, and provide an awful user experience on slower machines.

Usually, JavaScript-heavy stores rely on the user’s web browser to process and present web pages fast enough so that user experience is not affected. But while having a modern machine can speed things up quite a bit, you should also know that JavaScript performance depends a lot on how you structure your code and where you place it on the web page load queue.

You want to tackle both of these issues to make your pages lighter and faster.

First, analyze closely how the page loads and which scripts hold up content rendering. Make recommendations on how to best position non-essential JavaScript code on the page so it stops blocking key content from the user.

This is a handy fix when you need to improve perceived performance without removing the code from the page. Just reorganizing the loading order in the document will help dramatically improve the load speed where it matters.

Use Google Lighthouse and Magento Profiler to create a meaningful picture of your load order and discover bottlenecks along the way. Both tools are helpful for specific applications and work well in tandem, so it’s wise to use both of them simultaneously.

Here is our guide on . Check it out to see an in-depth review of the metrics and target performance values.

Critical data measurements:

  • first contentful paint;
  • time to first byte;
  • time to interactive;
  • first CPU idle;
  • input latency.

b) Extensions Speed Impact Review

Magento’s magic is in extensions. But the more modules you have, the more speed you lose. Some of them make too many database queries; others run cron too often, slowing down everything. Some extensions are just poorly optimized.

First, make a list of all installed extensions. Measure how they impact your store. Make sure you know what each module does. If you experience slowdowns during specific operations or at a particular daytime, analyze which third-party extension eats up precious resources.

Second, make a list of extensions you can toss without a significant loss in functionality — something you never use or have no idea what it does. Just be careful when you remove cross-dependant extensions. It’s a growing trend on the marketplace to build a “master” extension that serves as a foundation to a few “child” extensions. And deleting the master extension before the child will cause issues.

Review to-do list:

  • make a list of all third-party extensions you have installed;
  • mark unknown or rarely used extensions for removal;
  • outline which of the remaining extensions eat up most of your resources;
  • decide to either leave them as they are, optimize them, or find a better alternative.

c) Plugins and Event Observers Analysis

This is an in-depth look at how plugins and event observers behave in the system. Magento is in the process of switching one for the other. But today both methods are present in the platform yet not all of them are made equal.

Event observers are considered slower and less efficient than plugins. Nevertheless, many third-party extensions use observers to extend basic Magento functionality. You can review observers in the events.xml file. It will require in-depth expertise, though, to know which ones are the most taxing on your performance and how you can replace them.

Your goals here:

  • review existing plugins and event observers;
  • measure their performance;
  • see which of them slow you down the most;
  • make recommendations on how to improve.

d) Magento 2 Theme Review

Magento themes can be heavy. If you’ve installed an old theme that is no longer supported, you can encounter a whole host of speed issues.

If your theme has become heavily customized, changing it to something lighter and better is not always an option. Most of the time, you have to deal with what you already have.

In that case, analyze how well your theme is optimized for speed: whether it uses optimized images, neatly stores CSS files, what the mobile performance and UX are like.

e) Configuration Optimizations Review

Magento offers developers the opportunity to improve performance in dozens of small ways:

  • check if you can exchange default catalog structure for flat catalogs;
  • make sure your store uses lazy loading for images and a CDN;
  • measure if the use of Elasticsearch can speed up search results;
  • review your frontend cache configuration, install Redis if you haven’t already;
  • see if JS bundling, HTML minification, CSS compression, etc. can get you better speed.

3.2 Backend Performance Audit

Magento backend optimization makes up 30% of all speed issues. Magento backend is a massive set of challenges that range from server environment to correct cache configurations and everything in between. When we are talking backend, we mean the stuff casual users don’t even know exist.

Feel free to check our guide on . It is a very useful read that will help you hit all the bases.

a) Hardware and Config Review

Servers make stuff happen. And most of the time you want to pay for the optimal hardware, not just waste money. The server should be neither too powerful nor too weak, just right.

Backend optimization allows you to make your servers more cost-effective. Here’s what you can do to optimize the server for your Magento store:

  • test cache instructions in .htaccess (Apache) or server config (nginx);
  • check how your server deals with peak loads and if it needs an upgrade;
  • ensure you run the latest server software supported by your version of Magento;
  • check if you have switched from HTTP/1.x to HTTP/2 protocol.

These steps constitute the bare-bones backend optimization, yet they are important.

What to look out for:

  • make sure Magento runs the latest server software (PHP7.1.x+, MySQL 5.7+);
  • request that you upgrade to HTTP/2 or even HTTP/3 once it’s available;
  • set up more powerful backend caching tools such as Varnish;
  • make sure the server features at least 4-8 Gb of RAM.

b) Backend Cache Speed Audit

Full-page cache has been introduced with Magento 2.0 as a default alternative to third-party solutions. FPC as a whole is a great choice when you don’t want to invest a lot of resources in supporting infrastructure or tinker with the config files.

At the same time, Varnish offers much better speeds when you customize it correctly to your needs. It’s the recommended option for websites where users request many duplicate files that are easy to predict and call from the Varnish cache instead of the system SSD.

Since it’s more flexible than the standard full-page cache, Varnish can be configured to offer 2x the speed boost depending on your use case.

What to look out for: see how well caching is implemented on the website, how much time it saves for your users, whether it makes sense to switch from a full-page cache to Varnish or vice versa. Review cache configuration to make sure it is optimized for your use case.

c) CDN Speed Assessment

CDN, or Content Delivery Network, is one of the optimizations that doesn’t get enough recognition. Sign up for a CDN service to see if in your particular use case it makes a difference.

CDN is best used when your audience is fractured and comes to your store from all over the world. So even if you can offer good latency and service to local customers, who are located close to your physical servers, others will experience long waiting times and worse user experience.

As with any business decision, though, make sure the CDN delivers more value than it costs to implement and maintain.

Best CDN criteria:

  • ensure CDN has data centers in regions where users come to visit your store;
  • check latency, throughput, and make a cost-benefit analysis;
  • check that the features you’ll need are available through the CDN;
  • measure speed before and after CDN implementation;
  • install monitoring tools to check CDN performance periodically.

Get a Free Magento 2 Audit Example

Dive into our Magento 2 audit report on identifying typical Magento 2 issues.

4. Magento Security Audit

You don’t need to be the master pen tester to do of your store. Not that that wouldn’t help. It would. But a solid understanding of what to look out for and a bit of persistence can go a long way, too.

You will need a few tools to scan your store:

  • Magento Security Scan Tool;
  • MageReport;
  • Magento Malware Scanner;
  • XSSer;
  • SQLmap.

4.1 Magento Vulnerability Assessment

One of the reasons Magento stores get hacked is because scammers know how to find a vulnerability in your store and use it. One of the most common sources of vulnerabilities is an out-of-date store.

Check which Magento version you run. If it’s something ancient such as Magento 1.4.x or Magento 2.0, update your store to the latest version ASAP. If it’s a more recent version, though, make the decision based on your resources.

We would still recommend that you update as soon as possible since hackers will scan and hack your store for recently described and patched vulnerabilities in the hope that you haven’t updated yet. And bear in mind that Magento is one of the most popular e-commerce platforms out there, so you automatically become the target of mass attacks.

Check if your third-party extensions are updated. No quick solutions here, either. You’ll have to manually check them one by one to see if they run the latest version. If some of them get abandoned, we recommend that you replace them with a regularly maintained alternative.

What to look out for:

  • check which Magento version you run in the Store Admin area. Keeping Magento up to date will easily protect you from most automated hacking attempts;
  • see if Magento uses the standard admin URL or a custom one to log in;
  • review third-party extensions and their level of security;
  • make sure all payment methods are PCI-compliant and safe.

4.2 Server and Database Security

Servers often have issues with folders and file permissions. Check how your file system manages this challenge. There are three main user groups in the system: the owner, the group, and everyone else.Use 770 for folders and 660 for files. If, for some reason, you can’t do that, at least use 755 for folders and 644 for files. Never let the folders /var/, /app/etc/, and /pub/ stay 777 which is something developers might leave from the Dev mode days.

Things to consider:

  • minimize Magento-specific vulnerabilities with a dedicated Magento hosting;
  • check files and folders permissions;
  • install Security-Enhanced Linux to segregate users from applications they run;
  • mark for removal server software that you don’t need.

4.3 User Permissions Audit

The human factor keeps offering hackers an easy way to enter even the most secure systems. Magento is particularly vulnerable to malicious user behavior because it can host dozens of user accounts with multiple privileges and can’t really manage user permissions precisely enough.

For example, a poorly configured Magento 2 will offer your content manager permission to change the price and other sensitive product attributes.

Things to analyze:

  • review account names, permissions, and login attempts;
  • block users that you either don’t remember or can’t recognize;
  • limit all existing user accounts to permissions they need to do their job;
  • whitelist known IPs such as your office to block login attempts from hackers;
  • install a permission extension when you need to designate user permissions with more precision.

5. Mobile Magento Audit

Mobile browsing is huge in e-commerce. That’s why we decided to look at the mobile part of your store separately. There are two focus points here: usability and performance. To a degree, performance is a part of the usability challenge, but we’ll review it independently to bring your attention to a few critical details.

5.1 Mobile Performance Review

Speed is everything. Users need it to browse faster, to shop faster. Your customers literally don’t have all day to look at your goods.

They came either with a certain need or are window shopping. Both types of customers want your attention and care simply because you have no idea which ones are which. Let’s make sure all of them get the best service possible:

  • measure key performance values (same as in the store performance review);
  • check for HTML <picture> tag and other mobile-specific optimizations;
  • look for outside metrics tools such as Google Speedtest to get instructions on how to fix key issues;
  • use Google Lighthouse and Magento Profiler to gain more in-depth speed metrics.

Mobile speed depends as much on standard frontend and backend optimizations as its desktop counterpart but the desktop will always show better results. That’s why even if you have a decent desktop Speedtest rating, prioritize what the Mobile Speedtest shows you.

5.2 Mobile UX Review

In mobile UX, we concentrate on the same issues and meet the same challenges as in desktops. But with a few notable exceptions:

  • smartphones have small screens, which means you need to tailor your info to that limitation;
  • smartphones use mobile data, which is slower and more expensive than wifi, so you have to make your store lighter and more agile;
  • smartphones have only ~25% of the CPU performance of a desktop PC meaning your processor-heavy JavaScript code will be extremely taxing on slower devices;
  • smartphones use taps and swipes instead of significantly more different precise mouse movements and keyboard buttons to navigate the store and fill in data.

Low speeds, slow processors, and a different UI create significant challenges in the mobile user experience. In order to combat that, Google introduced a mobile-first website design. Besides, starting from 2015, progressive web applications come into play. The websites that look and feel like native apps while still run in browsers are a real catch for eCommerce. You can browse what look like in our recent article. What this means is the website needs to prioritize user experience on slower, smaller, less powerful devices instead of the ones that are powerful, large, and easier to use.

It’s a healthy vision when you consider that more than 50% of online shopping is done using smartphones.

What to look out for:

  • check the metrics to see where mobile users leave the store, especially if mobile browsing shows significantly larger numbers. The biggest perpetrators here are the Checkout page (too many forms to fill in), Product Lists, and your Homepage;
  • understand where speed affects user behavior the most and focus on these spots first: make sure that your homepage loads in a heartbeat, that you can add products to the cart quickly, how long and complex is the checkout process, whether the main menu is easy and fast to use;
  • confront UX challenges that are unique to mobile browsing with a mobile-first mentality: make users fill in fewer forms, create larger buttons, focus on delivering content better for a small viewport, reduce pop-ups and pop-unders;
  • complete common user scenarios on mobile from the beginning to the end to see where users might get stuck or frustrated.

6. Magento SEO Audit

Magento and SEO have a complex relationship. Most generalist SEO teams don’t know all the intricacies of engine optimization so you aren’t losing much by doing the SEO audit yourself. After all, you’ve been using Magento and know a thing or two about its SEO challenges.

Schematically, will include 3 main parts: on-page, technical SEO, and links. For our case, though, we are going to review Magento-specific issues and challenges.

6.1 Duplicate Content Check

Duplicate content is inevitable when you have dozens of identical items on display in the store. Magento suffers from duplicate content because it has inherent technical weaknesses that create identical pages without your knowledge.

For example, unless you specifically shield categories, search filters, and other common links from Google, they will clog up your search results and might even steal link juice from your original landing pages. 

What to look out for:

  • distinguish between user-generated and machine-generated content, learn how to minimize the number of duplicates on the site;
  • make sure you have only one domain to host your store, avoiding the pitfalls of www vs non-www links;
  • check if you have restricted service pages, such as categories, filters, and search results from Google indexing;
  • check for the multi-store trap where the same content lies unchanged on both pages, regardless of the store;
  • use Google Search Console to choose between HTTP and HTTPS protocols and instruct Google which one it should prioritize;
  • cut repetitive info on the page to a minimum. This is especially true for bloated footers and legal texts.

6.2 Content and Keywords Review

Magento store owners often neglect Google optimization guidelines. And usually, all owners fall into two extremes here. One group completely ignores content-based SEO in hopes that “a good product will sell itself”.

The other group fills the page to the brim with spammy text descriptions and meta tags chock-full of keywords.

Keep in mind:

  • research your keywords and use them according to Google SEO guidelines: this means 2-3 keywords per page in moderate amounts;
  • create a consistent strategy on how to fill meta tags with keywords;
  • analyze how your pages get indexed and crawled by Google, which of them are left out or underperform in the SERP;
  • work out the reasons for any sudden drops in traffic, especially around dates of new Google search algorithms announcements, and analyze whether your content has been affected by penalizing filters or not. 

6.3 Google Analytics Audit

is a treasure trove for a curious mind. This data can show you how customers use your site, where they like to stay for a bit longer, and where they drop off. Armed with this data, you can do a lot to make your store more engaging and valuable for your potential shoppers.

In contrast with other audits, Google Analytics might need a bit of time to create meaningful output. We advise you to , Goals, and Universal Analytics to accumulate more insights.

Your task here is to see your site with new eyes. Your customers' eyes. See where they click and, more importantly, where they don't click.

Google In-Page Analytics offers two ways to visualize data on the page. Both bubbles and color highlights provide exciting insights into where users look, what they click, which parts of the page work best, and where you need to improve.Your task here as an auditor is to see where users don't like to go and what links they don't notice.

Read the in-page heatmap:

  • understand the survivor bias: instead of concentrating 100% on the hot spots, take your attention to the areas of the map where traffic is light or non-existent, make these areas your primary focus;
  • study user navigation paths and see where users go from each page. Ideally, build a visual map of your typical customer journey, see the drop-offs and analyze how to improve them;
  • see what users read and where they click: examine which tags, categories, in-text links, and articles generate the most foot traffic;
  • work both with segments and the big data: lumping everyone together is an excellent way to see the big picture, but you'll need to separate users into groups to learn about separate trends, likes, and dislikes of different like-minded shoppers.


Ideally, every audit you make will result in at least two deliverables: a list of challenges and a list of actionable points. These deliverables will serve you as guidance on how to fix your Magento store step by step.

Taking the time to document your ideas and frustrations will help you later form more precise technical requirements for either the internal or the external dev team who will use it to fix stuff.

As an internal auditor, you don't act as an independent third party. Bear in mind that you will outline issues during the audit and monitor how they are fixed.

The more you write down, the easier it will be to guide the changes in your store in the future. Comprehensive DIY audit documentation is a good starting point to improve your Magento store in every aspect.

Not sure if you can handle such a large undertaking? No problem. Our team of developers, QA experts, SEO and UX specialists will share their expertise with you on fixing your Magento challenges. We can conduct a and provide comprehensive deliverables for your team to use as a ready-to-use guide on how to improve your store.

Related Articles

How to Carry out a UX Audit: Seven Essential Steps
Nadya PismennayaMary SysoiKate Parish
Three authors, Onilab LLC

How to Carry out a UX Audit: Seven Essential Steps

11 min
Oct 24, 2023
A Complete 7-step Website CRO Audit
Alex HusarMary SysoiNadya Pismennaya
Three authors, Onilab LLC

A Complete 7-step Website CRO Audit

10 min
Sep 4, 2023

Let’s stay in touch

Subscribe to our newsletter to receive the latest news and updates.