How to Perform External And Internal Magento Scanning?

According to the Federal Office for Information Security (BSI), over 6,000 online stores running on the Magento platform have been hacked from 2015-17. Even today, hacking a Magento-based website is easy if unpatched or unsecured.

Therefore, Magento scanning is the most important task for store owners.

Reasons why Magento gets hacked

  1. Execute code
  2. SQL injection
  3. Directory Traversal
  4. Bypass Something
  5. File Inclusion

Considering the fact that 85% of all the compromised e-commerce is on Magento, the importance of scanning becomes critical. You can protect your Magento store via Internal Scanning and External Scanning.

Internal Scanning

Internal scanning is codebase malware scanning. You can use several free tools to scan your Magento website.

Magento Internal Scanning Tools

Magento Malware Scanner

Magento Malware Scanner is a tool that helps you keep Magento installation secure.

You can easily scan a codebase for malware easily.

grep -Erlf mwscan.txt /path/to/magento

External Scanning

External scanning is equally important for your Magento. It is necessary to scan your database malware.

This is a common attack as the hacker can install malware by simply accessing the admin panel and updating CMS block or “miscellaneous htm”.

How to Perform External Scanning?

  • Download contents of the page via wget
  • Send the returned HTML to Magento malware scanner
wget -O result && grep -Elf mwscan.txt result


#1 Malware not inlined

wget -O will miss the malware if it is referred via a <script> tag. You can use the -p flag to download the “page requisites”. This will catch all the scripts referred via a <script> tag.

wget -p && grep -Erlf mwscan.txt

#2 Malware Hosted Elsewhere

If the host is different, -p flag won’t download the assets. For downloading, you need to combine it with the -H flag.

Use the -P flag to put everything into one folder.

wget -p -H -P scan && grep -Erlf mwscan.txt scan

#3 Malware in CMS

Issue: The Magento malware is in a static block and comes into action when on the checkout page.

Solution: Mpchadwick MwscanUtils. This is an open source and free tool that allows:

#4 Content Dump Endpoint

Send a request to It will delete:

  • Content from all CMS pages
  • Content from all CMS blocks
  • Miscellaneous Scripts
  • Miscellaneous HTML

#5 Fetch HTML via wget

You can fetch the HTML for the checkout through wget. The request gets redirected to a session not having any quote items.

But if you pass the mwscanutils_force param the page will still be loaded:


You can scan your Magento website with the help of Magereport.

Magereport is a free service that scans your Magento shop giving you quick insights on the security status and how to fix vulnerabilities.

It checks all the known vulnerabilities in Magento and also 3rd party extensions.

Bonus tips

  • While performing external scans, you can use wget’s -q installation to prevent it from making any noise.
  • Run external scans on a dedicated server (not the ones hosting the Magento installation).

Don’t wait till your Magento Store gets hacked.

Get a 30-min FREE consultation with our Magento Expert.

Magento Hosting banner

Latest Magento Tips, Guides, & News

Stay updated with new stuff in the Magento ecosystem including exclusive deals, how-to articles, new modules, and more. 100% Magento Goodness, a promise!

1 thought on “How to Perform External And Internal Magento Scanning?”

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top

We can help you. Right now.

Fast growing merchants depend ServerGuy for high-performance hosting. Experience counts. Let's get started.

Talk to a sales representative

USA / Worldwide




Core Web Vitals Book COver

Is your website ready for Core Web Vitals?

Take this FREE book with you and optimize your store for speed.

Learn all about new Google new ranking factors and get that top ranking.