Is your Magento store slow, unstable, or less profitable than it used to be? Most of the time, the cause is not one big issue. Small problems add up, such as heavy frontend assets, misconfigured caching, outdated modules, failing cron jobs, and security gaps.
This Magento 2 audit checklist helps you find and fix the most common performance, security, and stability problems before they hurt rankings, user experience, and revenue.
What exactly is a Magento audit (and why it is non-negotiable)?
A Magento audit is a systematic review of your store’s end-to-end setup. The process covers frontend performance, backend infrastructure, code quality, extensions, security posture, and technical SEO. Running PageSpeed once is not enough. A proper audit identifies what slows the store down, what could break next, and where risk is increasing.
This guide is a Magento 2 audit checklist you can repeat. Many teams also refer to it as a Magento technical audit. The same approach applies to Adobe Commerce stores, so you can treat it as an Adobe Commerce audit as well.
Why it matters: small performance delays and technical errors create real business loss. Akamai’s retail research found that even a 100-millisecond delay can hurt conversion rates by 7%. Performance is not a vanity metric. It protects revenue.
Magento audit scope at a glance
| Area | What we check | What you get |
|---|---|---|
| Performance | Core Web Vitals (LCP, INP, CLS), TTFB, caching (Varnish, Redis), JS/CSS, images, third-party scripts, search performance | Faster key pages and fewer regressions |
| Security | Version and patch status, extension risk, admin hardening (2FA, roles), malware signals, TLS/SSL posture | Lower breach risk and safer upgrades |
| Stability | Cron health, indexers, queues/consumers (if used), error logs, checkout flow, integrations | Less downtime and fewer random failures |
| Technical SEO | Indexability, canonicals, sitemap, hreflang, structured data, Search Console CWV groups | Better crawl and stronger SERP features |
Targets to aim for (Core Web Vitals + TTFB)
Before you fix anything, define what “good” looks like. Google’s Core Web Vitals are LCP, INP, and CLS. FID is legacy. References: Web Vitals thresholds, INP introduction.
| Metric | What it means | Target |
|---|---|---|
| LCP | Loading speed for the main content | ≤ 2.5s (75th percentile) |
| INP | Responsiveness and interaction delay | ≤ 200ms (75th percentile) |
| CLS | Visual stability and layout shifts | ≤ 0.1 |
| TTFB (supporting) | Server response speed (not a CWV metric) | ≤ 0.8s as a practical goal |
TTFB guidance: Improving TTFB. PageSpeed Insights reference: About PSI.
Measure Magento performance correctly (lab vs. field)
- Lab data (Lighthouse and PageSpeed) helps you debug why a page is slow in a controlled test.
- Field data (Search Console Core Web Vitals report and CrUX) shows how real users experience your store over time.
- Best practice: prioritize using field data, then validate root causes and fixes with lab tests.
Helpful reading: Lab vs. field data differences.
The complete Magento 2 audit checklist
Use this checklist as a repeatable process. The best audits produce three outputs: (1) a baseline KPI snapshot, (2) a prioritized backlog, (3) a fix roadmap you can execute over 2 to 8 weeks.
Magento audit deliverables (what “good” looks like)
- Executive summary: top issues, quick wins, and expected impact
- Baseline KPIs: CWV (field and lab), TTFB, error rate, checkout success rate, top revenue page performance
- Prioritized backlog: Critical, High, Medium, Low with effort and impact notes
- Fix roadmap: a 2 to 8 week plan with milestones
- Validation plan: which URLs to retest and how to prevent regressions
Pillar 1: Performance audit (frontend + backend)
1) Frontend performance
- Run baseline tests on homepage, top category, top product, cart, and checkout:
  - PageSpeed Insights (mobile and desktop)
  - Lighthouse (Chrome DevTools)
  - Real user data (Search Console CWV report and CrUX)
- Core Web Vitals triage: find what breaks LCP, INP, and CLS on your key templates (category, product, checkout).
- Images: convert heavy images to WebP/AVIF, use correct sizing, lazy-load non-critical images, and reserve dimensions to reduce CLS.
- JS/CSS: reduce render-blocking resources, remove unused CSS, defer non-critical JS, and reduce bundle size.
- Third-party scripts: audit tag manager, chat widgets, heatmaps, and A/B tools. Remove what does not earn its keep. Delay loading where possible.
- Cache behavior: confirm Full Page Cache works (Varnish or built-in) and invalidation is correct. Avoid stale cart and checkout states.
2) Backend performance
- Server response (TTFB): measure and reduce slow backend response times, especially on cache misses.
- PHP + OPcache: confirm supported PHP version, OPcache settings, and memory limits are tuned for your workload.
- Redis sessions + cache: verify Redis is correctly configured and stable under load.
- Search: review Elasticsearch/OpenSearch health and query speed. Slow search hurts conversion and user satisfaction.
- Database: check slow queries, table bloat, missing indexes, and lock contention during peak traffic.
- Cron jobs: review schedule, failures, and long-running tasks. Cron failures often cause unstable indexing, missing emails, and broken automation.
- Code + extensions: identify heavy observers/plugins, inefficient loops, and outdated modules impacting category, product, and checkout pages.
Pillar 2: Security audit (patches + access + server)
Security is not optional. Magento and Adobe Commerce receive ongoing security updates. Patch hygiene reduces risk and protects customer trust. Reference: Adobe security bulletins.
1) Platform and extensions
- Version + patches: confirm your Magento/Adobe Commerce version and apply relevant security updates. Track updates via Adobe’s official bulletins.
- Extension inventory: list every installed module, remove unused ones, and replace anything unmaintained or from unknown vendors.
- Admin security:
  - 2FA enabled and enforced for all admin users
  - Least-privilege roles (no shared super admin accounts)
  - Custom admin URL + IP allowlisting where feasible
  - Review admin users for unknown accounts and unusual access patterns
2) Server and data security
- Malware scan: use a reputable scanner and investigate unexpected admin users, file changes, and suspicious cron entries.
- File permissions: validate file and directory permissions follow Magento best practices. Avoid writable public code paths.
- SSL/TLS: confirm certificates, redirects (HTTP to HTTPS), and modern protocol support.
- Payment posture: review how card data is handled. Prefer tokenization and hosted fields where possible to reduce exposure.
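A permission triage for the file-change and file-permission items above, as an added example that is not from the original article or from Adobe tooling. The path list (code directories assumed read-only in production mode), the finding labels, and the function names are this example's own assumptions, and the sample tree is constructed.

```bash
#!/bin/sh
# Added example: permission triage for a Magento 2 tree (not Adobe tooling).
# Assumption: production mode, where these code paths are kept read-only.
CODE_PATHS="app/code app/etc vendor generated pub/static"

label() { while IFS= read -r p; do printf '%s\t%s\n' "$1" "$p"; done; }

# Print "FINDING<TAB>path" for each issue under the Magento root given as $1.
audit_magento_perms() {
  root=$1
  for rel in $CODE_PATHS; do
    [ -d "$root/$rel" ] || continue
    # World-writable files or directories inside code paths
    find "$root/$rel" \( -type f -o -type d \) -perm -0002 | label WORLD_WRITABLE
    # Group-writable only: may be intended outside production, so reported separately
    find "$root/$rel" \( -type f -o -type d \) -perm -0020 ! -perm -0002 |
      label GROUP_WRITABLE
  done
  # env.php holds database credentials and the encryption key
  if [ -f "$root/app/etc/env.php" ]; then
    find "$root/app/etc/env.php" -perm -0004 | label WORLD_READABLE_SECRETS
  fi
  # pub/media is web-served and writable by design, so PHP files there need review
  if [ -d "$root/pub/media" ]; then
    find "$root/pub/media" -type f -iname '*.php' | label PHP_IN_MEDIA
  fi
}

# Constructed sample tree (not a real store) with four planted findings.
build_demo_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/app/etc" "$t/app/code/Acme/Shipping" "$t/vendor" "$t/pub/media/catalog"
  for f in app/etc/env.php app/code/Acme/Shipping/registration.php \
           vendor/autoload.php pub/media/catalog/thumb.php pub/media/catalog/shoe.jpg; do
    : > "$t/$f"
  done
  chmod -R u=rwX,go=rX "$t"                              # baseline: dirs 755, files 644
  chmod 666 "$t/app/code/Acme/Shipping/registration.php" # planted: world-writable code
  chmod 775 "$t/vendor"                                  # planted: group-writable dir
  printf '%s\n' "$t"      # env.php (644) and thumb.php are the other two findings
}

demo=$(build_demo_tree)
audit_magento_perms "$demo"
rm -rf "$demo"
```

Run `audit_magento_perms` against the store root as part of each audit and diff the output against the previous run, so new findings stand out as file changes to investigate.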
EU/DACH note: If you sell in the EU, include audit checks for cookie consent behavior and tracking scripts. Confirm what loads before consent. Treat this as a technical trust and risk item. This is not legal advice.
Pillar 3: Technical SEO + stability audit
1) Technical SEO health
- Indexability: validate robots.txt and meta robots are not blocking important pages.
- XML sitemaps: ensure they are clean, updated, and submitted in Google Search Console.
- Canonicals: prevent duplicate content across layered navigation, sorting parameters, and pagination.
- Hreflang: if you run multi-language/multi-country stores, verify hreflang is correct and consistent.
- Structured data: validate product schema (price, availability, rating) using Google’s Rich Results Test.
- Core Web Vitals reporting: use Search Console CWV groups (LCP/INP/CLS) to prioritize pages with real user issues.
2) General health and stability
- Error logs: review Magento logs and server logs for PHP errors, 500 errors, and recurring exceptions.
- 404 + redirects: fix broken internal links and ensure product/category URL changes redirect correctly.
- Mobile UX: test real devices for navigation, filters, product interactions, and sticky UI overlaps.
- Checkout walkthrough: run test purchases (guest and logged-in) with top payment and shipping methods. Confirm tax, order creation, email delivery, and post-purchase pages.
Common Magento audit findings (and fast fixes)
- Bad LCP on product and category pages: oversized images and render-blocking assets. Fix compression, defer non-critical files, and reduce bundles.
- High INP: too much JavaScript or heavy third-party scripts. Delay non-critical tags and reduce client-side work.
- CLS spikes: missing image dimensions or late-loading fonts. Reserve layout space and improve font loading strategy.
- Slow TTFB: cache misses, slow database queries, heavy blocks. Improve caching, profile database queries, and optimize critical rendering paths.
- Random instability: cron failures or stuck indexers. Monitor, fix failing jobs, and prevent long-running tasks.
- Security risk: patch lag and unsupported modules. Create a patch routine and remove risky extensions.
From audit to action: your post-audit game plan
The audit is only valuable if it turns into execution. Here is an approach that actually ships:
- Score + baseline: capture CWV (field + lab), TTFB, error rates, checkout success rate, and top revenue pages.
- Prioritize ruthlessly:
  - Critical (fix now): security vulnerabilities, checkout failures, and site-down incidents.
  - High (fix this month): major LCP/INP issues on revenue templates and severe SEO indexation problems.
  - Medium (fix this quarter): optimizations, cleanup, and conversion improvements.
  - Low (backlog): cosmetic tweaks and nice-to-haves.
- Create a roadmap: convert findings into tickets with an owner, effort estimate, and expected impact.
- Validate impact: re-test the same URLs and compare against the baseline after each release.
FAQ
How often should I run a Magento 2 audit?
Quarterly is a good default for performance and technical SEO. Run an audit after major releases, new modules, theme changes, or traffic spikes. Security patching should be continuous.
Is PageSpeed Insights enough for a Magento 2 performance audit?
No. PageSpeed Insights is a great starting point, but you also need real user data (Search Console Core Web Vitals), server/database profiling, and extension/code review to find Magento-specific bottlenecks.
What should I get at the end of a real Magento 2 audit checklist?
You should get a prioritized issue list, a 2 to 8 week fix roadmap, measurable KPIs (before/after), and clear recommendations for hosting, caching, code, and extensions.
Supercharge your store with a professional Magento audit
This checklist gives you a strong DIY framework. Most Magento stores also have issues that only show up with deeper profiling, like slow database queries, cron failures, heavy plugins, and caching misconfigurations.
Ready for a faster, more secure Magento store?
StageBit specializes in Magento and Adobe Commerce audits. We turn findings into an execution roadmap covering performance, security, stability, and technical SEO.
Schedule a free, no-obligation consultation and we will map the fastest path to measurable improvements.