Performance & Security Improvement

for Magento 2 Store

e-commerce magento 2 store performance improvement




The client owns one of the popular B2C shops in their country. As their business grew, the customer’s developer worked on a new version of their e-commerce website powered by Magento 2 and needed to ensure their infrastructure can meet all performance and security requirements before the release.


+ developers had to manually deploy intermittent updates to the work-in-progress version of the website

+ deployment automation of the current website didn’t allow rollbacks, making every major update a gamble

+ soon-to-be-legacy version of the website struggled with traffic spikes and slowed down drastically with the amount of data increased over the years. Infrastructure for the new version must be scalable and reliable

+ current infrastructure had little to no means of collecting performance statistics which made it difficult to adapt to growing traffic. The majority of scaling decisions had to be made on-the-fly

+ due to the popularity of the website, it was a typical target of DDoS attacks. The client needed a reliable solution to sustain them with the new infrastructure setup

+ resources in the cloud provider account were managed separately by different teams, and it was difficult to keep track of infrastructure changes


Corewide team performed an audit of the existing setup, draw a diagram of the planned setup and suggested a work scope that covered all the found issues and client’s challenges. For the website, we aimed at containerization to make it easily scalable on top of existing technologies and toolkits the client’s engineers were used to.

+ First of all, we applied the Infrastructure as Code approach to managing cloud resources with Terraform code, making all changes transparent and traceable. From now on, the cloud state is described in the code that handles multiple environments (development, staging and production).

+ Parallel to IaC, the Corewide DevOps unit crafted a custom Docker recipe for Magento 2 following best practices in containerization and twelve-factor app principles.

+ For website sessions to persist between multiple containers during scaling, a highly available Redis cluster was used as session storage.

+ Magento 2 is one of the most resource-hungry PHP frameworks. Thus, performance issues had to be addressed from the very beginning. We have implemented flexible resource caching by means of Varnish to provide huge speedup to static content while letting dynamic parts of the web page still update separately.

+ We wrote a CI/CD pipeline to streamline the builds and deployments. The pipeline ran builds, unit tests and security analysis of the code, then deployed it to the development environment.

Once features reached enough stability they were rolled to staging. Upon completion of automatic end-to-end testing, the deployment could be approved for rollout to production. At the start of a production deployment, a number of atomic backups were made to ensure reliable rollback of data structure and not just the code.

In case of failure, deployment automatically restored the previous version of the code and (optionally) database entities. The average build took about 10 minutes (due to the number of maintenance operations Magento requires at build time), while the median deployment duration was 40 seconds. Rollbacks normally took the same time as deployments.

+ Tightly cooperating with the client’s developers, we wrote automated stress testing scenarios with Locust. As a result, a single instance of the website could handle up to 400 visitors without Varnish and up to 6000 visitors when backed by Varnish for caching.

We also defined a flexible autoscaling policy that spawned extra instances when the traffic load was close to reaching the scaling threshold – to prevent slowdowns from the requests that aren’t or can’t be cached, like shopping cart and checkout pages.

+ To ensure abnormal behaviour can be detected and addressed in time, we installed a monitoring system to collect performance metrics and website logs. All monitoring data were arranged into a custom neat dashboard that displayed vital statistics and the real-time state of the system. 

+ When all performance concerns were covered, we integrated a layer of CDN and DDoS protection from Cloudflare to ensure website access is secure. After another round of thoroughly testing WAF rules applicable to the client’s setup, we protected server management access with a VPN solution.

+ Initial diagrams of the setup were updated to include changes that were made during the implementation phase. The documentation for all the project layers (infrastructure, application, third-party services, CI/CD, security policies, disaster recovery) was delivered to the client by the release date.

Struggling to find an excellent DevOps services provider? Having custom business demands? Corewide’s got you covered! Leave us a message – we will contact you back ASAP.