As you will know, Adobe has announced that Magento 1 (M1) will reach end of life in June 2020.
Store owners will quite rightly be concerned about how this impacts their site and what they should be doing now. While we know that many of you have re-platforming well in hand, we are aware that others will be on M1 for a while to come.
Here are the main issues you need to consider and mitigate:
After this point there will be no more official security releases for M1 from Adobe.
This does not mean your M1 site will cease to function, nor will it become insecure overnight. It does, however, mean you should have a solid plan in place to move over to Magento 2 (M2).
While “no more security patches” does sound significant, this is not the most immediate concern. There have only been a few vulnerabilities in the M1 core over the past 10 years. The real danger is third-party extensions: every attack we have seen has come via a third-party module. These are the key attack vectors you need to watch.
A few projects have been set up to address potential M1 core vulnerabilities, e.g. https://mage-one.com/ and http://www.openmage.org/. The latter will provide publicly accessible fixes to the core should these be required.
You may find that some hosts are offering to apply possible future core patches as part of an increased hosting fee, while charging a premium for basic security features. There is no avoiding the fact that attacks against the M1 core are the least of the problem, and no one can promise to patch an almost unlimited list of third-party extensions; such offers lead to a false sense of security. This money is better spent on your new platform.
In the short to medium term there will be little impact on the functionality of your site. Over time, however, this will cause problems, e.g.
- Third parties you swap data with will update APIs which may prevent your site from communicating with them.
- Payment gateways will change protocols and there will be no support from those who coded the extension to keep up with these changes.
- As older versions of PHP are retired you will have a site running on a PHP version with no security updates.
In the short term you will need to demonstrate that you have mitigated security concerns. Over time this will no longer be possible, as PHP versions and the like also fall out of support.
In addition to the usual routes for financing projects like this there are a few others you may like to consider.
PayPal Working Capital: PayPal users can repay a loan direct from PayPal using a percentage of the income from their usual sales. Full details here: https://www.paypal.com/uk/smarthelp/topic/PRODUCTS_AND_SERVICES
Companies affected by coronavirus can access Bounce Back Loans of up to £50,000 from their bank. This enables a business to borrow between £2,000 and £50,000 (up to 25% of the business’s turnover) and repay over 6 years at a 2.5% interest rate, with no early repayment penalty and interest free for the first 12 months. Further details here: https://enablefinance.com/blog/covid-19-bounce-back-loans/
- If you have not already done so, make preparations to re-platform your site. Many of our M1 customers have successfully made the transition to M2, either by working with an agency (https://dx3webs.com/partnerships/development-agencies.html) or by setting this up themselves. Any of our agency partners will be more than happy to discuss your site and offer a quote. Magento 2 is now 5 years old (Magento 2.0 launched fully in November 2015), has matured into an excellent eCommerce platform and is an easy recommendation. If you want a blank copy of M2 set up on your server, just let us know. Shared hosting customers can purchase a dev hosting package (£7.99 per month) to start exploring the platform and take a look at the Migration Tool: https://devdocs.magento.com/guides/v2.3/migration/migration-tool.html
- While we run regular anti-virus scans, we strongly recommend that customers consider installing a dedicated Magento security scanner, e.g. https://sansec.io/
- Make your file system read only. This will prevent any changes to your code base. Just raise a ticket and we will implement this for you.
- Regularly check your site for third-party extensions with known vulnerabilities, e.g. using https://github.com/sansecio/magevulndb. Update or remove them as needed. As usual, raise a ticket if you wish us to trigger a scan.
- Remove all 3rd party extensions that are not in use to limit attack vectors.
- Revisit basic security practices. Is your admin locked down to whitelisted IPs only? Have you removed old admin accounts? Rotated passwords recently? And so on.
- Check your site against free scanning tools such as https://magereport.com and https://sitecheck.sucuri.net, and Magento’s own security checking tool: https://magento.com/security
- Consider a third-party WAF such as Cloudflare or Sucuri.
- Configure Content Security Policy (CSP) headers for your site. This is a significant tool in the fight against injection attacks: only resources from the sources listed in the header are allowed to load on your site, which will prevent the majority of this type of attack.
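The check described in the bullet on known-vulnerable extensions can be scripted. The following is an added example, not dx3webs or Sansec code: it reads the module version that every Magento 1 extension declares in its app/code/<pool>/<Vendor>/<Module>/etc/config.xml and compares it with a list of "fixed in" versions. The config.xml fragments, module names and vulnerability entries are constructed for illustration, and the layout of the real magevulndb CSV is an assumption this script deliberately does not rely on.

```python
"""Check installed Magento 1 modules against a list of known-vulnerable versions.

Added example, not dx3webs or Sansec code. The sample config.xml fragments and
the vulnerability entries below are constructed; the real magevulndb CSV has its
own column layout, which this script does not assume.
"""
import re
import xml.etree.ElementTree as ET

# Constructed: contents of app/code/<pool>/<Vendor>/<Module>/etc/config.xml for
# three hypothetical extensions. In M1 the module version lives under <modules>.
SAMPLE_CONFIGS = {
    "Example_Slider": "<config><modules><Example_Slider>"
                      "<version>1.2.0</version></Example_Slider></modules></config>",
    "Example_Newsletter": "<config><modules><Example_Newsletter>"
                          "<version>2.0.5</version></Example_Newsletter></modules></config>",
    "Example_Blog": "<config><modules><Example_Blog>"
                    "<version>0.9</version></Example_Blog></modules></config>",
}

# Constructed vulnerability list: module name and the first fixed version
# (None means no fixed release exists, so the only remedy is removal).
VULN_LIST = [
    {"module": "Example_Slider", "fixed_in": "1.3.1"},
    {"module": "Example_Newsletter", "fixed_in": "2.0.5"},
    {"module": "Example_Blog", "fixed_in": None},
]


def parse_version(version):
    """Turn '1.2.0' into (1, 2, 0); a piece such as '3rc1' counts as 3."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version a is older than version b ('1.10' is newer than '1.9')."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def module_version(config_xml):
    """Return (module_name, version) from one M1 config.xml, or None if absent."""
    modules = ET.fromstring(config_xml).find("modules")
    if modules is None:
        return None
    for module in modules:
        version = module.find("version")
        if version is not None and version.text:
            return module.tag, version.text.strip()
    return None


def installed_modules(configs):
    """Map module name -> installed version for every config.xml given."""
    found = {}
    for xml in configs.values():
        entry = module_version(xml)
        if entry:
            found[entry[0]] = entry[1]
    return found


def find_vulnerable(installed, vuln_list):
    """Return [(module, installed_version, fixed_in)] for every vulnerable match."""
    findings = []
    for entry in vuln_list:
        current = installed.get(entry["module"])
        if current is None:
            continue  # extension not installed on this site
        fixed = entry["fixed_in"]
        if fixed is None or version_lt(current, fixed):
            findings.append((entry["module"], current, fixed))
    return findings


if __name__ == "__main__":
    for module, current, fixed in find_vulnerable(installed_modules(SAMPLE_CONFIGS), VULN_LIST):
        action = f"update to {fixed} or later" if fixed else "remove (no fixed release)"
        print(f"{module} {current}: vulnerable, {action}")
```

On a real site the config.xml contents would be read from disk under app/code/community and app/code/local, and the vulnerability list loaded from the magevulndb repository after checking its current column layout; a module with no fixed release is the case the bullet above means by "remove".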
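To make the Content Security Policy bullet concrete, here is an added example (not dx3webs code) that builds a header value for a hypothetical store at https://shop.example.com and then checks which resource loads a browser would permit under it. The matcher implements only a simplified subset of CSP source matching ('self', 'none', scheme sources, and host sources with an optional scheme, port and leading "*." wildcard); that this subset is enough for the policy shown is an assumption, and it is not a full CSP implementation. The store origin, CDN host and policy are constructed.

```python
"""Build a Content-Security-Policy header and check which resource loads it permits.

Added example, not dx3webs code. Implements a simplified subset of CSP source
matching; the origins and policy below are constructed for illustration.
"""
from urllib.parse import urlsplit


def build_csp(policy):
    """Serialise {directive: [source, ...]} into a header value."""
    return "; ".join(f"{directive} {' '.join(sources)}" for directive, sources in policy.items())


def parse_csp(header):
    """Inverse of build_csp: header value -> {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def _host_matches(pattern, host):
    """'*.example.com' matches any subdomain but not the bare domain."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def source_allows(source, url, page_origin):
    """Does one CSP source expression permit loading url from a page at page_origin?"""
    target = urlsplit(url)
    if source == "'none'":
        return False
    if source == "'self'":
        origin = urlsplit(page_origin)
        return (target.scheme, target.netloc) == (origin.scheme, origin.netloc)
    if source.startswith("'"):
        return False  # other keywords ('unsafe-inline', nonces) never match a URL
    if source.endswith(":") and "/" not in source:
        return target.scheme == source[:-1].lower()  # scheme source such as https: or data:
    if "://" in source:
        scheme, rest = source.split("://", 1)
        if target.scheme != scheme.lower():
            return False
    else:
        rest = source
    host, _, port = rest.split("/", 1)[0].partition(":")
    if port and str(target.port) != port:
        return False  # simplification: a port given in the source must appear in the URL
    return _host_matches(host, target.hostname or "")


def is_allowed(header, directive, url, page_origin):
    """Check a load against the directive, falling back to default-src as browsers do."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_allows(source, url, page_origin) for source in sources)


# Constructed policy for a hypothetical store at https://shop.example.com that
# serves its own assets plus a script bundle from one CDN host.
STORE_CSP = build_csp({
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "img-src": ["'self'", "https://*.example.com", "data:"],
    "connect-src": ["'self'"],
    "frame-ancestors": ["'none'"],
})

if __name__ == "__main__":
    print("Content-Security-Policy:", STORE_CSP)
    for url in ("https://cdn.example.com/lib.js", "https://not-listed.test/s.js"):
        print(url, "->", "allowed" if is_allowed(STORE_CSP, "script-src", url, "https://shop.example.com") else "blocked")
```

The value of the policy lies in script-src and connect-src being short lists: injected code that points at a host not on them does not load, and requests to unlisted hosts are refused. Adding 'unsafe-inline' to script-src removes most of that benefit, so the work is in replacing inline scripts rather than whitelisting them. Magento 1 does not emit this header itself, so it is normally set in the web server configuration; rolling it out first as Content-Security-Policy-Report-Only shows what the policy would block before anything on the storefront is affected.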