Magento 1 has had a long life as far as software goes. Initially released in 2008, Magento 1 was scheduled to sunset 10 years later in 2018. This would be 3 years after the release of Magento 2. However, Magento extended the support of its original platform until June 30, 2020. In other words, Magento has continued to invest resources into patching, maintaining a directory of extensions, and providing support for licensed enterprise users of Magento 1.
When Magento 1 reaches its end of life, there will be +/-100,000 sites still operating on top of this eCommerce platform. The good news is that these websites will, by and large, continue to operate come July 1st, 2020. The bad news is that there are consequences for running unsupported software, for which website owners will need to compensate.
The 3 things to watch:
- Security: Without Adobe (parent company of Magento) releasing security patches and other critical software updates, there is a risk of not being able to adequately protect a Magento 1 website when new security exploits are discovered. Magento patches have been released multiple times per year in recent years, and that will no longer be the case.
- Compliance: Many Magento based businesses are subject to compliance regulations, whether they realize it or not. If you accept credit cards, for instance, you have liabilities related to PCI DSS Compliance. Payment Card Industry (PCI) regulations are, among other things, intended to protect credit card holders from fraud. If you’re on an unmaintained and unsupported website, you are violating these terms. As a result, you can find your business or organization subject to fines, barred from accepting credit cards, or in the case of a data breach, responsible and penalized in otherwise avoidable ways.
- Vendor Support: Not all credit card processors, web developers, extension makers, web hosts, and other vendors are prepared to support you on Magento 1 after its end of life. Just because they haven’t informed you of their intention to distance themselves from Magento 1 does not mean that you’re in the clear. For example, PayPal began sending notices to clients in May 2020 warning them to migrate to another platform before June 30th, 2020, and other payment processors have publicly suggested that they may soon be forced to take similar action.
So, if you’re still on Magento 1, and you will be for some time after June 2020, what can you do to protect your business? A lot. To simplify this, we’ve put together a quick checklist of action items that you should discuss with your key vendors:
- Make sure that your site has all available Magento 1 patches.
- Select a new source for Magento 1 patches. There are two independent sources of patches that you can consider:
- Mage-One is an organization that was founded to pick up where Adobe leaves off in June 2020. For an annual fee, they will provide you with security patches moving forward.
- OpenMage is an open-source fork of Magento 1 that’s already up and running. It’s available for free on GitHub. In essence, the OpenMage community took Magento 1 and created their own variation of the platform, which they’re continuing to maintain.
- Make sure your hosting environment is ready.
- Verify that your web host is ready to keep supporting you on Magento 1.
- Ensure you’re on a supported and up-to-date version of PHP.
- Make sure you have a well-configurable Web Application Firewall (WAF).
- Schedule frequent Malware Scans.
- Use intrusion detection systems to monitor for suspicious activity.
- Make sure your web host is monitoring your security alerts 24/7.
- Apply least-privileged access rules to better secure your Magento admin.
- Make sure that your web developers are prepared to support you once Magento 1 reaches its end of life. This also includes having them ready to help you switch to OpenMage or leverage patches from Mage-One.
- Make sure to remove unnecessary Magento Extensions, and update any remaining extensions.
- Reach out to your payment processors to check their security posture regarding support for Magento 1 starting in July of 2020.
- Identify compliance requirements or issues that you’ll need to take extra steps to address.
- Consider an overall Magento 1 Security Audit to check for security vulnerabilities.
- Speak with any remaining vendors that support your Magento 1 site. These would be vendors for apps or integrations. You want to make sure that they will continue to provide services moving forward.
- Consider your options for replatforming to Magento 2 or another platform. While you’d be hard-pressed to migrate before a June 30th, 2020 deadline, that doesn’t mean you’ll necessarily want to stay on Magento 1 forever, even if you can address your basic security needs on this aged platform.
At JetRails, we’ve honed our web hosting to better protect our Magento users, and we’ve identified several vendors that can help to keep your Magento 1 safer after Magento 1 becomes unsupported by Adobe. We have partnerships with companies like Mage-One, Cloudflare, SanSec, and Sucuri that enhance our ability to protect the websites of our web hosting clients. We’ve also been identifying agencies and payment processors that will continue supporting Magento M1 merchants for the foreseeable future. If you need help or advice, we’d welcome you to request a complimentary Magento 1 end of life consultation.