Magento 1 End Of Life:
How To Stay Secure & Compliant
If you’re reading this article, there is a high probability you run a Magento 1 eCommerce shop and you haven’t yet completed the migration to Magento 2.
Speaking to Magento 1 store owners, there is some concern surrounding the approaching end of life and how retailers can remain safe and ensure the continued protection of their customers' data. To help Magento 1 merchants navigate the bumpy road ahead, we've compiled this article to outline what Magento 1 end of life means, how it will impact your store and what steps you can take to try to maintain PCI compliance beyond June 2020.
What is End of Life?
End of life is a very dark and daunting term, but what does it mean in this context? The majority of software in e-commerce, and in the broader computing industry in general, has a lifespan. With updates, patches, bug-fixing and general up-keep, software can continue to grow and thrive, gradually improving over time. This support system also allows the publishers to address any major concerns, security being one of the most critical. Additionally, customer-facing software is able to offer the best possible solution as quality-of-life changes are made to keep the platform stable and the user base satisfied.
With software, End of Life (EOL) is a cut-off point after which no more updates of any kind are released. For Magento 1, the official EOL date is 30th June 2020. This means that the bug-fixing that kept the platform stable, as well as the security patches that kept everything secure, will cease. Without these updates and fixes the software is left in an unstable and vulnerable position, susceptible to a vast array of cyber-attacks.
In the eCommerce industry, security is paramount to ensure the safety of customer data. Failure to protect it can damage your brand image as well as incur heavy fines from the Information Commissioner's Office (ICO). Because of this, continuing to operate on Magento 1 after EOL, without security updates, can pose a multitude of threats to sensitive customer data.
Magento 1 Open Source End Of Life
| Magento Open Source Release | End of Magento-provided bug fix maintenance | End of Magento-provided |
| --- | --- | --- |
| Community Edition 1.0 | 01 March 2009 | 01 March 2010 |
| Community Edition 1.1 | 01 July 2009 | 01 July 2010 |
| Community Edition 1.2 | December 2009 | December 2010 |
| Community Edition 1.3 | March 2010 | March 2011 |
| Community Edition 1.4 | February 2011 | February 2012 |
| Community Edition 1.5 | February 2012 | June 2020 |
| Community Edition 1.6 | August 2012 | June 2020 |
| Community Edition 1.7 | April 2013 | June 2020 |
| Community Edition 1.8 | September 2014 | June 2020 |
| Community Edition 1.9 | May 2015 | June 2020 |
| Community Edition 2.0 | March 2018 | March 2018 |
| Community Edition 2.1 | June 2019 | June 2019 |
| Open Source 2.2 | September 2019 | September 2019 |
Potential threats you face by not upgrading
Prior to EOL, Magento regularly released security patches for the platform, as well as offering tools to scan your site and check for security risks. For example, in the latest security patch for Magento 1, they introduced a new CSP (Content Security Policy) to help identify cross-site scripting and injection attacks. After EOL in June, however, these updates will end, meaning that, without additional third-party protection, all unsecured Magento 1 sites will be left in a state of vulnerability.
Although current Magento 1 sites will continue to function following EOL, operating as normal without sourcing additional security measures will not sufficiently protect your data, exposing your information and your customers' information to potentially serious security breaches. It is highly likely that some of the most common forms of cyber-attack, which were previously protected against, will be directed at your site, and without the correct level of protection the chances of these attacks succeeding increase.
A SQL injection attack works by submitting crafted input, typically through a web form, which an unprotected website pastes straight into a database query. The site then executes the altered query as if it were a genuine request and returns data that should normally be kept private. This allows hackers to trick unsecured websites into releasing a range of sensitive information such as names, addresses, card details and passwords.
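To make the mechanism concrete, here is an added example (not code from the article or from HTTPShield) showing the two ways a lookup can be written. It uses an in-memory SQLite table with constructed sample customers; the vulnerable version builds the query by string concatenation, so a quote character in the form input changes the query's structure, while the hardened version passes the value as a bound parameter and the input can only ever be compared against the email column.

```python
import sqlite3


def make_db():
    """Build a small in-memory customer table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO customer (email, name) VALUES (?, ?)",
        [
            ("alice@example.com", "Alice"),
            ("bob@example.com", "Bob"),
            ("carol@example.com", "Carol"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable form: the form value is pasted into the SQL text.

    Whatever the user typed becomes part of the statement, so input containing
    a quote can close the string literal and append its own conditions.
    """
    sql = "SELECT name FROM customer WHERE email = '" + email + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    """Hardened form: a bound parameter.

    The driver sends the value separately from the statement, so the input is
    only ever treated as data to compare against the email column.
    """
    sql = "SELECT name FROM customer WHERE email = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (email,))]


if __name__ == "__main__":
    db = make_db()
    # A legitimate address returns the same single row from both versions.
    print(lookup_vulnerable(db, "alice@example.com"), lookup_safe(db, "alice@example.com"))
    # The classic textbook input: the vulnerable query returns every customer,
    # the parameterised query simply finds no customer with that "address".
    crafted = "' OR '1'='1"
    print(lookup_vulnerable(db, crafted), lookup_safe(db, crafted))
```

In Magento 1 the equivalent protection is to build queries through the framework's database adapter with bound parameters rather than concatenating request values into raw SQL; the defensive principle shown here is the same regardless of language.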
DDoS (Distributed Denial of Service) attacks are very common, yet they can cause a staggering amount of damage to a web service, including an eCommerce site. By overwhelming a server with a vast volume of automated traffic, a hacker can take the server offline, resulting in website downtime. During that downtime you can incur heavy financial losses, and follow-up attacks can steal information. After EOL, a DDoS attack on an unprotected Magento 1 store would be critical, due to the absence of security patches to mitigate the DDoS traffic. This means the loss of service would be more severe and getting the server back online would take significantly more time.
Brute Force attacks
As far as hacking goes, a brute force attack is fairly low-tech and simple. To gain access to information they are not entitled to, a hacker runs a script that tries millions of different username and password combinations in the hope of finding a match. Once a combination is found, they can log in as that user, use the account and access any sensitive data that user has stored on the site. This method is fairly easy to defend against; on an unsupported platform, however, brute-force attacks can pose a very real threat.
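Because the defence is straightforward, the useful thing to show is the detection side. The following is an added example, not code from the article or from HTTPShield, that runs a sliding-window check over admin login events. The log lines are constructed and the line format (timestamp, client IP, event name, result, user) is an assumption; a real Magento 1 store would need this fed from its web server or admin action logs. It flags any source IP that reaches a threshold of failed logins within the window, and separately records a successful login that follows such a run, which is the pattern of a password that has just been guessed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from a real store). Assumed line format:
#   <ISO-8601 timestamp> <client IP> admin_login <FAILED|SUCCESS> user=<name>
SAMPLE_LOG = """\
2020-06-01T10:00:01 203.0.113.10 admin_login FAILED user=admin
2020-06-01T10:00:02 203.0.113.10 admin_login FAILED user=admin
2020-06-01T10:00:03 203.0.113.10 admin_login FAILED user=administrator
2020-06-01T10:00:04 203.0.113.10 admin_login FAILED user=admin
2020-06-01T10:00:05 203.0.113.10 admin_login FAILED user=admin
2020-06-01T10:00:06 203.0.113.10 admin_login FAILED user=admin
2020-06-01T10:00:07 203.0.113.10 admin_login SUCCESS user=admin
2020-06-01T10:01:00 198.51.100.7 admin_login FAILED user=jane
2020-06-01T10:01:05 198.51.100.7 admin_login SUCCESS user=jane
this line is malformed and must be skipped
2020-06-01T10:30:00 203.0.113.10 admin_login FAILED user=admin
"""

LINE_RE = re.compile(r"^(\S+) (\S+) admin_login (FAILED|SUCCESS) user=(\S+)$")


def parse_events(log_text):
    """Yield (timestamp, ip, result, user) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ts, ip, result, user = m.groups()
        yield datetime.fromisoformat(ts), ip, result, user


def analyse(log_text, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of failed admin logins per source IP.

    Returns (flagged, suspicious_logins):
      flagged           -> {ip: time at which the IP first reached `threshold`
                            failures inside `window`}
      suspicious_logins -> [(ip, user, time)] successful logins that arrived
                            while the IP still had `threshold` or more recent failures
    """
    recent_failures = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = {}
    suspicious_logins = []
    for ts, ip, result, user in parse_events(log_text):
        q = recent_failures[ip]
        while q and ts - q[0] > window:  # age out failures older than the window
            q.popleft()
        if result == "FAILED":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ts
        elif len(q) >= threshold:
            # A success straight after a burst of failures deserves a human look.
            suspicious_logins.append((ip, user, ts))
    return flagged, suspicious_logins


if __name__ == "__main__":
    flagged, suspicious = analyse(SAMPLE_LOG)
    for ip, ts in flagged.items():
        print(f"brute-force pattern from {ip}, threshold reached at {ts}")
    for ip, user, ts in suspicious:
        print(f"review successful login of '{user}' from {ip} at {ts}")
```

The single failed attempt from 198.51.100.7 followed by a success is the ordinary case of a mistyped password and is not reported; the threshold and window are the two knobs to tune against your own traffic before wiring the output into blocking at the WAF.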
Cross-site scripting, often referred to as XSS, is a very simple method of hacking, but it can still be devastating if successful. It involves a hacker injecting a malicious script into an otherwise trusted website. The script then sits on the site and runs when a different, innocent user visits the page, sending data from that user's session to the hacker. This information can range from cookie data and session tokens to more serious assets like usernames and passwords.
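The stored variant described above is caused by writing user-supplied text into the page without encoding it. The following added example (not code from the article, from HTTPShield or from Magento) renders a constructed list of product reviews two ways, one concatenating the stored values directly and one escaping them for the HTML context they land in, and then parses each rendering to count the script tags and event-handler attributes that a browser would actually execute.

```python
import html
from html.parser import HTMLParser

# Constructed sample reviews submitted through a form. The second author and
# review text carry the kind of injected markup the article describes.
REVIEWS = [
    {"author": "alice", "text": "Great kettle, boils fast."},
    {
        "author": 'mallory" onmouseover="alert(1)',
        "text": "<script>alert('xss')</script> terrible",
    },
]


def render_unsafe(reviews):
    """Vulnerable form: stored values are concatenated straight into the markup."""
    return "".join(
        f'<li data-author="{r["author"]}">{r["text"]}</li>' for r in reviews
    )


def render_safe(reviews):
    """Hardened form: every user-controlled value is HTML-escaped.

    quote=True also encodes " and ', which is what keeps a value inside an
    attribute from closing the attribute and adding a handler of its own.
    """
    return "".join(
        '<li data-author="{}">{}</li>'.format(
            html.escape(r["author"], quote=True),
            html.escape(r["text"], quote=True),
        )
        for r in reviews
    )


class ActiveContentCounter(HTMLParser):
    """Counts <script> elements and on* event-handler attributes in a fragment."""

    def __init__(self):
        super().__init__()
        self.scripts = 0
        self.handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        self.handlers += sum(1 for name, _ in attrs if name.startswith("on"))


def count_active_content(fragment):
    """Return (script_tags, event_handlers) the browser would see in `fragment`."""
    counter = ActiveContentCounter()
    counter.feed(fragment)
    counter.close()
    return counter.scripts, counter.handlers


if __name__ == "__main__":
    print("unsafe:", count_active_content(render_unsafe(REVIEWS)))
    print("safe:  ", count_active_content(render_safe(REVIEWS)))
```

The counting parser is a quick audit aid for rendered output: run it over pages that display customer-supplied content (reviews, names, addresses) and any non-zero result points at a template that is not escaping. It does not replace a Content Security Policy, which limits what an injected script can do if escaping is missed somewhere.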
All of these methods are widely used and can pose a genuine threat to websites whose cyber-security doesn't provide full coverage. Maintaining a Magento 1 site after end of life opens you up to exploitation by these common hacking methods, putting all of your customers' data at risk.
PCI DSS Compliance
The Payment Card Industry Data Security Standard, or PCI DSS, is the standard that all online stores are held to in order to process online card transactions securely. To obtain full PCI compliance there are a number of requirements that your site must successfully meet, many of which refer to having an adequate level of security.
To guarantee safe monetary transfer and to demonstrate to customers that they can shop on your site without worrying about their sensitive credit card data, full PCI compliance is an essential accolade for an eCommerce business to possess. If you fail to achieve PCI compliance but still process online transactions, you run the risk of being fined vast amounts of money by the PCI Security Standards Council, should an issue like identity theft occur. For any eCommerce business, it is truly an essential status to have and maintain.
In a warning issued by VISA regarding the Magento 1 end of life, they announced that any Magento 1 store currently operating will no longer meet PCI Compliant status after June 2020. This is because, once support ends and security falls behind, any Magento 1 stores (without additional cyber-security) will fail to meet the following PCI requirements:
This is critical for any eCommerce business owners that are currently operating on a Magento 1 store as, after June 2020, you will no longer be able to securely process card transactions on your site unless you take extra steps to bolster security.
Fortunately, you can still achieve full PCI compliance by ensuring that your site is protected by high-quality external security solutions. HTTPShield offer a host of security products and services aimed at enforcing full site protection and ensuring full PCI compliance, allowing merchants to continue to process online card transactions securely.
Upgrading to Magento 2
If you wish to continue operating a Magento 1 store after June 2020, there are methods available to do so securely. Despite this, the simplest and most efficient method to continue your online store is to upgrade to Magento 2. When Magento 1 reaches its EOL in June 2020, Magento 2 becomes its sole successor, benefiting from all of the updates and security patches/features that Magento 1 once offered.
Magento 2 is a completely separate platform when compared to Magento 1, despite some of its functionality remaining the same. Since its initial inception in 2015, Magento has been focusing primarily on M2 as its primary ecommerce solution by integrating a wide array of unique functionality. The differences between Magento 1 and Magento 2 make migration significantly more complex than simply transferring data. A full new site needs to be built and configured and then migrated to professionally, to ensure that the new platform can be set up correctly. This is a multi-layered process that can be very complex depending on current store/product configurations. Migration can also be a costly process depending on a multitude of variables such as site complexity, quantity of data to be migrated as well as the number of third-party extensions required.
Enlisting the help of a professional digital agency to handle your migration is essential. Despite the cost and time-consuming process, migrating to Magento 2 guarantees a secure and stable platform on which to build your business. It also future proofs your content, ensuring that you benefit from regular updates and the full range of support offered by Magento in the future.
How To Secure Magento 1.XX
If you wish to stick with your current Magento 1 store, there are a plethora of security solutions available to you, all of which are provided by HTTPShield, to ensure that you offer a fully secure experience whilst operating past EOL. It is important to weigh the pros and cons of the two platforms before deciding which is the best option for the future operation of your online store.
Web Application Firewall
To ensure you are protected from hundreds of the most common methods of hacking, a powerful WAF, such as Cloudfence, is an essential feature to have on your Magento 1 store. A WAF (or Web Application Firewall), filters the traffic that travels between users and your web server, to identify any suspicious requests. This then isolates the threat, remembers it and instantly recognises it in future. By analysing all HTTP requests, a WAF can prevent any injection-based hack or any attack that involves disguising a malicious script as a genuine request. As far as security goes, it is the strongest form of protection for a web application.
Without security support coming from Magento, sophisticated DDoS protection is also required to defend against a DDoS attack and maintain uptime around the clock. A DDoS Platform such as Hostguard protects a website from malicious DDoS traffic by detecting it at the surface level, before it is able to access the server and flood it with requests. Volumetric attacks of this nature are one of the most common, yet disruptive methods of hacking used. Without the adequate protection, your website is susceptible to being taken offline, which can then lead to further attacks while your server is vulnerable, or even ransom demands from the perpetrators.
Although website security is paramount on any online store, when operating on an eCommerce platform past EOL like Magento 1, the importance of being vigilant with security increases ten-fold. In the absence of support and regular patches, security audits are critical to ensure that your web security is sufficient. A security audit is a test of your system to analyse your current security, check for viruses and malware, and identify any weak points that may present an opportunity for a hacker to exploit. Prior to EOL, Magento routinely ran checks of their systems to scan for things like malware or any suspicious software. Without this support, you will need to run regular internal audits to ensure there is nothing that could compromise your site or your data. These audits can be completed internally if you have a security team, or externally by a reputable cyber-security company like HTTPShield.
Documentation is an important aspect of web security. Being protected is important, however it is essential that you have the appropriate professional documentation to prove the extent of your security. This can help in the event of an attack to demonstrate to the ICO that you have taken the appropriate steps to fully safeguard your data. Before EOL, Magento provided full security reports and reviews of your web security so that you could see exactly how your site was protected in conjunction with any extra security measures you have in place. After EOL, that documentation will no longer be provided, so finding an external provider of security documentation is important. Security reviews and audits carried out by HTTPShield provide a detailed breakdown of your site security, displaying all security solutions you have in place. Additionally, any threats are given a comprehensive rating based on severity, so that you can prioritise the most severe issues first.
These security solutions are applicable to any website; however, on an unsupported platform like Magento 1 after EOL, their inclusion is crucial to avoid data leaks and stay protected around the clock.
Although maintaining a Magento 1 store after the EOL in June is a possibility with adequate security, it still comes with a number of risks. Operating after 30th June 2020 leaves your online store, and by extension all of your customer data, vulnerable to a breach due to the lack of internal security updates. Successful cyber-attacks happen daily, so running on an unsupported platform after EOL requires an expansive level of security in order to remain protected at all times, against all types of attack. Additionally, with no updates or bug-fixing, over time the platform will become more unstable, and discovered issues will take longer to resolve.
Any successful breach can result in a hefty fine from the ICO. Although this applies to all eCommerce sites, because running on an unsupported platform is risky in itself, the fines are often larger. This is because the platform is known to be vulnerable and upgrading is heavily advised. To combat this, it is important to detail exactly what security measures are in place to protect your site against hackers. Being able to prove to the ICO that you have gone to the necessary lengths to keep your site secure can work in your favour should data loss occur.
Useful Links
- Magento 1 End of Life Blog Post (Magento.com)
- ICO - Security Requirements for Digital Providers
- ICO - Small Business Assessment
- ICO - Guide to GDPR
- European Commission - EU Data Protection Rules
- Visa Acquirer Advisory, Urgent Action Required - Magento 1 support to end after June 2020
- PayPal Magento 1 End of Life Announcement
- PCI Security Standards Council - General Information
- PCI Security Standards Council - Self Assessment
- HTTPShield Web Application Firewall Solution
While there is no guaranteed way to protect a Magento 1.XX platform beyond June 2020, there are valid steps you can take to boost overall security. If you currently own a Magento 1.XX platform and you do not intend to upgrade before End of Life, we strongly recommend you:
- Read through the useful links section above
- Implement internal documentation / procedures relating to infrastructure, testing, auditing & compliance in line with ICO requirements
- Implement a Web Application Firewall solution**
- Ensure your store is not using the standard /admin login URL
- Restrict Magento Admin access to only a specific IP address - This can be implemented through the HTTPShield Platform
- Undertake a full port scan of the server hosting your website to ensure all ports are IP restricted
- Update all plugins / modules to the latest version prior to Magento 1 End of Life
**Sourcing and implementing a Web Application firewall is crucial. A WAF is an essential security measure, however, keep in mind that a $20 firewall is unlikely to provide the resilience needed to operate prior to Magento 2 migration. Carefully shop and research Web Application firewall solutions and implement the product that provides the maximum amount of protection.
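Two of the items in the checklist above, a renamed admin URL and an IP-restricted admin, are ordinarily enforced at the WAF or web server in front of the store. The following is an added example, not code from the article, from HTTPShield or from Magento, of the decision logic such a control has to get right. The admin path prefix, the allowlisted networks and the trusted proxy range are hypothetical placeholders. The part worth noting is the handling of X-Forwarded-For: the header is honoured only when the connection actually comes from your own WAF or CDN edge, and then only its last entry, because everything earlier in the list was supplied by the client and can be forged.

```python
import ipaddress

# Hypothetical configuration (placeholders, not real HTTPShield or Magento settings).
ADMIN_PATH_PREFIX = "/backend-x7k2/"  # renamed admin frontName instead of /admin
ADMIN_ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.42/32")]
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8",)]  # your WAF/CDN edge only


def client_ip(remote_addr, x_forwarded_for=None):
    """Work out the real client address for a request.

    X-Forwarded-For is trusted only when the TCP peer is one of TRUSTED_PROXIES,
    and then only its last entry (the address that proxy itself connected from).
    Raises ValueError if either value is not a valid IP address.
    """
    peer = ipaddress.ip_address(remote_addr)
    if x_forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        last_hop = x_forwarded_for.split(",")[-1].strip()
        return ipaddress.ip_address(last_hop)
    return peer


def admin_request_allowed(path, remote_addr, x_forwarded_for=None):
    """Return True if the request may proceed.

    Storefront paths are always allowed; anything under the admin prefix must
    come from an allowlisted address. Malformed addresses fail closed.
    """
    if not path.startswith(ADMIN_PATH_PREFIX):
        return True
    try:
        ip = client_ip(remote_addr, x_forwarded_for)
    except ValueError:
        return False
    return any(ip in net for net in ADMIN_ALLOWLIST)


if __name__ == "__main__":
    checks = [
        ("/", "192.0.2.1", None),                                  # storefront: allowed
        ("/backend-x7k2/dashboard", "203.0.113.5", None),          # direct, allowlisted
        ("/backend-x7k2/dashboard", "192.0.2.1", None),            # direct, not allowlisted
        ("/backend-x7k2/", "192.0.2.1", "203.0.113.5"),            # forged header, untrusted peer
        ("/backend-x7k2/", "10.1.2.3", "203.0.113.5"),             # via trusted edge, allowlisted
        ("/backend-x7k2/", "10.1.2.3", "203.0.113.5, 192.0.2.1"),  # forged first entry ignored
    ]
    for path, peer, xff in checks:
        print(path, peer, xff, "->", admin_request_allowed(path, peer, xff))
```

If the store sits behind a WAF, the origin server should also accept connections only from that WAF's address range; otherwise the admin restriction can be bypassed simply by connecting to the origin directly, which is the same concern the port-scan item in the checklist is meant to catch.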