Magento 1 finally reached the end of its supported lifetime at the end of June. As a result, the business risk profile for companies still using the platform has increased, making site security a pressing issue.

Magento 1 websites will no longer receive security patches, and Mastercard and Visa will no longer consider them PCI DSS compliant, making merchants and payment providers liable in the event of a payment card data breach.


The end of the road for Magento 1

Although the end of life for Magento 1 has been expected since 2017, Magento acknowledged that users of this popular ecommerce platform would need more time to migrate to an alternative. In September 2018 it was announced that support for Magento 1 Enterprise and Community Editions would end in June 2020.

In the meantime, support continued for versions 1.9 to 1.14, released between 2010 and 2014, along with security patches for some earlier editions and an updated version of Magento’s scripting language (PHP) for businesses with third-party extensions.

In the longer term Magento 1 users will need to consider the future, but the impact of the coronavirus outbreak around the world has undoubtedly affected the response to this ecommerce milestone for many organisations.


Ongoing risks for Magento 1 sites

According to payment security specialists Foregenix, there are still over 200,000 Magento 1 sites in use. In a recent webinar, their Chief Commercial Officer and founder, Benjamin Hosack, discussed the latest intelligence they have gathered on Magento 1-related ecommerce threats and what businesses can do to mitigate the risks related to Magento 1’s end of life.


Based on ongoing security scans of over 8 million sites, Foregenix WebScan figures suggest that just over 2,500 Magento 1 sites migrated to new platforms in May 2020, leaving the majority facing security risks.

Level of risk for Magento 1 sites

Over 205,000 Magento 1 sites were at high risk according to Foregenix. This means that a competent cyber-criminal could access their site in around 30 minutes.

Over 2,000 were at critical risk, having already been infiltrated. This figure is almost two-thirds of all the hacked sites identified by Foregenix, even though Magento 1 sites represent only 3% of the total. The figures show an increase of 24,000 high-risk Magento 1 sites and 248 critical sites during April and May, so the level of threat for Magento 1 sites is increasing.


Almost 95% of the sites critically at risk were subject to skimming activity to steal customers’ payment information.

Most ecommerce businesses are aware of the risk, but don't think it will happen to them. However, the impact of a breach can be drastic, with 60% of businesses that are hacked closing within six months.

Mitigation for Magento 1 end of life risks

While businesses can use compensating controls, these can be complex to implement, and ultimately your business is still inherently riskier.

In many cases businesses are unaware of how to establish high-quality cyber security measures and practices, including basic cyber hygiene and housekeeping. Without understanding, prioritising and implementing ongoing malware screening and patching, businesses will be vulnerable.

Eventually, the solution will be migration to a new, more secure platform. However, this isn’t easy or risk-free, especially for businesses that have made a major investment in search engine optimisation (SEO), which could be lost if the move isn’t properly planned and implemented.

While many business owners were aware that the end of life for Magento 1 was on the horizon, they have not yet made important decisions about their next steps. Measures to protect people’s health during the coronavirus outbreak are also affecting the ability of many businesses to address their current level of exposure in the short term. However, there are two important steps that can be taken to mitigate the risks.


  1. Insure - it’s estimated that eight out of 10 businesses don’t have insurance to cover data breaches due to cyber-crime. Whatever ecommerce platform you are using, it can be vulnerable to attack, making your business a potential target. Cyber insurance can help to compensate clients who are affected by a breach and can cover the costs of getting your business up and running again.
  2. Secure - basic security hygiene and proactive security measures can be implemented inexpensively and without any specialist technical skills. In many cases they can be transferred to a new platform once your business has migrated. Along with essential cyber protection like secure hosting, payment security and staff training, this can help to identify and remedy exposures and actual breaches quickly.

Many providers offer a warranty for breach protection, which means their own insurance company will assess and pay for damage caused by any new threats. However, businesses that experience a breach are likely to undergo a forensic investigation of what happened to understand future risks and necessary measures to prevent a similar incident.

Your next steps

Magento recommends a migration path to Magento Commerce as the next obvious step. It has been designed to address Magento 1 performance issues and to improve search engine optimisation. It undoubtedly offers a comprehensive suite of functions, there are thousands of extensions available, and updates are delivered each quarter.

However, recognising how much technology has changed in the last five to ten years, this is an ideal opportunity for ecommerce companies to reconsider what they are looking for from their platform.

Depending on your industry sector, you can realise extensive benefits by integrating your enterprise, stock control, production and distribution systems with your ecommerce portal to deliver a genuine end-to-end experience for your customers. In a highly competitive global environment this makes your choice of ecommerce platform business critical.

The Williams Commerce team of ecommerce consultants has a wealth of Magento experience and can help discuss your options as you move on from Magento 1, so please get in touch.