Magento 1.x End of Life – Steps to Protect Your Store
The end of life for Magento 1.x is fast approaching. On June 30th 2020 support for the most successful open-source eCommerce platform of the past decade comes to an end, and with it the security patches that have kept those stores defensible.
While merchants have known about this looming date for several years, plenty of companies have yet to make the move away from Magento 1.x. Today we'll discuss what this means for you and the steps that you can take now to keep your data safe.
At Space 48 we take a four-step approach: lock down the admin area, scan the store from the outside and the inside, keep patching, and put a WAF in front of the site. Hardening your store against attack and shoring up your defences in this way is a sound strategy, particularly in the short term while you plan a migration.
A significant number of the vulnerabilities patched in Magento over the past few years have required access to the Magento admin area to exploit, making the admin panel one of the most exposed parts of your site. A straightforward step you can take is to hide the administration area behind access controls such as an IP restriction at the web server, so that only your office or VPN addresses can reach it. If your team frequently works from home, use a product like Perimeter 81 to give them a VPN with a fixed egress address to connect through. Alternatively, use a tool like Cloudflare Access to force authentication before a request ever reaches your servers; in that case make sure the origin only accepts traffic from Cloudflare, otherwise an attacker who finds the origin IP simply bypasses the check. Drop us a call and we'll talk you through it if you're unsure.
If adding IP restrictions to your admin area is not possible then, as a bare minimum, add an HTTP Basic authentication check at the web server (nginx or Apache) for any request to the admin path. This is checked by the web server itself, so an unauthenticated request is rejected before it ever reaches PHP or Magento's login code. Use a password that is not shared with any Magento admin account, and only serve the admin over HTTPS, since Basic credentials are merely base64-encoded in transit.
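As an added example (not configuration from the original post, and not Space 48's or Magento's own), here is what those two layers look like in an nginx vhost for a Magento 1 store. It assumes the default admin frontName of `admin` (check `<frontName>` in `app/etc/local.xml`), an office or VPN range of `203.0.113.0/24`, a password file created with `htpasswd`, and a Cloudflare proxy in front; all of those are assumptions to adapt to your own setup.

```nginx
# Added example, not from the original post: nginx rules that put the Magento 1
# admin area behind an IP allow-list AND HTTP Basic auth, so a request that
# fails either check is rejected by nginx before PHP ever runs.
#
# Assumptions (none of these come from the post): the admin frontName is the
# default "admin" (check <frontName> in app/etc/local.xml), the office or VPN
# egress range is 203.0.113.0/24, and the password file was created with
#   htpasswd -B -c /etc/nginx/magento-admin.htpasswd ops
# using a password that is NOT reused from any Magento admin account.

server {
    # ... listen / server_name / root / fastcgi settings as in your existing vhost ...

    # Only needed when the site sits behind Cloudflare (or any proxy): restore
    # the visitor's IP so the allow-list below sees the client, not the proxy.
    # 173.245.48.0/20 is one of Cloudflare's published ranges; list all of them.
    set_real_ip_from 173.245.48.0/20;
    real_ip_header   CF-Connecting-IP;

    # Must sit ABOVE the generic "location ~ \.php$" / index.php block, because
    # nginx uses the first matching regex location. Magento 1 accepts the admin
    # route both as /admin and as /index.php/admin, so match both forms.
    location ~ ^/(index\.php/)?admin(/|$) {
        satisfy all;                         # both checks must pass (the default, stated for clarity)

        allow 203.0.113.0/24;                # layer 1: source IP allow-list
        deny  all;

        auth_basic           "Restricted";   # layer 2: HTTP Basic auth, checked by nginx
        auth_basic_user_file /etc/nginx/magento-admin.htpasswd;

        try_files $uri $uri/ /index.php$is_args$args;   # then hand off to Magento as usual
    }

    # Magento Connect Manager is not needed on a production box and has been a
    # frequent target; block it outright unless you actively use it.
    location ^~ /downloader/ {
        deny all;
    }
}
```

Test it from an address outside the allowed range: `curl -I https://store.example/admin/` should return 403, and from inside the range without credentials it should return 401. If you front the site with Cloudflare and want the same restriction there too, a firewall rule such as `(http.request.uri.path contains "/admin" and not ip.src in {203.0.113.0/24})` with action Block stops the request at the edge, but keep the origin rule as well so that the check does not depend on the proxy.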
Proactively monitor your store with automated scanning. We recommend implementing two types of scanning: external and internal.
The external scanner should be an automated vulnerability scanner, ideally from a PCI Approved Scanning Vendor (ASV). In our experience the scanner should be allowed to bypass any security devices you already have in place (allow-list its source addresses in your WAF, or point it straight at the origin) so that it unearths the real vulnerabilities in the platform rather than whatever the WAF happened to block that day. When the report comes through, review each finding against the mitigation your security measures actually provide. That gives you a complete picture of your risk and lets you prioritise the remediation steps.
As an internal scanner, we recommend a tool such as eComscan from Sansec. eComscan acts like a virus scanner for your Magento store, regularly reviewing the file system and the database for malicious code. With over 60% of compromised Magento stores traced directly to a vulnerable third-party extension, eComscan also scans your codebase for any of these known-vulnerable extensions.
Using internal and external scanning together gives a more complete picture of the store and, crucially, time to patch issues before anyone can exploit them.
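To make the internal-scanning idea concrete, here is an added example (not Sansec's or eComscan's code, and not from the original post) of the two checks such a scanner performs in minimal form: a file-system baseline compare that reports files added, changed or removed since a known-good deploy, and a check of the two Magento 1 configuration values, `design/head/includes` and `design/footer/absolute_footer`, that inject raw HTML into every storefront page and are a favourite place to plant a card skimmer. The manifests and config rows in the block are constructed sample data; against a real store, `build_manifest()` runs over the webroot and the rows come from `SELECT path, value FROM core_config_data WHERE path LIKE 'design/%'`.

```python
"""
Added example (not eComscan's code, nor from the original post): the two checks
an internal Magento 1 scanner performs, stripped to their essentials.

 1. File-system drift: hash every code file under the Magento root, compare with
    a baseline manifest taken from a known-good deploy, and report anything
    added, modified or removed. A skimmer dropped into js/ shows up as "added";
    a trojaned core file shows up as "modified".
 2. Database injection: Magento 1 keeps free-text HTML for the page head and
    footer in core_config_data under design/head/includes and
    design/footer/absolute_footer. A <script> tag, inline event handler or
    remote URL in those values deserves a look.

All sample manifests and rows below are constructed for illustration.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Config paths whose values are rendered as raw HTML into every storefront page.
WATCHED_CONFIG_PATHS = {"design/head/includes", "design/footer/absolute_footer"}

# Anything that loads or runs JavaScript from a "miscellaneous HTML" field.
SUSPICIOUS_HTML = re.compile(r"<script\b|javascript:|\bon\w+\s*=|https?://", re.I)

# File types worth tracking; images and other uploads are deliberately excluded.
CODE_EXTENSIONS = (".php", ".phtml", ".js", ".xml", ".htaccess")


def build_manifest(root: str) -> Dict[str, str]:
    """Map relative path -> sha256 for every code file under root, skipping var/ (cache, sessions)."""
    manifest: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ("var", ".git")]
        for name in filenames:
            if not name.endswith(CODE_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return manifest


def diff_manifest(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report what changed between two manifests; every entry is something a human should explain."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def flag_injected_config(rows: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """rows: (path, value) pairs from core_config_data. Returns (path, value) for watched paths that carry script."""
    return [
        (path, value.strip()[:80])
        for path, value in rows
        if path in WATCHED_CONFIG_PATHS and value and SUSPICIOUS_HTML.search(value)
    ]


def demo_file_scan() -> Dict[str, List[str]]:
    """Exercise build_manifest()/diff_manifest() on a throwaway webroot with a simulated compromise."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "js", "varien"))
        os.makedirs(os.path.join(root, "var", "cache"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php require 'app/Mage.php';")
        with open(os.path.join(root, "js", "varien", "form.js"), "w") as fh:
            fh.write("// legitimate file")
        baseline = build_manifest(root)

        # Simulate a compromise: core JS tampered with, skimmer dropped in; cache churn must be ignored.
        with open(os.path.join(root, "js", "varien", "form.js"), "a") as fh:
            fh.write("\n// injected")
        with open(os.path.join(root, "js", "ccard.js"), "w") as fh:
            fh.write("// skimmer")
        with open(os.path.join(root, "var", "cache", "x.php"), "w") as fh:
            fh.write("ignored")
        current = build_manifest(root)
    return diff_manifest(baseline, current)


# Constructed sample data standing in for a real baseline and a later scan.
BASELINE_MANIFEST = {"app/Mage.php": "a" * 64, "js/varien/form.js": "b" * 64}
LATEST_MANIFEST = {"app/Mage.php": "a" * 64, "js/varien/form.js": "d" * 64, "js/lib/ccard.js": "e" * 64}
SAMPLE_CONFIG_ROWS = [
    ("design/head/includes", '<link rel="stylesheet" href="/skin/frontend/base/default/css/print.css" />'),
    ("design/footer/absolute_footer", '<script src="https://cdn.example.net/checkout.js"></script>'),
    ("design/head/default_title", "Example Store"),
]

if __name__ == "__main__":
    print("manifest diff:", diff_manifest(BASELINE_MANIFEST, LATEST_MANIFEST))
    print("live webroot demo:", demo_file_scan())
    print("suspicious config:", flag_injected_config(SAMPLE_CONFIG_ROWS))
```

Run it from cron against the live webroot and a baseline captured at deploy time, and treat every "added" or "modified" entry outside your own release as an incident until proven otherwise. The config check will also flag legitimate analytics snippets that load from a remote host; that is intentional, since the point is to review every script the storefront pulls in, not to guess which ones are benign.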
In response to Adobe no longer providing Magento 1 security patches, a company called Mage One has stepped in to fill the gap. Mage One runs bug bounty programmes in which security researchers are paid to identify and report security issues in the Magento 1 codebase; patches for the issues found are then distributed to subscribers.
However, Mage One cannot support the Enterprise Edition codebase, so it is not a complete solution for larger stores running that edition.
It is also not clear whether Mage One counts as a "vendor" when interpreting the PCI DSS requirements. This matters because PCI DSS Requirement 6.2 obliges you to install critical vendor-supplied security patches within one month of release, and it is not clear that subscribing to Mage One satisfies that requirement once Adobe has stopped issuing patches. One of our partners, Sonassi, has written an interesting piece on this exact topic.
As a final mitigation step, add a WAF to your stack to block attacks in real time before they reach your server. We typically recommend Cloudflare to our customers to act as both CDN and WAF. Cloudflare's managed rules include a set of Magento-specific rules, so known attack patterns against Magento can be blocked quickly without you having to write the rules yourself. Always handy, but remember a WAF is a mitigation, not a patch: the underlying vulnerability is still there.
Our final recommendation is that companies begin planning their migration away from Magento 1.x as soon as possible.
The eCommerce landscape (and your business!) has changed a lot since your store was first implemented. New tech, new expectations, and new opportunities exist, making this EOL date a perfect time to take stock and review the options available. Plus, you already know someone who’s great at BigCommerce, Magento 2.x and Shopify.
The Magento EOL Support Program
Discover the all-in-one, time-sensitive migration solution designed to effortlessly move merchants hosted on Magento 1.x to a safe and secure ecommerce platform of their choice. With Space 48, merchants get unparalleled access to the most powerful ecommerce platforms on the market: BigCommerce, Shopify and Magento 2.x.