If you own or work on a Magento website, you’ve undoubtedly come across messages from one source or another alerting you to upgrade your website. However, according to the numbers, many Magento merchants are not keeping up with crucial upgrades.
Stats & Dates
Magento users enjoy what is, by far, one of the most innovative and robust eCommerce content management systems. Since Magento 2 launched in 2015, many storefronts have made the transition to Magento 2 or other eCommerce platforms. However, there are still many that remain on the Magento 1.x version. Additionally, businesses that have made the move to Magento 2 may still be in need of an update as they are on an early unsupported iteration of Magento 2, which includes 2.0, 2.1, and is soon to include 2.2.
According to BuiltWith, as of December 2019, there are 190,000+ live Magento websites, but only 7,000+ are on Magento 2.3.x, the latest version of Magento, which was released in 2018.
As it stands, Magento users are facing end of life dates for Magento 1.x, as well as for early versions of Magento 2. Here’s a quick breakdown:
- Magento 1.x: Will reach end of life in June of 2020.
- Magento 2.0: Reached end of life in March of 2018.
- Magento 2.1: Reached end of life in June of 2019.
- Magento 2.2: Reached its end of life on Dec 31st, 2019.
Back to the stats, BuiltWith reports that 9,000+ sites are on Magento 2.2, which sunset last month. Almost 5,000 are on Magento 2.1, and 400+ on Magento 2.0, all of which are no longer supported. Even if these stats are imperfect, there’s a clear trend. There are far more M1.x sites still live than Magento 2.x sites. Just looking at the stats for Magento 1.9, the latest version of the Magento 1.x family, BuiltWith is reporting 42,000+ sites.
“…Then you better start swimmin’ / Or you’ll sink like a stone / For the times they are a-changin’” – Bob Dylan
As a Magento user, it’s up to you to patch and upgrade your website and keep up with security requirements, even if you aren’t rushing to adopt every new feature and functionality that Magento releases. In that sense, Magento is like other open-source platforms. You get a lot of room to innovate, customize, and be the master of your destiny, but there’s some maintenance involved.
What happens when you’re on a version of Magento that’s gone end of life? Magento stops providing you with security patches and software updates to install. This invariably means that, as hackers find new ways to exploit websites, you can’t count on Magento to provide you with solutions.
How many security updates could be needed? The most recent patch for Magento 2, for instance, had 75 security fixes, while the most recent patch for Magento 1 addressed a dozen security vulnerabilities. Tracking and solving security threats is not something that individual website owners should be taking on. Keep in mind that all eCommerce websites are targets, not just large enterprise websites.
In addition to your Magento software, you also need to maintain your Magento extensions and integrations. Those too may reach their end of life. In essence, extension developers won’t necessarily be providing security updates for their old patches. In some cases, SaaS providers and other vendors may even discontinue their services for Magento 1 websites.
For example, Adyen, a major payment processor, has already announced that they will not be supporting merchants on Magento 1 after its end of life. They published the following message for their customers:
“To keep your business secure and compliant and continue processing payments with Adyen, you need to migrate to Magento 2 or another platform… Furthermore, using Magento 1 after June 1, 2020 makes you unable to comply with the Payment Card Industry Data Security Standards (PCI DSS), which can result in non-compliance fines.”
In essence, if you weigh the risks that a major security incident could have on your customers, your brand, your employees, and your overall business, it’s very likely that you’ll choose to leverage an up-to-date version of Magento. In doing so, you’ll also get access to new features that can help your business differentiate against competitors.
If you’re on a deprecated version of Magento or your version is soon to be sunset, the best thing to do is to plan to upgrade. Be sure to upgrade to a compatible Magento hosting environment when you do.
If you do find yourself on an unsupported version of Magento, be sure to take advantage of services and best practices that will help you minimize your risk as much as possible. While this won’t take away your risks, it may, at least to some limited extent, lessen them. For instance, you can:
- Deploy a Web Application Firewall (WAF), such as from Cloudflare.
- Leverage additional website monitoring and scanning, such as from Sucuri and Sanguine Security.
- Utilize 2-factor authentication to help protect your Magento admin while following other security best practices.
- Take advantage of Magento Security Auditing services.
Or, you can get a Magento web host that assists with these services in tandem with your Magento web developers.
Other Magento 1 Buzz in the Community
There are small groups in the Magento Community that have been championing solutions like OpenMage and Mage-One. Both are suggesting that they’ll provide support (i.e., patches) for Magento 1 sites after the official end of life. Whether or not any of these projects will be successful remains to be seen.
Many merchants have spent a lot of time and treasure honing their Magento 1 websites and would like to get as much return on their investment as possible before upgrading to Magento 2. This builds a certain allure for solutions that suggest they can help you avoid replatforming to Magento 2. However, I’d kindly direct your attention back up to the “Why Upgrade?” section of this article.
Even if you build a completely custom frontend to your Magento 1 website to avoid security vulnerabilities that will inevitably be found in Magento’s native frontend, such as by using a modern PWA solution, you’ll have to contend with extensions and integrations sunsetting.
Remember that Magento 1 first launched in 2008. As far as website software goes, it’s had a very long life. Continuing to operate this software (safely) once it’s deprecated would be challenging at best, and highly damaging to your business at worst. It’s something that shouldn’t be done without prudent research and risk analysis with your Magento developers, web hosts, and other solution providers that integrate with your site.
Additional Recommendations & Resources
If you’re still on Magento 1 and aren’t sure what’s so great about Magento 2, you’ve missed four years of releases and improvements to Magento 2. You may want to read up on some of those Magento 2 features and functionalities that have rolled out. This may also be a good time to consider switching to Magento Commerce, the enterprise version of Magento, but be sure to check out these helpful questions to ask before upgrading to Magento Commerce before you do.
Still hoping for more insights? Check out The JetRails Podcast! Episode 1 is about the End of Life of Magento 1, Episode 2 tackles the Progression of Magento 2, and Episode 19 tackles Magento 2.x End of Life Dates.
Robert Rand is the Director of Partnerships at JetRails, a mission-critical ecommerce hosting service. Robert has over a decade of experience in helping merchants benefit from sound ecommerce and digital marketing strategies, assisting organizations of all types and sizes to grow and succeed via digital commerce. Robert is a frequent author and thought contributor in the ecommerce industry, and hosts The JetRails Podcast.