Magento 1 end of life
Pradip Shah
June 2020 is a few weeks away and many stores are not ready to move away from Magento 1. But wait, you don’t have to update – now or in the long run.
COVID-19 Update: We find many customers have had to delay their Magento 2 launch in these uncertain times. We also know many of them did not have plans to keep Magento 1 up to date. In fact, we know agencies that have stopped support for Magento 1.
Our plan starts at a low cost of $200 per month with no long-term contract. It includes reviewing your current hosting for security, moving your website to the latest Magento 1.9 and the latest supported PHP version, as well as adding additional security measures to your website. It also includes help signing you up for the Mage One or Open Mage projects for support beyond Magento 1 EOL, if required.
Sign up now (no credit card required) and we will be in touch with you.
What does end-of-life for Magento 1 mean?
Magento 1 End-of-Life does not mean your website will stop working. It means Adobe will stop releasing fixes for Magento 1, including security patches. As the PHP version in use reaches its own end of life, Adobe will not provide upgrades either.
However, being an open source platform, your Magento 1 website will not stop working. The code and license do not restrict you from running the website.
Stay on Magento 1 for short or even long term
That is a valid option and many customers are choosing this. It makes sense if:
- You have a lot of investment in customizations which may be difficult to replicate anywhere
- You have a stable money-generating store and any change looks like a risk
- You are in the process of migration, but the migration may take some time
What are the options to stay on Magento 1?
- Use paid support plan from Mage one (https://mage-one.com).
luroConnect is a partner and we will apply the patches for you as they are released.
- Use open source Magento 1 fork (https://github.com/OpenMage/magento-lts) with support from the community.
What are the risks?
- Support from either of the above reduces over time as many websites move out of Magento 1
- Developer support may reduce as most developers move to Magento 2
- Plugin vendors have already stopped support or are stopping support.
Magento 1 and PCI
Many merchants received email from or read their post and advice to move to another platform after June 2020.
It refers to PCI / DSS Requirement 6 – excerpted here with highlighting for relevance of discussion.
Your Magento 1 store software has many vendors, including Adobe / Magento for the core, but also plugin vendors. Since it is open source, you are free to modify the core and take on the responsibility yourself; other requirements may then apply.
By switching to an alternative vendor for the Magento 1 core – such as Mage-One or Open Mage, in our non-legal opinion, you are not on Magento 1 any more and do not have Adobe as your vendor. If a plugin vendor does not give security patches to your Magento 1 plugin any more, it is important to take over the plugin code responsibility as a separate contract.
PCI does not have a vendor approval process. However, your vendor may need to justify satisfying some other requirements for safe and secure coding practices.
However, by not recognizing your core application, you may need to talk to PayPal as a merchant to get PCI approval. This would include scans.
luroConnect Support for Magento 1 past EOL
We have built an add-on package for Magento 1 EOL support. We have a 4-point plan to support you.
From USD 50*
Inbuilt into our Nginx, with M1 rules, protects from OWASP Top 10, with the ability of virtual patching.
From USD 50*
Staging environment to ensure patches are tested before taken live.
* This is in addition to our fees for WAF and staging environments if not included in your support plan. Customer pays for hosting costs of staging server.
How we protect you
- File system security to protect against 0-day or new unknown vulnerabilities. Strict file and folder permissions prevent uploads to folders that execute code.
- Support for Magento 1 Nginx rules that do not allow execution of PHP from skin and js, or of PHP from media. This rule causes many attacks to fail, as they depend on the ability to upload malicious code and execute it.
- WAF – Web Application Firewall – with strict Magento 1 rules. This blocks SQL injection and cross-site scripting attacks.
- Virtual patching – block URLs that are known to have vulnerabilities. For example, we do not allow the “miscellaneous” header and footer section to be saved from the admin login.
- Partnership with mage-one to get the latest patches and keep your site up to date.
- Admin login protection via dual password. The first is an HTTP basic authentication challenge. This makes password guessing against the admin URL harder, as 2 passwords have to be guessed.
- Password-guessing prevention by restricting how many failed attempts are allowed in a day from the same IP – implemented at the application server level without changing Magento code.
- Staging environment to test patches from open mage or mage one or any other source you may have. PHP version upgrades are also supported on staging first, before upgrading production.
- Protect source code by using a secure deploy process.
- Secure backup with a proven restore strategy.
- Support for our secure deploy process, which ensures 0 downtime during code deploy and keeps the git folder out of the hosting folder. The ability to roll back by switching to any previously deployed version is an added advantage.
- System components upgrade – including PHP. As versions of PHP approach their security end-of-life and support for higher versions appears in patches, the PHP version will also be upgraded.
- Partnership with Sansec for their eComscan scanning product.
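A defender-side check for the first two items in the list above (strict permissions, and no PHP under skin, js or media). This is an added example, not luroConnect's own tooling; it assumes the stock Magento 1 layout with `media/`, `skin/` and `js/` directly under the document root, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a Magento 1 document root for the two conditions the
# Nginx rule and the permission policy are meant to enforce.
# Assumption: media/, skin/ and js/ sit directly under the root passed in.

# List script files inside trees that should hold only uploads and static assets.
# Every hit needs review: these are the paths the Nginx rule refuses to execute.
find_php_in_static() {
    root=$1
    for d in media skin js; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.phar' \) -print
    done
}

# List directories in those trees that every local user can write to.
# media/ has to be writable by the PHP user for uploads, never by "other".
find_world_writable_dirs() {
    root=$1
    for d in media skin js; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type d -perm -0002 -print
    done
}

# Print a one-line summary; return 0 only when both checks find nothing.
audit_magento_root() {
    root=$1
    # $(( )) strips the padding some wc implementations add.
    php=$(( $(find_php_in_static "$root" | wc -l) ))
    ww=$(( $(find_world_writable_dirs "$root" | wc -l) ))
    echo "php_files=$php world_writable_dirs=$ww"
    [ "$php" -eq 0 ] && [ "$ww" -eq 0 ]
}

# Run directly as: sh audit.sh /path/to/magento/root
if [ -n "${1:-}" ]; then
    audit_magento_root "$1"
fi
```

A non-zero exit status makes the script usable as a gate in a deploy job or a daily cron check.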
Hosting help moving to Magento 2
When moving to Magento 2, to reduce the downtime during the move, luroConnect has plans for you.
- Staging server support plans.
- Magento 2 transition plan with minimum downtime. Our care even includes URL rewrite rules to ensure SEO value is not lost during transition.