Magento is one of the most popular platforms for building the virtual storefront of an e-commerce business. It is so widely used because of its simple-to-use interface, its extensibility through modules, and the trust it has built up since its launch in early 2009. That popularity also paints a large target on its back. Attackers frequently probe its attack surface, the damage to the business on the receiving end can be severe, and a technique that works against one store is often reproducible against many others. There are many things you can do to keep your Magento website safe and secure from attackers; however, the most effective is to upgrade from Magento 1 to Magento 2.
On June 30th, 2020, Adobe (the owners of Magento) announced that they had ended support for the Magento 1 platform as they moved forward with Magento 2. Magento 2 was released in 2015, and Adobe initially committed to 36 months of continued support for Magento 1; this was later extended to 55 months. Once that period concluded, security patches for Magento 1 sites were no longer available, leaving those stores more susceptible to cyber-attacks.
What Are the Risks of Still Being on Magento 1?
There are many risks associated with running out-of-date, unsupported, and therefore unpatched software, more so when that software is publicly facing. Publicly facing software is open to interrogation, penetration tests, and many different kinds of scans. This happens regardless of whether support and patching are available; the difference is that, while they are available, newly discovered vulnerabilities can be fixed, either as small standalone patches or bundled into a release.
Running Magento 1 in today's world is a dangerous prospect. Online retailers have legal obligations to fulfil in order to trade and accept payments, and payment handling happens to be the number one target area for the attackers mentioned above.
- PCI DSS
PCI DSS (the Payment Card Industry Data Security Standard) is a security standard that requires merchants who take card payments to do so in a secure manner and to protect and maintain the security of the card processing environment. Unfortunately, running out-of-date, unsupported software that is now known to carry unpatched security vulnerabilities is in direct contradiction to this standard.
With regard to GDPR, running Magento 1 does not necessarily indicate a lapse in compliance in itself; however, it does make maintaining that compliance both difficult and unpredictable. Because an e-commerce platform revolves around customer data in order to function, any compromise of the integrity of the environment will almost always lead to a data breach.
What Can Be Done To Mitigate The Risks?
It is possible to mitigate many of the security holes present in Magento 1:
- Make sure that, at a minimum, the last security patch released for Magento 1 is installed
- Use a WAF (Web Application Firewall) – A WAF inspects the traffic reaching the site and what each request is trying to do, and it will filter out and block what it believes is a threat, for example request patterns that indicate an attempted SQL injection. Many WAFs can also do GeoIP blocking to drop traffic from countries you would not reasonably trade with
- Obscure the admin portal, so that it is not reachable at the default path
- Use CAPTCHA systems such as Google reCAPTCHA – This allows most forms to filter out automated systems, or 'bots'
While the above measures are not an exhaustive list, they are examples of good mitigations that put your store in a better position than a vanilla install with no extra protection. The best step forward is to migrate to Magento 2 or another well-supported and patched platform (preferably in addition to the above measures!) and to keep it up to date in accordance with the platform's release and support cycle.
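To make the WAF, admin-obscuring and GeoIP points concrete, the script below is an added example (not code from this article, from Magento, or from any WAF product) that applies those same checks to a handful of constructed web-server access-log lines. The admin path `/store-backoffice`, the trusted office range `203.0.113.0/24`, the GeoIP stand-in table and the log lines are all assumptions made up for the example; a real WAF uses far richer rule sets and a real GeoIP database.

```python
"""Minimal WAF-style request filter illustrating the mitigations above.

Added example; all policy values and log lines are constructed, not real.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# --- Policy (hypothetical values) ------------------------------------------
ADMIN_PATH = "/store-backoffice"      # obscured admin path instead of the default /admin
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # only these may reach admin
MAX_ADMIN_POSTS = 5                   # admin POSTs (login attempts) tolerated per IP per window
BLOCKED_COUNTRIES = {"XX"}            # countries the store does not trade with
# Constructed stand-in for a GeoIP database: network -> country code.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "XX",
    ipaddress.ip_network("198.51.100.0/24"): "GB",
    ipaddress.ip_network("203.0.113.0/24"): "GB",
}
# Crude signatures of the kind a WAF rule matches on (after URL-decoding).
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+['\w]+\s*=\s*['\w]+", re.I),  # quote followed by OR x=y
    re.compile(r"\bunion\b[\s\S]+\bselect\b", re.I),          # UNION ... SELECT
]
# Simplified common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["ip"] = ipaddress.ip_address(req["ip"])
    req["path"] = unquote(req["path"])  # decode %27, %20 ... before signature matching
    return req


def country_of(ip):
    """Look the address up in the constructed GeoIP table; '??' when unknown."""
    ip = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if ip in net:
            return cc
    return "??"


def evaluate(lines):
    """Return (ip, path, verdict) per parsed request, in log order.

    Verdicts: 'allow', 'block:geo', 'block:sqli', 'block:admin-ip', 'block:admin-rate'.
    """
    admin_posts = defaultdict(int)  # login attempts seen per source IP
    verdicts = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue  # malformed line: skipped here, a real WAF would reject the request
        ip, path = req["ip"], req["path"]
        if country_of(ip) in BLOCKED_COUNTRIES:
            verdict = "block:geo"
        elif any(p.search(path) for p in SQLI_PATTERNS):
            verdict = "block:sqli"
        elif path.startswith(ADMIN_PATH):
            if not any(ip in net for net in TRUSTED_ADMIN_NETS):
                verdict = "block:admin-ip"
            else:
                if req["method"] == "POST":
                    admin_posts[ip] += 1
                verdict = "block:admin-rate" if admin_posts[ip] > MAX_ADMIN_POSTS else "allow"
        else:
            verdict = "allow"
        verdicts.append((str(ip), path, verdict))
    return verdicts


# Constructed sample log: a normal search, an injected search, a visitor from a blocked
# country, a trusted admin login, an untrusted admin probe, then six logins from one IP.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jul/2020:10:00:01 +0000] "GET /catalogsearch/result/?q=shoes HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jul/2020:10:00:05 +0000] "GET /catalogsearch/result/?q=shoes%27%20OR%201%3D1 HTTP/1.1" 200 5120',
    '192.0.2.55 - - [01/Jul/2020:10:01:00 +0000] "GET /checkout/cart/ HTTP/1.1" 200 3000',
    '203.0.113.10 - - [01/Jul/2020:10:02:00 +0000] "POST /store-backoffice/index/index/ HTTP/1.1" 302 0',
    '198.51.100.9 - - [01/Jul/2020:10:02:30 +0000] "GET /store-backoffice/ HTTP/1.1" 200 800',
] + [
    f'203.0.113.20 - - [01/Jul/2020:10:03:{i:02d} +0000] "POST /store-backoffice/index/index/ HTTP/1.1" 302 0'
    for i in range(6)
]

if __name__ == "__main__":
    for ip, path, verdict in evaluate(SAMPLE_LOG):
        print(f"{verdict:18} {ip:15} {path}")
```

Run as-is it prints one verdict per request; the only request from the trusted range that is blocked is the sixth login attempt, which trips the rate limit. Note that the checks are ordered so that a GeoIP block or an injection signature is decided before the admin-path rules are reached.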
Speak to us today to see how we can help your business succeed and remain secure.