For many retailers, the looming end of life for Magento 1 brings concern and uncertainty about what it will mean for their online business. The transition from version 1 to version 2 hasn’t been the simple, smooth process you would expect from an upgrade within version 1.
Magento 2 is not an upgrade of the current version but more of a rewrite of its core. When a business has reached some stability with its current setup, configs, custom modules, and integrations, moving to Magento 2 is an involved undertaking and a daunting prospect, given that none of the existing code can be reused. Because of this, for many businesses, a successful move to the new platform might not be achievable by the Magento 1 ‘end of life’ date of June 2020.
So what does this mean if you are one of those retailers, and should you be concerned? Are you a sitting duck to hackers or are there proactive things that you can do?
End Of Life For Magento 1
The ‘end of life’ for Magento 1 means that Magento will not release any more security patches for your site. The internet is an ever-evolving landscape, with hackers becoming more sophisticated in identifying backdoors into sites.
eCommerce sites are prime targets because of the potential reward a hacker could get for their efforts. Once a vulnerability is found with Magento 1, there will be essentially nobody there to plug the hole. One way of counteracting this would be to have developers looking for the vulnerabilities and patching them before they become a problem. Unless you’re a major retailer with dozens of developers at your disposal, this isn’t going to be a feasible option.
Fortunately, there are things you can do that will secure your site which are very cost-effective – this is where a WAF (Web Application Firewall) comes in.
For those of you unfamiliar with WAF, a simplistic way to describe it is a filter that sits between the site and the site visitor. The filter assesses the visitor and decides if they should be able to access the site. Its criteria are sophisticated enough to ensure genuine users are not prohibited, and essentially it will look at what that user is trying to do. If they are trying to access hundreds of pages per second or visit URLs that are not for public viewing, then the filter will determine that user is malicious – this could be one user or could be a ‘bot’. The filter will not only deny that user access, it will also record the activity for you to see. WAFs learn intelligently based on past activity so they become more effective at spotting malicious visitors as time goes on.
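The two checks described above (request rate and non-public URLs), together with the deny-and-record behaviour, can be sketched as follows. This is an added example, not code from Foregenix or any WAF product; the thresholds, the path prefixes and the sample traffic are assumptions, and the rules are static rather than learned.

```python
from collections import defaultdict, deque

# Hypothetical non-public path prefixes (assumption); use the site's own list.
RESTRICTED_PREFIXES = ("/private/", "/config/")


class RequestFilter:
    """Static stand-in for a WAF: per-client rate limit plus a non-public URL check."""

    def __init__(self, max_requests=100, window=1.0, restricted=RESTRICTED_PREFIXES):
        self.max_requests = max_requests   # assumed threshold, tuned per site
        self.window = window               # sliding window length in seconds
        self.restricted = restricted
        self.recent = defaultdict(deque)   # client -> request times inside the window
        self.blocked = set()               # clients already judged malicious
        self.audit_log = []                # denied requests, kept for the site owner

    def check(self, client, timestamp, path):
        """Return True to let the request through, False to deny it."""
        if client in self.blocked:
            return self._deny(client, timestamp, path, "client already blocked")
        if path.lower().startswith(self.restricted):
            return self._deny(client, timestamp, path, "non-public URL", block=True)
        times = self.recent[client]
        times.append(timestamp)
        while times and timestamp - times[0] >= self.window:  # expire old requests
            times.popleft()
        if len(times) > self.max_requests:
            return self._deny(client, timestamp, path, "request rate exceeded", block=True)
        return True

    def _deny(self, client, timestamp, path, reason, block=False):
        if block:
            self.blocked.add(client)
        self.audit_log.append((timestamp, client, path, reason))
        return False


# Constructed traffic: a shopper, a burst from one client, and a probe of a non-public path.
SAMPLE = (
    [("203.0.113.10", float(t), "/catalog/clogs") for t in (0, 2, 5)]
    + [("198.51.100.7", 10 + i * 0.01, "/catalog/clogs") for i in range(5)]
    + [("192.0.2.55", 20.0, "/config/settings.xml")]
)


def replay(requests, **policy):
    """Run (client, timestamp, path) tuples through a fresh filter."""
    flt = RequestFilter(**policy)
    return [flt.check(c, t, p) for c, t, p in requests], flt
```

Calling `replay(SAMPLE, max_requests=3, window=1.0)` lets the shopper through, denies the burst from its fourth request onward, and denies the probe, with each denial recorded in `audit_log`.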
Also, bear in mind that not all WAFs are equal.
You can indeed sign up to a cheap mass-market WAF online and assume your site is going to be safe. This is not always the case, and we have seen many sites with WAFs still being hacked.
One of the main reasons for this is the information that sits behind the WAF. A WAF is only as good as the data it has on known threats online – how up-to-date this data is dictates the effectiveness of the WAF. The best collator of this type of information would be a company that deals with security vulnerabilities and threats as its core specialism. If your site gets hacked, then the banks would appoint a Forensic team to investigate your site. These forensic investigations work at an extremely detailed level and normally the investigators have specialist experience with eCommerce and specialist platforms such as Magento.
Protect Your Site With Foregenix
Foregenix is a company that provides such Forensic services and for the Magento platform in particular. Because of their exposure to threats and exploits used to attack Magento sites, they have a gold mine of information that is then fed into their WAF (and website security solution) which then gets customised per client. Because of this, their WAF is extremely sensitive to blocking threats unknown to other WAF providers.
As a Magento eCommerce agency, Media Lounge is all too familiar with security issues faced with the platform. Over the last 10 years of working with Magento, we have been exposed to most types of security breaches. It’s an ongoing progressive threat which requires an agency to be both proactive and reactive.
Media Lounge and Foregenix have a dynamic relationship where their clients benefit from having the best of both worlds, where both sides have a deep understanding and expertise in Magento and eCommerce as a whole. Having this focus on the platform is what sets the service offering apart.
For any clients not able to move quickly enough over to Magento 2 within the ‘end of life’ date, Media Lounge is strongly suggesting that site owners protect their site with the Foregenix website security solution, FGX-Web, which includes their WAF and website security monitoring, as this will offer a strong barrier to hackers looking for an opportunity in Magento 1’s vulnerabilities.
Owners of both Magento 1 and Magento 2 websites should be doing more to protect their sites. In our experience, most eCommerce businesses do not realise they are already being targeted by hackers. We see a lot of customers surprised by the number of attacks our website security solution blocks daily. For them we provide peace of mind, as they can focus on growing their business while we protect their websites.
Our Own Experiences With Foregenix
Mike heads up the security side of things at Media Lounge and tells us how Foregenix has served our agency in the past when other services have let us down:
‘Over the years, we have taken on the support of sites built by other agencies on very old versions of Magento 1. Often these sites come to us unpatched with clients reporting unusual, inconsistent activity in their stores. They have often had a history of hacks on the site with credit card hijacking and malicious redirections. Because of this, they would have adopted the services of other WAF providers or server scanners to secure the site. We often see these services do little in detecting the files that are creating backdoors to future unauthorised access.’
‘One of the first steps is to have the Foregenix FGX-Web solution enabled on the site. This detects the malicious files hidden amongst the thousands of Magento files. Once these loopholes have been closed, we then implement the WAF to prevent any further attempts to inject malicious code. We have had great success with clients that have been plagued with security issues for years which has cost an enormous amount of time and loss in sales. Some of our clients are security conscious whilst others haven’t experienced the damaging effect for them to understand first hand the real threat.’
‘One of our clients, Lotta From Stockholm, has been on board with all security advice we have given them over the years whilst their business has grown from strength to strength. Their unique product range of clogs has attracted hundreds of thousands of lovers from all over the world. With their increased exposure from international trading, it does leave them more visible to opportunists looking to hack into their site. With the implementation of the FGX-Web solution from Foregenix, they have been able to focus on their business while bots and malicious hackers are taken care of.’
‘In under 2 years, the WAF has blocked 87,014 malicious attempts. These range from efforts to guess and brute force the admin, access to RSS feeds, attempts to scrape content, searching of config files and more. The solution we added detects any file changes on the server so if we are not editing the site, an alert like this can be crucial in quickly spotting unauthorised access.’
To set retailers’ minds at rest: whilst a move to Magento 2 should not be ignored despite the challenges that may be faced, you do have some options if your M2 store build overruns beyond the June 2020 deadline for Magento 1 support.
Security of your store shouldn’t be brushed under the carpet. Magento 1 stores will most likely be targeted, but with help from organisations like Foregenix, you can be more than prepared for that.
Want To Find Out More?
Speak to the Media Lounge Support team for more information on how we can protect your store.
Or sign up for a dedicated Magento security webinar hosted by Benjamin Hosack, the co-founder of Foregenix.