    Magento 1 Security Since July 2020

    If you work with a Magento 1 website, you know that Adobe stopped publishing M1 security patches and software updates when the platform reached end of life on June 30, 2020. That has been a friction point for a large number of eCommerce store owners, but other providers were ready to roll out security patches to give Magento 1 users more runway to keep operating before replatforming to a newer platform, such as Magento 2. In this article, you’ll learn what those patches look like.

    Who’s impacted?

    According to September 2020 data from security firm Foregenix, there are nearly 180,000 live Magento 1 sites, down from the well over 200,000 that Foregenix estimated in May of 2020. According to the same data, the Magento ecosystem has retained a steady number of installations overall, with M1 sites being replaced by M2 sites.

    (Figure: Foregenix Magento 1 and 2 Installation Tracker, September 21st 2020)

    Sansec, a leading team of Magento security experts, has data sets that align with Foregenix in trend, but not in total installations:

    (Figure: Sansec Magento 1 and 2 installations as of October 20th 2020)

    Whether the true figure is closer to 100,000 or to 200,000 sites, it’s a lot of merchants.

    At JetRails, we host many Magento 1 and Magento 2 sites, and we can report similar trendlines. We’ve seen a large number of M1 users migrate to M2 in recent months. Since we specialize in single-tenant, dedicated hosting environments, our user base tends to be more established and therefore more likely to have the budget to replatform to Magento 2.

    How has a lack of security patches from Adobe impacted these users?

    So far, the largest security incident to hit M1 users since Adobe ended support has been CardBleed, a campaign discovered by the team at Sansec in September 2020 that infected thousands of sites with card skimmers over the course of a single weekend. It was a zero-day event, but not a completely unpredictable one: the attackers abused the Magento Connect Manager, the /downloader endpoint that many hardening guides had already recommended blocking. While many unmanaged and under-managed hosting environments were unprepared, JetRails configurations already blocked that path, and our users were unaffected.

    What security solutions should your Magento 1 web hosting include?

    Here are a few things your web host should be helping with in order to keep your site safe and secure. These countermeasures include both proactive and reactive measures: blocking threats outright, and identifying unusual activity before it turns into a serious problem.

    What about Magento 1 Security Patches?

    While a lot can be blocked with managed hosting and firewalling, sites still need security patches for more holistic security and to achieve security compliance. PCI DSS requires that vendor-supplied security patches be installed (critical patches within a month of release), so if you’re not installing security patches, you’re not keeping your Magento site PCI compliant.

    The two main sources of patches for Magento 1 are Mage-One and OpenMage.

    Mage-One

    Mage-One charges a subscription fee for access to the patches it produces. As of this writing, it has already released over a dozen patches, which:

    Forces login forms to disable autocompletion.

    Prevents parallel logins from the same user account by only allowing a single session at any given time. This applies to both frontend and backend (admin) users.

    Adds a new config option to only transmit cookies via HTTPS.

    Provides compatibility with PHP 7.3.

    Improves the clearing of session data with parallel logins.

    Addresses an observable timing discrepancy vulnerability in Magento’s hash compare functionality.

    Removes the ability to delete system attributes via the SOAP API.

    Without this patch, an administrator with permission to access System > Permissions > Variables was able to add config paths for encrypted config fields to the allow list. This made it possible to view the decrypted value of private information.

    Improves compatibility with 3rd party integrations (for example, payment gateways that redirect the customer back to the store) by flagging cookies as SameSite=None. Browsers now treat cookies without a SameSite attribute as Lax by default, which breaks cross-site POST-backs; this is affecting all sorts of sites and is not a Magento-specific vulnerability. Note that browsers only accept SameSite=None on cookies that also carry the Secure attribute, so this relies on the site running over HTTPS.

    For sites whose host does not already block it (JetRails does), prevents access to the /downloader folder, the Magento Connect Manager.

    Replaces the news feed URL in the Magento admin so that it receives patch notifications from Mage-One, since there are none coming from Adobe.

    Improves on MO-18 and prevents incorrect form keys from creating error log entries.

    Prevents admin users with permission to update product data from storing an executable file on the server and loading it via the layout XML file.
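    To show what the hash-compare timing item above is about, here is an added example in PHP. It is not Mage-One’s patch and not Magento’s own Mage_Core_Model_Encryption code; the stored-hash layout md5(salt . password):salt is assumed for illustration (it is the shape Magento 1 uses), and the function names m1_hash, validate_hash_vulnerable and validate_hash_safe are hypothetical. The vulnerable version shows two defects of a plain string comparison: it stops at the first differing byte, so the time it takes depends on how much of the supplied value is correct, and PHP’s loose == additionally treats hex strings of the form 0e… as numbers.

```php
<?php
// Added example (not Mage-One's or Magento's code): why a plain string
// comparison of password/API-key hashes leaks timing information and can
// type-juggle, and the constant-time replacement. Hash format assumed:
// Magento 1 style "md5(salt . password):salt".

declare(strict_types=1);

/** Build a Magento-1-style salted hash: md5(salt . password) . ':' . salt */
function m1_hash(string $password, string $salt): string
{
    return md5($salt . $password) . ':' . $salt;
}

/**
 * Vulnerable: '==' (and '===') on strings compares byte by byte and stops at
 * the first mismatch, so a remote caller who controls the value being checked
 * can measure how many leading bytes matched. '==' also applies numeric
 * string juggling: "0e123..." == "0e456..." evaluates to TRUE.
 */
function validate_hash_vulnerable(string $password, string $stored): bool
{
    [$hash, $salt] = explode(':', $stored, 2);
    return md5($salt . $password) == $hash;
}

/**
 * Hardened: hash_equals() (PHP >= 5.6) always compares the full length of
 * the known string and never type-juggles. Known (stored) value goes first.
 */
function validate_hash_safe(string $password, string $stored): bool
{
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2 || $parts[1] === '') {
        return false; // malformed stored hash: fail closed
    }
    [$hash, $salt] = $parts;
    return hash_equals($hash, md5($salt . $password));
}

// Type-juggling demonstration. Both strings are md5 outputs of real inputs
// ("240610708" and "QNKCDZO") and both look like 0 * 10^n to PHP.
$magic1 = '0e462097431906509019562988736854';
$magic2 = '0e830400451993494058024219903391';
var_dump($magic1 == $magic2);            // bool(true)  -- loose compare
var_dump(hash_equals($magic1, $magic2)); // bool(false) -- constant-time compare

// Normal use of the hardened validator.
$stored = m1_hash('correct horse', 'Xy');          // 'Xy' is a constructed 2-char salt
var_dump(validate_hash_safe('correct horse', $stored)); // bool(true)
var_dump(validate_hash_safe('wrong password', $stored)); // bool(false)
var_dump(validate_hash_safe('anything', 'deadbeef'));    // bool(false): no salt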

    How is Mage-One finding these security vulnerabilities? 

    Mage-One partners with Magento security experts and stakeholders, from JetRails and Sansec to OneStepCheckout and Amasty. Overall, it is up to over 40 partner organizations in the Magento community.

    They also have an active bug bounty program, which pays ethical hackers that find vulnerabilities and disclose them to Mage-One.

    (Figure: Mage-One Bug Bounty Program)

    According to the Mage-One team, they have already written patches and paid bounties as a result of this program. This is competitive with what Adobe offers through its own bug bounty program for Magento 2:

    (Figure: Adobe’s Magento 2 Bug Bounty Program on HackerOne)

    OpenMage

    OpenMage is a free, open-source fork of Magento 1. They too have been busy since Adobe ended its support of Magento 1. While Mage-One is focused on security-related fixes, OpenMage is addressing a wider range of updates for M1 users, and has had multiple releases since Magento 1 reached end of life on June 30th, 2020. These releases include general fixes and updates as well as security improvements.

    (Figure: OpenMage version releases since June 2020)

    OpenMage is fast approaching 30 partner organizations. These include a wide range of partners, from payment processors like Heartland, to extension developers like OneStepCheckout, security firms like Sansec, and hosts like JetRails.

    They have been working on their own bug bounty program too.

    OpenMage is also making Magento 1 extensions available via GitHub now that the Magento Marketplace no longer offers these extensions. 

    Which Magento Agencies are continuing to support Magento 1?

    Whether for M1 or M2, and regardless of where you source your patches, a Magento site requires a merchant to have a great web host and great web developers. Some agencies have been moving away from Magento 1 to focus more exclusively on Magento 2. However, as the data at the beginning of this article highlighted, there are still more M1 than M2 sites out there, so while many dev teams may have considered working exclusively with M2, for practical reasons few have gone that route.

    Anyone that has tried to find the right agency before will undoubtedly agree that agencies are not one-size-fits-all and that just because some agencies will take on a project, doesn’t make them experts in that arena. That’s why we’ve launched our Magento Agency Matchmaker program – helping merchants to find agencies that our team has had positive experiences working with.

    With the right software, Magento host, and developers, you’ll be able to keep your Magento 1 site safe, fast, reliable, and scalable.

    About The Author
    Robert Rand
    Director of Partnerships & Alliances

    Robert is a Magento 1 and 2 Solution Specialist with over a decade of experience in helping merchants benefit from sound ecommerce and digital marketing strategies. He’s highly experienced at harnessing the power of ecommerce technologies and solutions to help businesses of all types and sizes grow and succeed.
