The risks of staying on Magento 1 for eCommerce as it moves to end of life

For many brands operating in the eCommerce industry, it’s well known that the popular platform Magento 1 is coming to the end of its supported life: after June 30, there will be no more updates or security patches released. But what does that mean for the 6,000 UK website owners still running Magento 1?

Businesses still have time

The first thing to point out here is that there is still the opportunity to re-platform, whether that means moving to Magento 2 or to a completely different system such as WooCommerce.

The best long-term solution for any eCommerce site is to move to a supported system. However, with the Covid-19 pandemic affecting organisations on a global scale, many businesses are prioritising cash for survival, so the website migration project may have taken a back seat.

However, there are risks attached to staying on Magento 1. The primary issue is the vulnerability to being hacked, and the damage that comes with it. The type of hack this article refers to is a direct attack on the website itself, whether targeted or non-targeted, rather than activities like phishing to capture log-in details or denial-of-service attacks.

Let’s concentrate on the breaches that allow people to delete, edit and steal information from the website. In most cases this will be a non-targeted attack, where hackers have discovered a vulnerability in a particular CMS version, plugin or theme. In cases like this, automated bots are used to find websites running the weak version, and those sites are then attacked.

Understanding sophisticated hacking methods

It’s difficult to know when an attack has taken place. Sometimes it’s obvious: a hacker could have deleted the database and, hey presto, there’s no website. That’s an easy one to spot. In that scenario, a business would have to revert to a backup to get the site up and running again. Are there offsite backups in place? That’s the sort of thing enterprises must organise well before anything goes wrong.

More sophisticated methods can be harder to detect. In the case of eCommerce, an attacker may be trying to remain undetected in order to capture payment details. It’s therefore better to have regular security scans in place to check that the website hasn’t been compromised, because the sooner an intrusion is detected, the better the disaster recovery outcome.

So, what happens when an enterprise gets hacked and knows about it? The solution is usually to upgrade the CMS and/or any vulnerable plugins. Magento does a good job of alerting users to these issues so that organisations can patch the running version before anything bad happens.

In an ideal world, a business would be notified and would patch the site before any attack took place. In practice, many sites are hacked before the patch is applied, so it’s always important to keep CMS versions and plugins up to date. Usually, the older they are, the greater the chance that a weakness will be exploited.

Dealing with the aftermath

If a company is unfortunate enough to suffer a hack, and someone has gained access to the website, data could have been stolen, and the firm is legally obliged to notify both the Information Commissioner’s Office (ICO) and any customers that may have been affected.

Many consumers will likely have received an email like this; for example, Virgin Media recently wrote to millions of people to let them know there had been a data incident. For any brand and its marketing, this sort of scenario is damaging to reputation and could end up in a fine from the ICO.

Magento 1 website owners could well find themselves stuck post-June if they get hacked, because there is no patch coming. The only option is to upgrade, assuming the business is not already running the latest version, and that is a short-term fix that buys only a small amount of time. For those already on the latest version of Magento 1, the situation is worse: the only options are a) find and fix the vulnerability themselves, which is unlikely to be viable, or b) re-platform in a hurry.

The latter is the more likely course of action, and in the meantime the site will remain prone to repeat hacks unless the enterprise takes it down, so neither scenario is good. In addition, there’s lost revenue while the site is out of action, and a likely fine to face if a repeated data breach occurs.

Of course, there is the possibility that firms can continue on Magento 1 trouble-free. Unfortunately, that comes without any guarantee; in fact, it is likely just a matter of time before something bad happens to the site.

PCI compliance issues

If a company processes payments using a third party like Sage, Worldpay or Stripe, card details are not saved on the website; they are handled on the provider’s systems and encrypted. But there are types of malware that allow hackers to record keystrokes, in other words to capture the details as they are typed in. That means a business cannot rely on the third-party payment gateway alone for 100% protection.
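The two defensive points above, regular scans that detect a compromise early and the fact that a payment gateway does not protect against malicious script injected into the checkout page, can be combined into a simple periodic integrity check. The following is an added example and not code from the article or from Magento: it hashes the site’s shipped JavaScript files against a known-good baseline and flags any external script on the checkout page whose host is not on an allowlist. The file paths, file contents, hostnames (`shop.example.test`, `static.unknown-cdn.invalid`) and the checkout HTML are constructed sample data for the example; a real deployment would build the baseline from a clean install and feed the live files and rendered page into the same functions.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample deployment: path -> file bytes as captured at baseline time
# (right after a clean install or the last patch) and again on a later scan.
BASELINE_FILES = {
    "js/checkout.js": b"function submitOrder(f){return validate(f);}",
    "js/payment.js": b"var Payment = {};",
}
CURRENT_FILES = {
    "js/checkout.js": b"function submitOrder(f){return validate(f);}",
    # a shipped file has had extra code appended since the baseline was taken
    "js/payment.js": b"var Payment = {};/*appended*/",
    # a file that did not exist at baseline time
    "js/lib/analytics-helper.js": b"/* unknown file */",
}

# Constructed checkout page: two first-party scripts and one from an unknown host.
CHECKOUT_HTML = """<html><head>
<script src="/js/checkout.js"></script>
<script src="https://shop.example.test/js/payment.js"></script>
<script src="https://static.unknown-cdn.invalid/loader.js"></script>
</head><body><form id="payment-form"></form></body></html>"""
ALLOWED_HOSTS = {"shop.example.test"}  # hosts the checkout page may load scripts from


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """Hash every file so later scans can be compared against a known-good state."""
    return {path: sha256_hex(content) for path, content in files.items()}


def diff_against_baseline(baseline, current_files):
    """Report files that were added, removed or changed since the baseline."""
    current = build_baseline(current_files)
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(
            p for p in current if p in baseline and current[p] != baseline[p]
        ),
    }


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag on a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def unexpected_script_sources(html, allowed_hosts):
    """Return external script URLs whose host is not on the allowlist.

    Relative URLs (no host) are same-origin and are covered by the file
    integrity check instead, so they are not flagged here.
    """
    collector = _ScriptSrcCollector()
    collector.feed(html)
    flagged = []
    for src in collector.sources:
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            flagged.append(src)
    return flagged


def run_scan():
    """One scan cycle over the constructed sample data."""
    baseline = build_baseline(BASELINE_FILES)
    return {
        "files": diff_against_baseline(baseline, CURRENT_FILES),
        "scripts": unexpected_script_sources(CHECKOUT_HTML, ALLOWED_HOSTS),
    }


if __name__ == "__main__":
    result = run_scan()
    for kind, paths in result["files"].items():
        for path in paths:
            print(f"file {kind}: {path}")
    for src in result["scripts"]:
        print(f"unexpected external script: {src}")
```

Scheduling a scan like this (for example, nightly) and alerting on any non-empty result gives the early detection the article recommends; a modified or unknown file in the web root, or a script loaded from a host the business never approved, is exactly what a checkout compromise looks like from the defender’s side.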

One of the main stipulations of PCI compliance states that a brand must ‘develop and maintain secure systems and applications by installing applicable vendor-supplied security patches.’ If a business is unable to apply security patches beyond June, it’s hard to see how its website could remain PCI compliant.

Remaining on Magento 1 post-June is without doubt a dangerous prospect for the firms that continue to run it. Enterprises, and the marketing agencies whose clients use this platform, should be advising their customers that it’s a risk not worth taking, especially when businesses have fought for many months to survive in the current climate.
