Magento Version Upgrades

by Greg Reedy, PHP/MySQL Developer at InteractOne

Many people don’t consider the need for Magento version upgrades once an initial package is installed and running. Many think that once they’ve got their software set up and tweaked just the way they want (especially once they’ve added several customizations), an upgrade might somehow “break” or undo all of the special changes, settings, edits and customizations they’ve spent countless hours getting just right. Why would anyone then go and “mess things up”? One might also ask, “Aren’t those updates and upgrades just adding more bells and whistles that I don’t need? Couldn’t they change the placement of elements in the user interface that I don’t have the time or desire to re-learn?”

Some of those concerns are occasionally legitimate, but rarely. The more pressing concerns that should be at the top of your list are:

  1. Are my customers satisfied with the overall experience of navigating my site?
  2. Is the site I depend on for my business secure?
  3. Can my customers continue to trust my site for a hacker-free experience?
  4. Does my site comply with the Payment Card Industry Data Security Standard (PCI DSS)?
  5. Will my customizations and plug-ins continue to function worry-free and conflict-free?
  6. Will I be able to expand, change, or upgrade in the future?
  7. Is my site secure?
  8. Is my site secure??
  9. Is my site secure???

…you get the idea.

2015 turned out to be a particularly busy year for security breaches at every level of the web, including even CIA Director John Brennan’s personal email account. Magento has had its own share of attacks over the year, and has published several security patches and version updates, the most recent at the end of October 2015. The latest patch, SUPEE-6788, is a fairly major update to the core code.

So the question of how often to perform version upgrades in Magento is somewhat self-explanatory (hint: as often as new versions are published). Note, however, that many version upgrades are simply the latest core code with the latest security patches applied. For example, if your site is running Community Edition 1.9.2.0, an upgrade to v1.9.2.1 simply adds the patches released up to that point.

[Image: Version release notice from the CE 1.9.2.1 upgrade page on Magento.com]

Similarly, the latest Community Edition version (1.9.2.2) includes the major patch SUPEE-6788 released at the end of October 2015, and its release page carries an even more important warning:

[Image: Version release notice from the CE 1.9.2.2 upgrade page on Magento.com]

Notice that this patch can impact previously installed extensions and customizations? There are major core code changes in SUPEE-6788, and if your Magento site is languishing on an earlier version and/or carries heavy customizations, you may be at risk of leaving major security holes open and of facing a now more painful upgrade. Depending on how far back your version of Magento is, the difficulty of an upgrade could be high or low. In the case of SUPEE-6788, it’s already a tiny bit painful for those running later versions around 1.9.x, so even earlier versions could cost you more to bring up to date, as well as cost your company if the security risks aren’t handled in a timely manner.

According to Magento’s own page on Security Best Practices:

A compromised site can have long-term consequences for both customers and merchants. Customers might suffer financial loss and identity theft, while merchants can face damage to their reputations, loss of merchandise, higher processing fees, revoked privileges with financial institutions, and the threat of lawsuits.

This may all seem like common sense, but it’s surprising how many companies continue to allow their websites to operate without Magento version upgrades or patched software. In May 2015, CBS News reported that online security firm Cyphort had scanned 1.75 million URLs against a list of known malicious sites and found that the software behind as many as 21% of the URLs referenced hadn’t been updated with the latest security patches. Further, it was reported that none required “special or invasive means” to solve the issue, and that “attackers need no more than a standard browser to find vulnerable sites to exploit.”

Though there are occasions when an update or patch isn’t focused on security (SUPEE-6237 patched a change in the USPS API that impacted shipping rates), it is fairly easy to agree that any and all patches and upgrades provide important updates to your Magento installation. If updating important functionality and performance standards isn’t a high priority, certainly the idea of a malicious hacker taking down a site for hours or days, along with gaining access to sensitive customer information, should be plenty to rattle the cage of any player in the e-commerce arena.