Patch or upgrade Magento?
By Brian Holecko, Certified Magento Developer at InteractOne

The Security Patch Conundrum

Patch or upgrade Magento? For your Magento site this is less a question of philosophy and more a question of security. Magento announces security patches through admin notifications. These notifications can alarm merchants and prompt them to request urgent patching of their online store. Do not be alarmed: far more security patches exist than the admin notification system ever shows. The actual best practice is to upgrade to the latest Magento version, which typically includes dozens of security fixes, among them the latest security patches. If a security patch is released before it has been rolled into an upgrade, be patient and focus on staying up to date on upgrades instead.

What if you get hacked?

One very important reason to stay up to date on Magento is the question of what happens if your site is hacked. There is no simple way to tell which security hole was breached. In the best case it is a hole that an existing security patch can fix. In the worst case it is an issue that will not be patched in older versions of Magento for a long time to come.

Even when newly discovered weak points in Magento are urgent, patch requests take time. They have to pass through project management, development, and QA testing before being released to production, and that is critical time during which your site can be exploited. Even once you have patched the breached weakness, the hacker may simply move on to another weak point, leading your development team into a game of whack-a-mole with the hacker.

Security Patches violate a key Magento rule – never edit core code.

Applying a security patch violates the Magento standard that modifications must never be made directly to core code: a patch does exactly that. This causes confusion during a later code analysis, because it becomes hard to tell whether a change to a core file came from a patch or from a developer editing core. Future upgrades then overwrite the applied patches anyway, so applying a patch gains little over simply upgrading.
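To see why a patched core file looks the same as a developer's core edit, here is an added integrity check (example code, not from this article or from Magento): it hashes the deployed core tree against a pristine release tree, lists what differs, and reads the patch record file, which cannot attribute individual files. The core path list, the file names and the `SUPEE-0000` record entry are assumptions constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

CORE_DIRS = ("app/code/core", "lib", "app/design/frontend/base")  # assumed core paths for this example


def _core_files(root: Path) -> dict:
    """Map relative path -> sha256 for every file under the core directories."""
    files = {}
    for core in CORE_DIRS:
        base = root / core
        if base.is_dir():
            for p in base.rglob("*"):
                if p.is_file():
                    files[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return files


def compare_core(pristine: str, deployed: str) -> dict:
    """Classify deployed core files as modified, added or missing against the release tree."""
    ref, cur = _core_files(Path(pristine)), _core_files(Path(deployed))
    return {
        "modified": sorted(f for f in ref if f in cur and ref[f] != cur[f]),
        "added": sorted(f for f in cur if f not in ref),
        "missing": sorted(f for f in ref if f not in cur),
    }


def applied_patches(deployed: str) -> list:
    """Patch IDs recorded in app/etc/applied.patches.list; empty if no patch was ever applied."""
    record = Path(deployed) / "app/etc/applied.patches.list"
    if not record.is_file():
        return []
    return sorted(set(re.findall(r"SUPEE-\d+", record.read_text())))


def demo() -> dict:
    """Constructed sample: a release tree and a deployed copy with one patched and one hand-edited file."""
    tmp = Path(tempfile.mkdtemp())
    rel, dep = tmp / "release", tmp / "deployed"
    for root in (rel, dep):
        (root / "app/code/core/Mage/Core/Model").mkdir(parents=True)
        (root / "app/etc").mkdir(parents=True)
        for name in ("Url.php", "App.php"):
            (root / "app/code/core/Mage/Core/Model" / name).write_text("<?php // release\n")
    model = dep / "app/code/core/Mage/Core/Model"
    (model / "Url.php").write_text("<?php // changed by a security patch\n")
    (model / "App.php").write_text("<?php // changed by a developer\n")
    (dep / "app/etc/applied.patches.list").write_text("SUPEE-0000 | constructed entry\n")  # constructed record
    return {"diff": compare_core(str(rel), str(dep)), "patches": applied_patches(str(dep))}
```

Both changed files show up as modified and the patch record only names the patch, so nothing in the tree itself says which edit came from the patch and which from the developer.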

Ok, so do I Patch or Upgrade Magento? Upgrade!

For the most protection, stay up to date on the latest upgrade. An upgrade gives you the protection of multiple security fixes at once, rather than that of a single security patch at a time. Meet with your team to develop an upgrade plan that defines the time and effort the upgrade will take, a test plan, and of course the budgetary constraints, so you can decide when and how to upgrade to the latest version, and when not to.