Not every merchant was ready to migrate off Magento 1 in June. As M1 is now officially unsupported, what options are available for merchants who need more time to make a decision on where to go?
With Magento 1 support officially discontinued in June 2020, hear from Miguel Balparda, Product Manager at Nexcess and Ian Helm, Director of Managed Services at Forix on how merchants can extend the life of their Magento 1 instances with support services. This webinar will be pre-recorded and available on-demand.
- Ongoing support & maintenance
- Hosting and instance setup
- Security monitoring
- Compliance concerns
No Time to Watch?
We know you’re busy, so if you don’t have the time to watch the webinar, then take a moment to browse the official transcript. If you’re still on Magento 1, then choosing a managed services and security package, such as Safe Harbor from Nexcess, or Forix’s own Magento 1 extended support plan, can help you maintain the security you need to keep your site running. Keep reading to learn more about these innovative plans.
Extending Your Magento 1 Instance
Hosted by Forix and Henry Chen
Ian Helm (Forix) – Director of Managed Services
Miguel Balparda (Nexcess) – Product Manager
Transcript of Webinar: October 7th, 2020
HC: Okay, let’s go ahead and get started. Welcome everyone, thank you for joining us on today’s webinar on how merchants can extend the life of their Magento 1 instances. My name is Henry Chen and I’m the marketing manager here at Forix, a Magento Enterprise Partner specializing in providing ongoing support and managed services.
I’m joined by Miguel Balparda, product manager at Nexcess, and Ian Helm, director of managed services here at Forix, to talk about what we offer in the realm of Magento 1 extended support and to address some of the key areas of consideration. If you have any questions during the presentation, please type them into the question box, we’ll get back to you to address them as soon as possible.
Now without further ado I’d like to turn things over to Miguel to get us started today. Miguel, thank you for joining us. For those of you who are not familiar with Nexcess, why don’t you give us a quick introduction about yourself and the company, and then we can get into what Safe Harbor is about.
MB: Thank you very much for having me here today, my name is Miguel and I’ve been working with Magento for the last, I don’t know, 7 to 8 years? I’m one of the guys maintaining Magento 2 on GitHub. I’m a full time Magento Master, and I’m one of the guys helping the Magento Association in the content committee. About Nexcess, well Nexcess has been here forever. When Magento 1 started, Nexcess was probably the only hosting provider out there actually supporting this new application. So for the last decade, Nexcess has been the go-to hosting provider/cloud provider for anything that’s Magento related. To be honest, we created this alternative, this Safe Harbor alternative because we still own the majority of Magento 1 stores. We created this item to use on the existing Magento platform to accommodate stores who are not yet ready to migrate to a new Magento platform.
Now this is really important, I don’t want this to take us away from migration, or as a way to stay on Magento 1 forever. We are going to discuss some alternatives later, but I think it’s important to know that Magento 1 is extremely old, and has its share of problems, so everyone should consider moving away from it to a newer platform in the near future. Today there are hundreds of thousands of Magento store owners who don’t really understand what an End of Life situation means. They haven’t kept up with Magento and PHP upgrades, or they aren’t ready to invest in an upgrade to Magento 2, which is like, really expensive. We created this program to give these people more time to find a partner to help them navigate their options. Most of these sites are really old and are vulnerable, and they need an End of Life solution quickly.
Now, some of the things we try to avoid here is staying on an old platform forever. I try to highlight this every time that I mention Safe Harbor: this is a temporary security measure. This doesn’t mean you can stay on Magento 1 forever. This doesn’t mean you can create a new site to launch in 2021 using Magento 1. That’s not a good idea. So those were some of the reasons we used to create this program.
Nexcess Safe Harbor was created by experts in the matter. We provide a couple of security features that we consider really important. It’s important to understand that Nexcess has been dealing with this forever, I mean it’s not like we created Safe Harbor this year and we’re trying to maintain these stores as of today. We’ve been hosting Magento 1 for almost a decade, and that includes a ton of different versions, from Magento 1.1, which is extremely old, to Magento 1.9 [the] latest, which is the version that everyone should be using. But again, I really want to highlight who our Safe Harbor is for. We’re really focusing on merchants who don’t have a relationship with an agency partner like Forix, who haven’t upgraded to the latest version of Magento 1, which these days is 220.127.116.11, or companies who don’t have an internal technical staff to manage updates. Or again, who are not yet ready for the expense of a migration to Magento 2.
What’s included in our Safe Harbor offering? Our Safe Harbor add-on works with any of our existing SIP and Cloud plans, and we offer daily malware scans, with support for remediation. You will get a notification every day, and in the event we find something, you will get a notification with actions, that would be, quarantine that file, removing that file, or actually marking that as a false positive. We also offer enhanced threat protection, monitoring users, bots, and HTTP requests. We also offer staging environments where upgrades can be tested. This is one of the features I like the most, because there’s this really weird idea, where people just go ahead and try their new stuff, their patches, their new PHP versions, all right on their live sites. And that usually ends up with their production site being down, and they have to call support to remediate that. But we created this staging environment, basically so that you can test all of your stuff without having to break your production site.
And of course, and this is the most requested feature, we’ve backported security patches post-End-of-Life. This is a big topic, we could talk about this for hours, but the thing we’re trying to do here is to define common threats, common vulnerabilities both in the core and common models, and we then backport fixes for at least the 1.9 Magento versions. We considered doing this for older versions too, but I don’t think that’s a great idea because we want everyone in the same version. That’s 1.9’s latest, if possible, and 1.9 if you can’t do the latest. We also have Web Application Firewalls (WAF), which we actually use to block some threats, and this is one of the most common features to use. There are times when we can release a patch, but there are times where we will need to block certain types of requests, and that includes malicious software trying to abuse the API info, trying to gain access to the admin folders, all of that kind of stuff.
HC: So Miguel, real quickly on the topic of Web Application Firewalls, what if a merchant already pays for one? Can Safe Harbor install a new one, or what should they do there?
MB: That’s a great question. There’s a lot of people using Cloudflare these days as a Web Application Firewall, and that will play nice with our Safe Harbor offering. You can actually have both Web Application Firewalls, but the thing is, at the end of the day you will need to decide if you want to manage your Web Application Firewall by yourself, or if you want to have us manage that for you. If you go to Cloudflare, they may have some application there that will block some of these threats, but at the end of the day, we are the ones who see the most threats, and that’s how we create our Web Application Firewall rules. We see a threat, we see the same threat a thousand times, and we think, okay this may be a hacking attempt, how about we block this threat widely. And that actually works because, again, we host the majority of Magento 1 sites out there, and we get to see and analyze the traffic that’s going on. So I’d say you can keep your Web Application Firewall, but again you will need to decide which one do you want to use, and do you want to maintain your own, or do you want to have someone else maintain that firewall.
HC: On the topic of maintenance as well then, with the Safe Harbor program, will Nexcess be able to install new extensions and modules? Coming from a merchant standpoint.
MB: Yeah, that’s actually in scope. We can install extensions upon request, and actually there’s a really interesting story about this. A couple of weeks ago we released a new security patch called Nexcess CSP. Which is a Content Security Policy module, and that can be set up upon request. So the answer is yes, you can get new modules installed in Safe Harbor.
We’re also working with different providers when it comes to extensions and security patches, and one is Open Mage. They are a developer community for Magento 1. Not that long ago, at least a month ago, they created their first CVE associated with a vulnerability in Magento 1, and they released this to address some code discrepancies. We work with Open Mage, and we created a patch which we made available for our customers. That was a really interesting collaboration because we believe in open source, which Magento 1 is. That means that anything you release after its End of Life means it has to be released under the same license, and that’s what Open Mage did. They created their own CVE and we worked together in remediation, and we released the patch together, meaning every Open Mage user and every Nexcess customer got the patch even before any commercial offering, which to me, seems extremely important.
HC: Yeah, absolutely. Well thank you Miguel. I’d like to transition now over to Ian with Forix’s managed services team to talk a little bit more about our offerings and who we are as a Magento agency. Ian, thank you for joining us. For those who haven’t worked with Forix before, would you mind giving a quick overview of who we are and what your role is here?
IH: Yeah sure. My name is Ian, as Henry mentioned I am the director of managed services here, so I oversee our project management and development groups here internally. Forix is a managed services provider for Magento Enterprise and Community customers, and we specialize in ongoing support and development services. We’ve got over a decade of experience and about 60 plus certified Magento team members under our wing. We’re not only looking to get your site up and running but also to continue to grow it, which is a very important focus for us. And that includes merchants on Magento 1. We recognize that your business needs to continue to succeed and grow, even if you’re still on the old platform.
Our approach to extending the life of Magento 1 is to obviously set up a strong foundation by auditing against our list of best practices, so very similar to what Miguel was mentioning. We’re looking to fill any gaps found in your protection strategy, so we do an audit against our list of things we’ve learned over time that are best for protecting your site. We have a proactive monitoring plan that includes a Web Application Firewall use, server resource monitoring, malware removal, as well as a custom extension for monitoring one of the most common attack factors for Magento 1, which is malicious code being entered into the admin area.
As far as who we can help, we can help pretty much any version of Magento 1, or Magento 2 for that matter. To us it doesn’t necessarily matter which version you’re on. We can of course help upgrade you to the latest and greatest version that’s available for Magento 1, but sometimes that’s not a possibility for merchants, depending on cost restrictions and things of that nature. So we help build a plan that works for your existing instance, utilizing any existing security systems that you may have when possible. You may have existing IT infrastructure that you want to continue using, or you may have a complex setup of systems that are interconnected, such as your ERP or Product Management System. Forix really excels at adapting to and assisting with whatever environment you currently have.
HC: Okay, Ian real quickly, for any merchant who might be thinking of partnering with Forix to discuss options about their site, what’s the process like to engage with us?
IH: Sure, I think it really begins with a discussion to understand the individual business needs they might have. We try to tailor our efforts and teams to specific gaps or areas where our clients need the most help. So those initial discussions help us understand which of our teams internally can benefit them most, whether that’s technical teams, strategic, UX/design, or all of the above. And then our onboarding process consists of, again, an audit to get the lay of the land of the existing system. We go through an environment set up where we set up a staging site, development servers, things of that nature that we can utilize to work on code and do things that aren’t going to impact the production site. And then of course introductions to that dedicated team of people, dedicated project manager, point of contact, UX teams, etc.
HC: Okay, thanks so much. I hope that clears it up, and for anyone that is interested, feel free again to leave a comment for either Ian or Miguel, as we’re happy to answer those questions at a later time here. Thank you Ian, for that. I wanted to move on now and address some of the key points and questions that we’ve seen pop up quite a bit about staying on M1. I think first and foremost we wanted to reiterate again that whether it’s Safe Harbor from Nexcess or Forix’s M1 Extended Support offerings, these are both temporary solutions. You really do need to consider a plan for continued service and for a migration, whether that’s to Magento 2 or another platform overall. Ian and Miguel, kicking it back to you guys, what are your thoughts on that overall? What’s the emphasis there?
IH: Yeah, I think that making the move to Magento 2 or another platform really isn’t a quick process, but like you mentioned, having a plan is extremely important. You’ve got operational things to take into account, you may have other systems that need to be integrated with that new solution or platform, so you need to account for compatibility issues, extension replacement, other things of that nature. So having a plan is definitely paramount.
MB: Yeah I completely agree. I would say, everybody should have a plan, and to be honest, I don’t like people staying on Magento 1 this long. The server is already at End of Life, and while it still works great and you might be making money, at some point you really need to consider a migration. And again, this is not just an upgrade or anything like that, this is a complete replatform. Whether that’s to Magento 2 or anything else you are considering, it’s going to be a complete replatform. And like Ian said, that will take time and resources. It might also mean that you need to build something from scratch, or reuse some of the stuff you had. But again, having a plan is extremely important. And while I understand that this is not the best time to break away from a site that works and that makes you money, at some point, everyone is going to stop supporting Magento 1, and you don’t want to be in that situation. That’s why you need to have a plan in advance.
HC: Absolutely. And again, we understand that Magento’s original timeline probably didn’t fit yours, if you’re watching this now, but as both Ian and Miguel have mentioned, you should definitely consider putting one together pretty soon. Because every day, third party extensions, customizations, could potentially break and cause issues down the line. Now Ian, quickly on the topic of migration to Magento 2, probably one of the most common questions we get over here is how long it will take? I’ve seen this answer vary widely from agency to agency. For the audience’s reference, if they’re asking Forix, what can they kind of reference in terms of a migration timeline, and what factors into that?
IH: Sure, I think it’s probably most helpful to break it down to low, medium, high or simple, middle ground, and complex in terms of timelines, since they’re all going to differ. So when we’re talking about timelines, it’s important to think about things on your site such as the amount of data that you have, so customers, gift cards, orders, things like that; the amount of third party integrations that you’ve got, so again some of those other ancillary systems I talked about or business systems; customization that you might have, whether it’s functionality or to your template; and then of course your server setup or architecture. Those are all things that play a part in understanding how complicated your migration might be. If we’re talking about a simple M1 site with little to no customizations, the timeline is probably going to look something like 3-6 months. And that’s accounting for safety precautions. People have a business to run and other things come up, right, so you have to be realistic about the amount of time that you can dedicate towards it. So 3-6 months on the simple side. A typical Magento 1 site with some customizations to it and a fair amount of extensions, you’re probably looking at about 6 months. And then on the high end or the complex side, for folks that have a lot of things going on, you’re looking at more like 6-9 months.
HC: Okay, those are good references for everyone, thank you. Moving on to the last major question I think we’ve encountered before, is that when we’re talking about staying on M1, a frequent question there is “How do I maintain PCI Compliance”? Ian and Miguel, what should a merchant do if PCI compliance is a concern for them?
MB: Yeah, PCI Compliance is a really complex thing, and I think that it shouldn’t be taken lightly. It’s an extremely interesting topic, we could talk forever about that, but in my opinion it should be a per case thing. Nobody should be following old advice, like “Oh you can be PCI compliant if you use Nexcess”; no, that’s never going to happen. PCI is really complicated, and if anybody here had more questions, feel free to reach out to me or to Ian, but I don’t think that anybody can say “Yes, you can be PCI compliant if you do this or that”. What do you think about this Ian?
IH: Yeah I agree, and you know we did discuss this a little bit ahead of time offline too. We’re both in a similar situation where we get asked this question a lot. But one of the things that people don’t really realize is that there’s a lot more to PCI compliance other than just your hosting platform or even just the Magento software. Having a group of people who can help advise on all of those different topics is really what it takes to be actually fully compliant. There’s a certain type of person out there called a QSA, who in the PCI compliance world can really help bring all these topics together and make sure that you’re covering all of your bases in that respect. So definitely some more conversation needed around that.
MB: Absolutely, I completely agree.
HC: And there you have it. As much as I wish we could give you a quick and short answer there, unfortunately we can’t. There’s quite a few things on M1 that realistically at this point, you just need to have a conversation to figure out where to go with it.
I’d just like to wrap this up, thank you for joining us here on this webinar here regarding M1. Miguel, any final thoughts you had for the audience here?
MB: Yeah, I would say that everybody should be considering a migration plan. And please, don’t leave the hosting part to the last. That’s going to be extremely problematic, and every day we see people asking us, “But I didn’t consider hosting”, and “I didn’t consider patch versions”, and “I didn’t consider PHP versions”, and that’s not a good idea. So if you’re planning to migrate, keep your hosting in mind. And if you are trying to stay on Magento 1, please be aware that this is a temporary security measure.
HC: And moving on, Ian, anything from your end?
IH: Yeah, I would just encourage folks to reach out with any questions that they have, or to have a conversation about it. I think that everyone’s situation is a little bit different, and there are of course a lot of different factors involved. So definitely feel free to reach out and that way we can have that conversation.
HC: Okay wonderful. Ian and Miguel, thank you again for being a part of this, and again we understand that every business has different needs and concerns when it comes to discussing extensions of their Magento 1 instance. If you’d like to have a more in-depth discussion about how either Nexcess or Forix can help you with your Magento 1 site, please give us a call or send a message. Again if you had any questions that you typed into the chat, we will get to those. Thank you again for joining us today and we will see you next time.
Staying on Magento 1 After End of Life?
Get in touch with the Magento experts at Forix to find the best ways to keep your M1 eCommerce site secure in a post-EOL environment.