Today is the 6th of June, and the Western world is celebrating D-Day.
However, a good portion of the e-commerce world is preparing for the 11th of June—another M-Day, when the latest Magento security patch lands on our digital beaches.
Adobe’s battle plan for securing the Magento front involves patch releases every two months. This round there will be patches for the following: 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9.
You might wonder:
Where Can I Find My Magento Version?
Your Magento version is shown in the bottom right corner of your admin panel.
If the footer of the admin panel has been customized and no longer shows the Magento version, you might need a developer’s help to determine which Magento version you are on.
Another “trick” is to navigate to your website’s URL and append “magento_version” to it, like so: “http://your_store.com/magento_version”. This will show you the version number but not the security patch number.
For example, the official Adobe extensions marketplace is on an older Magento 2.4 (Enterprise).
Where Can I Find My Magento Patch Version?
Your Magento security patch version is shown in the bottom right corner of your admin panel, together with the Magento version.
In the screenshot “2.4.2” indicates the Magento version and “-p1” stands for security patch 1.
If there is nothing after the three numbers indicating your Magento version, e.g. “ver. 1.2.3” with no “-p” suffix, it means your Magento has never been security patched.
Adobe’s versioning semantics (e.g. 2.4.5-p1) can be a bit confusing:
MAJOR.MINOR.PATCH-SECURITY PATCH
- MAJOR release – 2 (includes incompatible API changes)
- MINOR release – 2.4 (adds functionality in a backward compatible manner)
- PATCH release – 2.4.5 (adds backward compatible bug fixes)
- SECURITY PATCH release – 2.4.5-p1 (adds security bug fixes and security enhancements)
In my experience, “patch” is used to indicate the “security patches”.
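To make the MAJOR.MINOR.PATCH-pN scheme concrete, here is a small added example (my own code, not Adobe’s or Magento’s) that parses the version string you read off the admin footer and tells you how far behind the current security patch you are. The lookup table is constructed from the four patch versions listed at the top of this post; the “ver.” prefix handling and the status wording are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Latest security patch per supported line, taken from this post's June 2024
# list (2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9). Constructed lookup table;
# refresh it from Adobe's release schedule each patch round.
LATEST_SECURITY_PATCH = {"2.4.7": 1, "2.4.6": 6, "2.4.5": 8, "2.4.4": 9}

# MAJOR.MINOR.PATCH with an optional -pN security patch suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


@dataclass(frozen=True)
class MagentoVersion:
    major: int
    minor: int
    patch: int
    security_patch: Optional[int]  # None means no -pN suffix, i.e. never patched

    @classmethod
    def parse(cls, text: str) -> "MagentoVersion":
        # Accept the admin footer wording as well, e.g. "ver. 2.4.2-p1".
        cleaned = text.strip().removeprefix("ver.").strip()
        m = VERSION_RE.match(cleaned)
        if not m:
            raise ValueError(f"not a Magento version string: {text!r}")
        major, minor, patch, sp = m.groups()
        return cls(int(major), int(minor), int(patch), int(sp) if sp else None)

    @property
    def line(self) -> str:
        # The PATCH-level line a security patch belongs to, e.g. "2.4.5".
        return f"{self.major}.{self.minor}.{self.patch}"


def patch_status(text: str) -> str:
    """Classify an installed version against the latest security patch for its line."""
    v = MagentoVersion.parse(text)
    latest = LATEST_SECURITY_PATCH.get(v.line)
    if latest is None:
        return "no security patch in this round's list"
    if v.security_patch is None:
        return f"never patched; latest is {v.line}-p{latest}"
    if v.security_patch < latest:
        behind = latest - v.security_patch
        return f"behind by {behind} security patch(es); latest is {v.line}-p{latest}"
    return "current"
```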
Knowing where you are is only the first step… the next decision is:
When Should I Update Magento?
Generally speaking, it’s good to update frequently, just a couple of weeks after a patch is released.
But there is a difference between patching and version updating, so let’s have a look at what’s what.
Patching vs Updating
- Patches are fixes for specific bugs or vulnerabilities but, usually, don’t change the logic or features of a program. A patch update can usually be done on your staging website (not directly on production, no).
- Updates are more comprehensive and complex, and can improve, change, add or remove features and core functionalities. A version update is usually done by spinning off a development website, a clone of your current production website.
Version updates are generally more impactful than patch updates. Version updates might require you to update some or even all of your modules and extensions. Your development agency might be able to do it, but other times it’s just more cost-effective to re-buy modules that are no longer covered by a maintenance contract.
Adobe releases patches quite frequently, while updates are less frequent. See their calendar here: https://experienceleague.adobe.com/en/docs/commerce-operations/release/planning/schedule
How Long Should I Wait Before Patching or Updating, and Why?
Security patches are of paramount importance, and updating Magento frequently is undoubtedly the best and most cost-effective strategy.
However, having worked with some of the best developers in the industry, I am now convinced by their arguments for not immediately patching or updating.
Early adopters of an update or patch often end up doing a lot of testing inadvertently. These early adopters, especially those using the same extensions as you, will likely discover and report issues to the respective extension developers, who will then deliver fixes. This is why it might be worth waiting a couple of weeks before updating.
Still, do not postpone more than that. If your website is complex, or if you are a few versions behind the latest one, things can escalate.
The Spiral of Postponement
The more your Magento version lags behind the latest release, the harder it will be to update. You may need to re-purchase modules, update your tech stack (PHP, database, etc.), and conduct more thorough testing.
This is especially true if you continue using your Magento version past its End of Life (EOL) date. While your website won’t go offline, official patches will no longer be available.
As a result, your site will become increasingly vulnerable to attacks. Black hat hackers will become more adept at finding and exploiting outdated sites.
You’ll then need to spend resources on hot-fixing your website, such as adding layers of security that cost money and impact performance, potentially affecting conversions.
At this point, you’ll find yourself constantly dealing with security issues, making you even less inclined to undertake a major version update.
The Best Practice
- Schedule your patch update two weeks or so after the release of a new patch. If you don’t have ongoing work on staging, ask your developers to align your staging website with the production website. This will simplify your pre-deploy testing (UAT). Be aware that work on staging will be lost.
- Make a note of when your support runs out for extensions and modules. Ask your developers to update these modules before support expires. Managing updates for many modules can be challenging, as updates are often released incrementally.
- Schedule your version update before your version reaches its end of life.
The next one to be unsupported is 2.4.4, EOL in April 2025 (less than one year as I write this).
You can see the end of support calendar here: https://experienceleague.adobe.com/en/docs/commerce-operations/release/planning/lifecycle-policy
If I were you I would schedule a version update within one year from EOL as, with major works, you’ll discover that:
- your agency might need time to plan the work
- you might encounter major issues
- you might not have time to test
- etc
- When upgrading versions, do some research and discuss with your technology partner whether it might be better to move to the latest version that has already been security patched, so for example 2.4.7-p2 rather than 2.4.8. The presence of a security patch is a rough indicator that the version has been around long enough for the Magento ecosystem to have adopted it, and modules, extensions and integrations should work.