It’s a bird… It’s a plane… It’s SUPEE-6788!
The 5th Magento security patch of 2015 has arrived, much to the chagrin of Magento developers and website owners. We’re of course glad to see Magento providing protection against vulnerabilities that have been discovered and are still huge fans of Magento Community & Enterprise. While the first four security patches of the year were certainly disruptive, they were relatively easy to integrate, and caused relatively minimal disruption to websites and to our production flow as an agency.
SUPEE-6788 may not be from Krypton, but it’s not like most other security patches either. It comes with a warning from Magento: “Important! This patch breaks backward compatibility, and can impact extensions and customizations.” It also comes right before the holiday shopping season.
For website owners, this means that in order to protect your site against these now published and known vulnerabilities, you will likely need to perform other upgrades, including updating Magento extensions to be compatible. In a best-case scenario, this patch should be applied to a development / staging copy of your site once the relevant software has been brought up to date, and then this extra copy of your site should be tested before going live with the changes. Applying the patch directly to a live website with incompatible software and extensions can easily cause noticeable problems and failures in a Magento site.
Some extension developers, like Amasty, have offered free patches for their extensions, posting “PLEASE NOTE THAT UPDATES FOR SUPEE-6788 COMPATIBILITY ARE DELIVERED FOR FREE” on their website. Some extension developers may charge for the updates, or in some cases, may not have an update to make an extension compatible with the SUPEE-6788 patch at all.
Hosts that are used to automatically patching sites in order to protect their overall hosting servers and infrastructure may need a change of course as well. Patching live sites without proper preparation can create problems that will hurt or stop sales.
For agencies like Rand Marketing, this means that we’ll be reaching out to our active retainer customers individually regarding addressing this upgrade in the busiest time of year, and scheduling accordingly. Between the holiday rush, and SUPEE-6788, we expect our production queue to be booked to capacity for weeks to come. New development requests may be delayed accordingly, such as any new requests to add extensions or customizations to existing Magento websites.
In addition to this patch, we do recommend bringing on a 3rd party security platform, such as Sucuri.net or SiteLock, to watch your site for intrusion and help with any security issues that may arise. This is a general recommendation to all Rand customers, whether on Magento, WordPress, or other popular website platforms. Much like an alarm system or a business insurance policy, an extra layer of security can be extremely valuable.
– Robert Rand