SUPEE-7405

In November, we published a blog post about the worst Magento patch that we’d come across to date – SUPEE-6788, known to some in our offices as “the website killer”. Applying this patch required significant work: in essence, Magento store owners needed to have us upgrade their extensions and store, and address all of the issues that can arise when conducting such upgrades. Other developers, like Shero, estimated that it “…took around 40 hours to complete” SUPEE-6788 patching and the related work. While our team has been averaging fewer hours for this patch, Magento developers as a whole reported very similar experiences. We hoped that, while this was a traumatic experience for the Magento community at large, we might start off 2016 on a better foot.

Unfortunately, SUPEE-7405, released in January 2016, has turned out to be another headache for many store owners. As our friends at Simple Helix posted a few weeks ago, this patch changed file permissions, making it impossible to do things like upload images through the admin successfully. Magento has since updated the patch (on February 23rd), requiring previously patched sites to be re-patched (lest they not be in good shape for future patches and upgrades). We’re glad that they addressed the issue, but we recognize the burden that this places on our customers, who bear the financial costs, and on our business, which needs to keep up with unexpected jumps in demand for patching and debugging for large numbers of clients.

While researching the 7405 patch, we uncovered an article from the team at Sucuri that shed some light on the history of the issue. It appears that the Sucuri team became aware of the security vulnerability through issues detected with their Cloud Firewall, and notified the Magento team. As many of our clients know, we’ve been recommending the Sucuri Malware Monitoring and Firewall system in many of our recent publications.

Furthermore, according to Sucuri’s article on the 7405 patch, websites using their firewall can be patched “virtually”, meaning that even if you don’t have the patch installed yet, you can potentially be protected. While not all vulnerabilities can be addressed virtually in this way, we highly recommend the Sucuri firewall product. At around $300 a year (the equivalent of about 2 hours of work by our team), it’s a great value, and it can offer huge savings by avoiding malware and other security concerns, detecting them early, and helping to address them. It’s also a really great opportunity for websites that are outdated and not compatible with the latest patches, or otherwise aren’t being as actively patched.

We’re still huge fans of the Magento eCommerce Platform for a great many reasons, including its great features, many extension options, and open source coding. At the same time, we’re continuing to help customers evaluate the best platform for their long-term needs. As the costs of building and maintaining a Magento website grow, our team is continuing to help assess other options for clients, such as startups and small businesses, and has been advising businesses accordingly.

-Robert Rand

