ShopSecurity - SUPEE security patches for Magento 1

How can I install missing security patches for Magento 1?

Please note: The information in this article refers exclusively to our ShopSecurity tool, which you can use to check your shop installations for known and potential security vulnerabilities.

We recommend that you have security updates installed by experienced Magento developers.

Magento closes security gaps in Magento 1 by releasing security patches (known as SUPEE patches) for all affected versions. It is therefore not necessary to update to new versions of the shop system, which also involve functional changes. Security patches for Magento 1 can be installed independently of the respective sub-version, although all previous patches should generally be installed before a newer patch can be used. Your ShopSecurity report shows the missing patches; it is not necessary to install old patches ‘on suspicion’.

Solution: Install missing security patches

  • Install all missing security patches. If your shop has been exposed to critical security vulnerabilities for a long time, also check whether they have been exploited.

  • Some security patches have been released multiple times and sometimes have an additional designation with a version number, such as ‘v2’. Check the availability of newer patch versions, e.g., in this patch directory on GitHub: https://github.com/brentwpeterson/magento-patches.

    Note: Since the end of official support for Magento 1 on June 30, 2020, there are no longer any official downloads of Magento from Adobe.

  • Check security patches in a staging or development environment before installing them on the production system.

  • Most security patches have special requirements, e.g., they must be installed after other patches or require certain shop settings to be enabled or disabled beforehand. Please always check the individual instructions for a patch before starting the installation.

  • Install security patches one at a time and make a separate backup before you start and after each patch, as well as performing the necessary functional tests after each patch.

Magento 1 security patches are often installed as follows

Note: This is the general procedure with the minimum necessary steps. In individual cases, a security patch may have additional special requirements or the procedure may differ. Before installation, check the notes for each individual security patch.

  1. Download the appropriate patch from Magento. For Magento Commerce (Open Source), you can find all patches on this page: https://www.magentocommerce.com/products/downloads/magento/.
    Click on ‘Release Archive’ and then search for the term ‘Magento Open Source Patches’ or the exact name of the patch you are looking for.

  2. Create a backup of your shop files and database.
  3. Put your shop into maintenance mode. This ensures that visitors to the shop will not see any error messages during installation.
  4. If you are using the Magento compiler, disable it before installing a patch.
  5. Transfer the patch to the root directory of your shop on your cluster and install it from an SSH session. To do this, change to the root directory of the shop and run the appropriate command for the file extension of the patch file.
    1. If the patch file has the extension .sh, use the following command to install it:
      /bin/bash Patch_Filename.sh
      Example:
      /bin/bash SUPEE_5344.sh
    2. If the patch file has the extension .patch, use the following command to install it:
      patch -p0 < Patch_Filename.patch
      Example:
      patch -p0 < SUPEE_11219.patch
  6. Check the installation output for error messages or anything unusual.
  7. Clear the shop cache and restart PHP in the Managed Center of your cluster.
  8. If you use a compiler, you must recompile your shop for the security patch to take effect. However, we recommend that you do not use the Magento compiler.
  9. Deactivate the shop's maintenance mode and check all important functions.
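
As an added example (not maxcluster's or Magento's own tooling), the bash function below wraps steps 3, 5 and 6: it sets Magento 1's maintenance.flag, picks the install command by file extension, dry-runs .patch files first, and treats error text in the output as a failure even when the exit code is zero. The function name, the log path and the error patterns are assumptions; backup, cache clearing, recompiling and leaving maintenance mode stay manual.

```shell
#!/usr/bin/env bash
# Added example. Usage: apply_supee_patch /path/to/shop-root SUPEE_5344.sh
# Returns 0 = applied cleanly, 1 = install reported problems, 2 = refused to run.

apply_supee_patch() {
    local root="$1" patchfile="$2" log rc=0

    # Refuse to run outside a Magento 1 root (app/Mage.php is the core class file).
    [ -f "$root/app/Mage.php" ] || { echo "not a Magento 1 root: $root" >&2; return 2; }
    [ -f "$root/$patchfile" ] || { echo "patch not in shop root: $patchfile" >&2; return 2; }
    case "$patchfile" in
        *.sh|*.patch) ;;
        *) echo "unsupported patch type: $patchfile" >&2; return 2 ;;
    esac

    log="$root/var/log/${patchfile}.install.log"   # hypothetical log location
    mkdir -p "$root/var/log"

    (
        cd "$root" || exit 2
        # Step 3: Magento 1 answers with a 503 page while this file exists.
        touch maintenance.flag
        case "$patchfile" in
            *.sh)
                /bin/bash "$patchfile" ;;
            *.patch)
                # Dry run first, so a patch that does not fit leaves no
                # half-patched files behind.
                patch -p0 --dry-run < "$patchfile" && patch -p0 < "$patchfile" ;;
        esac
    ) > "$log" 2>&1 || rc=$?

    # Step 6: a zero exit code is not enough; also look for rejected hunks
    # and error text in the captured output (patterns are an assumption).
    if [ "$rc" -ne 0 ] || grep -Eiq 'failed|rejected|\.rej|^error' "$log"; then
        echo "$patchfile did NOT apply cleanly, see $log" >&2
        return 1
    fi

    # maintenance.flag is left in place on purpose: steps 7 to 9 come first.
    echo "$patchfile applied, log: $log"
}
```

After a clean run, continue with steps 7 to 9 and remove maintenance.flag from the shop root only once the functional checks pass.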

Further recommendations

Magento 1 only received official security patches until June 2020. Although there are various efforts by third parties to continue providing Magento 1 with security patches or even other bug fixes, there is no empirical evidence for this yet. We therefore recommend that you always use an officially supported shop system such as Magento 2 or Shopware (6) when developing a new shop or relaunching an existing one.

For detailed information about Magento hosting at maxcluster, please visit maxcluster.de/en/magento-hosting

If you require any further assistance, please contact our support team by phone at +49 5251/414130 or by email at support@maxcluster.de