Magento SUPEE-8788 Security Patch
On October 11th, Magento put out a new Security Patch, known as SUPEE-8788. This patch addresses multiple security vulnerabilities that the Magento team has labeled “critical” in both Magento 1.x and 2.x websites.
As many of you know, some of the recent Magento patches were not particularly easy to apply. SUPEE-6788 required the upgrading of many Magento Extensions, and was particularly intensive and expensive to address. SUPEE-7405 caused issues that forced the Magento team to re-issue a “fixed” version of the patch. Magento has already re-released SUPEE-8788 after fixing issues, and we hope that it’s now finalized.
So far, our experiences with the 8788 patch are comparatively good. Both Magento 1.x and 2.x are taking to it well overall. Each site will react to this patch differently. It’s always possible that a particular site will need more labor to debug conflicts (especially with extensions and customizations) OR that the Magento team will put out another update to the patch, and sites will need to be re-patched accordingly.
Let us Handle Upgrading Your Magento Website
Aside from installing this patch, we can upgrade your Magento website from Magento CE version 220.127.116.11 to Magento 1.9.3 (which includes this latest security patch and other updates). The additional updates, above and beyond the security patch, add to the likelihood of compatibility issues. While we recommend updating your Magento software, we understand this may not be cost effective for some businesses. You may choose to have the security patch installed without upgrading your Magento version.
If you’re still on an even older version of Magento, please be aware that your upgrade would be expected to need more labor than an upgrade from the more recent 18.104.22.168. Magento is still putting out some stability / compatibility tweaks for 1.9.3, so we will not be upgrading to 1.9.3 just yet, as per Magento’s own recommendations. They plan to release 22.214.171.124 in a few days (“this week”). We can, however, apply the SUPEE-8788 patch in the meantime.
Unless otherwise specified, Rand’s team will patch or upgrade your website on a development copy of your site. This is an environment where you and any other vendors can test the site before patches or upgrades are pushed live, where shoppers would be affected. This helps us to address issues “behind the scenes”. Our existing retainer clients will be given priority, on a first-come, first-served basis.
Known Issues With SUPEE-8788
Hosting Compatibility Issues
If your hosting account is on a server using a version of PHP that pre-dates PHP 5.6, this patch is likely to cause major issues for your website.
As part of the upgrade, we will be checking your PHP version. If you’re on an older version, we will notify you to discuss how you’d like us to proceed. Your host can upgrade your hosting account to utilize a newer version of PHP, but your site (i.e. theme, extensions, and customizations) may react negatively to the new version, and this may require debugging.
As our Dev servers are using PHP 5.6 and above, there’s a good chance that your site has already been tested with a newer version of PHP (or certainly would be tested during any patching / upgrading). The good news is that newer versions of PHP are more efficient, which can lead to faster loading times and other benefits. If you need us to work with your host on upgrading PHP versions, you may need a bit more time than other sites to get through the patching process.
If you’re using Unirgy’s uRapidFlow extension, we’ll need to patch uRapidFlow before installing SUPEE-8788. As a result, your patching will probably take a bit more labor than some.
Putting Off The Patch For Later
If you elect to hold off on having this patch installed, please be aware that your site will continue to have known security holes. You may want to consider deploying an extra software firewall as an additional security measure.
We recommend Sucuri.net’s pro plan, with firewall and website monitoring services. While this firewall won’t necessarily provide you with the same protection from vulnerabilities as the patch, Sucuri’s team has historically been able to protect against many Magento vulnerabilities “virtually”.
Sucuri’s pro plan costs $19.99 per month, per website, and we recommend it for all Magento websites, regardless of patches or upgrades. Additionally, there are other systems on the market, like 6scan.com, SiteLock.com, Centrora.com, and SiteGuarding.com, that offer similar services.