We've been fielding many phone calls from merchants and agencies around Magento 1's end of life date and it all circles back to some statements made around Magento 2 and the implication that would have on Magento 1.
Magento Imagine announces Magento 2
It is Magento Imagine 2015, and Magento 2 is starting to look like a finished product. Timelines are in place and being met, release candidates and merchant betas are in the pipeline and everything is set for a November 2015 launch.
But with the Magento 2 announcement was a message,
“Magento 1 will continue to be supported for 3 years following the release of Magento 2”
This was a message repeated many times by Magento officials and everyone was made aware that there was security update shelf life on Magento 1 and it would kick in at November 2018. Fast forward a few years and its mid-2017 - and the widely spread message was still that Magento 1 security updates were due to expire in November 2018; a topic never challenged by any member of Magento staff - quite the opposite, everyone was in agreement that November 2018 was the deadline. Or were they?
How important are Magento security updates?
Very and not very much. Okay, let me give some context.
Security is paramount, its the single-most important thing about operating an e-commerce store; it is your sworn duty to protect your customers and their information. When a security update is available, be it for your server or your store - it should be applied immediately, without delay - the longer you wait, the greater the chance of a compromise.
So why would I suggest it isn't important? Or at least, why would this supposed November 2018 deadline ultimately not carry the fear and significance it should do. Well, I'll hand over to Magento to explain this:
|Magento 1 is released||...||SUPEE-1533 is released||...|
Almost 6 years passed (bear in mind, Magento 1 is only 9 years old) before the first official security patch was released. I believe the bug bounty program that drove this was initiated in March 2014 and the first security update was brought in in October 2014. For almost two thirds of Magento's life, it never saw a single security patch.
Launching the bug bounty program was an excellent decision by Magento and really drew focus on an area that simply had been neglected, but it does hit home that every Magento store in the world happily operated, in the absence of any official security updates for 6 years. So it really brings the November 2018 deadline into focus, what does it actually mean.
Running a Magento 1 store past November 2018
Magento 1, provided no new security vulnerabilities are disclosed will continue to be a viable, secure and successful e-commerce platform.
But more to the point, if new security vulnerabilities are to be found - then it is quite likely that the community that will find them. Every security patch that you have enjoyed as a store-owner has been the labour of talented, hard-working researchers like Peter O'Callaghan, Erik Wohllebe, Marc-Alexandre Montpas and even our very own Ben Lessani.
Taking an example, SUPEE-7405. Over 20 vulnerabilities were found and fixed, 1 by Magento internal staff, 2 by Magento merchants, and 17 by the community as a whole; that's 85% of the security updates fed by the community for this patch.
This ultimately paves the way and starts to cement the legitimacy of Magento 1 LTS (Long Term Support), known as OpenMage. A community sponsored venture spearheaded by Lee Saferite, David Robinson and Daniel Fahlke. There's real potential for security fixes to continue to be found and fed into this community driven and supported fork - especially if large Magento service providers (Sonassi included) sponsor a bug bounty program.
Enough enough. What does this mean for Magento 1
Well. The answer to that is quite simple, the official word is,
“Magento will continue to support Magento 1 for the foreseeable future with at least 18 months notice when that changes”
So if you are using Magento 1, my honest advice is sit back, keep making money from your store and enjoy the investment you have made in a stable, reliable and secure e-commerce platform.
The average Magento 2 build time has been dropping as competency and familiarity improve; where the early movers saw around 12 month lead time for project completion and now agencies are closer to 6 months for delivery. Also consider the clear advantage of adopting Magento 2 when all the initial teething issues have been resolved.
This allows plenty of time to continue to operate and use Magento 1 - be it Enterprise Edition or Community Edition right up until the point where Magento do officially decide to cease security updates, knowing you'll have an 18 month window to start your Magento 2 migration.
Read Alan Storm's view on Magento 1 and Andreas von Studnitz's view on Magento 1