The Importance Of Magento Version And Security Updates

How well does your current website scores on security?
Give it a free test by writing your site’s address here:


if your site comes out with a really bad score like a Zero, or even a negative score. The following analogy might help you understand why..

Magento Version And Security Updates

While you may have several excellent security measures in place already from previous version updates and security patches. What does it matter if you have the very best lock on your door… if there is a gaping hole in the wall of your house and people can just walk in… That’s a very common situation in website and e-commerce security.

Simply being up to date on the Magento version, without doing any additional security work, can typically give about a 50% mark on this test.

And you can reach a higher % by implementing additional security measures.

Historically, Magento version 1 had both security patches and version updates. You could install a security patch without doing a full version update.

Magento 2 has changed how this works, you have to do a version updates each time, and this does include all the security patches.

If your site’s version is outdated, it will have security flaws.

I did notice a “world view distortion” when discussing the topic of website security and version updates with many entrepreneurs.

Most people who did live the experience of having their website hacked or infected with a Malware need little convincing on this topic and implement all security measures promptly.

And many (but not all) of those who didn’t live that nightmare, tend to often neglect it and often failt to grasp how truly important this is.

Not everyone gets hacked, but in the 12 years I’ve been creating websites for our company, the longest neglect period I’ve seen for someone with a CMS like Magento or WordPress of not doing security updates and getting away with it… for a while… was 3 years. Then he too got hacked, after being 3 years behind on security updates. While theoretically you could be hacked on “day zero” (the first day) an exploits/security vulnerability is discovered and published public, this very rarely ever happen for Magento websites. However, someone neglecting their security updates for a year… is definitely courting serious trouble. While the sooner, the better, version updates should be done at least once per business quarter (every three months) to be considered a responsible pace of keeping up with technological changes and known security flaws.

How easy is it to update the Magento version?

Quite easy.

A command line and it’s done. 5 Minutes.

Nevertheless, the complication arrives if your extensions or plugins, or code customization is not compatible with the new version, then sections of the website might break.

Another possible complication, which does not happen at every version update, is a structural change in the architecture of Magento itself. For example, from Magento 2.2 to 2.3, the location of the file index.php was changed to be put in a subfolder. (This specific issues is well documented on the web and is discussed on this forum: ) A site updating from 2.2 to 2.3 must be reconfigured after the update, without this configuration update, the newly updated site breaks.
Let’s go back to the first possible complication: the plugins. It is frequent when a new version is released that the plugins are not there yet and need some time to catch up. The most reputable and larger Magento extension makers, typically have their plugin ready for the new version on the day it comes out, or in the next few days / the upcoming week. Smaller Magento extension makers sometimes need months to catch up which can be a problem, and a specific plugin can prevent doing the update to the latest version. Then we either wait for the plugin maker to publish a compatible update, or replace the plugin by a better one, or we do the update anyway and create our own patch for the plugin (a plugin to modify a plugin) : such as situation is far from ideal as it’s spending money to do a quick fix that the developer of the plugin might offer for free later, it should only be done if it is really urgent to update for some business reasons. (Moral of this story, sometimes buying a plugin just a few $ more, say 50$ more expensive, but from a reputable plugin maker can save a lot of and costs trouble down the road.)

Therefore the workflow is to :

  1. Make the version update on a development copy of the website (never on the live website!)
  2. To inspect what broke (if anything). If all looks good then we do a full round of quality control. We use a post version update quality control checklist. Otherwise, we go to step#3:
  3. Fix any problems found and once the dev copy is ready:
  4. Have the client/owner of the site, review and approve the copy.
  5. Then the upgrade is pushed to the live website.

With this workflow, a version update can take as much as a day of work. Depending on the problems encountered. This workflow guarantees you won’t have problems on the live copy of your website while staying up to date on the latest security/version updates.

If you would like our assistance or Magento support to update your Magento version, remove malware, virus, have a security audit, or have other security measures added on your Magento e-commerce website, we invite you not to hesitate to contact us; we look forward to having a chat with you 🙂

Interested in our content?

Subscribe to our newsletter to get notified when we release a new podcast episode or new blog post.

At Mage Montreal, we strive to offer our clients affordable, top-notch services that are tailored to their individual needs. Our team of certified Magento developers are experienced and devoted to helping our clients accomplish their goals. Get in touch with us today to learn more about how our services can benefit your online business.

Magento in Montreal
Interested in our content?

Subscribe to our newsletter to get notified when we release a new podcast episode or new blog post.