Why Patch? A Guide for Magento Users
December 15, 2017
“Patch” is software terminology for chunks of code installed on top of your software’s existing code in order to update the software with bug fixes and/or new features. Like a piece of cloth used to fix a hole in a garment, a software patch fixes the holes in your software.
As it pertains to Magento, a patch is a minor release of modified (or sometimes entirely new) core files that addresses security vulnerabilities and bugs only. Patches are released for all versions of Magento that are supported at the time of the patch release. For example, patch SUPEE-1533, released 10-3-14, is compatible with Magento 1.4 and higher, whereas patch SUPEE-10266, released 9-14-17, is compatible with Magento 1.5 and higher.
Every Magento version release includes a patch release for earlier versions, containing only the necessary security vulnerability and bug fixes. This allows users to continue running their current version of Magento while still being up to date with the latest security fixes. What the patch does not include are the new features built into the new Magento release.
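A quick way to see which of these patches a Magento 1 install actually records, as an added example that is not code from the original post or from Magento: the SUPEE patch scripts append a line to app/etc/applied.patches.list each time they run, so the script below pulls the patch IDs out of that file and reports which of a required set are missing. The file contents used here are constructed for the demo; the exact column layout of the real file, and the REVERTED marker used to recognise a patch that was later backed out, are assumptions, and the script relies only on the ID appearing somewhere on each line.

```shell
#!/bin/sh
# Added example: which SUPEE patches does this Magento 1 install record?
# Assumption: the Magento patch scripts append one line per run to
# app/etc/applied.patches.list, containing the patch ID, and a line with
# "REVERTED" when a patch is backed out. The column layout is not relied upon.

# Print the IDs whose most recent recorded action was an apply, one per line.
applied_patches() {
    list_file="$1"
    [ -f "$list_file" ] || return 0
    awk 'match($0, /SUPEE-[0-9]+/) {
             id = substr($0, RSTART, RLENGTH)
             # later lines win, so an apply followed by a revert ends as reverted
             state[id] = index($0, "REVERTED") ? "reverted" : "applied"
         }
         END { for (id in state) if (state[id] == "applied") print id }' "$list_file" | sort
}

# Print each required ID that is not applied; return 1 if any are missing.
missing_patches() {
    list_file="$1"; shift
    have=$(applied_patches "$list_file")
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$have" | grep -qx "$want"; then
            echo "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample list: SUPEE-1533 applied; SUPEE-10266 applied, then reverted.
write_sample_list() {
    cat > "$1" <<'EOF'
2014-10-03 12:00:00 UTC | SUPEE-1533 | CE_1.9.0.1 | v1 | demo
2017-09-14 09:00:00 UTC | SUPEE-10266 | CE_1.9.0.1 | v1 | demo
2017-09-15 10:00:00 UTC | SUPEE-10266 | CE_1.9.0.1 | v1 | demo | REVERTED
EOF
}

# Demo run; on a real site point it at <magento_root>/app/etc/applied.patches.list.
list=$(mktemp)
write_sample_list "$list"
echo "applied:"; applied_patches "$list"
echo "missing:"; missing_patches "$list" SUPEE-1533 SUPEE-10266 || echo "(install is not fully patched)"
rm -f "$list"
```

The required set is passed on the command line, so the same check can be dropped into a monitoring job with the list of patches your version should carry; an exit status of 1 means at least one is absent or was reverted.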
The only reason a client wouldn’t want to install a patch is if they would rather have their site upgraded to the latest version of Magento. This is actually recommended and preferred over installing a security patch, as the upgraded version includes new features, in addition to bug fixes.
Other comparable platforms (WordPress/WooCommerce, Magento 2.x) don’t provide a patch option but require users to upgrade every time a new version comes out (either that or remain vulnerable).
It’s worth noting that clients may not want a patch because their site has custom modified core files which conflict with patches. Storing custom code in core files (in any software) is a huge no-no, for this reason specifically. Software cannot be kept up to date in accordance with best practices if the core versions of the files have been modified. This is why Built Mighty audits new client sites for core modifications and cleans them up prior to the development of new features.
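One way to run the kind of core-modification audit described above, as an added example rather than Built Mighty's own tooling: hash every file in a pristine extract of the same Magento release, then re-check those hashes against the deployed tree and list anything modified, missing or added under the core directory. The directories, file names and contents below are constructed for the demo; the script assumes GNU coreutils (sha256sum) and paths without whitespace.

```shell
#!/bin/sh
# Added example, not code from the original post or from Built Mighty.
# Audit a Magento 1 install for modified core files by comparing it with a
# pristine extract of the same release. Assumptions: a clean copy of the same
# version is available to hash; sha256sum (GNU coreutils) is installed; paths
# contain no whitespace (awk splits the manifest on spaces).

# make_manifest <pristine_dir>: print "hash  ./relative/path" for every file.
make_manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2)
}

# core_changes <manifest_file> <install_dir>: print one line per difference as
# "<path> modified|missing|added". Returns 0 for a pristine tree, 1 otherwise.
core_changes() {
    manifest="$1"; install="$2"
    known=$(mktemp); present=$(mktemp); report=$(mktemp)
    # Re-check every hash in the manifest against the installed tree. With
    # --quiet only failures are printed; a missing file is reported by
    # sha256sum as "FAILED open or read", a changed one as "FAILED".
    (cd "$install" && sha256sum -c --quiet "$manifest" 2>/dev/null) |
        sed -n 's/: FAILED open or read$/ missing/p; s/: FAILED$/ modified/p' > "$report" || true
    # Files present in the install that the pristine manifest does not list,
    # i.e. code dropped into the core tree instead of a local code pool.
    awk '{print $2}' "$manifest" | LC_ALL=C sort > "$known"
    (cd "$install" && find . -type f | LC_ALL=C sort) > "$present"
    LC_ALL=C comm -13 "$known" "$present" | sed 's/$/ added/' >> "$report"
    cat "$report"
    rc=0; [ -s "$report" ] && rc=1
    rm -f "$known" "$present" "$report"
    return $rc
}

# Constructed demo: a tiny "pristine" tree and an "install" where one core
# file was edited in place, one was deleted and one stray file was added.
setup_demo() {
    root=$(mktemp -d)
    for tree in pristine install; do
        mkdir -p "$root/$tree/app/code/core/Mage/Core/Model" "$root/$tree/app/code/core/Mage/Core/Helper"
    done
    echo '<?php class Mage_Core_Model_App {}'   > "$root/pristine/app/code/core/Mage/Core/Model/App.php"
    echo '<?php class Mage_Core_Helper_Data {}' > "$root/pristine/app/code/core/Mage/Core/Helper/Data.php"
    echo '<?php class Mage_Core_Helper_Url {}'  > "$root/pristine/app/code/core/Mage/Core/Helper/Url.php"
    cp "$root/pristine/app/code/core/Mage/Core/Helper/Data.php" "$root/install/app/code/core/Mage/Core/Helper/"
    echo '<?php class Mage_Core_Model_App { /* edited in place */ }' > "$root/install/app/code/core/Mage/Core/Model/App.php"
    echo '<?php // should live under app/code/local instead' > "$root/install/app/code/core/Mage/Core/Custom.php"
    echo "$root"
}

# Demo run; on a real site hash the vendor tarball and point core_changes at
# the deployed document root (or just its app/code/core subtree).
root=$(setup_demo)
manifest=$(mktemp)
make_manifest "$root/pristine" > "$manifest"
if core_changes "$manifest" "$root/install"; then
    echo "no core modifications found"
else
    echo "core tree has been modified; review before patching"
fi
rm -rf "$root" "$manifest"
```

Running the manifest check before every patch turns the audit into a gate: a clean result means the patch will apply against the files it was written for, while any "modified" line is a file whose custom change must be moved out of the core tree or re-applied by hand afterwards.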
To put this simply, every time Magento releases a patch it is effectively also releasing instructions on how to break into any unpatched Magento build. The purpose of a patch is to close any unknown or unprotected entry points into your site. To do this, Magento publicly posts the necessary steps to find and secure these access points. Thus, anyone motivated enough to read code can very easily see every vulnerable point of entry into an unpatched Magento build. Not patching your site is like leaving your car doors unlocked. You might be fine, but anyone with a basic understanding of cars will be able to easily break into your car.
For starters, if a malicious entity is able to access your codebase, they could install ransomware (holding your site hostage), install data collection scripts or even access your site’s database credentials. Once they have access to those, they have access to all of the site’s sensitive data, including user emails, passwords, addresses, names, phone numbers, and potentially credit card information. This would be a breach of a number of privacy regulations and can get any site owner into trouble and put their customers at risk. Identity theft is a real threat that happens daily because of unpatched software.
In my opinion, successful patches should be pretty uneventful and kinda boring. The best results from patches are the results that you can’t see. Apart from a functional bug fix, a site owner would not notice a properly installed patch. Because patches aren’t that noticeable, many sites go unpatched until it’s too late and something really bad happens.
With the death of Magento 1.x comes the death of the standalone Magento patch. Magento 2.x does not offer patches for older versions of the software, but rather follows the example of its counterparts and requires a full upgrade whenever new bug fixes and features are released.