The following is a condensed, edited version of a recorded interview from June 25, 2020.
The full recorded version can be heard on our podcast ‘In the Ring’.
We’re going to discuss Magento – more specifically, the Magento Commerce One ‘End of Life’, which will occur on June 30th, 2020.
At that time, support will end for the product. It will still function, but at greater risk, because past that date, the software won’t be updated or patched by Adobe. This has caused some controversy in the Magento community, as well as opened up opportunities for developers and agencies to help merchants to migrate either to Magento 2 or off of Magento completely.
To break this all down for us, we have SUMO Heavy Co-founder and CTO, Bob Brodie, and SUMO Heavy Co-founder and CEO, Bart Mroz.
We were there in San Francisco in 2015 when the highly anticipated Magento 2 was released. Merchants and developers were made aware that it would only be a matter of time before Magento 1 became obsolete.
Magento gave an end date of November of 2018. Why did that date slide and what has happened since then?
Bob Brodie: Nobody was really ready and neither was the product. I don’t think very many people were comfortable with it back then.
John Suder: Fast forward to 2020: Where is Magento 2 at this point?
Bob Brodie: I think that for a lot of people, it’s not quite there yet. There are a lot of regressions between releases. There are a ton of bugs, so many people really aren’t comfortable leaving something that’s been stable for a number of years now, for something that could be slower or less stable.
It’s a different experience for people in terms of how the product works and is developed for. With a lot of other products moving towards single-page apps and microservices, it feels big to put into place. There’s a lot more annotated-driven magic than there used to be with some of the underlying frameworks. There have also been architectural decisions that many disagree with, such as the frontend pipeline implementation, modules lacking proper isolation, and numerous libraries that have been losing popularity for years. Overall, a lot of it’s just not there yet.
John Suder: It sounds like there’s a hesitation from the community writ large to even switch to Magento 2. So what have merchants been doing? Have they just been holding on and crossing their fingers and hoping maybe the date would slide? What’s been the attitude?
Bob Brodie: From what we’ve seen, most people, including us, are putting new projects on Magento 2. To start a new project, it’s the right thing to do if Magento fits their needs. Regarding switching, we’ve seen it go a number of ways. Some are seeing it as an opportunity to re-platform.
We see a number of sites re-evaluating what their needs are. I think that with a really solid team, you can make a lot of other platforms do the core things that you need from Magento and even some of the more spectacular features such as the promotion engine, which has been great forever.
A lot of times we see people not upgrading because they don’t have the team, which is one way that we help our clients. The other is that they’re switching to another platform: Shopify, Big Commerce, or something else altogether – or they’re taking it in house. 10 years ago, with open source eCommerce platforms in their infancy, talking about building your own in-house eCommerce platform was frowned upon.
Anybody that said that was looked at as if they didn’t know what they were doing, and people rarely thought it was a good idea. It’s just become so easy now, that between the tools that we have on the infrastructural side, like Ansible and Kubernetes, or other orchestration platforms combined with how many frameworks that are now available for any language. Whether you want to do it in Node or PHP or Rails or Java or .NET, they can all work for you depending on your requirements.
It’s gotten much simpler than it used to be with just a framework to build something around your own needs. We see a lot of people going that way. They have control over their infrastructure, security, and feature set by building only the things they need. By spreading the security and scaling out across different services they can save a lot of headaches.
And so that’s the third batch of people that we see is just people taking it in house and building their own platform, migrating off of other platforms altogether.
John Suder: So either way, it presents a good opportunity for developers and agencies, but what does this mean for Magento itself? Do you see Magento adoption declining?
Bob Brodie: With all that’s been said with it not being quite there yet for a lot of folks, there are plenty out there that it is ready. It’s definitely not the ‘one-off, install it and run it’, and be a small shop that installs a bunch of marketing modules, like it was for some Magento 1 shops. PHP was a different world back then.
There’s a lot more to it today, it’s a good product. I think they’ve done a lot of interesting things and they’re keeping up with some aspects of new technology. But, if we look back at Magento 1, it didn’t really hit its stride until Magento 1.4 came out, that was kind of the beginning of its stability.
We all know that up through 1.3 was kind of a mess and a lot of standards were changing. And so, they started to implement a lot more standardization in 1.4. And then once 1.6 hit that’s where things got really comfortable. From 1.6 through 1.9, things have been really stable.
The community has been wonderful at pushing and submitting patches. If you’re a site that does under $10 million a year, under $20 million a year, and you’re on Magento 1, it’s going to be, in many cases, a lot less expensive to stay on what you have, figure out the security issues at hand, and invest later when you have time.
I think there’s a lot of misinformation out there about Magento 1. A lot of misinformation and scare tactics.
John Suder: What we’ve heard is that it may have been a little over-hyped, but also there’s this hard deadline. Some might ask ‘What does this mean for us?’
Can you break it down – what does it actually mean after June 30th?
Bob Brodie: After June 30th, Adobe’s no longer committed to patching Magento 1. They’re going to continue to patch Magento 2, with 2.3 and 2.4 in scope at the moment. Magento 2.2 had its final patch, so 2.0, 2.1, and 2.2 fall into a similar bucket as Magento 1.
So what we’ll talk about is kind of ‘what does that mean?’ At a deeper level, Adobe is not writing patches for Magento 1.x, 2.0, 2.1, or 2.2 anymore.
If we take a look at the patches historically, they have for a long time been submitted from the community. I think there was a patch that came out on Monday that was also from somebody in the community. Where the fear comes in is there’s part of PCI – requirement 6.2.
This rule says your software has to be patched by the vendor.
With Magento, who is the vendor on an open-source product? Is it who owns the trademark? Is it who has committed to it? Is it…everyone? Is it yourself when you install it? And that’s the part I think a lot of people have gotten hung up on because it’s open to interpretation on a case by case basis. Now the question becomes ‘how do we get patched?’ If in order to stay PCI compliant, you have to patch vulnerabilities when you find them, what can you do?
Obviously, if there are CVEs out in the wild, they need to be taken care of. But who can be that acting vendor? Could it be yourself since you were running and owning the product, at least the open-source parts of it? Are you able to keep running it and keep it patched? And what does that involve? So part of that will be constantly monitoring your code with various tools. There are static analysis tools, and there are tools to find vulnerabilities. But a part of it will be PCI scanning, penetration testing, and vulnerability scanning. Going through third-party modules, as well as the core and looking for things that people are exploiting. If you become exploited, it’s important to find out how they got in and what that root cause is. We can’t say what the right option is for everyone – we are not lawyers, these are not recommendations, but we can say what people are talking about and if you have specific questions please always feel free to reach out.
One option that some people are taking is to patch everything themselves, having vulnerability scanners, threat detection, penetration testing, and are continually going through all their core, first-, and third-party modules and looking for vulnerabilities, monitoring their traffic to see who’s getting through, who’s getting blocked, and taking a proactive approach.
Another approach is that some vendors have gotten together and are getting the community together to support patching Magento 1. One of them is Mage One.
Mage One looks to be a commercially supported solution supported by a number of partners like Webscale, who has created impressive scaling technology. They’re great guys. We know them. One-step checkout is supporting it. Jet Rails, a hosting company is supporting it.
There are a number of folks from agencies, payment providers, different SAAS products, and module providers supporting these efforts. There are a lot of people that built their businesses around Magento 1 as partners, and there are still going to be people to support it. So, that’s one of the companies that are out there and it looks to be a commercial product. We haven’t investigated too deeply into Mage One yet because we’re following Open Mage.
John Suder: This all sounds like great solutions for someone who wishes to stay on Magento 1, but at what point does all of this patching and monitoring become cost-prohibitive?
Bob Brodie: Let’s talk about the other one real quick: Open Mage, which is not a commercial solution. It’s essentially a long term support fork of Magento that also has partners behind it. It’s gotten a lot of traction and has a new website. One of their goals is to have a composer installable version of Magento 1 that is patched by the community. We’ll see patches flow through there, which will be really interesting.
But what does it all mean? Should you stay on Magento 1 forever? I don’t think anybody’s recommending that, including us. The bigger your site is, or the more it took to build your site, and the more data and customization you have, the more expensive it’s going to be to migrate. If you have invested $800,000 into tech for your site, and that included all the front end work, the backend work, modules, integrations, and services, and that was your initial cost, it may not be much different with Magento 2. It’s certainly not a simpler solution to work on and nothing ports over, it’s not an upgrade. That’s something that is hard to deal with, reinvesting for little functional benefit.
So what does that mean?
It means that you should think about migrating. PHP has new versions more quickly than they used to back in the day, and vendors are going to keep up with those. We are going to run into that eventually, where core third-party libraries won’t be patched and will become a significant lift to support new versions of PHP.
Even though your core will be patched, there’s that level of ‘when does that cost outweigh it’? And I think that really all that’s going on here is that people are going to be able to buy some time, but that’s about it. It’ll end up either turning into another product or people are all really going to move away from it. And the ones that will be left are the ones supporting themselves. So it’s definitely time to investigate. What I’m hoping is, personally, that there’s enough support until another version or two of Magento 2 are released.
So maybe it will be a viable crutch until 2.4 or 2.5, or if it is supported long enough, maybe 2.6, because we are starting to see more stability. Upgrades are becoming smoother, and regressions are becoming fewer. But still, there’s a lot of work to do. If enough people support Magento 1 for the next couple of releases of Magento 2, I think that’ll give people enough time to make sure they’re really comfortable moving, where they have the cash to move, and they’re moving on to a stable product with a larger feature set.
John Suder: What do you see on the horizon? These people who hang on to Magento 1, the merchants that are just saying, ‘you know what, we’re good now’, but how long do you think they have?
Bob Brodie: It’s hard to say because it really depends on their team. Do they have an internal or an external team? How good is their documentation? How well have they tracked their business logic? Somebody who’s been using JIRA or Basecamp or any other good project management system for the lifetime of their site and a site that has good feature documentation and well-written code, they’ll spend less money moving over to Magento 2, than someone who didn’t keep any of that or someone who just kind of built on their servers as they went along. There are so many different cases out there and it’s really surprising how many sites are still around – the old school way of having their files on an FTP server and they just send files on up to it as they make changes, where they work right on the surface. There’s still a lot of that. And not all those sites are small. So it really depends.
I think that the time to start migrating is probably today, if you haven’t already. All of this that’s happening is kind of a holdover except for very special cases. And there’s another aspect to the nuance of it too because all of this stemmed from Visa and PayPal saying you’re no longer PCI compliant if you stay on Magento 1, because of that 6.2 language. There’s a lot of nuance here. We need to think about all the different levels and types of PCI. We need to take into consideration PCI compliance offset, and some of the companies that are out there that help you do that, like Spreedly. We need to think about embedded payment forms. And so if you have enough security on your end to mitigate attackers from manipulating forms that are injected, how does that affect your 6.2 requirement? Does that offset some of that over to that vendor?
There are a lot of questions – and we can’t give explicit advice on what to do or what not to do.
Something that will never hurt is to talk to your payment provider or your QSA, ASV, or whatever partner you have at your payment gateway or at Visa or at your bank. We recommend that you talk to whoever you’re the closest with to really talk through that and get to the right people. It doesn’t hurt to ask. We’ve heard from people that are not worried because they’re using embedded payment forms, hosted payment forms from gateways that are flowing through Spreedly or Braintree or various solutions that are out there.
There’s a lot of nuance to whether you’re PCI compliant or not. I think there was a bit of irresponsibility with the marketing that was happening. And a lot of that is all the marketing specifically mentioned Magento 1. All of the marketing really focused on Magento 1 ‘End of Life’, but what it didn’t really focus on was Magento 2, as a whole.
It’s irresponsible of everyone who’s been pointing out that someone’s not going to be PCI compliant on Magento 1 because of ‘End of Life’ because it’s not going to receive patches — and not giving that same amount of energy into the ‘End of Life’ Magento 2 products that no longer receive patches like Magento 2.0, 2.1, and 2.2. I think that was really frustrating for a lot of people in the community. It led to a lot of conversations that really weren’t necessary. If someone is calling out Magento 1 as being not PCI compliant because it’s not being patched, then they should be calling out other Magento products that are not patched such as the early versions of 2.x. That’s just part of lifecycle management.
John Suder: I think a lot of people might not realize which versions of Magento 2 are not being supported at this point.
Bob Brodie: 2.0, 2.1, and 2.2. I don’t remember the day, but it was fairly recently. That’s where it got really interesting.
If you look at the Magento partner site – we don’t need to talk about who it is and who it isn’t – there are certainly sites listed as Magento 2 on the Magento partner site by Magento partners that are either on unpatched Magento 2 versions or are not Magento at all. Whether these sites are actively managed by those partners or not, the partners did not remove those sites from the Magento partner site.
Some of those sites are running on not just Enterprise versions of 2.2 or earlier, but also Community versions of 2.2 and earlier. So it’s not responsible for Magento partners to only call out Magento 1 merchants and service providers because the product is ‘End of Life’ when those same partners have sites listed on the Magento partner site that are running on versions which are no longer patched.
Bart Mroz: Yeah, they have some partnership inside of whatever the Magento thing is. But PayPal was sending out tons of marketing.
Bob Brodie: So Magento and Loan Builder, which is a PayPal company, came up with a Magento loan to get people to move from Magento 1 to Magento 2.
PayPal also was one of the ‘End of Life’ marketing that went out.
John Suder: What is the value for PayPal besides making money on the loans? Is it a security issue or were they just being opportunistic?
Bob Brodie: I don’t know that we can say that, obviously we don’t want to blame anybody for anything. If we look at the different events that happened, we know that Magento and Loan Builder have a partnership for people to get loans to move to Magento 2. We also know that PayPal has a Magento ‘End of Life’ announcement out that calls out June 30th and they talk about the consequences of not migrating. They call out requirement 6.2 of PCI, and so those are two pieces of info that we have. We have the partnership between Magento and Loan Builder to get folks loans to move to Magento 2. We also have the article on their site, where they call out Magento 1 being at ‘End of Life’, and that it can affect your PCI compliance.
But then if we look on PayPal’s site, there’s an article that says: ‘How do I integrate PayPal checkout with Magento 2.0’. My question to them, and this has been asked in a number of places, is if PayPal is partnering with Magento through Loan Builder, and PayPal is calling out the Magento 1 ‘End of Life’ announcement and how it affects PCI, then why is their documentation still referencing Magento 2.0, a version of Magento that is no longer patched, just like Magento 1, and not saying anywhere on that page, that it’s out of patch releases just as they do on their Magento 1 page?
So there’s a lot of misinformation and miscommunication. I’m sure that it’s all unintentional and a lot of it is just folks making sure that companies like PayPal have no choice but to put these announcements up because they get mandated by the banks above them.
Visa and PayPal, just like the shop owner, need to conform to PCI rules, and other companies like PayPal need to comply with specific PCI rules as well. And posting about ‘End of Life’ announcements gets that information out there. It’s very similar to what Visa put out there. The concerning part is that they’re so quick to do this at the same time that all of these announcements went out, all of these sites made sure to update their pages, all the partners aren’t talking about it – yet we have the same company talking about integrating with Magento 2.0 and not pointing out that it’s out of patch release. It’s really frustrating. And if you, just to compare that – we have ‘How do I integrate PayPal checkout with Magento 2.0’ with no information about 2.0, 2.1, and 2.2 being out of patch cycle? If you go to the PayPal page, ‘How do I integrate checkout with Community Edition? 1.7 X thru 1.9 X’, right under the title is a gray box that says the ‘Magento One platform is deprecated as of June 30th, 2020. For new integrations, please see Magento Commerce Two’.
So it’s just really frustrating that everyone is really quick to jump on everybody that’s running Magento 1, but none of the partners, payment gateways, or anyone else involved with Magento 2 at any partner level are talking about the versions of Magento 2 that are no longer going to receive patches.
Bart Mroz: It looks like it’s just a big push to move everybody to Magento 2, which is understandable. But I think that the tactic is just interesting and not really how it should be done, which is crazy and I think that’s why people looked at, you know, a while back when Magento was announcing 2, ‘Do we make enough money to actually support going to a new to re-platform to this platform? Or could we go somewhere else?’
I think that Shopify got a lot of people off of Magento, put it on Shopify and Shopify Plus, also Big Commerce played in that world, but it definitely has changed as sort of the market for each platform.
John Suder: So you think that the competitors have used that as a marketing advantage? Magento doubled down and said, ‘You’ve got to move to Magento 2’ or what? It appears everyone was being a little opportunistic here. Am I reading that right?
Bob Brodie: I think once other vendors caught on that Magento wanted Magento 2 as a re-platform, I think that’s where everybody really started to jump in. It’s fascinating to me how partners never clean up their clients that they have listed on there. You will certainly come across ones that are Shopify.
It’s interesting that if you go on and you’re a company that’s looking for a Magento partner, find that when you like you click a site and end up on Shopify, call them up and tell them how great it is and they sell you on Shopify? That’s how much attention people give to the partner portal nowadays.
Bart Mroz: Which is true, but we’ve seen this and we’ve had this happen to us too, where a client goes from one to another, and everybody has that logo on there. Nobody really cleans it up, which is interesting itself.
If you were on Magento One right now as a retailer, and it’s coming up to ‘End of Life’, what do you think a retailer should do?
Bob Brodie: I think what I would recommend if you’re still on Magento 1 and aren’t going to make the cutoff, you need to figure out at least what your options are.
I think the most important thing to look at will be your payment solution.
If your payment solution is a direct integration versus a hosted form, that’ll be really important. Are you doing your quarterly PCI scans or monthly PCI scans or whatever ongoing scans you need to do? Do you have static code analysis in place? Do you have any tools that can help you find vulnerabilities? There are a number of tools. Do you have monitoring and alerting set up and what’s your observability look like? There are some great security tools out there from the community that are keeping a list.
So the biggest thing you can focus on, and the most important thing you can focus on is the security of your customers, the security of your data, and security of your payment solution. Two tools that look really interesting are MageReport, which everybody that doesn’t know about it should know about it, we use that all the time, it’s from Hypernode. It’s very cool. SanSec, I have not used, but it also looks very interesting and I think we’re going to have some of our clients look into that as well who might not be quite ready for a move.
John Suder: Let’s swing over to the client-side. Bart, what’s been the temperature with clients and potential clients, are they clamoring to get off of Magento 1? Do you have to do a sales job to try to get them to move away?
Bart Mroz: Last year we got a few potential clients that wanted to move over to M2, especially the clients that have Enterprise licenses or the cloud version of Magento. These clients were told to move over by their agencies because that is the next step.
When we bring it up in a sales conversation, we ask them a whole bunch of questions: Does Magento Enterprise make sense? Would the open-source version of it work? Does it from a business perspective? Is Magento the right fit for you? And has it been? We don’t lead just on the platform first. We lead with the business first, meaning, what is the business going to do?
What does everything fit for you? We’ve seen clients that do very well on Shopify and then we see clients that do very well on Magento and everything in between.
John Suder: Are there clients that approach and say, ‘I insist on being Magento 1’, do you have to have the ‘hard talk’ with them?
Bart Mroz: We haven’t had a lot of them. I think one of our clients is still going to stick with it because it makes sense for them. Lately, a lot more clients have been coming to us with Shopify Plus asking about it more than anything else, like potential clients, which is interesting in the industry itself.
John Suder: How much is Shopify Plus eroding the market share of Magento? Is that something you guys see or are we just looking at two different things here?
Bart Mroz: It definitely is not, in my opinion. It’s not apples to apples. It fits people differently. Unfortunately, I think people in this space are pushing the platform itself, so they’re trying to make it apples to apples and it’s just not.
John Suder: Let’s make a comparison – If you have someone who doesn’t know which platform to choose, and it was Magento versus Shopify – it sounds like you need a deeper development bench on Magento, but maybe the benefits are greater. Can you extrapolate on that?
Bob Brodie: Yeah, definitely. So one of the things about Magento is the ownership, being able to run it on your own infrastructure and having the data in your realm. That’s really important in a lot of ways.
The other thing is you’re building on top of the platform, and, depending on your build, you have a lot of options with Magento to build services that integrate with it. You can build modules that you install into your platform, you can build microservices that become part of your Magento ecosystem and are supported by underlying modules, the options are endless. You can build on the platform and the features are a lot more robust, whereas Shopify takes the 80/20 route.
One of the Magento features that we have always called out is the promotional engine. It’s incredible. It has a lot of features in general, and they get more granular than with a lot of other platforms. That comes from listening to customers for over a decade. The thing with Shopify is it’s a great platform in a lot of cases, and you offset all of the hosting and maintenance of your platform itself, which can be beneficial to some folks and not to others.
For example, with Shopify, third-party and custom features are built as external apps that integrate with Shopify APIs. The thing we need to keep in mind is if you install a commercially available or publicly available app that interfaces with the data in your Shopify instance – you don’t know where they’re sending your data when they pull it. What countries are their servers in? What’s their security landscape look like?
Let’s say you’re using an app that can help you export orders (there’s no particular add on we want to call out). They’re going to have read access to your orders, and potentially customer data, depending on which scopes they use. They’re going to make API calls to Shopify that page through that data. And then they’re going to temporarily store it somewhere. And then they’re going to export that file to you.
Where are their servers? What is their security doing? Is it multi-tenant where everyone’s isolated? Is it just one big server that has everybody’s files on it? What is the authorization like? You know none of that. All you know is that your order data is flowing through someone else’s server.
Your other option is to build your own services. So we take an approach with Shopify, where we build private apps, microservices, and other tools that push and pull data to and from Shopify. Let’s say we need to do some reporting. We’ll write a tool that will pull all of your customer, order, and product data and store that in a database, then what we’ll do is we’ll interface products with those. Maybe we set up a tool that ETLs order data into a reporting database, or we could have customer analysis systems, or catalog management. So, depending on your data needs, that can be a very different cost basis. We quoted a project a few months ago where this client did not want their customer data run through any not well known third parties. Not an export tool, not a reporting tool that they’ve never heard of (Google Analytics, Facebook marketing, whatever it might be – those are things that people will expect). But some of these small third parties that aren’t really well known is where it would become problematic.
We specced out the modules we would build versus the apps we would build and got into the hosting and scaling of those apps and how they’d work and the infrastructure to support them and the Shopify build for all private apps and integrations outweighed the cost of the Magento build because what they needed wasn’t that complex, but it was more complex than out of the box Shopify and that they couldn’t use third-party apps in most cases.
John Suder: There’s no one size fits all. With each client, you have to identify the needs versus the budget versus security and the limitations or expectations that they might have. It doesn’t get easier. It gets more complex.
Is there anything else that you want to touch on?
Bob Brodie: First, it’s important to move off of Magento 1, whether you stay on it for a little bit while you look at your other options, it’s going to be important at some point to get off of it because it won’t be supported by the community forever, as new technologies come out and people’s interests change and their technology stacks change. We can’t expect it to be supported on its own without a commercial entity forever. It’s important that if you are on it for a bit, that you’re in touch with all of the different security aspects, such as payment data in transit and at rest. Talk to your payment gateways, talk to your hosting providers.
And the third thing is just that I hope that the community gets together. I hate to see a split in the community of partners versus non-partners in a lot of cases. We know that partners need to sell, but I think the thing we always ask is that everyone sells responsibly and that whether you’re a technology partner or a solution partner, that if you’re the entity itself if you’re a Magento or Adobe, you need to be responsible with your messaging.
And just to be fair, I generally don’t get into online debates, I generally am not very public online at all, but it was kind of a shame to see a lot of folks really pushing for getting off of Magento 1 and how important it is and this and that. And it is important, but that they weren’t providing the whole story for Magento 2. Even when it was coming from partners that have sites that are on 2.0, 2.1, and 2.2. To this day partners like PayPal or Visa are putting messaging out into the world that is outdated which really isn’t doing the community any favors. And so what came out of it were a lot of folks that pushed against that. Not because they’re out there making a business on maintaining people on Magento 1 forever, but because they know that there’s nuance in that the customer’s needs really count before theirs.
We know that if you have a client on Magento 1 and you know that over the years, they’ve paid you a quarter-million dollars and they are a million dollar a year company, you can’t expect them to just have another quarter mill on-hand to move over to Magento 2 where they’d get no benefit from it.
I think that’s one of the final points other than being a more modern stack with better security, CEOs and small company owners generally aren’t looking at the security features or the tech stack that they want their product to work. Show me a list of major features in Magento 2 that aren’t in Magento 1 open-source and justify it. I think it’s hard. What do you get? You get a new admin, you get some new interesting features for developers, some new search capabilities, multi-location inventory. You get some newer integrations, but overall we see a lot of people that are from a non-developmental standpoint, they say, ‘but, the front end loads this way or that way,’ or ‘I need to spend this much more in hosting,’ or ‘I need to redevelop this.’ And to completely re-platform onto the same thing without a vast list of feature improvements, it’s a hard sell.
We know that migrating is the right thing to do – but it’s a hard sell for someone that’s writing the checks.