As part of our hosting service for our Magento clients, we provide pro-active security patching when Magento releases a security patch. It is not something that many hosting providers offer. There’s a reason for this…

It’s not as easy as it sounds.

Here’s a small peek behind the curtain of what goes into this process…

Is there a patch available?

How do we know a patch has been released? Besides being on the Magento Security List, we’re plugged into a number of other areas related to Magento:

• Twitter
• Magento Forum
• Stack Exchange
• Slack
• Web alerts from Google and Mention

Being part of the community and knowing where to look are the first steps to know about patches, issues, etc…

The Patch is announced

Once we know about a patch, like with the latest SUPEE-9767 patch, we get to work by downloading the patch files and examining their contents. What files are being patched? What are the major code changes?

We also read the security notes, changelogs, and see what the developer community is saying. Simple things, but if you piece it all together, you get a more complete picture of what the patch addresses, and “gotchas” right away.

What is the Community Saying?

Usually within 24-48 hours, posts start appearing on Stack Exchange with issues encountered, questions about the patch, details, etc… This also happens on the Magento Forum, Twitter, and other areas where developers discuss these type of updates.

It is important to digest these discussions, as they can save countless hours re-inventing the wheel and running into issues others have already encountered. With SUPEE-9767, it became quickly apparent that the patch was not seamless, and that multiple bugs were introduced with the patch…

Testing, 1, 2, 3

In parallel with our monitoring, we apply the patch to a few test stores to see how seamless the patch applies, and then we run some tests and scenarios on the patched test stores to see if any basic functionality breaks. We feed back anything we find to the community as best we can, and make notes of what we discovered.

For SUPEE-9767, we found a few show-stoppers with the patch that had us put on hold its deployment to our hosted Magento clients. This proved to be the right decision, as Magento themselves pulled the patch, acknowledged the issues, and said a version 2 of the patch would be released once the bugs were squashed.

Communication is key

If a security patch is simple and just updates a few core files in Magento with limited to no operational impact, we’ll announce it on our support forum, social media, newsletter, etc…

If, like with SUPEE-9767, functionality changes, we have to manually patch template files, provide context for how to enable a security feature, etc…, we then send an email to each store owner letting them know the patch has been applied, what changed, and what to look out for.

In the event a patch cannot be applied to a store due to customizations, we let the client know of the troubles we had applying the patch, and what they might want to do next to get their store patched.

…

Hopefully this sheds some light on the various steps and actions we take behind the scenes to help keep our Magento clients safe and secure. This pro-active security patching, along with daily malware scanning, continuous performance monitoring with pro-active actions being taken if an issue is detected, and periodic analysis on the hosting environment being optimized for each individual store, helps our clients get the most out of their Magento eCommerce websites.

If you’re looking for a web host that is hands-on and pro-active with your Magento store, get in touch with us. We’ll let you know what we can do to make running your business even easier… Peace of Mind for Magento Merchants.