January 19, 2026

The hidden risks and costs of running a Magento store in 2026

This article is about maintaining your Magento store. Why you should do it, and what good looks like.

The cost of doing business

Let me paint you a picture.

You have a working store. People are discovering it, some (hopefully many) are converting, and business is brisk. You're laser-focused on the growth of your brand, and it's all hands to the pumps processing orders, servicing customers, and optimising the experience. To this end, you have a roadmap of work planned with your ecommerce agency for the next 12 months, all geared toward growth.

Your agency informs you of another mandatory platform upgrade; security fixes for some cross-site scripting to prevent unauthorised access to... something-or-other (you're only half listening). With the patch application, testing, and deployment, it'll take 3 days. This is an irritant–it distracts from the value-add work you want to be doing, and it feels like you're paying for something just to stand still. What is more, the budget you'd put aside for those needle-moving tasks is being eaten up by constant patches. You ask yourself, "Is this really necessary? Haven't we just finished applying a patch, and now there's another one?"

If this sounds familiar, you're not alone. The truth is, keeping an ecommerce store up to date is a never-ending, thankless task. But it's the cost of doing business. Acceptance of this fact is key to preventing frustration, keeping you sane, aiding realistic planning, and, above all, avoiding the temptation to let it slip.

If you don't maintain it, you'll pay later

As an ecommerce store operator, you have a responsibility to yourself, your business and your precious customers to do everything in your power to keep your collective data safe. Ecommerce sites, by nature, are a massive draw for hackers and ne'er-do-wells. Hacking attempts are on the rise, and they're getting smarter. If your site is hacked, the cost to your business could be immense–both financially and reputationally (and therefore financially again).

So what should be done?

Fixes, Patches, and... more Patches

Monthly Security Fixes

This year, Adobe have moved to a monthly patch release cadence. These monthly updates fix security holes in the platform and are non-negotiable. Once fixes are released, they should be applied as soon as possible. Once vulnerabilities become common knowledge, attempts to exploit them will follow. Not applying them leaves you vulnerable.

Annual (at least) Security Patches

These patches (versioned like 2.4.8-p3) roll up all previous monthly security fixes together with the latest fixes and proactive security hardening. Again, they should be applied upon release.

Patches

I know what you're thinking: I've already mentioned patches. And you're right, but these patches aren't the same as the other patches (still with me?). The ones I mentioned above are security patches, whereas these are, in effect, platform upgrades (e.g., taking 2.4.8 to 2.4.9). These include security updates, as well as other unrelated improvements that aid stability, performance, and compliance. And you guessed it, these should also be applied immediately.
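Telling the three kinds of release apart starts with knowing which version you are actually running, and the `-pN` suffix trips up naive string comparison (`"2.4.8-p10"` sorts before `"2.4.8-p3"` as text). The script below is an added example, not code from the original article or from C3: it reads the core Magento metapackage out of a constructed `composer.lock`, parses the version into a tuple that orders correctly, and says whether the store is behind the security patch line or behind a platform release. The "current" versions it compares against are assumptions for illustration; take the real ones from Adobe's release notes.

```python
"""Is the Magento version pinned in composer.lock behind the current patch line?

Added example (not the article's or C3's code). The lock-file snippet is
constructed, the CURRENT_* versions are assumptions, and only the core
metapackage is checked, not third-party extensions.
"""
import json
import re

# Metapackages whose version is the platform version (Open Source / Adobe Commerce).
CORE_PACKAGES = ("magento/product-community-edition", "magento/product-enterprise-edition")

# Assumptions for illustration: the newest security patch on the 2.4.8 line
# and the newest platform release. Replace with values from Adobe's release notes.
ASSUMED_CURRENT_SECURITY = "2.4.8-p3"
ASSUMED_CURRENT_RELEASE = "2.4.8"

# Constructed composer.lock: one pretend extension plus the core metapackage.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "acme/module-example", "version": "1.2.0"},
        {"name": "magento/product-community-edition", "version": "2.4.8"},
    ]
})

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(version):
    """'2.4.8-p3' -> (2, 4, 8, 3); '2.4.8' -> (2, 4, 8, 0).

    Tuples compare numerically, so 2.4.8-p10 > 2.4.8-p3 and 2.4.10 > 2.4.9,
    which plain string comparison gets wrong.
    """
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"not a Magento release version: {version!r}")
    major, minor, patch, sec = m.groups()
    return (int(major), int(minor), int(patch), int(sec or 0))


def installed_version(lock_text):
    """Return (package, version) for the core metapackage pinned in composer.lock."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") in CORE_PACKAGES:
            return pkg["name"], pkg["version"]
    raise LookupError("no Magento core metapackage found in composer.lock")


def patch_status(installed, current_security, current_release):
    """Classify an installed version against the newest security patch on its
    X.Y.Z line and the newest platform release."""
    inst = parse_version(installed)
    sec = parse_version(current_security)
    rel = parse_version(current_release)
    if inst[:3] == sec[:3] and inst[3] < sec[3]:
        return "behind-security-patch"      # same line, missing -pN fixes
    if inst[:3] < rel[:3]:
        return "behind-platform-release"    # needs the platform upgrade
    return "current"


if __name__ == "__main__":
    name, version = installed_version(SAMPLE_LOCK)
    print(name, version, patch_status(version, ASSUMED_CURRENT_SECURITY, ASSUMED_CURRENT_RELEASE))
```

Against a real store, feed it the lock file from the project root (`installed_version(open("composer.lock").read())`); the same parsing applies to the version shown by `bin/magento --version`.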

Why patches are not enough

Ok, so you've come to terms with the patching life. You're applying the monthly security fixes, the annual Security Patches, and the (other) Patches. That's it, right? Actually, I'm afraid there's more to it than that.

Whilst security patching goes a long way to improving your defence and ensuring your website is operating at peak performance, it's only half the story. There are other considerations, including (but not limited to):

  • Web hosting software patches (oh yes, more patches) – all software needs patching, and the software running on your server(s) is no different.
  • As-yet-unknown vulnerabilities – it's hard to patch a vulnerability that hasn't yet been found.
  • Vulnerabilities in extensions and custom code – extensions and bespoke features are software too, and as I mentioned before, all software needs patching. It's no good ensuring Magento is up to date if you have vulnerable plugins installed.

Fortunately, there are solutions. Keeping your servers squeaky-clean and your extensions and custom code up to date both call for an experienced Magento-specialist team (a general web host often won't do). Beyond that, there are services on hand to help prevent intrusions, and to alert you to successful ones.

Web Application Firewalls

You've probably heard of a firewall in the context of computer networks: a technology that blocks unauthorised traffic into private systems. A Web Application Firewall (WAF) does a similar job one layer up, inspecting the HTTP requests that reach your site. Modern WAFs can detect malicious traffic and unusual or damaging behaviour, and either block or challenge the source. The "I'm a human" challenges you've seen often enough are one such challenge: the WAF (or the bot-management service bundled with it) deciding whether your requests are genuine or automated.

It's typical to have a WAF sitting in front of your website, with traffic routed and filtered through it: your first line of defence. And for Magento, you should also be using the Sansec Shield: a purpose-built extension backed by a service designed to stop "zero-day" attacks. Remember those "as yet-unknown" vulnerabilities I mentioned? This is the tool for the job. It stops both known and bleeding-edge attacks in their tracks.

You need both.

Observability

Ok, so you're applying all of the patches, including 3rd-party plugins and custom code. You're also updating your servers, and you have Web Application Firewalls in place. Good job.

Even with all of this, the unthinkable happens: a hacker manages to worm their way in. Are you going to know? Not necessarily. They're devious. They'd far rather leave a hack in place, quietly subverting your processes, customers, and data, leaving you blissfully ignorant. That's until the day you find out, and all hell breaks loose. I'm sure you'll agree that it's better to know sooner and be able to do something about it.

That's where observability comes in. Running a Magento store necessitates security and performance monitoring. It often allows you to be alerted before warning signs turn into a real problem, potentially affecting service to your customers, or worse. For example, a DDoS attack begins (a Distributed Denial of Service attack: traffic from many sources at once, designed to overwhelm your website and infrastructure and take it down). You can either become aware when a customer reports that your website is down, or you can be alerted to anomalous activity ahead of time, allowing you to take mitigating action before your customers are affected. Another example: a hacker is probing your website for vulnerabilities–maybe they find a hole in the fence–and you're alerted, allowing you to take action before too much damage is done. Or perhaps you block them quickly, preventing them from gaining access in the first place. Either way, you're a lot better off than if you were to find out the hard way.
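Both of those early signals, a scanner probing for holes and the start of a flood, are visible in the web server's access log long before a customer notices. The script below is an added example, not code from the original article or from C3 ONE: it parses constructed nginx/Apache combined-format log lines (documentation IP ranges, invented timestamps) and flags a source that hits many non-existent paths in one minute, and any ten-second window whose request count is far above normal. The thresholds are assumptions; in practice they are derived from the store's own baseline.

```python
"""Detect vulnerability probing and request floods in web-server access logs.

Added example (not the article's or C3 ONE's code). Log lines are constructed,
thresholds are assumptions to tune against real traffic.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format as written by nginx or Apache in front of a Magento store.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample: two ordinary shopper requests from 203.0.113.7 and a
# scanner at 198.51.100.9 walking well-known paths that do not exist here.
NORMAL_LINES = """
203.0.113.7 - - [19/Jan/2026:10:00:01 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Jan/2026:10:00:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.9 - - [19/Jan/2026:10:00:02 +0000] "GET /phpinfo.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.9 - - [19/Jan/2026:10:00:03 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.9 - - [19/Jan/2026:10:00:03 +0000] "GET /setup/ HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.9 - - [19/Jan/2026:10:00:04 +0000] "GET /dev/tests/ HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.9 - - [19/Jan/2026:10:00:04 +0000] "GET /vendor/composer/installed.json HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [19/Jan/2026:10:00:05 +0000] "POST /checkout/cart/add/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
# Constructed flood: forty distinct sources hitting the homepage in the same second.
FLOOD_LINES = "\n".join(
    f'192.0.2.{i} - - [19/Jan/2026:10:05:00 +0000] "GET / HTTP/1.1" 503 0 "-" "-"'
    for i in range(1, 41)
)
SAMPLE_LOG = NORMAL_LINES + FLOOD_LINES


def parse_log(text):
    """Turn raw access-log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append({"ip": m["ip"], "epoch": int(ts.timestamp()),
                       "path": m["path"], "status": int(m["status"]), "ua": m["ua"]})
    return events


def find_probers(events, window_s=60, min_404=5, min_distinct_paths=4):
    """Flag source IPs that 404 on many distinct paths within one window.

    A shopper gets the odd 404; a scanner walking /.env, /phpinfo.php, the
    setup wizard and so on produces a burst of them. Thresholds are assumptions.
    """
    counts = Counter()
    paths = defaultdict(set)
    for ev in events:
        if ev["status"] == 404:
            key = (ev["ip"], ev["epoch"] // window_s)
            counts[key] += 1
            paths[key].add(ev["path"])
    hits = []
    for (ip, window), n in counts.items():
        if n >= min_404 and len(paths[(ip, window)]) >= min_distinct_paths:
            hits.append({"ip": ip, "window_start": window * window_s, "not_found": n,
                         "distinct_paths": len(paths[(ip, window)]),
                         "paths": sorted(paths[(ip, window)])})
    return sorted(hits, key=lambda h: -h["not_found"])


def find_rate_spikes(events, window_s=10, max_requests=30):
    """Flag windows whose total request count exceeds the store's normal ceiling.

    This is the early signal for a volumetric (D)DoS: the count climbs before the
    site actually falls over. The ceiling is an assumption; derive it from a baseline.
    """
    per_window = Counter()
    sources = defaultdict(set)
    for ev in events:
        w = ev["epoch"] // window_s
        per_window[w] += 1
        sources[w].add(ev["ip"])
    return [{"window_start": w * window_s, "requests": n, "distinct_sources": len(sources[w])}
            for w, n in sorted(per_window.items()) if n >= max_requests]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for p in find_probers(evs):
        print(f"probe: {p['ip']} hit {p['not_found']} missing paths in one minute: {p['paths']}")
    for s in find_rate_spikes(evs):
        print(f"flood: {s['requests']} requests from {s['distinct_sources']} sources in 10s")
```

On a live store the same two functions run over the tail of the access log on a schedule, with the output going to whatever pages the on-call team; the prober report is what you would hand to the WAF as a block, and the spike report is the cue to engage upstream DDoS mitigation before the 503s reach customers.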

Is that it?

I know, it's a lot. Did I mention that you also need the right people in place to actively maintain and monitor all of this, taking the right action at the right time to avoid catastrophe and keep things running smoothly?

Whilst all of this can cost not-insignificant amounts of money, often the more challenging aspect can be the distraction and overhead it causes. If not managed correctly, you may find yourself spending all of the time you should have been spending on growth tasks on ongoing maintenance. This can stifle a brand's growth, and it can be a real problem.

Ok, ok, so what's the solution?

Fortunately, it's pretty simple—your partners. The right partner, or partners, can ensure that your Magento store remains online, secure, and running smoothly. And they should make it easy for you. You should be able to sleep soundly at night knowing that your store is in safe hands and that you have a team of specialists looking after your interests. You are then free to pursue your goals unencumbered, without the fear that maintenance will choke out all other voices.

In 2026, with ever-increasing threats requiring ever-sophisticated protections, a specialist agency is required. This is precisely why, at C3, we designed C3 ONE. It includes everything I've talked about here, and more. We host, we protect, we observe, and we maintain. We take the burden and hassle out of a very necessary, very complex, and very sensitive job, allowing our customers to focus on their businesses and our conversations to be focused on the good stuff: growth and goals.