Update to secure version of Magento 2

Details:

Magento releases a new patch version (e.g. 2.3.4) containing security updates for all still maintained release versions (e.g. Magento 2.3 or Magento 2.4) in each case. In addition, since Magento 2.3 there has been an update for the previously released version, which only closes the security gaps. Based on the version numbers, it is therefore easy to check whether all known security holes in a store instance have been closed. A Magento 2 store is secured if it is running one of the two latest patch versions in an officially supported release version.

Magento 2.0, 2.1 and 2.2 are currently no longer receiving security updates. It can be assumed that security vulnerabilities will be found in the medium term, for which there will then be no official security updates. Therefore, the use of these versions is no longer recommended. The official support periods for Magento 2 release versions can be found at Magento itself: for the Commerce Edition (formerly Enterprise) and for the Open Source version (does not yet include version 2.3).

Problem solution: Update Magento 2

We recommend having a Magento 2 store updated by experienced developers. Especially in case of functional updates, as they happen regularly with Magento 2, the impact can often only be estimated by the programmer(s). Magento updates should always be tested in a staging environment first, so that the productive store is not affected in case of difficulties with the update. In addition, it is of course essential to make a backup before an update.

General procedure for Magento 2 updates

IMPORTANT: Magento itself has described the update process in detail in the official documentation. Options have to be considered and decisions have to be made, which have to be individually adapted to the existing store. Therefore, we only provide the general procedure in this overview and also do not consider the integration into a deployment process. For specific steps to upgrade a particular Magento 2 installation, please contact your developers or agency.

Preparations

• Check the system requirements (e.g. PHP version, MySQL version) of the update.
• Check the release notes and the changes of the update for possible pitfalls.
• Create a backup of the store.
• Put the store into maintenance mode.

Update with composer

With a recommended Magento 2 installation via composer, a store can also be updated via composer. Magento provides a PHP script for this purpose, which automates the following typical upgrade steps. However, this script may overwrite preset parameters and should therefore only be used after thorough testing.

1. Create a backup of the composer.json file.
2. Specify the new Magento 2 version to be installed. For example, if updating to version 2.3.4: composer require magento/product-community-edition=2.3.4 --no-update
3. (Optional) For a representative state, modify the "name", "version", and "description" fields in the composer.json file to reflect the new version.
4. Perform the update of Magento and its components: composer update
5. Flush the cache: php bin/magento cache:flush
   1. Additionally, delete the data in some (cache) directories: rm -rf var/cache/* var/page_cache/* generated/code/*
   2. When using Redis for the Magento cache, we recommend flushing the Redis instance separately: redis-cli -p <port number> -n <DB> flushdb (port and database number of the correct Redis instance).
6. Upgrade the Magento installation and its modules: php bin/magento setup:upgrade

Depending on the store instance, additional steps may be necessary, e.g. setup:di:compile or setup:static-content:deploy.