“The safer you are, the better you sleep”, and if we paraphrase it into a merchant’s words: “The later the patch you have, the less chance your store will be hacked”. This should be the main rule when it comes to security.
It’s been almost 2 months since we could touch and feel Magento 2.4, a new minor version of Magento with a better eCommerce security layer and long-awaited B2B features aimed at improving merchants’ customer experience. If it’s the first time you are hearing about this, you might want to take a look at our summer review of it here.
We’ve mentioned a lot here. You might still have a question (or two!) about whether it’s time to move forward with Magento 2.4.1. Or, you might prefer to apply a patch (2.3.6), recognizing minimum risks will remain but will keep your store more secure. The choice is up to you. If you want to learn more, talk it through, or are ready to take a step forward — we’ll always be happy to help.
If you are interested in reading the detailed notes from Magento, don’t forget to stop by DevDocs.
- Over 15 security fixes and platform security improvements
- Magento Scan Tool enhancement
- Site-Wide Analysis Tool (SWAT) integration with Magento Admin (Commerce only)
- Support of SameSite attribute for cookies
- Performance improvements
- PWA and GraphQL new features
- MFTF 3.1.0 release
- Hundreds of fixes for core issues.
Performance was improved in two main aspects:
- Company-specific shipping methods
- Approval workflow enhancements:
  - Bulk purchase order approval/rejection
  - Alert counter to show POs awaiting approval.
- Faster cart management and requisition list creation:
  - Adding an entire cart or individual items
  - Clearing a shopping cart in a single action.
- Support for payment on account for orders created in the admin mode
- Customer information filtering by a sales representative
- Quoting history visibility from the Customer Detail Page
- Google reCAPTCHA for New Company Request form
- Company module admin action logging.
Key changes in more detail
Below, we assess Magento 2.4.1 from the merchant’s perspective with a minimum of tech jargon, just like we do when consulting our clients.
Magento 2.4 found numerous proponents, especially among Magento community enthusiasts and developers, thanks to its GraphQL coverage. At the same time, some clients decided to stay on Magento 2.3 for now and apply a proper patch. If you were asking yourself, “Should I perform a Magento 2 upgrade or not?”, this might be the right time to make a move and upgrade your Magento store.
- CAPTCHA protection has been added to the Place Order storefront page and payment-related REST and GraphQL endpoints. It’s disabled by default but can be enabled from the admin. CAPTCHA was also added for B2B — for company registration.
- Improvements to support the latest Google Chrome enforcement related to the SameSite attribute.
- Enhanced Magento Scan Tool. After partnering with Sanguine Security, Magento will provide better real-time insights into the security of merchants’ websites. You can apply for the tool by visiting https://account.magento.com/scanner.
Moreover, the extensions got numerous fixes which will improve working with them even more.
The latest Magento version has the following security enhancements:
- Network transfers between Redis and Magento are no longer stored in the cache. This results in better performance and cache size reduction.
- A new configuration setting now supports decreasing consumer queue CPU consumption.
Tools and integrations
- The new Media Gallery is enabled in admin by default. This gives you a bunch of new features like deleting images in bulk, better image sorting, and working with image metadata.
- Now you can turn on full-screen mode when working with Page Builder.
- GraphQL now covers the following features: Product review, Gift options, Reward points, Order history and much more.
- PWA Studio released v8.0.0 with an updated style guide for the Venia theme, and a better mini-cart and My Account experience.
- B2B has massive improvements to its features. Now buyers can view rules that apply to their company on the new View Rule page when they do not have permission to edit them. B2B managers and Company Administrators can now perform bulk rejection and approval of purchase orders. Each company has a specific list of shipping methods to be configured.
If you want to learn more about B2B and its features, go here.
Extensions from vendors
- Amazon Pay got better Pay button placement on the product, cart, and Magento one-page checkout pages, language translations, and improved messaging in the password reset link.
- Braintree now has support for multi-address shipping.
- Dotdigital Engagement Cloud can boast Page Builder support, a 25% performance improvement for batch catalog sync processes of configurable products, and much more.
- Klarna now has a GraphQL module to support PWA integrations.
- Vertex Cloud got a better validation process for the orders created from admin.
- Yotpo Product Reviews made some functions publicly available, and customers can now override settings and filters and make adjustments when Magento orders are synced to Yotpo.
In this patch, the following modules were updated and enhanced:
As it’s only a patch version, it does not contain as many changes as we had in 2.4.0, but there’s also something worth mentioning:
Should I upgrade?
Given that, it’s a good time to upgrade your store to the latest version. There are also some small yet efficient tips to protect yourself from hackers: IP whitelisting, two-factor authentication, unique admin, and VPN usage. Remember, most attackers try to obtain access to the admin panel of your store.