When Your CMS Reaches End of Life

cms-end-of-life

End of Life (EOL) in the CMS world refers to the point in time when an older version stops being supported by the company or community that has built it, and all efforts are focused on current and future versions. No support means performance, and more importantly, security issues, which nobody wants.

As a web host, we see our fair share of EOL CMS usage. While we often make our own patches to keep outdated client websites secure and in other cases we notify them about issues, it really is the application’s responsibility. We can't possibly keep track of every outdated software we host and every security vulnerability that comes with it. Hence, here is more about what to do when your application becomes outdated and no longer supported.

When is it EOL?

Every CMS has its own development cycles and thus EOL strategies. Even among the free platforms that most of our clients use - Drupal, WordPress and Joomla! - there are observable differences.

At the beginning of this year, 3 months after Drupal 8 came out, Drupal announced the end of support for version 6. Drupal 7 and 8 are currently both supported and it will probably be a while before we see version 7 dropped. Drupal is notorious for longer development cycles and harder updates between versions, hence the longer support cycles. Drupal 6 for example, was in support for about 8 years.

WordPress and Joomla, on the other hand, are quite different in this aspect. The WordPress release archive states that only the latest version is safe and actively maintained, and the Joomla! version guide says pretty much the same thing. Given the much easier update processes of WordPress and Joomla!, it makes sense for them to focus efforts on the latest versions only.

Upgrading is Best, But Sometimes Hard

Of course, no one can argue with the fact that running the latest version of your CMS is the best idea, always. That’s why we’ve worked hard to build our own auto-update tools for WordPress and Joomla!

However, every experienced sitebuilder has run into upgrade issues at one time or another. Even one-click and auto-updates sometimes break themes or plugins, and you then have to spend time restoring backups, debugging and so on. In the case of Drupal, where upgrades are harder and more time consuming, planning and executing an update on a large website can be a very serious development task.

Additionally, some projects simply do not need further development and new features from the CMS (e.g. brochure company sites). They just need to stay secure. When you’ve got hundreds of such websites, upgrading all of them just to stay secure is an overkill.

External Long Term Support (LTS)

When you can’t upgrade for any reason, there are vendors out there that provide their own LTS support for different CMS platforms. One such is Tag 1 Quo, who specialize in Drupal 6 LTS, but have announced plans to move into WordPress soon, starting with versions 4.5 and 4.6.

With Drupal 6, Tag 1 Quo uses a module to collect information about your website. They compare version information with their database of known security issues, and can then provide up-to-the-minute information about your security status. What’s more, some of their plans include patch development, which means that when a given issue affects any of their customers, they’ll work together with the Drupal community to develop a patch for you (they are an official Drupal 6 LTS vendor).

SiteGround is partnering with Tag 1 Quo to improve our user’s security. All of our existing clients can find a discount code on the Resources Tab of their User Area.

Marketing Project Manager

Kiril collaborates closely with development and design teams, bringing to life new products, features and improvements. Having grown up on the web, he can recognize a smooth user experience and strives for it in every project.

8 Comments

  1. Reply October 11, 2016 / 12:40 Davide MasseriniSiteGround Team

    What about a solution for Joomla and WP??!! I don't get this post.

    • Reply October 13, 2016 / 02:22 Kiril HristovSiteGround Team

      Hi Davide, Joomla and WordPress are much easier to update, so keeping them up to the latest version is best. Otherwise, surely there are external LTS providers for them, too. Tag 1 Quo is introducing WordPress support soon, for example.

  2. Reply October 12, 2016 / 11:14 StevenSiteGround Team

    Very cool. Other than the big three (WP, Joomla, Drupal) what other CMS have hit end of life support?

    Think my XOOPS 1.0 site has hit EOL 🙂

    Thanks! -- Steven

    • Reply October 13, 2016 / 00:39 Kiril HristovSiteGround Team

      Hey Steven, any CMS with several versions on the shelf will usually have one that is no longer supported (EOL). It makes sense to focus on new versions and drop old ones as you go. Therefore, all of them hit EOL, eventually.

  3. Reply October 20, 2016 / 00:41 Best essay writign serviceSiteGround Team

    useful

  4. Reply November 4, 2016 / 00:42 Jigar ShahSiteGround Team

    Agree with you that Upgrading is the best option but it's time-consuming and sometimes hard working process, so (LTS) External Long Term Support is the best way for the site owners. It's cost-effective and easy to manage.

    Wonderful post with the supportable idea.

    • Reply November 4, 2016 / 02:02 Kiril HristovSiteGround Team

      Thanks, Jigar. Cheers!

  5. Reply May 10, 2017 / 08:22 Ian MacdonaldSiteGround Team

    Very true, and I think this underlines the fact that people using a SQL-backed CMS frontend when there is no particular need for such - as when the site content is basically unchanging, or could easily be updated by FTP- ought to think carefully about whether a static site or file based CMS would be a better option.

    The time this choice bites you in the proverbial, can arrive before the CMS reaches EOL. It can be when a security update creates a conflict with the template/theme in use. Which can basically happen anytime. You are then faced with telling the client that they need a new website, or else a fairly costly theme rework.

    The client, understandably, thinks you're just trying to 'milk' them for unnecessary work, and says No. So the unpatched site stays up.. and gets hacked.

    Most of this grief can be avoided by not using SQL-based products, since the majority of hacks are SQL code injections.

Reply

* (Required)