Should You Keep Using Unsupported Software?
All software users have struggled with this question at some point:
“Should I go through the hassle of updating to the latest release, or should I take a risk and keep using an old version?”
We get this question frequently from our Joomla and Drupal users. To help them work out what to do, here’s our guide to using unsupported software.
What is Unsupported Software?
“Unsupported” generally means there will be no more updates. Even if there is a major security issue, the developers do not promise to provide a fix.
Sometimes, there are exceptions to this rule:
- Official developers: the PHP developers stopped support for PHP 5.2 in December 2010 and then released a security fix one month later.
- Third-party developers: a company Netshine have a patch to make Joomla 1.0 run on the latest version of PHP.
- Custom fixes: if you have an old site, you can pay a developer to provide support, even after official support has ended.
However, you really can’t rely on the first two options and it might not be easy or cheap to find a developer willing to help with the third option.
Why Do Developers Stop Supporting Software?
Because their time and resources are limited.
Both Joomla and Drupal make it clear that they can only support two versions at a time. Currently Joomla is only supporting versions 2 and 3. Drupal is only supporting version 6 and 7. When a new major version comes out, such as Drupal 8 next year, support for the older version will end.
Examples of Using Unsupported Software
Drupal
- Staying with Drupal 5, or Drupal 6 after August 2013.
- Not updating to the latest releases which are Drupal 6.26 or Drupal 7.16.
Joomla
- Staying with Joomla 1.0, or Joomla 1.5 after this year.
- Not updating to the latest releases which are Joomla 2.5.7 or Joomla 3.1.
WordPress
- Staying with anything except the very latest release, which is currently 3.4.2.
Why Would You Keep Using Unsupported Software?
Many people use unsupported software simple because they forget to update or because they don’t use their site very often. We’re not talking about those people here.
We’re going to talk about people who know they need to update, but actively choose to keep using unsupported software. What are those people thinking?
- The update is too difficult or expensive. This is a common reason for staying with Joomla 1.0, Joomla 1.5, Drupal 5 or soon Drupal 6.
- It might break features you need There’s a huge amount of nervousness around updating. It’s also difficult and time-consuming to test updates. Why risk the update when your site works fine now?
- You know it breaks features you need. WordPress 3.3 is a good example. The menus in that release caused accessibility problems for a number of people who had a hard-time updating.
- There’s no rollback option. Unless you have a very powerful development setup, most software simply doesn’t have a rollback feature. If you update and break something, there’s no Undo button.
- You’re busy and have better things to do. To be honest, this is often why I don’t update. I have a business to run and other things on my plate. I just don’t have time to update some non-essential sites.
What Happens if You Keep Using Unsupported Software?
Please note: I am in no way endorsing the use of unsupported software. It’s bad behavior and should not be encouraged. However, we live in the real world and we all do it sometimes. Here’s what may happen if you keep using unsupported software:
- Nothing. The most likely outcome is that your site will keep on running without any problems. I still have Joomla 1.0 and Drupal 5 sites. All of them have been running for nearly 2 years after official support ended. However, those sites are starting to show their age. Dynamic sofware such as Joomla, Drupal and WordPress just can’t last as long as old-fashioned HTML sites. My unsupported sites increasingly have problems with the latest version of PHP on our server. I’m also reluctant to make any changes to the sites as they are increasingly fragile. Not only the core, but also most of the Joomla extensions and Drupal modules on those sites are now unsupported. I’ve managed to put the decision off for 2 years, but at some point, I’m going to have to either update those sites or delete them.
- Immediate site death. This outcome is most likely if your software was being updated to fix a major security hole. Once news of the security hole is made public, many hackers will try and find sites that aren’t updated and so are vulnerable. The good news is that such major security holes happen rarely. In the last 5 years, I can recall only a couple of examples each for Joomla, Drupal and WordPress.
Final Thoughts
Sure, it would be great if we never used unsupported software. But, we live in the real world and it happens for all sorts of valid reasons.
If you don’t update your site to a supported version, you may be hacked immediately if the update is to fix a serious security problems.
If you don’t update your site, your site may be fine for years to come. However, you will need to make an update decision eventually. Joomla, Drupal and WordPress sites can struggle on beyond their use-by-date, but they don’t last forever.
Good article. Thanks for addressing this issue. One point missed is that while upgrading for security fixes is a good idea, doing version upgrades (Drupal 5 or 6 to Drupal 7 for example) provides an opportunity to assess how the site is structured and to take advantage of new features that more current versions offer. We’re finding as we do upgrades on D6 to D7, while it can be challenging turns in to an opportunity to make big improvements to the sites.
Thanks Bob. Yes, you’re absolutely.
Websites are almost like attics … they accumulate such junk over the years that’s it great to clean them out. You find all these modules and code that you added 4 or 5 years ago and completely forgot about.
Some advice for minimizing the risk in maintaining obsolete web applications: keep a close eye on exploit and vulnerability lists you can subscribe to by RSS or email. Keep secure backups, use a good, secure host and harden your site as much as possible. Periodically do searches for vulnerability reports. Remove all third party add-ons you can live without, and monitor them most closely for vulnerabilities.
Interesting article – only this week I have had notification from Total Choice Hosting that a joomla 1.5 site of mine has been hacked and is sending spam email. They have temporarily suspended the account. This is inspite oif upgrading the account with the most recent security patch in December. This is the second 1.5 site that this has been hacked via Total Choice (also spam email sender) These sites are not critical and I will be upgrading them but my question to TCH as to why they continue to offer joomla 1.5.23 via fantasico has gone unanswered.
Another point to remember is that extensions can be hacked so those that have stopped supporting 1.5 could be a risk.
What about people on fixed income that can’t afford a monthly bill as high as a cell phone bill for one special software? If all software goes to this line of thinking it’s going to price itself out of business. Just my opinion. I already paid for my computer then I paid for the operating system now you want me to pay for you to have control over what I do with it monthly instead of a software package that last a while, or a reasonable amount of time to budget for the new update. Monthly kills everybody’s budgets, and is worse than a tax.. That is Microsoft in a nutshell.