Upgrade policy/urgency

The place to talk about things that are related to CMS Made simple, but don't fit anywhere else.
sponna1
Forum Members
Posts: 43
Joined: Thu Oct 17, 2013 9:25 am

Upgrade policy/urgency

Post by sponna1 »

Hi,

All new sites we develop use the current 2.x version as you'd expect and we update these regularly.

However, we also have some old 1.x versions where the clients have indicated that they prefer not to update past the last 1.12 version, primarily down to cost. We have encouraged this but until more recently, the old 1.x series seemed fairly secure and so we haven't insisted, even where the sites used our servers.

Now it appears that there are some more serious security issues identified more recently, which changes our view on the old versions, even though they are all 1.12.2.

Is there anything that can be done relatively easily to secure these older sites please, or is it time to update everything? A couple of them have some tweaks to older versions of FEU so could be some fun there!

Just interested to know what everyone else's policy is on the 1.x updates please. I know you should keep everything updated all the time ideally, but sometimes it doesn't happen, particularly where a client is reluctant to pay for support.

Thanks
Dave
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm
Location: Fernie British Columbia, Canada

Re: Upgrade policy/urgency

Post by calguy1000 »

I hear this excuse all the time 'Customer doesn't want to pay for upgrades', what should I do? It's either related to a problem that they are encountering, or a security vulnerability. It really just means you haven't educated your customer on the care and ownership of his website properly or it is a sign of a customer you don't really want in the long term anyways.

If you take your car to a shop and they say... hey, it is not safe it needs new brakes. Then your choices are to pay for the brakes, or have it towed out of the shop. They will not generally permit you to continue using it.

The same type of analogy can be used for websites that you are hosting, because one site on your server that is vulnerable could be used to attack all of the other sites or applications on the server, or to compromise the server. It's just not safe.

Additionally, generally speaking, websites (even static HTML ones) and web apps are like computers and cars, or plants. They absolutely need regular maintenance and upkeep. Purchasing a car and putting it in the garage for 10 years is usually a waste of money too. To get the value out of it, it must be used, and that means it needs maintenance and upkeep. That includes content and upgrades. This is what you and your customers need to learn.
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm
Location: Fernie British Columbia, Canada

Re: Upgrade policy/urgency

Post by calguy1000 »

Another note:

Allowing your customers that you host to remain way behind on upgrades means that you cannot easily manage the upgrades on your server, i.e. upgrading PHP versions, operating systems, etc. So because one customer refuses to pay for upgrades and has software that is 3 or so years old, you cannot easily upgrade the software on your server. Which means that that server, and all of the other customers, may be vulnerable to other types of attacks that are already fixed in PHP or system software.
sponna1
Forum Members
Posts: 43
Joined: Thu Oct 17, 2013 9:25 am

Re: Upgrade policy/urgency

Post by sponna1 »

Thanks for your views - understandable. However, running a successful business is never "black and white" in my opinion. There are reasons why some clients can't/won't update and the risks have to be evaluated. Where software has traditionally been robust, you may choose to run like that until circumstances change, as indicated in my initial post. That's not quite the same as running your vehicle with bald tyres or failing to service a broken gas stove, at least not in my book. But I appreciate and understand your views.

Where the risk is too great, which is what I'm attempting to evaluate, then we take appropriate action. So not really a case of not knowing how to educate customers or me needing to learn, to be fair.

Where we have to run "legacy" sites, we do so on servers set up for that reason, i.e. controlling risk as far as we can. We also advise the client of the associated risks - once we've fully evaluated.

Any other input also appreciated please. Albeit following this feedback we will begin a programme of mandated upgrades.

Thanks
Dave