Recently there has been a growing buzz on the web that there are hosts taking quite a solid stand against having Joomla 1.5 on their servers. So in the light of the event I would like to take a minute and explain the SiteGround view point: what are the challenges of hosting Joomla 1.5 and how do we face them.
Is Joomla 1.5 really insecure?
The answer to this question right now is: NO.
Currently there is no known vulnerability in this version that has not been addressed by the Joomla developers. In August 2013, there has been a serious security issue that affected Joomla 1.5 after its official support was discontinued. Nonetheless the Joomla team released a patch, so that people still using this version can fix the issue.
So why messages about Joomla 1.5 being intolerably insecure are in circulation? There are two reasons. First, it is true that Joomla 1.5 is no longer supported, so providing a patch for any future vulnerability is not guaranteed. Still there is a difference between current vulnerability and a possible future one. Second, the standard way to fix vulnerability by upgrading your software is no longer applicable for Joomla 1.5. The best you can hope for in case of vulnerability is a patch, not a new updated 1.5 version. Well, applying a patch is not a rocket science, but it requires a little more effort than hitting an upgrade button and this decreases the number of users that do it.
So how does SiteGround handle these Joomla 1.5 security challenges?
In August, when the Joomla vulnerability affecting 1.5 versions was announced, we made two things:
- We researched the vulnerability and created a patch on a server level that will stop hackers from exploiting it on our servers, even if there are vulnerable 1.5 Joomlas. We have done this in multiple other cases affecting different applications and versions. We are quite experienced in reacting to such issues and feel comfortable that if another 1.5 vulnerability appears in the future, we will be able to protect our customers even if no patch is officially released.
- Besides our own server level fix we manually applied the official patch to all Joomla 1.5 hosted on our servers. It is true that it took some effort (on our part, not our customers’), but we strongly believed that it was the best course of action.
Details about how we handled the case can be read in our Serious Joomla vulnerability Blog post.
Should you upgrade to a more recent Joomla version?
The answer to this question is: YES
We do recommend that all people move to the supported versions of Joomla as soon as possible. However, we know that migrating from 1.5 to any of the other two currently supported versions (2.5 and 3) can be a challenging task.
So how does SiteGround make the switch easier?
In this case we do not believe in the negative motivation: we don´t intend to send our customers packing if they don´t upgrade or to exaggerate the danger of using 1.5. Instead we have worked with Brian Teeman, one of the Joomla founders. He has produced a full video course, sponsored by our company, which explains how the move from 1.5 to 3 can be made. The tutorial is freely available for anyone, but we also emailed all our Joomla 1.5 users announcing its existence and explaining in details why it is a good idea to make the move.
I believe that people using Joomla 1.5 should move forward as soon as possible. However, I am aware why this is not such an easy step for most of them, and we, as a host, have decided to respect their choice.