Hero Banner

Joomla Development Insights

Joomla Development Insights

John is the owner and senior developer of Blue Bridge.

Why You Should Upgrade Joomla 2.5 to 3

Why You Should Upgrade Joomla 2.5 to 3

A business recently approached us to perform a site upgrade. In January, their site was hacked and the hackers were using it to send spam email (one of the many uses of a hacked website.) In response, their web host took their site down and refused to put it back up until they fixed the issue. Eventually, they were able to restore to a pre-hacked backup of the site, but it was only a matter of time before it would be hacked again because the version of Joomla in use was out of date and vulnerable. This scenario happens all the time. In fact, the first question we ask businesses who want a quote for an upgrade is if they have been hacked. They almost always say, "yes," because typically this is the only time that someone has told them they need to upgrade the site.

In this blog post, I'll explain the link between hacked sites and Joomla 2.5 reaching "end-of-life", why else upgrading is important, how to upgrade, and how to keep your site up-to-date and running smooth.

A Growing Issue

The problem of hacked sites is on the rise because Joomla 2.5 reached end-of-life in December. This means that there will be no more security updates for 2.5 and instead updates are only available for the current long-term support version, Joomla 3. With every passing month, more and more sites will be hacked because they haven't made the transition.

Joomla is actually very secure by the time a major version reaches end-of-life. What typically happens is that the third-party extensions (add-ons) that most sites use have vulnerabilities exposed in their older versions that are not corrected because those versions are for the older, no longer supported, version of Joomla. It's sort of like the apps on your iPhone not getting updated because your iPhone is four years old and no one is building for it anymore.

I watched this happen in 2012 when Joomla 1.5 was replaced with Joomla 2.5. In the years following, we recovered several hacked Joomla 1.5 sites and helped them upgrade to Joomla 2.5. These recoveries can be expensive, not just for the cost of the work, but also the damage they cause before the site is fixed.

The Damage Caused by a Hacked Site

I've written in several other places on this blog about the damage caused by hacked sites, so I'm just going to list a few scenarios we've seen here:

  • Hacked sites routing spam email like the above (your website is sending Viagra for some spammer in Russia.)
  • Hacked sites redirecting users to spam websites.
  • Hacked sites actually showing spam website content and trying to get your visitors to purchase things from someone else.
  • Hacked sites adding links to your content to boost the search engine rankings of other websites.
  • Hacked sites delivering malware to site visitors and trying to install viruses on their computers.
  • Hacked sites getting delisted from Google for being hacked.
  • Visitor website browsers warning your audience not to visit your site because it is a risky website.

As a thought experiment, imagine how one of the scenarios above would affect your business. The impact can give you a good idea of the value of your website.

Why Else You Should Update

Staying secure is a great reason to perform the update from Joomla 2.5 to 3. However, it's not the only reason. By keeping up to date, you are able to access the currently available solutions. To go back to our iPhone example, by having an up-to-date iPhone, you are able to access all the latest apps.

To use a real-world example, right now Google is devaluing websites that are not mobile friendly. If someone were to approach us with a Joomla 1.0 or 1.5 site, there would be several additional costs to making their website mobile friendly. There are no responsive templates available for Joomla 1.0 or 1.5 and no responsive frameworks to build them on. Additionally, common extensions like slideshows don't have responsive versions for older versions of Joomla. Instead of just quoting the cost to make their site mobile friendly, we would have to quote them an expensive site migration package to get everything up-to-date just so that we could build a mobile friendly version of their site.

Websites are not one and done. The web is an ever evolving environment and a website needs to evolve in time with that changing environment. It's certain that your website will need changes in the future and if you haven't taken the time to keep it up-to-date, you will increase the cost and difficulty of making those changes.

Planning Joomla Upgrade

How to Upgrade

The transition from Joomla 2.5 to 3 is pretty seamless. So far, we haven't ran into any issues using Joomla's updater to do this. However, as I mentioned above, Joomla installations typically have lots of extensions and this is where problems are introduced into the upgrade process. For example, we recently did a site upgrade where upgrading Joomla took around a minute and upgrading JomSocial, a common community software extension, took around 20 hours.  Because of this, I recommend the following process:

1) Set up a staging environment on your Web server. It's important to test the upgrade process in the same environment that your website currently is in. Doing a test upgrade in a different server or a local environment may not expose some of the issues you will have on your Web server. Some web hosts offer the ability to clone your site to work in. This is an ideal environment to do a test upgrade (check with your web host to see if this option is available.)

2) Create a list of extensions that need to be upgraded. You'll need to review the components, modules, and plug-ins that you or your developers installed and check to make sure that current versions exist for Joomla 3.

3) For extensions where current versions do not exist for Joomla 3, you'll have to find extensions with comparable functionality to replace them (the Joomla extension directory is the place to perform the search).

4) For extensions that you have Joomla 3 counterparts, you'll want to go through and read their upgrade documentation. Some extensions have specific steps that have to be executed before or after upgrading to Joomla 3. If you have a few of these, you'll want to map out your upgrade process.

5) In your staging environment, perform the upgrade for Joomla and its extensions. If you have a larger site, you'll want to document this process and any warnings or errors caused by upgrading an extension.

6) If you're running a site where user content isn't being submitted and you haven't made any changes to the backend (like adding an article or event), you can simply swap out your old site with the upgraded staging environment site.

7) If you have a larger or more active site, once you have confirmed that you can upgrade successfully and that things look and work as they should, you'll want to either freeze user submitted content or take your main site off-line and put into maintenance mode. Then you'll run through your whole upgrade process again (this is where documenting all the steps keeps things quick). The safest way to do this is and another staging environment and then replacing the production site with the freshly upgraded one.

Finally, I recommend for all site changes that you start by making backups and upgrades are no different.

This may seem like a lot, because it is, but there's more. For a more detailed and comprehensive process, I recommend taking a look at the Joomla documentation. There are several great articles with much more information on making the upgrade.


Schedule Joomla Upgrades

One Last Thing

Let's say that you have upgraded to Joomla 3: can you forget about the site for the next couple of years? No!

A common misstep that businesses make after having work done on their site is not keeping it up-to-date. It's much cheaper and easier to keep the site up-to-date that it is to have to catch up on updates. Additionally, vulnerabilities are regularly discovered in software and the best way to defend against the ongoing attacks your site experiences is to keep it up-to-date. Almost all of these updates are minor version and extension updates, so you won't be going from Joomla 3 to Joomla 4, but from Joomla 3.2 to Joomla 3.3 or updating your website slider. For minor version updates, most sites don't need to go through the extensive process I laid out above.

An easy way to make sure that your site stays secure is by assigning updating to someone technical and make sure that they have a monthly routine where they log-on to the site and perform the updates.

I hope this information is helpful. If you have any questions leave a comment below or shoot me an email at [email protected]