Joomla! 3.6.5 Big issue

[loudy_ca]

Hello, According to the new advise from Joomla all sites need to be updated to: Joomla! 3.6.5?

I'm running Joomla 2.5 and we have custom joomla extensions that we put lots of efforts and money to have it. Now the new warning says: please update to Joomla! 3.6.5.

This is not easy for us to update to Joomla 3.6.5 as we already have our platform up and running with lots of custom apps that runs only on joomla 2.5.

I'm really confused now, I hope joomla can find a patch to this issue for joomla 2.5.

Please vote for asking Joomla team to take in consideration our usage of Joomla 2.5

Please help.

[sozzled]

J! 2.5 was at end-of-life about four years ago (no more updates are available for this version) and end-of-support ceased two years ago. Those are the facts.

[mbabker]

So to be bluntly honest here, I think a very bad precedent was set with the handling of security issues over the last few years and patching unsupported software. 1.5 support ended in 2012, 2.5 support in 2014. Yet each has received patches created by the security team but released under the name of a "community contributed patch" to respect the fact that we ended support for those versions and would no longer issue releases.

This has caused an expectation that now these versions will continue to be checked for security issues and patches issued to address them. It's unhealthy as that basically means the project is continuing to provide support for software it has decided does not receive support. It can't be done both ways.

As with all software, eventually you should update your resources to currently supported versions as soon as practical. It is unsafe to rely on outdated software, sooner or later it will stop receiving security support (four of the five PHP branches Joomla 2.5 will run on are no longer supported and the fifth receiving security fixes only as of next month, additionally it won't run on PHP 7 at all; and two MySQL branches it runs on are not supported either). So not upgrading one piece of software can and will cause a domino affect with being unable to update other software and increasing the risk of running a site in a certain configuration.

[loudy_ca]

I really appropriate your help, but is there any way to solve this issue in Joomla 2.5?

[sozzled]

I really appropriate your help, but is there any way to solve this issue in Joomla 2.5?

Firstly, I have to agree with @mbabker that the "big issue" here is the expectation among some people that this forum can continue to provide "support"—whatever this may mean—that (a) is reliable and (b) can be continued for out-of-date versions of software.

Each day I see requests from people to assist with problems they have with outdated versions of Joomla—antiquated versions that have been discontinued for several years. The big issue in my mind is that J! 2.5 still continues to be used by people and, in spite of the numerous warnings that have been issued over the years, the message just doesn't seem to filter through the resistance—the refusal (it seems)—to heed the advice given by those of us who have long ago taken the decision to move with the times.

I understand the pain that people might feel when they realise that their work—their businesses—are exposed, threatened by the risk that, sooner or later, they may lose everything.

You've asked if there's any way to solve the "issue in J! 2.5". I don't know if there's any better way to solve the problems other than to seriously consider migrating from that version to the security, the safety and the support that we can give to people who now use J! 3.6.5. This may not sound very sympathetic but, believe me, the decisions don't get any easier the longer people wait.

For what it's worth, good luck. I mean that sincerely.

[loudy_ca]

Hi sozzled,

Thank you for your help, I'm really considering to migrate to J3, but when I just did the upgrade my site went blank, so I removed all plugins and extensions, except the core still getting lots and lots of error.

Now I'm think to re do everything from clean version of Joomla 3. as it seems I will never be able to migrate from J2.5 to 3.

[sozzled]

I'm really considering to migrate to J3, but when I just did the upgrade my site went blank

Once upon a time (back in the early days of J! 3.x), there was a feature known as the one-click migration to help people who wanted to migrate their J! 2.5 sites to J! 3.x. To be honest with you, I can't remember much about it because it occurred several years ago. I don't even remember what version of J! 2.5 this feature came with. If you're not using J! 2.5.28 then you may find yourself in trouble.

Now I'm think to re do everything from clean version of Joomla 3.

This may prove to be a wise decision. You may find some parts of your existing J! 2.5 website are still salvageable but bear in mind

a) J! 2.5 template extensions are incompatible with J! 3.x;
b) J! 2.5 articles are stored in a database form that is "incompatible" with J! 3.x; in other words, you may need to do a cut-and-paste job if you cannot migrate your site from J! 2.5 to J! 3.x;
c) J! 2.5 users are, likewise, stored in a database format that's incompatible J! 3.x;
d) If you have the original installation kits for your J! 2.5 extensions (i.e. modules, plugins and components) you will probably find that they won't install in J! 3.x; and
e) you will be able to transfer any images (or other media files) from your old site to your new J! 3.x site without having to do any modification to them.

Lastly, depending on how important your J! 2.5 site is to your business, you may find it worth your while giving the responsibility (and the "worry") to a professional to undertake the migration on your behalf.

[Webdongle]

I really appropriate your help, but is there any way to solve this issue in Joomla 2.5?

Yes but that would just be putting a sticking plaster on it. If you are not updating then your 3rd party extensions (for whatever reason) could become or could already be vulnerable. 'You pays your money and takes your chance' ... if you pay for custom extensions without planning for updates then you have a few choices to make.

• You can pay to have those custom extensions to be updated
• You can pay to have new custom extensions
• You can keep running old vulnerable software

And that does not apply only to Joomla it applies to php versions too. Eventually your php version will become unsupported/vulnerable and your custom extensions will not be able to run on the newest php version.

[HelpJ]

And dont forget...Joomla 4 is coming next year.

[Bettinz]

I think that an old but updated version is still better than an old and outdated version.
Moving from 2.5.x to 3.x wasn't easy and it's not easy for a lot of people: plugins incompatibility, templates, etc.
I'm not here to discuss about the right decision of J! to move forward, but there are a lot of websites out there and leave them insecure for a matter of principle, in my personal opinion, is a mistake (we're talking about 1 update every year).
There is a patch released from virtuemart team: I've read it's for testing purpose and under testing, but better than nothing. Make a backup before update:
https://dev.virtuemart.net/attachments/ ... 4PATCH.zip

[kjkhere]

that's how it looks:

Version 3 is used by 47.8% of all the websites who use Joomla.
https://w3techs.com/technologies/detail ... la/all/all
W3Techs.com, 15 December 2016

[sozzled]

Version 3 is used by 47.8% of all the websites who use Joomla.

I don't believe it. In fact, to claim that 52.2% of all Joomla websites are using J! 1.x, J! 2.5 is totally absurd!

Well, here are the facts:

1) W3Techs surveys do not include subdomains
2) Only the "top 10 million" websites rated by Alexa are used in the survey.

The second point is very important: there are over 1 billion websites in the world and therefore W3Techs surveys less than one percent of all of the websites and only the "top-rated" sites as well!

As we all know, anyone can create a website and most of these sites never "rate" very highly by Alexa (if that means anything to anyone). Therefore the claim that "47.8% of all websites that use Joomla" use J! 3.x is totally misleading because claim is based on a tiny sample of all sites that predominantly (i.e. 92.8% of the "top Alexa-rated sites") use something other than Joomla anyway.

[leolam]

Just to be as blunt as Micahel was in his post. We won't patch joomla 2.5 since it is End of Life since 2014. This will not be considered in any way not by the Joomla PLT, not by the Security Strike Fore (of which Michael is Team Lead) and not by the CMS-Release Team.

You will need your custom components ported to Joomla 3-versions (which is not that hard if proper coded). You cannot hold to the past. Joomla 3.7 will be coming soon and we are already defining Joomla 4. Besides that hanging on to EoL-software is holding you back from utilizing all the new goodies we have introduced and stops you from running newest technologies as outlined above

You simply have no choice and need to migrate. Enough companies to assist you with that very rapidly

Leo

[EvanGR]

There is a patch released from virtuemart team: I've read it's for testing purpose and under testing, but better than nothing. Make a backup before update:
https://dev.virtuemart.net/attachments/ ... 4PATCH.zip

Thank you.

Could you please point us to the discussion forum for this patch? (if any)

[leolam]

Don't trust patches that re "out-in-thew-wild" Upgrade your extensions and migrate to Joomla 3.6.x. Mind these kind of patches have not been tested by the Joomla Team(s) (nor won't they be tested) so you take a huge risk

Leo

[StefanSTS]

I still have customers running Joomla 2.5.
I don't force them to update, since the risk for Joomla 2.5 being hacked is very low.

Thank god, it is Open Source.

Wonder what the company name "Open Source Matters" actually means. What matters seems to be, giving old reliable software a bad name to be able to push people into "the most amazing features". Wonder what saying that about your old work actually means for the new one?!

Maybe it is just, that this way, more work for companies is generated that update Joomla, and maybe for "security companies" that always react quickly on the newly introduced vulnerabilities in Joomla 3.

Yes, we all have to live from some work, but generating that work artificially by blocking open source software to be patched?

I have heard that "unsecure argument" so many times, but still nobody ever produced any proof. Except for the three fixes in the last three years that were easy to implement and found in J 3 too.

But you are the experts, if you say, Joomla 2.5 is not secure you must be right and I am just phantasizing.

Loving the idea that PHP 5.6 gets fixes for the next two years and my customers can still run their pages for at least another two years, saving them five years of investment for a new site altogether, even if Joomla 2.5 is End Of Life.

What a great open source software, thanks to all the hackers that hardened the J 2.5 core in the old times to make it almost invincible.

Stefan Schumacher

[Webdongle]

I have heard that "unsecure argument" so many times, but still nobody ever produced any proof.

Plenty of proof that insecure sites are hacked and with your attitude towards security it will not be long before you experience that proof first-hand.

Loving the idea that PHP 5.6 gets fixes for the next two years

Joomla 2.5 was supported for 2 years. Joomla 3 has been supported for over 2 years

[StefanSTS]

Plenty of proof that insecure sites are hacked and with your attitude towards security it will not be long before you experience that proof first-hand.

I am hearing that now for two years, no first-hand experience on hacked J 2.5 sites that my customers run. I even have colleagues that have customers with J 1.5, running safely for many years.

My attitude towards security is to provide the best security to my customers for any version they are running. No Joomla 2.5 site hacked until now, that is a good attitude towards security I would say. Again, thank god, it is Open Source and you do not rely on a specific person or company.

I had to clean up J 3 sites though that did not update fast enough. Thank god there were good enough backup strategies in play. Still I recommend using Joomla 3.x for new sites, even if there were problems. But I cannot say it is safer to run J 3.x or J 2.5. It is a bit like roulette where the ball gets caught next. So if my customer wants to keep a J 2.5 site my customer can do that quite safely, anyway a backup strategy has to be in play.

Loving the idea that PHP 5.6 gets fixes for the next two years

Joomla 2.5 was supported for 2 years. Joomla 3 has been supported for over 2 years

It does not seem you got my point of what I was saying.

[Bettinz]

Websites cost a lot of money for customers. So it's easy to understand why they want to stay with current cms. Let me be more clear:
Joomla 3 was released 27/09/2012, but as you know, a lot of extensions weren't compatible. Also, the experience teach to not rely on early released software. So probably a developer wait for 3.1 or 3.2: we're talking about April-November 2013.
I remember a lot of people says: "don't use j! 3 because it's still unstable and there aren't extensions. Stay with j! 2 because it's tested and more compatible".
So I'm expecting at least 5 years of security support for a product that was still recommended in the middle of 2013. I don't understand why J! team is pushing for upgrade leaving users without updates: I want to be clear, I understand the importance of new features, etc. but we're talking about users that doesn't upgrade websites for many reasons. Forget that users will only left insecure websites. There isn't a word about joomla 2.5 on website news or EOL page. 2.5.999 version isn't updated: don't you want to port a patch? Fine. But let users know about the patch created by virtuemart team.
The lifecycle of j! 2.5 was less than 3 years (01/2012-12/2014). J!3 it's pretty new (just 3 years ago). We're not asking to update J! 3.1, 3.2, etc. We're asking to listen users of a version left behind after just 3 year.
Can you see the problem here?

[Webdongle]

No Joomla 2.5 site hacked until now, that is a good attitude towards security I would say

That just mean that hackers have not taken advantage of your lax attitude of staying up to date. It does not mean that your sites have been secure. Now that you have been hacked then your site(s) will be on lists for hackers. So there will be many more hack attempts which in turn will result in higher successful hacks on your site(s)

I had to clean up J 3 sites though that did not update fast enough. Thank god there were good enough backup strategies in play.

Well that just shows that you should keep your sites up to date as soon as you can. A for using backups to replace hacked sites that just shows your ignorance of security. Hacks can be on a server for months (even years) before their affects are noticed so restoring a backup just replaces the original hacks. Besides which restoring a backup does not eradicate the cause of the hack. Backups are for replacing lost or damaged files not for curing hacked sites.

But I cannot say it is safer to run J 3.x or J 2.5

I can because the vulnerability that was fixed in J3 was not (and will not be) fixed in J2.5. And that makes J2.5 vulnerable.

We're asking to listen users of a version left behind after just 3 year.

Some people live in the past where static websites could be left untouched for years. That' fine for sites that are static but dynamic websites (like many other thing in life such as cars, washing machines) need regular maintenance.

Can you see the problem here?

Yes ... website designers/creators and their customers are expecting more dynamic/interactive websites without realising that those types require more maintenance than less (or non) interactive websites. As a result (designers/creators and their customers) are failing to allow for that in their business model. Which leads them to expect developers to patch obsolete versions to compensate for the failure by designers/creators and their customers to recognise their own responsibility for updating the dynamic/interactive websites that they require.

If designers/creators and their customers want dynamic/interactive websites then they must accept the responsibility (of staying up to date) that goes with wanting a website that they can alter themselves.

In short:
Designers/creators and their customers have a choice. Either they can have a static website and charge/pay every time they want to change something or they can have a dynamic/interactive website and keep it up to date.

[leolam]

The lifecycle of j! 2.5 was less than 3 years (01/2012-12/2014). J!3 it's pretty new (just 3 years ago). We're not asking to update J! 3.1, 3.2, etc. We're asking to listen users of a version left behind after just 3 year.
Can you see the problem here?

A lifecycle of a version (!) of 3 years is pretty long in software. Also we allowed 2 years for extension developers to update their extensions. It is not a Joomla issue but extension developers not doing their job properly by not upgrading their extensions and make sure their crap is (not!) BC.

All developers are informed about changes and codes enhancements through the Joomla developer channels. They don't follow up on information .....blame them and not Joomla. We inform them months if not years in advance.

I am hearing that now for two years

So why did not you update your sites knowing we would no longer support outdated (EoL) versions?

if my customer wants to keep a J 2.5 site my customer can do that quite safely

Which is a complete wrong understanding from reality. The latest security issue (which have been patched with joomla 3.6.5.) are very much present in Joomla 2.5 and even in Joomla 1.5. so you 'assumption' based on lack of knowledge of the actual situation and you have a complete wrong understanding of your 'warm and cozy' environment for these Joomla versions (which are again EoL and no longer supported by us). I cannot state more in detail but Joomla 2.5.xx is completely vulnerable at present. (so upgrade to Joomla 3.6.5 which patches these issues)

The only problem I see here is that when we inform the Community that on day 'xyz' in 'year xyx' to come (very far ahead) we will seize support and people like yourself are not upgrading or replacing their stuff and afterwards blaming the Project. The EoL support message was posted over 14 month ahead of actual stoppage of Joomla 2.5-support.

People do not listen and do not care and that is the merit of your post and that is the problem I see (!) The title of this thread is ill formulated and should read " Why did we ignore all warnings to upgrade to Joomla 3.x" (for many years)

Cheers

Leo

[sozzled]

The only problem I see here is that when we inform the Community that on day 'xyz' in 'year xyx' to come (very far ahead) we will seize support and people like yourself are not upgrading or replacing their stuff and afterwards blaming the Project. The EoL support message was posted over 14 month ahead of actual stoppage of Joomla 2.5-support.

The main problem and, in my opinion, the truly big issue here is the continuation of "support", the expectation by most forum users, that their questions about old, out-of-date, vulnerable and unsupported software can be fixed, patched, band-aided, repaired/cured, etc. simply by asking. The main problem, as I see it, is to allow unfettered access to people in this forum to ask for maintenance support for products that are long past their due date. By all means, let's help people to migrate to the latest current releases of product; let's continue to warn and advise about known risks/vulnerabilities and genuine problems. But, in my opinion, offering this forum as a kind of "refuge" to those who are tossed in a storm in a leaking lifeboat is not helping the Joomla project.

If people are to believe that J! 1.x and J! 2.5 are old, vulnerable, unsupported, past their use-by date, etc.—and, from the comments posted in this topic, there are people who do not share this belief—then let us be rid of the forum categories that offer hope, comfort, refuge, etc. I realise this may sound uncaring and unsympathetic but isn't it time we cut the anchor chain that's holding the project back from moving forward? Isn't this really the big issue, the elephant in the room, that no-one wants to see or discuss?

[leolam]

We have no anchor chain at all. We (the Joomla project) have stopped all support for EoL versions including 2.5 now for over 2 years. We have communicated over and over again that we won't further support. Actions by Virtuemart releasing (NOT_SUPPORTED!) security patches (are they secure?) for Joomla 2.5 (a few days ago) are irresponsible and do not help the project but are purely for VM-commercial/marketing gains imho and do not cover (by reviewing the patches) the security breaches.

We are not offering in any form a safe heaven in these forums. I keep telling people I won't address their issue if they do not follow advise. You have a component that works at present only on Joomla 2.5 and therefor cannot upgrade? BS.....Any skilled developer can port a Joomla 2.5 specific component/extensions easy to Joomla 3 so no excuses.....

Just mini-migrate (!) Users should be aware they have no choice

Leo

[StefanSTS]

That just mean that hackers have not taken advantage of your lax attitude of staying up to date. It does not mean that your sites have been secure. Now that you have been hacked then your site(s) will be on lists for hackers. So there will be many more hack attempts which in turn will result in higher successful hacks on your site(s)

Lax attitude has nothing to do with keeping an old version safe, just the opposite.
Riding on the scenario that "your sites" have been hacked you try to say what? The sites that I take care of have not been hacked, by you repeating that over and over it does not change. That is because I don't have a lax attitude. Your attitude seems to be to put words into play to make the others look irresponsible or worse. Well, using these techniques says just enough about you.

I had to clean up J 3 sites though that did not update fast enough. Thank god there were good enough backup strategies in play.

Well that just shows that you should keep your sites up to date as soon as you can. A for using backups to replace hacked sites that just shows your ignorance of security. Hacks can be on a server for months (even years) before their affects are noticed so restoring a backup just replaces the original hacks. Besides which restoring a backup does not eradicate the cause of the hack. Backups are for replacing lost or damaged files not for curing hacked sites.

I was not talking about my sites, I was talking about sites of people who came for help. A backup is a very good thing to restore hacked sites. You can restore clean backups, update or fix the vulnerability, and put it online in little time.
Same thing for J 3 and J 2.5. If you don't know how to be sure your backups are clean you can come over for a workshop if you like.

But I cannot say it is safer to run J 3.x or J 2.5

I can because the vulnerability that was fixed in J3 was not (and will not be) fixed in J2.5. And that makes J2.5 vulnerable.

If you can say, for you, J 3.x is safer to run then you should do that.
Of course with this blocking behaviour and not even a bit of help by providing or spreading a fix (which would take minimum effort) it makes Joomla 2.5 vulnerable for many members of the community. A minimum effort to read a few lines of code and adding links could help. But I see what is happening and J 2.5 users have to live with that.
Thank god, some people still care about the users and offer reasonable help.

[mbabker]

So let a company with an invested interest provide long term support for unsupported software versions for those who need it. Either way, Joomla can't keep patching unsupported releases; at some point a line has to be drawn by the project otherwise why bother declaring the software unsupported?

It'd be the same argument if someone were groaning on the WordPress forum that a WP 3.2 install wasn't receiving support or Drupal with 5.x or 6.x. End of support generally means the main project isn't providing support any longer, but that doesn't stop third parties from doing something of their own accord.

[StefanSTS]

Users should be aware they have no choice

Depends who they ask, my customers always have the choice.

The fix was informally checked by a Joomla! member, so if you have good reason why it should not work feel free to speak and do a good deed for the community. But I guess that was a feint to raise your expert status.

So sad nowadays it's all about politics even in web world.

[sozzled]

We have no anchor chain at all. ... We are not offering in any form a safe haven in these forums.

Hmmm .... that's where you and I may have to politely disagree. While I agree that there is no official support for J! 1.x or J! 2.5, there is an expectation that help will be given to remediate problems that people experience (or are likely to experience) in those unsupported versions. As @mbabker put it:

I think a very bad precedent was set with the handling of security issues over the last few years and patching unsupported software. 1.5 support ended in 2012, 2.5 support in 2014. Yet each has received patches created by the security team but released under the name of a "community contributed patch" to respect the fact that we ended support for those versions and would no longer issue releases.

This has caused an expectation that now these versions will continue to be checked for security issues and patches issued to address them. It's unhealthy as that basically means the project is continuing to provide support for software it has decided does not receive support.

This is part of the "anchor chain" that I was referring to.

We've also had another discussion more recently about quarantining/archiving forum categories that relate to events and milestones in the project's history. I agree that there's a benefit to retain the historical information—allow it to remain so that information can be accessed by those who may require it—but I do not believe it is helpful to entertain new topics seeking assistance for problems that are only now beginning to surface long after the sun has set.

We, who have been using Joomla for a number of years and have actively engaged with the project, are unanimous in our agreement that J! 1.x and J! 2.5 (and, indeed, all versions of Joomla before the current stable, supported version) are unsupported, outdated, at risk of breakdown. Whether or not people choose to accept this collective wisdom is attested by their continued use and reliance of this forum to ask questions about "solving" problems with unsupported products, isn't it? That's the "safe haven" I was referring to.

But more importantly,

So let a company with an invested interest provide long term support for unsupported software versions for those who need it. Either way, Joomla can't keep patching unsupported releases; at some point a line has to be drawn by the project otherwise why bother declaring the software unsupported?

... and this casts a whole new perspective on the debate. What if an individual or a company offered "long-term support" for an outdated open-source product? Just suppose that were the case. And, suppose, the original development team had no knowledge of this additional after-life (supernatural?) "support"? And then this forum receives contributions from users of EOL versions referring to this "additional" service? The mind boggles as to where the discussions would proceed after that point.

[StefanSTS]

So let a company with an invested interest provide long term support for unsupported software versions for those who need it. Either way, Joomla can't keep patching unsupported releases; at some point a line has to be drawn by the project otherwise why bother declaring the software unsupported?

End of support generally means the main project isn't providing support any longer, but that doesn't stop third parties from doing something of their own accord.

Hi Michael,

that is exactly what I am saying, nobody wants the Joomla Team to do the work. Joomla said support is over, let it be over.
What is happening is that third parties try to provide a fix and then "experts" say only the latest release can be secure and only when the J! team is doing the work.
Ask around I bet a lot of the J! core people have customers with J 2.5 or even J 2.5 sites themselves, maybe even Michael Babker. ;-)

Wishing you a good day
Stefan

[Webdongle]

Lax attitude has nothing to do with keeping an old version safe, just the opposite

No lax attitude is expecting an old version to be patched instead of updating the version.

I was not talking about my sites, I was talking about sites of people who came for help. A backup is a very good thing to restore hacked sites. You can restore clean backups, update or fix the vulnerability, and put it online in little time.

The principle is the same where it's your site or someone else's ... backups of a hacked site are almost certainly backups of the original hack files. Your failure to either acknowledge or accept that fact shows your lack of knowledge. It probably also explains your failure to comprehend what is being told to you about keeping software updated. I will try to explain it one more time:

New versions not only add new features they patch the vulnerabilities and strengthen the code so that there less vulnerabilities in the future. But just patching outdated versions does not fix the problem of the code being unstable.

Disagree with that all you want ... fail to comprehend it ... ignore it ... and you will have continually more and more problems with your sites.

[StefanSTS]

backups of a hacked site are almost certainly backups of the original hack files. Your failure to either acknowledge or accept that fact shows your lack of knowledge. It probably also explains your failure to comprehend what is being told to you about keeping software updated.

Really? My backups start with the site that is build on the original files of a Joomla installation package. From that point it can have vulnerabilities, but no hacks. (Maybe exept for the swf-hackfile that Joomla delivered for some time.)
There are easy ways to keep track of the integrity of the files in the backup. You don't even need to know the server functions anymore. There are ready made extensions that help you with that if you don't know how to do it in the console.

"Failure to comprehend of what is being told". Yes, there is definitely a problem, if people with agendas tell me things they call their gods. Old is bad, new is good. Amen. Don't think, this is the only way. Amen.

New versions not only add new features they patch the vulnerabilities and strengthen the code so that there less vulnerabilities in the future. But just patching outdated versions does not fix the problem of the code being unstable.

As we could see clearly in the past new versions also introduce new vulnerabilities which made them more unstable than the old versions, there is no doubt in that. The open for everything JUser model is/was? just one example.

Outdated versions are not unstable, they can become a problem, if you use them without patching. A well patched J 2.5 (or J 1.5) is at least as safe as the most recent J 3.x, if it is run on a safe server configuration which with the extension of the support for PHP 5.6 is very well possible for the next two years.

Disagree with that all you want ... fail to comprehend it ... ignore it ... and you will have continually more and more problems with your sites.

As I said, I hear all that for years now, no problems with the J 2.5 sites that are patched, safe and sound, as much as "experts" try to tell the opposite they fail to get hacked. That is the only failure till date.

Some of you that say: "This is the only way" should consider to change to proprietary software. Your agenda will be very welcome.

From my site: "Long live Open Source"
Stefan