Is Joomla 3.10 still going to be usable in security only mode? Elaborate on the meaning of this please.

[GODpleasers]

I got this message...

Warning

Joomla 3.10 has entered security only mode. Support ends 17 August 2023. Start planning to migrate to Joomla 4 today.

My question is Joomla 3.10 still going to be usable in security only mode? Elaborate on the meaning of this please.

Are you forcing people to have to upgrade before they are ready We have to many component that aren't ready for Joomla 4 yet. UIf you are that is not fair.

[abernyte]

No one is forcing you to upgrade to Joomla 4.
Joomla 3.10.x is supported until August 2023 although no new features will be added to J3 during this period.
All software has a finite life and Joomla is no different. If you are using old extensions in your J3 site that are incompatible with J4 then they will in all likelihood also be incompatible with PHP8.x, which is also a desirable change.
Start now and plan your upgrade path. You have ample time.

[GODpleasers]

No one is forcing you to upgrade to Joomla 4.
Joomla 3.10.x is supported until August 2023 although no new features will be added to J3 during this period.
All software has a finite life and Joomla is no different. If you are using old extensions in your J3 site that are incompatible with J4 then they will in all likelihood also be incompatible with PHP8.x, which is also a desirable change.
Start now and plan your upgrade path. You have ample time.

Ok, so will 3.10 still run even know it is not supported? and if so how long for?

And yes we have a lot that of extensions that will not run in php 8 or j4 which we are waiting on updates for. That is why we are not ready for j4 yet or php 8.

at any rate it takes time for all the extension makers to update them.

[sozzled]

No one is forcing you to upgrade to Joomla 4.

I agree 1000%: no-one (and I mean no-one) is forcing anyone to do anything. People, today, are still running J! 2.5 websites¹; some people are still running J! 1.x websites. If anyone was threatening to cut off life-support for websites that are still using anything before J! 3.10.10 then it would have happened years ago and, today, this forum would not welcome requests for information from people who still use those old, outdated, unsupported versions of J!.

There are currently only two supported versions of J!: J! 3.10.10 and J! 4.1.4. All other versions of J! are unsupported in a technical sense. Does that mean that all bugs will be fixed in those versions? No. Does this mean that these versions will receive updates that will enhance the current feature sets in those versions? No. Does this mean that new releases are guaranteed to occur at any time for either of these versions? No ... but it would be unlikely that these versions will be the end of J! as we know it.

What you can also do is to search Google for articles about what or who may be "forcing" the retirement of J! 3.x in August 2023. End-of-support just means that no-one will be fixing any software errors, vulnerabilities or bugs after the EOS date but it doesn't mean that your J! 3.x website(s) will capsize at midnight on 17-Aug-2023.

I have no immediate plans to migrate all of my J! 3.x websites to J! 4.1 (or J! 4.2 or possibly even J! 5.x) regardless of whatever EOS date exists. Who knows?

Does this help? Do you feel my comments have "elaborated" sufficiently?

______
¹ There's an interesting story about J! 2.5 that was supposed to have been retired in 2012 but it stayed around for another 2 years after the originally planned end-of-support date. I don't think that's going to happen with J! 3.x this time around, though.

[Webdongle]

...
Ok, so will 3.10 still run even know it is not supported? and if so how long for?

...

The answer is 'How long is a piece of string. A lot depends on how long your server allows older php versions when new versions come out. And how your 4rd party extensions cope with php upgrades that your Host makes.

[GODpleasers]

So what does security only mode mean? Please elaborate?

[sozzled]

As far as we know—we don't know much—J! 3.10 will be supported until 17-Aug-2023; that's—literally—all that we know!

I agree with @Webdongle's assessment that the lifespan of your website is unpredictable: your website may continue to operate in the same way as it already has for the next twelve months, twelve weeks, twelve seconds or twelve years depending on (a) what you do with it, (b) whether your webhosting provider continues to offer you services that underpin J! (e.g. Apache, MySQL, PHP, etc.), (c) how other software you're using is also maintained and (d) I suppose, whether you're still alive in the future to look after your website. None of us has a crystal ball; there are no guarantees.

However, in terms of the end of service manifesto, as promulgated by the J! CMS development team, is concerned, the viability of your website is not dependent upon whether you're using J! 3.10.10, J! 3.10.11 or whatever happens at one minute after the stroke of midnight on 17 August 2023.

The phrase "security-only mode" is used (without much explanation) in article I referred to in this post. I gave you my interpretation of the phrase in my earlier reply.

[Webdongle]

There was an exception to eol of Joomla. Sometime after J1.5 was no longer supported a zero day exploit of Joomla was discovered. Can't remember the current Joomla version at the time perhaps 2.5. The current Joomla of the time was officially patched. But there was an unofficial patch for J1.5.
viewtopic.php?t=902928 All inks now lead to language downloads now but a patch for the unsupported 1.5.26 was produced.

[Per Yngve Berg]

"Security only mode" means that the updates only contains security fixes, no bug fixing and new features.
You have one year left and the site of cause will operate after that date until it will fail from upgraded php versions.

You may get lucky or not (as J1.5 users got hacked by a discovered security hole after the support ended)

[sozzled]

"Security only mode" means that the updates only contains security fixes, no bug fixing and new features.

I agree.

You have one year left ...

I completely disagree.

[nicol]

Thanks for asking this question. Drupal end-of-life for D7 got delayed this year (and may be delayed again) after it was clear not enough sites had ported to D8/9 - I'm still hoping Joomla powers / Open Source Matters see the light and extend the cut-off date.

But assuming they don't, I would happily commit an annual donation to an Open Collective account for someone to provide security maintenance for J3.x or a branch of it (https://backdropcms.org/ is a community maintained branch of Drupal 7 fyi).

In the CiviCRM community we have put quite a bit of time and money into trying to make the J4 port work (https://lab.civicrm.org/dev/joomla/-/mi ... tab-issues) and after two years, there's still quite a few major blockers. Tbh it's a wonder that CiviCRM is still supporting Joomla given it's Civi's smallest userbase.

"All software has a finite life and Joomla is no different."

WordPress hasn't had one breaking update since v1. You can upgrade a v1 WP site to the latest version (albeit with a new theme). It's a decision in WP's architecture and management to have easy updates and is undoubtedly a part of their success.

For my own clients, I have to explain to them there's a cost for a major upgrade with no clear new featues I can promote to them, other than 'the codebase needed improving apparently'.

I've been thru Joomla upgrades from 1->1.5,-> 1.6/1.7->2.5,2.6,3.x but this is the first time I'm not sure I will. My clients are already out on a limb in their world in not using WordPress or Drupal, now I have to get them to pay for this migration, and convince them they shouldn't bother migrating to WordPress (with no breaking upgrades and Gutenberg) or Drupal (with Composer and Views) instead? I'm not sure I can. Maybe if J4 had a Views or Gutenberg or Composer, but I can't see anything there a client would appreciate. The only alternative I see is paying something each month to support a maintenance 3.x release is possible.

(PS - I appreciate the Joomla team puts in a huge effort, without pay, and I mean no disrespect in saying any of this. I'm really grateful for their work over the years and have defended Joomla for a long time. But I'm sure I'm not the only Joomla user considering jumping elsewhere if the J3 release ends next August.)

[sozzled]

@nicol

I've been thru Joomla upgrades from 1.0 → 1.5 → 1.6/1.7/2.5 → 3.x but this is the first time I'm not sure I will.

I agree.

... I'm sure I'm not the only Joomla user considering jumping elsewhere if the J3 release ends next August.

I sympathise with the sentiment but I think your observation will fall on deaf ears: the CMS development team is wrapped up in their own world with zero regard for what we ignorant consumers have to say about their product. I'm not planning on "jumping elsewhere" in August 2023 but I am seriously considering whether to remain in the webcraft development game.

[abernyte]

Drupal end-of-life for D7 got delayed this year

Dries has already offered his opinion that Drupal is unlikely to survive PHP8 EOL and will be fully SAAS by then. Who knows if that will transpire.

WordPress hasn't had one breaking update since v1.

Oh come on! WordPress did not cycle through the versions because they liked changing the number. The versions were EOL and the fact they achieved this without B/C break in some way explains the complex tangle it is now. All the plugins and themes that failed to make the version jumps make it no different to any other CMS.

now I have to get them to pay for this migration,

The basic answer to the OP remains the same. No one is forcing your clients to change to J4. Your complaint seems to be not with the quality or effectiveness of the J4 code but your ability to monetize it. That's okay. I get that you are running a business and need it to be profitable - but it is your clients decision to evaluate any possible risk and stay with J3 which will continue to work just fine for the foreseeable future.
It is more likely that the evolution of PHP will drive the need to change faster than any fatal weakness in J3, but I am not placing bets on either.
Is J4 perfect? No. Is it a good product? Yes. Should I drop everything and rush out and migrate from J3 to J4? Probably not (although it is not a foolish decision if you do). Should I start planning a future move to J4? Hell Yeah.

[Webdongle]

So long as you have your database you have your site. All the files do is put/get the data to from the database and display it on the screen. So if you get hacked you can rebuild the files then decide to look to fix the vulnerability or migrate to J4.

[nicol]

> So if you get hacked you can rebuild the files then decide to look to fix the vulnerability or migrate to J4.
(@webdongle)

That's not an option if you're hosting people's data, which both the J3 websites I need to deal with are.

> All the plugins and themes that failed to make the version jumps make it no different to any other CMS.
(@Abernyte)

If I took a Joomla 1 and WordPress 1 website, WordPress lets me upgrade within it to the current version, Joomla breaks at 1->1.5 and requires a port, and again at 1.5->1.6 (a little). This isn't point-scoring, just no doubt a big factor in WP success. Also, perhaps as changes are incremental, I've not yet had a WP upgrade that broke my theme/plugin.

All this said, Joomla 3->4 upgrade went much smoother than I expected. I have maybe been burnt by the Drupal 7 -> Drupal 8/9 experience. Being told which extensions to disable before was pretty good (an alert to upgrade Kuena to latest 5.x would have been cool as it's too late post-upgrade). Joomla4's error handling helped me debug some issues after upgrade, much nicer than in 3. I still find the UI brash, loud & not pleasant to spend a long time in, and some of the UX puzzling (why take things that were quite happy in a drop down menu and put them behind three navigation clicks?) but TinyMCE, for e.g. is pretty nice, and looking forward to exploring workflows.*

Doesn't make me happier about the whole thing – the cost of migrating CiviCRM to Joomla 4 is notable and still ongoing (and Joomla/Civi is a tiny subset of the Civi community), but we're getting closer thanks to Joe Murray & Monish Deb: https://lab.civicrm.org/dev/joomla/-/mi ... tab-issues. Now moving onto the Joomla+CiviCRM ecosystem: https://github.com/lcdservices/CiviCRM- ... /issues/14.

*I realise to anyone working on J4 - which has clearly been a lot of work - I sounds like an ungrateful brat user. I don't mean to be – I'm grateful for everyone's efforts, but my problem is that while this is a non-profit, community governed CMS, users didn't seem to get a say in the existence and timing of a breaking upgrade. Talk of porting the beautiful ISIS admin theme were ignored. There's been many years of feeling like a salmon swimming upriver against a downstream of WordPress and Drupal users laughing as I try and explain the advantages of Joomla ("the #1 Goldilocks CMS on the powerful<->easy-to-use spectrum" imho). Getting the CiviCRM community and core team to not drop Joomla was an achievement by the few of us who use both, to then get it rewritten for J4 was a big ask & investment. I appreciate there's an attempt at governance, by letting us vote for OSM members, but maybe ecosystem changing decisions should be put to community vote in some other way (Loomio.org / similar)

[GODpleasers]

Is Joomla! 3.10.11still going to be usable when its at the end of life stage?

I'm asking because we have several extensions we don't want to give up that we are waiting for a updates to make them compatible with j4.

[Webdongle]

> So if you get hacked you can rebuild the files then decide to look to fix the vulnerability or migrate to J4.
(@webdongle)

That's not an option if you're hosting people's data, which both the J3 websites I need to deal with are.
...

Yes it is because the data is in the database not the files

...
If I took a Joomla 1 and WordPress 1 website, WordPress lets me upgrade within it to the current version, Joomla breaks at 1->1.5 and requires a port, and again at 1.5->1.6 (a little). This isn't point-scoring, just no doubt a big factor in WP success. Also, perhaps as changes are incremental, I've not yet had a WP upgrade that broke my theme/plugin....

And also a reason why wp is more easily hackable than Joomla.

[sozzled]

Is Joomla! 3.10.11 still going to be usable when its at the end of life stage?

It doesn't matter what I or anyone else thinks: what do you think?

Some people today are still using J! 1.x to operate their websites, would you believe? People are running J! 2.5 websites; people are operating their websites using end-of-life software all over the world. So, it doesn't matter what I think. What do you think?

[nicol]

> "Yes it is because the data is in the database not the files"
@webdongle

Just in case someone reads this thread and takes this as advice.. any hacker with read/write/edit access to your files can access the database. The username and password for your database are sitting in plain text in configuration.php so anyone with access to your root server enough that they can write files, has access to your dbse.

[AMurray]

Just in case someone reads this thread and takes this as advice.. any hacker with read/write/edit access to your files can access the database. The username and password for your database are sitting in plain text in configuration.php so anyone with access to your root server enough that they can write files, has access to your dbse.

Additional to this comment, it's not unique to Joomla to have the db password in a plain-text config file. Many web application would use a similar technique.

The best advice is use strong passwords, change them frequently (including but not limited to your web-hosting account, FTP accounts, and databases).

[Webdongle]

...
Just in case someone reads this thread and takes this as advice.. any hacker with read/write/edit access to your files can access the database. ...

A few points to that you missed to say
1. When you delete all the files then there are no files to be able to access the database.
2. If they can access a server that has no site files then you have bigger server security issues that access to your database.
I have taken the time to write this post for the benefit of newbies who might be misled by your statement. I am sure you mean well but your statement was misleading because it failed to mention the above points.

So I say again

So long as you have your database you have your site. All the files do is put/get the data to from the database and display it on the screen. So if you get hacked you can rebuild the files then decide to look to fix the vulnerability or migrate to J4.

A few other things to consider
* If you follow the advice given in the forum (in multiple places) then you can clean the hack.
* Not all hacks have full access to your server or database.
* Out of those that do often not many will bother with the database. They will hide their hack and leech from your server.

[nicol]

A few points to that you missed to say
1. When you delete all the files then there are no files to be able to access the database.
2. If they can access a server that has no site files then you have bigger server security issues that access to your database.
I have taken the time to write this post for the benefit of newbies who might be misled by your statement. I am sure you mean well but your statement was misleading because it failed to mention the above points.

I'm not sure if this is a meant to be a joke, but can I check what you are saying..

1. Your site is running an old version of Joomla (or any web software). It's not had any security updates and known vulnerabilities exist in it.
2. Someone hacks into the site. They now have access to your database and can make a copy of it. Maybe they hang around snooping user logins to get the passwords, maybe they put a bunch of spam links in, whatever - they cause mess.
3. You notice your site has been hacked. You take it offline, change your passwords. You may now have legal obligations to notify people of a data breach.
4. And at this point, your suggestion is that by deleting files the problems from the hack has vanished: "when you delete all the files then there are no files to be able to access the database." But that's obviously meaningless if the hackers have already exported the dbse.

[Webdongle]

1. Your risk using unsupported software
2. What you said is rubbish because they can't do that if you delete the files
3. No point changing your passwords until you delete your files and eliminate the entry point of the hack. Notifying data breach is your responsibility for running unsupported software.
4.
*a. By deleting the files you prevent the hackers access to the database.
*b. By replacing the files with fresh ones you can access the database and change passwords, remove unauthorised users, remove vulnerable extensions etc. while the hackers still have no access to your site.
*c. You then have your site back, the hackers have no access because you locked them out and removed their back doors.

fyi
As soon as your site is hacked the hackers post the details in a hackers forum. Then other hackers then hack your site. By deleting the all the files on the server you deny the hackers access while you still have access.

[nicol]

For my own clients, I have to explain to them there's a cost for a major upgrade with no clear new featues I can promote to them, other than 'the codebase needed improving apparently'.

Logging back into this thread to correct my earlier statement above. There are a bunch of useful features - Accessibility support no other CMS comes close to, Workflows (also only a plugin for WP and Drupal), better Search, a nice looking TinyMCE, the Media Manager.

And the upgrade itself wasn't so much of a headache – beyond replacing old themes. Tho it took a long time to get CiviCRM Joomla 4 ready (last major fix was merged into CiviCRM Joomla last week: https://github.com/civicrm/civicrm-joom ... ee7feb45c8). We've also had to rewrite the Civi+Joomla Authentication plugin for J4: https://github.com/aydun/CiviCRM-CiviAu ... te/tree/j4 - thanks to two non-profit orgs who funded that

[guy_in_ohio]

Can I get a "yes" or "no" answer? Will the site still functionally run?

I have been trying for months to migrate two sites and just end up with countless errors. I could have redesigned the entire sites in J4 by now. It has been a total waste of time. I'm running 3.10.11

Thanks.

[gws]

Yes

[guy_in_ohio]

Thank you!