Blinding with science?

Discussion in 'Joomla Support' started by Mike W, Oct 11, 2013.

Thread Status:
Not open for further replies.
  1. Mike W

    Mike W UKBF Ace Full Member - Verified Business

    A client has received the following from his web design co/host.

    Is it true or is he being bs'd into spending more money?

    ---------------------------------------------------
    PLEASE NOTE: Your site isn't currently hacked but is flagged as suspicious because it's running version 1.5.

    We want to inform you that your website has been compromised by hackers again due to running an outdated version of the Joomla CMS system. When your website was developed some time ago the latest version at this time was 1.5 (green admin). For over 2 years there has been no ongoing support with security patches and updates which makes the website admin very vulnerable. It is not difficult to compromise any outdated software online but there is a permanent and highly recommended fix.

    The current supported recommended version is 3 (blue admin) and is a very much improved system now with built in Joomla version updates and security patches so you never need worry if the system becomes outdated again. Below are some answers to frequently asked questions to help you understand exactly what this means:


    Why has my CMS version become outdated now?
    As with any software, over time technology and security improves and the system works better than old. Version 1.5 was the latest available version when your website was developed some years ago.

    What are the risks of running 1.5 on my website?
    Your website is open to all hackers and your website will be compromised at some point again in the future. When software is out of date there are many ways to get into the file system and only these doors can be closed by having the latest version and security patches. It is not just the Joomla CMS that is vulnerable, it applies across every CMS platform available that is outdated.

    What are the costs and timeframe for a migration?
    It's highly recommended all businesses upgrade/re-design their website at least every 3 - 5 years. A migration is needed to ensure your website is 100% secure but you can also opt for a complete re-design should you think you need this. You have three options... etc

    -------------------------------------------------------

    As an aside, they're really garbage designers, so he'll ultimately be better going elsewhere, but I just wanted to check this out first.

    Thanks

    Mike
     
    Posted: Oct 11, 2013 By: Mike W Member since: Aug 19, 2010
    #1
  2. GooKing

    GooKing UKBF Newcomer Free Member

    Yes, it is a legit reason (but check how old your version is).

    Like any bit of software, it gets improved and upgraded all the time. For web based software this is especially critical as hackers find security holes, then they get fixed. If you don't update with the fixes your site is potentially at risk.

    It's worth checking the Joomla site for the fixes list, as there may be some business benefits too, such as improved functionality.


    This can be a complex job, especially if you use a lot of add-ons or custom coding.
     
    Posted: Oct 11, 2013 By: GooKing Member since: Aug 25, 2009
    #2
  3. StevensOnln1

    StevensOnln1 UKBF Big Shot Free Member

    I've seen a few Joomla 1.5 sites being hacked recently, it's definitely worth upgrading.
     
    Posted: Oct 11, 2013 By: StevensOnln1 Member since: Dec 10, 2011
    #3
  4. Mike W

    Mike W UKBF Ace Full Member - Verified Business

    His site was only done a couple of years ago. No idea how much he paid (they should have paid him, it's so bad), but they're now asking a further £400 to upgrade it.

    He won't be paying it - he's going to need a new site (which I need to find someone for) - but any idea if that's a reasonable amount? Sounds a complete rip-off to me ....especially as they effectively set him up for it 2 years ago.
     
    Posted: Oct 11, 2013 By: Mike W Member since: Aug 19, 2010
    #4
  5. 200host_Steve

    200host_Steve UKBF Newcomer Free Member

    £400 seems a rather large amount to charge for an upgrade.

    Joomla are currently on 3.1.

    Going from 1.5 to 3.x isn't as easy as going from 2.x up to 3.x. But shouldn't be too much hassle. As long as a backup is taken in case of an issue.

    Rgds
    Steve
     
    Last edited: Oct 11, 2013
    Posted: Oct 11, 2013 By: 200host_Steve Member since: Sep 28, 2013
    #5
  6. Faevilangel

    Faevilangel Website Critic Full Member

    400 is about right imho as to upgrade to V3 will need the theme redeveloped because V3 was totally rewritten from V1. It is a big job code-wise.
     
    Posted: Oct 11, 2013 By: Faevilangel Member since: Jun 29, 2009
    #6
  7. KM-Tiger

    KM-Tiger UKBF Legend Full Member - Verified Business

    There is nothing suspicious about running a 1.5 version, the key thing here is which 1.5 version?

    1.5.26 is the latest 1.5 version and anything earlier than that should be upgraded to 1.5.26, which is still considered stable.

    The upgrade beyond that should be done at some point, but not necessarily to a 3.x.x version as there is not, as yet, a 3.x.x LTS version, so it might be better to go to 2.5.14 which is the latest LTS.

    Joomla versioning is (perhaps too) complex. Some insight here:

    http://docs.joomla.org/Release_and_support_cycle
     
    Posted: Oct 12, 2013 By: KM-Tiger Member since: Aug 10, 2003
    #7
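An added example (not part of any post in this thread) of the check post #7 describes: read the installed version and compare it with the releases named there. The version numbers are the October 2013 figures quoted in the thread; the `$RELEASE` / `$DEV_LEVEL` property layout of Joomla's `version.php` is an assumption, and the sample file text and function names are constructed for illustration.

```python
import re

# Figures quoted in the thread (October 2013); not current data.
LATEST_1_5 = (1, 5, 26)   # last 1.5 release
LATEST_LTS = (2, 5, 14)   # latest LTS release

# Constructed sample of the two properties assumed to be in version.php.
SAMPLE_VERSION_PHP = """
class JVersion {
    var $RELEASE    = '1.5';
    var $DEV_LEVEL  = '22';
}
"""

_PROP = re.compile(r"\$(RELEASE|DEV_LEVEL)\s*=\s*['\"]([\d.]+)['\"]")


def parse_version(php_source):
    """Return (major, minor, patch) from version.php text, or None."""
    props = dict(_PROP.findall(php_source))
    if "RELEASE" not in props or "DEV_LEVEL" not in props:
        return None
    try:
        major, minor = (int(p) for p in props["RELEASE"].split("."))
        return (major, minor, int(props["DEV_LEVEL"]))
    except ValueError:  # malformed numbers or unexpected RELEASE shape
        return None


def advice(version):
    """Map a parsed version to the guidance given in post #7."""
    if version is None:
        return "unknown: version file unreadable, inspect manually"
    series = version[:2]
    if series == (1, 5):
        if version < LATEST_1_5:
            return "update to 1.5.26 now, then plan a migration"
        return "on the last 1.5 release: plan a migration to 2.5.14 LTS"
    if series == (2, 5):
        if version < LATEST_LTS:
            return "update to 2.5.14 (latest LTS)"
        return "on the latest LTS"
    if version[0] == 3:
        return "3.x: no LTS release yet according to the thread"
    return "series not covered by the thread, check the Joomla support cycle page"


if __name__ == "__main__":
    print(advice(parse_version(SAMPLE_VERSION_PHP)))
```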
  8. serverhouse

    serverhouse UKBF Contributor Free Member

    This is the Internet equivalent of someone knocking on your front door saying you need a new front door as this one is out of date and not as secure.

    Running the latest version doesn't make it totally secure, it just means there are fewer known vulnerabilities than the old version which may have a series of published vulnerabilities.

    It doesn't mean someone will break in or hack your site, just that it would be easier to do.

    Lots of phishing sites are hosted on hacked sites so more security is always better.

    As with any system (front door, home PC or website) you need to be aware of the risks and decide what you're happy with.

    There are certainly going to be older sites and weaker front doors than your own.

    Glad you have no intention of buying from people who solicit business like this.
     
    Posted: Oct 14, 2013 By: serverhouse Member since: Mar 23, 2012
    #8
  9. LouiseSwift

    LouiseSwift UKBF Newcomer Free Member

    This could be a good way for him to find better Joomla site developers from now on, too, as he could start by asking how they handle the necessary updates and if/what they charge when updates are due.

    The answers will give some insight into how concerned the web designers are about his long-term satisfaction with their work, which is always handy to know in advance. :)
     
    Posted: Oct 15, 2013 By: LouiseSwift Member since: Oct 15, 2013
    #9
  10. Baz Watkins

    Baz Watkins UKBF Enthusiast Full Member

    Joomla 1.5 has a few security issues, I've had to update a few websites to Joomla 3 recently due to user manager hacks, so it's not bad advice to do the upgrade. It can be done using JUpgrade, but it's not straightforward.

    As for the cost, that's all dependent on who's doing the upgrade, how much work they have to do and what they charge for doing it. £400 could be reasonable, it all depends...it's the proverbial piece of string.
     
    Posted: Oct 19, 2013 By: Baz Watkins Member since: Jan 3, 2011
    #10
  11. da8iwr

    da8iwr UKBF Newcomer Free Member

    The analogy is not correct and is showing you don't understand or know Joomla very well at all.

    Joomla has millions of lines of code, as time goes on, hackers find different exploits to get into the site. The bug and security teams in Joomla try to fix them and release updates as fast as possible.

    It is not just the core Joomla system that has these exploits, it is also the extensions that live within it. For example, the current version of the ecommerce system VirtueMart will only work in Joomla 2.5 (and soon J3.X). This means the older versions of VirtueMart, which have many bugs and exploits, are being used in J1.5; this is the same as the editors, plugins, modules, and many other types.

    I own 3 very large and extensive extensions, we won't add the security fixes to the older versions, why should we encourage people to use out of date software?

    £400 is about right, if not fairly cheap depending on what extensions it has. We charge about £495 to upgrade a standard Joomla and VirtueMart site, as that's 10 x £40 per hour... or one good day's work.

    So bringing it back to the incorrect door analogy above, it's not the door that is insecure, it's the door lock. The hackers have found the key cut/design which unlocks the door and are sharing the info around the internet on hacker forums. So any hacker can have a key cut and walk straight into the site and do whatever they want.
     
    Last edited: Oct 28, 2013
    Posted: Oct 28, 2013 By: da8iwr Member since: Oct 16, 2006
    #11
  12. Mike W

    Mike W UKBF Ace Full Member - Verified Business

    If not precise in the analogy, it's certainly close. A better analogy would be it's the internet equivalent to a dodgy car or double glazing salesman.

    £400 may be 'about right' if, and only if, you were made aware in the first place that '...every couple of years you're going to have to spend £400 simply to keep up to date'.

    How many Joomla sellers mention that when selling their service? Not all, without doubt. And certainly not in this case.
     
    Posted: Nov 2, 2013 By: Mike W Member since: Aug 19, 2010
    #12