Should we upgrade our vB 3.8.11 forum?

[RisingSun]

Hi everyone. So glad I discovered this community.

I'm one of the admins on the Rising Sun 4WD Club of Colorado forum. We stood up vBulletin in 8/2005 and it's been great for connecting with our local community of Toyota 4WD vehicle owners. Our stats:

Threads: 26,276 * Posts: 312,112 * Members: 2,084 * Active Members: 339
Most users ever online was 2,621 on 11-12-2013 at 09:26 PM.​

We're not a huge online community (and we don't want to be huge), but we have a tight-knit community of active users. We're running the latest version of the vB 3 series, 3.8.11. Our current install is a pretty standard, out-of-the-box configuration. We had a handful of plugins but we have since deactivated them. We do have some members-only sections of the forum as well as a section for club officers only, but I'm guessing that's pretty standard across most forums. It's working fine at the moment.

We don't need to update our forum, but I am concerned about a few things:

1. vBulletin has announced that 3.8.11 is the last version of the 3 series. It will never be updated again. It works fine now, but eventually it won't, and we will be forced to upgrade. I'd rather not wait until we're in a crisis to make a change. It would be better to make a thoughtful upgrade or transition when we have time to test and consider options.
2. Forums seem a little dated these days, I guess. I still find them incredibly useful and so do our club members. We're not looking to compete with Reddit and Facebook, and I'm not even sure we'd want to integrate with them. But we do want our forum to look modern so we attract new people to join our community. If we just stubbornly stay on 3.8.11, I worry that we're going to miss some guys who would be great additions to our club because we look like some ancient dead community.
3. vB 3.8.11 isn't mobile responsive. Using the website on a smart phone isn't a good experience. A number of club members use Tapatalk, but it's not wonderful either. Having a mobile responsive web version of the forum would be better. Ultimately, I'd prefer to have an app version of the forum so it works great.
4. There are probably other features we would love if we knew what they were!
   
5. Of course, I'm also concerned about breakage from upgrading or moving to a different platform. We don't have millions of users or posts, but what we do have is important to us.
6. Finally, it should be said that some of our club members are older (like me) and won't enjoy being forced to learn a new interface. The more the new web forum can still function like the old web forum, the better.

 

[LeadCrow]

Consider contracting a trustworthy freelancer experienced with migrations. As for commercially supported scripts (you'll want the guaranteed tech support to limit issues during the transition), your budget's the limit. Do note you might also need to upgrade your server or change webhost.

- Woltlab. Lowest total cost of ownership, as good as Xenforo, easier to manage.
- xenforo. The safe choice your users and staff will likely already be familiar with. Since you're running a naked install, prefer XF v2.x
- IPB. More expensive to run and keep updated, but most fully featured out of the box with many functions beneficial to the webmaster. 'Clubs' may appeal to folks who liked vbulletin 3's groups.

 

[koraldon]

If you are limited by budget, you can also consider phpbb - it is modern and free. However it has less features and styling options compared to the paid options.

 

[craigForo]

Knowing what you want for the site, or what your sites needs are is key, and it sounds like you have that met.

My first forum was vBulletin 3.8 and it worked well for us. Eventually we needed to upgrade, or rather wanted to upgrade to incorporate more features into our site. We did have to upgrade our server, and we went with vBulletin 5. I don't regret it.

I did pay for the installation service as I too wanted to not have any issues, and it was money well spent.

The look and feel will be familiar to your members as well.

There are not a lot of mods available out there but you will find glennrocksvb mods pretty neat if you indeed want to add some.

 

[RisingSun]

Consider contracting a trustworthy freelancer experienced with migrations.

This is a great idea, and we have the budget to get help. Where do I find the trustworthy freelance experts?

- Woltlab. Lowest total cost of ownership, as good as Xenforo, easier to manage.
- xenforo. The safe choice your users and staff will likely already be familiar with. Since you're running a naked install, prefer XF v2.x
- IPB. More expensive to run and keep updated, but most fully featured out of the box with many functions beneficial to the webmaster. 'Clubs' may appeal to folks who liked vbulletin 3's groups.

Any recommendations on how to evaluate the platforms? In terms of budget, we'd probably be OK with paying an annual license fee but it would need to be less than $1000/year. We don't make any income from our website -- it's just a community for our local club.

If you are limited by budget, you can also consider phpbb - it is modern and free. However it has less features and styling options compared to the paid options.

I know phpbb has been around for a long time. However, I think we'd be more comfortable buying into a commercial platform that has a financial incentive to keep their code up-to-date (security patches, etc). When we stood up our first forum back in 2003, we did so on a free platform. We got hacked a couple of times and then moved to vBulletin, which has been secure and stable.

We did have to upgrade our server, and we went with vBulletin 5. I don't regret it.

I did pay for the installation service as I too wanted to not have any issues, and it was money well spent.

Curious about your vB 5 forum. What features did you gain? Did you feel like you lost anything when you moved away from vB 3.8?

 

[zappaDPJ]

Moving from an old vBulletin platform that's using the stock style is going to unnerve a fair proportion of your regular membership because of the radical change in look and feel. A lot of members will obviously be very comfortable with the current site despite it's limitations and won't take kindly to change even when it's for the better.

My advice would be to take a look a XenForo first because it was written by the same developers who wrote the software you are currently using. It's obviously different but there will be some familiar areas which might help ease the way.

I would also take a slow approach to the migration. Explain to your members why there is a compelling need for change and perhaps start to post some details with images from a test migration (which you perform anyway), showing the advantages i.e. the responsive interface.

Hopefully by the time you go live members will be more familiar with the new site and it'll help ease the pain of change for them.

 

[craigForo]

Curious about your vB 5 forum. What features did you gain? Did you feel like you lost anything when you moved away from vB 3.8?

Our site is on an intranet.

What we gained was the Articles, Blogs, and Groups without any additional fees. The upgrade allowed us to move the company policy and procedures, workgroups, and think tanks all onto the one platform.

What did we lose? The calendar for a period of time, but that has since been re-introduced.

 

[mysiteguy]

Yeah, the latest version of php supported with VB 3.8 is PHP 7.1, and it's end of life is 13 months away so your forum is on borrowed time. If you're currently using PHP 5.6, upgrade to 7.1 ASAP, only 10 weeks left before it's end of life.

I generally prefer XF's interface over IPB, and its more familiar to VB users, but IPB isn't bad either and not that much different.

Concerning members getting upset, remember it's usually just a small number who like to moan about any changes. One large forum I migrated for a client in April with a core user base over 50 years old there was a little complaining, but maybe 10 people out of tens of thousands of members. Within a month or so even those voices quieted down as they became familiar with it. If we listened to the small minority in situations like this, we'd all be driving Ford Model-T's. Only when its a huge outcry with design changes would I be concerned, and I've yet to see that with a VB to XF/IPB migration.

 

[Anton Chigurh]

Yeah, the latest version of php supported with VB 3.8 is PHP 7.1, and it's end of life is 13 months away so your forum is on borrowed time.

Yes if his host arbitrarily upgrades the php version he's going to have some errors generated. I have noticed however that hosts seldom upgrade php just for laughs. Otherwise his installation will run indefinitely, just fine. There's still some really big boards as I have documented before, still running vB version 2. I admin a really large and super busy sports board that still runs vB 3.8.2 with no problems at all. 18 million posts, well over 220,000 members.

He has no compelling reason for his upgrade. As others have pointed out, if the membership as a whole likes what they have, and you're having no problems, don't upset the apple cart.

 

[Paul M]

Yeah, the latest version of php supported with VB 3.8 is PHP 7.1, and it's end of life is 13 months away so your forum is on borrowed time. If you're currently using PHP 5.6, upgrade to 7.1 ASAP, only 10 weeks left before it's end of life.

PHP will not stop working simply becasue of some arbitary EOL date that their devs made up.

Tons of sites are still running on earlier versions of PHP without any problems, its not a reason to rush into upgrading.

 

[mysiteguy]

I never said older versions of VB and PHP will no longer run.

However, it is a ticking time bomb to run the unmaintained software especially when its in widespread use. It becomes a target. When PHP 5.6 goes into unmaintained status in 10 weeks, and over half the web is still using it, what do you think iis going to become the largest target out there for hackers to try to find an exploit in? One they know will stay exploited for quite some time as hosts scramble to update millions of websites.

With all due respect, anyone who runs very old software on the Internet which no longer has support is playing Russian Roulette with their site unless they are able to mitigate security issues themselves. And just because a forum is large doesn't make it a good idea, it makes them a more appetizing target.

FWIW, about half a dozen security-related bugs impacting 5.6.x have been found just since last month and updates issued.

 

[Anton Chigurh]

Ahh yes, playing the hax0r card. OP needs to be aware when advice comes from someone who makes money on this kind of stuff, every car salesman says you need a new car and has 100 reasons why you do. When nine times out of ten, you don't.

 

[mysiteguy]

Ahh yes, playing the hax0r card. OP needs to be aware when advice comes from someone who makes money on this kind of stuff, every car salesman says you need a new car and has 100 reasons why you do. When nine times out of ten, you don't.

He doesn't need to believe me, or you. How about one of the top security notification lists, the CVE?
PHP security exploits patched by year:
2016 107
2017 43
2018 16

Take your innuendo that I make security recommendations based on income motives, and shove them. You don't know me, and cannot make that judgment call. It was totally uncalled for. I've been giving advice like this long before I started doing consulting work.

 

[Anton Chigurh]

Take your innuendo that I make security recommendations based on income motives, and shove them.

I certainly didn't mean it that way, and I'm sorry you took it that way. My apologies. I was calling back to your Model T example.

How about one of the top security notification lists, the CVE?
PHP security exploits patched by year:
2016 107
2017 43
2018 16

But honestly, it doesn't mean he stands any more risk of getting "hacked" than millions of other sites out there in the same boat. Plus, there's zero evidence that exploit patches make anyone safer from it - most of the exploits found were never used at any point. Fear of hacking really isn't all that valid of a reason to keep upgrading to the latest greatest thing. People fear the hax0r though, it does have a certain vanity appeal. The idea that little ole me can be the target of hax0rs, I MUST be important on the web!

I suppose it works though.

He doesn't need to believe me, or you.

Correct. He needs to make an intelligent, informed decision and has sought out advice. And part of my advice is, don't let fear of hax0rs drive your decision making.

 

[RisingSun]

My advice would be to take a look a XenForo first because it was written by the same developers who wrote the software you are currently using. It's obviously different but there will be some familiar areas which might help ease the way.

I would also take a slow approach to the migration. Explain to your members why there is a compelling need for change and perhaps start to post some details with images from a test migration (which you perform anyway), showing the advantages i.e. the responsive interface.

Hopefully by the time you go live members will be more familiar with the new site and it'll help ease the pain of change for them.

Good advice. Just being here on this forum makes me think that there is not a big learning curve using a Xenforo forum.

Our site is on an intranet.

What we gained was the Articles, Blogs, and Groups without any additional fees. The upgrade allowed us to move the company policy and procedures, workgroups, and think tanks all onto the one platform.

What did we lose? The calendar for a period of time, but that has since been re-introduced.

OK, thank you. I seem to recall that there was deprecated functionality in later versions of vB, but maybe that was only for a little while.

With all due respect, anyone who runs very old software on the Internet which no longer has support is playing Russian Roulette with their site unless they are able to mitigate security issues themselves. And just because a forum is large doesn't make it a good idea, it makes them a more appetizing target.

This is one of the reasons I want to explore this now. Thank you for your advice!

 

[we_are_borg]

Your first line of defense in security is making sure you are using up to date software so everything is patched. If something is EOL meaning no more security or other sort of patches you make sure you can upgrade to something that is not EOL. If you do not cover our basses all other security matters will fail because you left a hole open.

 

[mysiteguy]

I certainly didn't mean it that way, and I'm sorry you took it that way. My apologies. I was calling back to your Model T example.

It seemed to me I was being compared to a slimy car salesman. But it's water under the bridge

But honestly, it doesn't mean he stands any more risk of getting "hacked" than millions of other sites out there in the same boat. Plus, there's zero evidence that exploit patches make anyone safer from it - most of the exploits found were never used at any point. Fear of hacking really isn't all that valid of a reason to keep upgrading to the latest greatest thing. People fear the hax0r though, it does have a certain vanity appeal. The idea that little ole me can be the target of hax0rs, I MUST be important on the web!

I suppose it works though.Correct. He needs to make an intelligent, informed decision and has sought out advice. And part of my advice is, don't let fear of hax0rs drive your decision making.

In my opinion, anyone recommending software would be derelict if they didn't discourage using EOL software. Security should be a primary consideration. Check out haveibeenpwned.com, put in your email addresses and you'll be shocked by how many security exploits your data has been involved in, in large part due to a negligent attitude towards security.

Then there's the issue of liability. If for instance, an EU site gets hacked and the admin knowingly ran software with known unpatched security issues, how well will his defense that "fear of hax0rs didn't drive my decision making" go over with regulators? And in the USA, that will hurt his/her case if a user sued them. Back in 2013 more than 35,000 VBulletin sites worldwide were hacked due to the install folder vulnerability, sites of every size.

Not having up to date software is the #2 reason sites get hacked, behind weak passwords. This isn't about upgrading to the latest thing, it's about upgrading to something maintained. For instance, I wouldn't recommend someone upgrade Windows solely on it being an older version so long as security support was still available. When it goes end of life, however, I would recommend they plan to upgrade.

And importance on the web, well when you consider it usually takes anywhere from minutes to a few hours for a newly deployed server to start seeing automated exploit scans and brute force attacks... even the smallest sites are targets. I recently cleaned out a friend's 4-page business website for him because it had been defaced with porn links. The problem... unpatched software.

 

[Anton Chigurh]

In my opinion, anyone recommending software would be derelict if they didn't discourage using EOL software.

Agreed, if we're recommending software.

Back in 2013 more than 35,000 VBulletin sites worldwide were hacked due to the install folder vulnerability

Right, because they didn't follow the install instructions of removing that folder after install. Nothing there having anything to do with PHP version exploits, EoL considerations, and so on. Same with the "weak password" thing. Which as you know is cracking, not hacking.

Your first line of defense in security is making sure you are using up to date software so everything is patched. If something is EOL meaning no more security or other sort of patches you make sure you can upgrade to something that is not EOL. If you do not cover our basses all other security matters will fail because you left a hole open.

MIGHT fail. Millions of such "holes left open" but very small percentage of actual hacking happening. AND no guarantee it won't anyway, even if they religiously update everything, ride herd on it like a mother hen, they're still, vulnerable. A percentage point or two less maybe?

Check out haveibeenpwned.com, put in your email addresses and you'll be shocked by how many security exploits your data has been involved in, in large part due to a negligent attitude towards security.

Yep I've always been quite clean there. There's a big difference between negligent attitude and just plain ole ignorance.

 

[we_are_borg]

MIGHT fail. Millions of such "holes left open" but very small percentage of actual hacking happening. AND no guarantee it won't anyway, even if they religiously update everything, ride herd on it like a mother hen, they're still, vulnerable. A percentage point or two less maybe?

Well if you knowingly let updates slip you deserve to be hacked periode. Mostly you are in danger of being hacked because you lack updates this has been proven time and time again. Also people forget that security is stacking one measure on top of another then you make a wall, depending on one security measure is laughable at best.

 

[Anton Chigurh]

Well if you knowingly let updates slip you deserve to be hacked periode. Mostly you are in danger of being hacked because you lack updates this has been proven time and time again. Also people forget that security is stacking one measure on top of another then you make a wall, depending on one security measure is laughable at best.

Yeah well, when I was first starting out nearly 20 years ago, I used to listen to this type of "conventional wisdom" and would wring my hands, do every little "security upgrade" and still be sweating it. And preaching it to others like every other know-it-all. Then experience taught me that math is universal and your odds of getting "hacked," defaced, cracked, or otherwise compromised are really really small no matter what you do or don't do. Tens of Billions of sites, 1000s of events, small percentage. It's no longer something I sweat and that comes from experience. When the patches come I study them, and if I think they're valid I'll install them. If not, I don't. You might improve the odds by 0.02 percent? You're far more likely to suffer a hard drive failure on your host than you are suffering any security incident related to your platform upgrades or PHP version.

What I don't do any longer is let fear and paranoia about a less than one percent chance of an event, compel me to keep upgrading the platform to the latest and greatest. That's what the thread is actually about, anyhow. "Should I upgrade" and security considerations, though relevant, aren't high on my list considering the math. It's just not a compelling reason to throw the baby out with the bath water.

Well if you knowingly let updates slip you deserve to be hacked period

I never thought anyone "deserved" to be hacked. That's either just being a meanie or it's haughty superiorism. Do you look down on the masses of us who scoff at the security scares because we know the odds are ridiculously small? You think there needs to be more hacking, so long as it's people who "deserve" it? Obey the religion or you deserve the mean ole debbil getting you? I chuckle.