Risks of staying with Umbraco 8

Christoph
Tags: Umbraco CMS - Dec 12, 2023

Background

Towards the end of 2023 we reached out to our customers with websites on Umbraco 8 to highlight the end of support coming in February 2025 so they could start planning for the future of their websites.

While we would generally recommend a migration to Umbraco 13 (the current long-term support version of Umbraco), this is a significant undertaking that may not make sense for all our clients.

Why is it so difficult to migrate to Umbraco 13?
Unfortunately there is no direct upgrade path from 8 to 13, because the codebase was fundamentally rewritten in Umbraco 9 with the move to ASP.NET Core. While the content can be migrated, templates need to be adjusted and all custom code needs to be rewritten.

Most of our customers are in the process of either migrating or rebuilding their Umbraco 8 sites. However, some have asked about the risks of staying on Umbraco 8 while they get a bigger rebuild underway.

What happens if we pass the end-of-life date, can we still move after?

Yes, you can move your website from version 8 at any time; however, waiting until after the version becomes unsupported exposes your website to security risks in the meantime.

What happens after February 2025?

Websites built on Umbraco 8 will continue to work after February 2025, but the end of life means that any newly-discovered security issues would not be fixed.

Born Digital will continue to support your Umbraco 8 website should you choose to remain on that version for now, but some mitigation will need to be completed to lower the risk (see below).

Assessing the risks for your website

While we would never recommend having a website running on an unsupported platform or framework, we understand that there are cases where the price of a migration or rebuild is prohibitive and we want to assist you in evaluating the risks.

If you are considering retaining your Umbraco 8 website, we recommend that you carry out your own risk assessment.

First consider what is unique about your website:

  1. Do you have any integrations with key business tools?
  2. Are you collecting personal data from your users/customers/members?
  3. Are you taking payments for one off purchases or subscriptions?

We have compiled some specific risks to consider. Please note that this is not an exhaustive list.

Risk: Compromise of personal identifiable information (PII)

Impact: high

If your website collects or processes any PII data (most websites do), consider the type of data collected and how it is processed. Is your website integrated with other systems like a CRM or newsletter signup? What would happen if those systems were compromised?

The compromise of PII of your customers could lead to action by the Privacy Commissioner and would most likely damage your brand reputation.

Risk: Financial loss of your customers

Impact: critical

If your website has any e-commerce integration, a successful attacker may abuse the payment gateway to their financial gain.

Risk: Website abused to serve malware to your customers or your employees

Impact: high

If an attacker was successful in placing malware on your website, they could abuse your brand reputation to compromise either your or your customers' computers with ransomware or similar.

Risk: Website defaced

Impact: moderate

A successful attacker might abuse your website for their gain by serving ads or spreading misinformation.

Mitigating factors

There are some mitigating factors that already exist or are available as options.

Umbraco only infrequently has (publicly known) security issues; you can see a history of Umbraco security advisories. We believe it is more secure than some PHP-based open source CMS systems. However, while they are few and far between, a security issue could be discovered in Umbraco 8 at any time.

The underlying ASP.NET Framework the website runs on continues to be supported by Microsoft.

Further risk mitigation

If you would like us to continue hosting your Umbraco 8 website, the following steps should be taken to reduce the risks:

  1. Update to 8.18.7 or later (highly recommended): the website should be updated to the latest patch version of Umbraco 8 (8.18.x) to fix all known issues. The 8.18.7 patch release fixed a medium-severity security issue.
  2. Hosting separation (mandatory): if your website is on a shared hosting plan, this hosting will be separated out. In order to protect our customers, Umbraco 8 sites will not be hosted together with websites on a supported version of Umbraco (version 10 or newer). This may increase your hosting costs.
  3. Limit backoffice access (recommended): if your website doesn’t already have restrictions in place for accessing the backoffice (/umbraco), it should be restricted to your office IP address if at all possible. This may disrupt staff working from home, but can usually be mitigated with a VPN. Talk to your IT provider if this will be an issue.
  4. Turn off third-party integrations where feasible: any third-party integrations could expose those systems to risk if your website got compromised. If the integration doesn’t serve business-critical functionality, consider the removal of the integration.
  5. Restrict traffic to your website to your key markets only: if your business is only targeting New Zealand customers, it may be acceptable to restrict the website to users within New Zealand. While not a guarantee, it could lower the risk of exposure to malicious actors.
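As an added example (not code from the original post), the backoffice restriction in step 3 can be expressed in the site's web.config with the IIS IP and Domain Restrictions feature, which applies to Umbraco 8 sites running on ASP.NET Framework under IIS; the IP addresses below are constructed placeholders from the RFC 5737 documentation ranges.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- The rest of the Umbraco 8 web.config stays as it is; only the
       <location> blocks below are added. -->

  <!-- Applies only to requests under /umbraco: the backoffice UI, its
       login page and its backoffice API. -->
  <location path="umbraco">
    <system.webServer>
      <security>
        <!-- allowUnlisted="false": any client not explicitly allowed below is refused.
             denyAction="NotFound" answers 404 instead of 403, so the backoffice
             path is not confirmed to anyone probing for it (optional, IIS 8+). -->
        <ipSecurity allowUnlisted="false" denyAction="NotFound">
          <clear />
          <!-- Constructed placeholders: replace with your office and VPN egress addresses. -->
          <add ipAddress="203.0.113.10" allowed="true" />
          <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>

  <!-- Umbraco 8 routes public SurfaceController (/umbraco/surface) and
       UmbracoApiController (/umbraco/api) endpoints under the same prefix.
       If your front end uses them (e.g. contact forms), re-open those two
       paths so the rule above does not break public functionality. -->
  <location path="umbraco/surface">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="true">
          <clear />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
  <location path="umbraco/api">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="true">
          <clear />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

The IP and Domain Restrictions role service must be installed and the ipSecurity section unlocked in applicationHost.config (overrideMode="Allow"), otherwise IIS returns a 500.19 configuration error. If the site sits behind a load balancer or CDN, check which client address IIS actually logs before relying on this rule, since it may only ever see the proxy's address.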

What if my website got hacked?

Backups and restore

We have backups in place that would allow us to restore a website if the compromise was discovered within the retention period of the backups.

The restoration of a backup would involve some downtime; we are generally able to restore backups within 2-4h during business hours. However, the restored website would most likely get compromised again if the security flaw that allowed the attack wasn’t fixed.

Fixing the security issue

If a security issue is discovered, there is no guarantee that a fix will be available. Umbraco HQ may, at their sole discretion, supply guidance or even a patch. Without a publicly available patch, it should in theory be possible for the community or Born Digital to develop a fix thanks to Umbraco being open source. However, it might take a huge effort to discover and fix a security flaw.

Summary

While a website on Umbraco 8 will continue to work after February 2025, you need to consider the risks of staying on an unsupported version. Despite being built on a strong foundation, a security flaw in Umbraco 8 could be discovered any day. We have listed some specific risk examples, but you need to carry out your own risk assessment with the knowledge of your business.

Born Digital is here to help

Since 2015, Born Digital has been building, upgrading, migrating and re-building Umbraco websites, starting with version 7 of Umbraco.

As a team we have supported website projects across a range of requirements:

  • New Umbraco website design and development
  • Website upgrades / migrations / rebuilds to newer or current versions including minor and major releases
  • Inherited Umbraco websites that have been built by other agencies and delivered improvements in terms of administrative experience, performance, code, features, functionality or integrations
  • Migration of existing websites from other platforms such as WordPress to Umbraco CMS
  • Delivered simple brochure websites to complex multi-tenanted or multi language websites

Connect with our team today and we will guide, plan and support your website re-build. You don’t need to be an existing customer of ours; if you require a new Umbraco web agency, please get in touch.