Should we upgrade our vB 3.8.11 forum?

Discussion in 'vBulletin' started by RisingSun, Oct 14, 2018.

  1. RisingSun

    RisingSun Aspirant

    13
    8
    +15
    Hi everyone. So glad I discovered this community.

    I'm one of the admins on the Rising Sun 4WD Club of Colorado forum. We stood up vBulletin in 8/2005 and it's been great for connecting with our local community of Toyota 4WD vehicle owners. Our stats:

    Threads: 26,276 * Posts: 312,112 * Members: 2,084 * Active Members: 339
    Most users ever online was 2,621 on 11-12-2013 at 09:26 PM.​

    We're not a huge online community (and we don't want to be huge), but we have a tight-knit community of active users. We're running the latest version of the vB 3 series, 3.8.11. Our current install is a pretty standard, out-of-the-box configuration. We had a handful of plugins but we have since deactivated them. We do have some members-only sections of the forum as well as a section for club officers only, but I'm guessing that's pretty standard across most forums. It's working fine at the moment.

    We don't need to update our forum, but I am concerned about a few things:
    1. vBulletin has announced that 3.8.11 is the last version of the 3 series. It will never be updated again. It works fine now, but eventually it won't, and we will be forced to upgrade. I'd rather not wait until we're in a crisis to make a change. It would be better to make a thoughtful upgrade or transition when we have time to test and consider options.
    2. Forums seem a little dated these days, I guess. I still find them incredibly useful and so do our club members. We're not looking to compete with Reddit and Facebook, and I'm not even sure we'd want to integrate with them. But we do want our forum to look modern so we attract new people to join our community. If we just stubbornly stay on 3.8.11, I worry that we're going to miss some guys who would be great additions to our club because we look like some ancient dead community.
    3. vB 3.8.11 isn't mobile responsive. Using the website on a smart phone isn't a good experience. A number of club members use Tapatalk, but it's not wonderful either. Having a mobile responsive web version of the forum would be better. Ultimately, I'd prefer to have an app version of the forum so it works great.
    4. There are probably other features we would love if we knew what they were!
    5. Of course, I'm also concerned about breakage from upgrading or moving to a different platform. We don't have millions of users or posts, but what we do have is important to us.
    6. Finally, it should be said that some of our club members are older (like me) and won't enjoy being forced to learn a new interface. The more the new web forum can still function like the old web forum, the better.
     
  2. LeadCrow

    LeadCrow Apocalypse Admin

    6,269
    1,232
    +2,065
    Consider contracting a trustworthy freelancer experienced with migrations. As for commercially supported scripts (you'll want the guaranteed tech support to limit issues during the transition), your budget's the limit. Do note you might also need to upgrade your server or change webhost.

    - Woltlab. Lowest total cost of ownership, as good as Xenforo, easier to manage.
    - xenforo. The safe choice your users and staff will likely already be familiar with. Since you're running a naked install, prefer XF v2.x
    - IPB. More expensive to run and keep updated, but most fully featured out of the box with many functions beneficial to the webmaster. 'Clubs' may appeal to folks who liked vbulletin 3's groups.
     
  3. koraldon

    koraldon Aspirant

    12
    3
    +4
    If you are limited by budget, you can also consider phpbb - it is modern and free. However it has less features and styling options compared to the paid options.
     
  4. Craigles700

    Craigles700 Participant

    99
    23
    +50
    Knowing what you want for the site, or what your sites needs are is key, and it sounds like you have that met.

    My first forum was vBulletin 3.8 and it worked well for us. Eventually we needed to upgrade, or rather wanted to upgrade to incorporate more features into our site. We did have to upgrade our server, and we went with vBulletin 5. I don't regret it.

    I did pay for the installation service as I too wanted to not have any issues, and it was money well spent.

    The look and feel will be familiar to your members as well.

    There are not a lot of mods available out there but you will find glennrocksvbglennrocksvb mods pretty neat if you indeed want to add some.
     
    Last edited: Oct 15, 2018
    • Like Like x 2
    • Appreciation Appreciation x 1
    • List
  5. RisingSun

    RisingSun Aspirant

    13
    8
    +15
    This is a great idea, and we have the budget to get help. Where do I find the trustworthy freelance experts?

    Any recommendations on how to evaluate the platforms? In terms of budget, we'd probably be OK with paying an annual license fee but it would need to be less than $1000/year. We don't make any income from our website -- it's just a community for our local club.

    I know phpbb has been around for a long time. However, I think we'd be more comfortable buying into a commercial platform that has a financial incentive to keep their code up-to-date (security patches, etc). When we stood up our first forum back in 2003, we did so on a free platform. We got hacked a couple of times and then moved to vBulletin, which has been secure and stable.

    Curious about your vB 5 forum. What features did you gain? Did you feel like you lost anything when you moved away from vB 3.8?
     
  6. zappaDPJ

    zappaDPJ Administrator

    6,367
    1,342
    +4,767
    Moving from an old vBulletin platform that's using the stock style is going to unnerve a fair proportion of your regular membership because of the radical change in look and feel. A lot of members will obviously be very comfortable with the current site despite it's limitations and won't take kindly to change even when it's for the better.

    My advice would be to take a look a XenForo first because it was written by the same developers who wrote the software you are currently using. It's obviously different but there will be some familiar areas which might help ease the way.

    I would also take a slow approach to the migration. Explain to your members why there is a compelling need for change and perhaps start to post some details with images from a test migration (which you perform anyway), showing the advantages i.e. the responsive interface.

    Hopefully by the time you go live members will be more familiar with the new site and it'll help ease the pain of change for them.
     
    • Agree Agree x 3
    • Like Like x 1
    • List
  7. Craigles700

    Craigles700 Participant

    99
    23
    +50
    Our site is on an intranet.

    What we gained was the Articles, Blogs, and Groups without any additional fees. The upgrade allowed us to move the company policy and procedures, workgroups, and think tanks all onto the one platform.

    What did we lose? The calendar for a period of time, but that has since been re-introduced.
     
  8. mysiteguy

    mysiteguy Devotee

    2,587
    887
    +1,833
    Yeah, the latest version of php supported with VB 3.8 is PHP 7.1, and it's end of life is 13 months away so your forum is on borrowed time. If you're currently using PHP 5.6, upgrade to 7.1 ASAP, only 10 weeks left before it's end of life.

    I generally prefer XF's interface over IPB, and its more familiar to VB users, but IPB isn't bad either and not that much different.

    Concerning members getting upset, remember it's usually just a small number who like to moan about any changes. One large forum I migrated for a client in April with a core user base over 50 years old there was a little complaining, but maybe 10 people out of tens of thousands of members. Within a month or so even those voices quieted down as they became familiar with it. If we listened to the small minority in situations like this, we'd all be driving Ford Model-T's. Only when its a huge outcry with design changes would I be concerned, and I've yet to see that with a VB to XF/IPB migration.
     
  9. Anton Chigurh

    Anton Chigurh Ultimate Badass

    1,165
    237
    +766
    Yes if his host arbitrarily upgrades the php version he's going to have some errors generated. I have noticed however that hosts seldom upgrade php just for laughs. Otherwise his installation will run indefinitely, just fine. There's still some really big boards as I have documented before, still running vB version 2. I admin a really large and super busy sports board that still runs vB 3.8.2 with no problems at all. 18 million posts, well over 220,000 members.

    He has no compelling reason for his upgrade. As others have pointed out, if the membership as a whole likes what they have, and you're having no problems, don't upset the apple cart.
     
  10. Paul M

    Paul M Dr Pepper Addict

    3,732
    1,127
    +2,059
    PHP will not stop working simply becasue of some arbitary EOL date that their devs made up.

    Tons of sites are still running on earlier versions of PHP without any problems, its not a reason to rush into upgrading.
     
    • Like Like x 2
    • Disagree Disagree x 1
    • List
  11. mysiteguy

    mysiteguy Devotee

    2,587
    887
    +1,833
    I never said older versions of VB and PHP will no longer run.

    However, it is a ticking time bomb to run the unmaintained software especially when its in widespread use. It becomes a target. When PHP 5.6 goes into unmaintained status in 10 weeks, and over half the web is still using it, what do you think iis going to become the largest target out there for hackers to try to find an exploit in? One they know will stay exploited for quite some time as hosts scramble to update millions of websites.

    With all due respect, anyone who runs very old software on the Internet which no longer has support is playing Russian Roulette with their site unless they are able to mitigate security issues themselves. And just because a forum is large doesn't make it a good idea, it makes them a more appetizing target.

    FWIW, about half a dozen security-related bugs impacting 5.6.x have been found just since last month and updates issued.
     
    • Like Like x 2
    • Winner Winner x 1
    • List
  12. Anton Chigurh

    Anton Chigurh Ultimate Badass

    1,165
    237
    +766
    Ahh yes, playing the hax0r card. OP needs to be aware when advice comes from someone who makes money on this kind of stuff, every car salesman says you need a new car and has 100 reasons why you do. When nine times out of ten, you don't.
     
  13. mysiteguy

    mysiteguy Devotee

    2,587
    887
    +1,833
    He doesn't need to believe me, or you. How about one of the top security notification lists, the CVE?
    PHP security exploits patched by year:
    2016 107
    2017 43
    2018 16

    Take your innuendo that I make security recommendations based on income motives, and shove them. You don't know me, and cannot make that judgment call. It was totally uncalled for. I've been giving advice like this long before I started doing consulting work.
     
  14. Anton Chigurh

    Anton Chigurh Ultimate Badass

    1,165
    237
    +766
    I certainly didn't mean it that way, and I'm sorry you took it that way. My apologies. I was calling back to your Model T example.
    But honestly, it doesn't mean he stands any more risk of getting "hacked" than millions of other sites out there in the same boat. Plus, there's zero evidence that exploit patches make anyone safer from it - most of the exploits found were never used at any point. Fear of hacking really isn't all that valid of a reason to keep upgrading to the latest greatest thing. People fear the hax0r though, it does have a certain vanity appeal. The idea that little ole me can be the target of hax0rs, I MUST be important on the web!

    I suppose it works though.
    Correct. He needs to make an intelligent, informed decision and has sought out advice. And part of my advice is, don't let fear of hax0rs drive your decision making.
     
  15. RisingSun

    RisingSun Aspirant

    13
    8
    +15
    Good advice. Just being here on this forum makes me think that there is not a big learning curve using a Xenforo forum.

    OK, thank you. I seem to recall that there was deprecated functionality in later versions of vB, but maybe that was only for a little while.

    This is one of the reasons I want to explore this now. Thank you for your advice!
     
  16. we_are_borg

    we_are_borg Moderator

    4,605
    807
    +1,800
    Your first line of defense in security is making sure you are using up to date software so everything is patched. If something is EOL meaning no more security or other sort of patches you make sure you can upgrade to something that is not EOL. If you do not cover our basses all other security matters will fail because you left a hole open.
     
  17. mysiteguy

    mysiteguy Devotee

    2,587
    887
    +1,833
    It seemed to me I was being compared to a slimy car salesman. :( But it's water under the bridge :)

    In my opinion, anyone recommending software would be derelict if they didn't discourage using EOL software. Security should be a primary consideration. Check out haveibeenpwned.com, put in your email addresses and you'll be shocked by how many security exploits your data has been involved in, in large part due to a negligent attitude towards security.

    Then there's the issue of liability. If for instance, an EU site gets hacked and the admin knowingly ran software with known unpatched security issues, how well will his defense that "fear of hax0rs didn't drive my decision making" go over with regulators? And in the USA, that will hurt his/her case if a user sued them. Back in 2013 more than 35,000 VBulletin sites worldwide were hacked due to the install folder vulnerability, sites of every size.

    Not having up to date software is the #2 reason sites get hacked, behind weak passwords. This isn't about upgrading to the latest thing, it's about upgrading to something maintained. For instance, I wouldn't recommend someone upgrade Windows solely on it being an older version so long as security support was still available. When it goes end of life, however, I would recommend they plan to upgrade.

    And importance on the web, well when you consider it usually takes anywhere from minutes to a few hours for a newly deployed server to start seeing automated exploit scans and brute force attacks... even the smallest sites are targets. I recently cleaned out a friend's 4-page business website for him because it had been defaced with porn links. The problem... unpatched software.
     
  18. Anton Chigurh

    Anton Chigurh Ultimate Badass

    1,165
    237
    +766
    Agreed, if we're recommending software.
    Right, because they didn't follow the install instructions of removing that folder after install. Nothing there having anything to do with PHP version exploits, EoL considerations, and so on. Same with the "weak password" thing. Which as you know is cracking, not hacking.
    MIGHT fail. Millions of such "holes left open" but very small percentage of actual hacking happening. AND no guarantee it won't anyway, even if they religiously update everything, ride herd on it like a mother hen, they're still, vulnerable. A percentage point or two less maybe?
    Yep I've always been quite clean there. There's a big difference between negligent attitude and just plain ole ignorance.
     
  19. we_are_borg

    we_are_borg Moderator

    4,605
    807
    +1,800
    Well if you knowingly let updates slip you deserve to be hacked periode. Mostly you are in danger of being hacked because you lack updates this has been proven time and time again. Also people forget that security is stacking one measure on top of another then you make a wall, depending on one security measure is laughable at best.
     
  20. Anton Chigurh

    Anton Chigurh Ultimate Badass

    1,165
    237
    +766
    Yeah well, when I was first starting out nearly 20 years ago, I used to listen to this type of "conventional wisdom" and would wring my hands, do every little "security upgrade" and still be sweating it. And preaching it to others like every other know-it-all. Then experience taught me that math is universal and your odds of getting "hacked," defaced, cracked, or otherwise compromised are really really small no matter what you do or don't do. Tens of Billions of sites, 1000s of events, small percentage. It's no longer something I sweat and that comes from experience. When the patches come I study them, and if I think they're valid I'll install them. If not, I don't. You might improve the odds by 0.02 percent? You're far more likely to suffer a hard drive failure on your host than you are suffering any security incident related to your platform upgrades or PHP version.

    What I don't do any longer is let fear and paranoia about a less than one percent chance of an event, compel me to keep upgrading the platform to the latest and greatest. That's what the thread is actually about, anyhow. "Should I upgrade" and security considerations, though relevant, aren't high on my list considering the math. It's just not a compelling reason to throw the baby out with the bath water.
    I never thought anyone "deserved" to be hacked. That's either just being a meanie or it's haughty superiorism. Do you look down on the masses of us who scoff at the security scares because we know the odds are ridiculously small? You think there needs to be more hacking, so long as it's people who "deserve" it? Obey the religion or you deserve the mean ole debbil getting you? I chuckle.
     
Verification:
Draft saved Draft deleted
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.