
Is your ExpressionEngine site a security risk?

Posted by: Karl Bowers

Most business owners do not spend much time thinking about whether their website is a security risk. The site is up, the admin panel works, and nothing has visibly gone wrong. The problem is that security vulnerabilities are not visible until they are being exploited, and by then the damage is already happening.

ExpressionEngine sites are a particular concern in this area, because a significant number of them are running on versions that have been out of support for years. If your site falls into that category, here is what you need to know.

How to check your EE version

Log into your ExpressionEngine control panel and look for the version number in the footer or under the system information section. If you cannot access your control panel, your hosting provider or a developer with server access can find the version in the EE configuration files.

The current supported version is ExpressionEngine 7. Any version below this is either end-of-life or approaching it. EE 2, 3, 4, and 5 no longer receive security updates.

What end-of-life actually means

When a software version reaches end-of-life, the developer stops releasing updates for it. This includes security patches. If a new vulnerability is discovered in EE 4 tomorrow, no patch will be released. Sites running EE 4 will remain vulnerable indefinitely.

This is not a theoretical concern. Security researchers and malicious actors actively look for known vulnerabilities in widely-used platforms. Automated scanners probe the web continuously, and ExpressionEngine's version number is detectable from the site's HTML source in many installations.

The PHP layer

ExpressionEngine does not operate in isolation. It runs on top of PHP, and old versions of EE require old versions of PHP. PHP 5 reached end-of-life in 2019. PHP 7 reached end-of-life in 2022. Sites running EE 2 on PHP 5 are running two layers of unpatched software, each with its own known vulnerabilities.

Even if your host has not yet forced a PHP upgrade, running on an end-of-life PHP version carries the same risk: no security patches, known vulnerabilities, and no support if something goes wrong.
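A small audit script illustrating the two checks above (reading the EE version out of a configuration file and testing both EE and PHP against the end-of-life dates given in this post). This is an added example, not code from ExpressionEngine or from the author; it assumes the config file carries an `app_version` entry and that PHP 8 is outside the end-of-life list, and the config text is constructed for the demonstration.

```python
import re
from typing import List, Optional

# Constructed sample of an EE config.php body (not a real site's file).
# The 'app_version' key name is an assumption about EE config files.
SAMPLE_CONFIG = """<?php
$config['app_version'] = '2.11.9';
$config['install_lock'] = '';
"""

# Figures taken from the post: EE 7 is the supported line, EE 2-5 get no
# security updates, PHP 5 reached EOL in 2019 and PHP 7 in 2022.
EE_SUPPORTED_MAJOR = 7
PHP_EOL_YEAR = {5: 2019, 7: 2022}


def parse_ee_version(config_text: str) -> Optional[str]:
    """Return the app_version string from a config.php body, or None."""
    m = re.search(r"\$config\['app_version'\]\s*=\s*'([^']+)'", config_text)
    return m.group(1) if m else None


def major(version: str) -> int:
    return int(version.split(".")[0])


def ee_status(version: str) -> str:
    """'supported', 'approaching-eol' (one major behind) or 'eol'."""
    m = major(version)
    if m >= EE_SUPPORTED_MAJOR:
        return "supported"
    if m == EE_SUPPORTED_MAJOR - 1:
        return "approaching-eol"
    return "eol"


def php_status(version: str, year: int) -> str:
    """'eol' once the year reaches the PHP line's end-of-life year."""
    m = major(version)
    if m >= 8:
        return "supported"  # assumption: PHP 8.x is not covered by the post
    eol = PHP_EOL_YEAR.get(m)
    return "eol" if eol is None or year >= eol else "supported"


def audit(config_text: str, php_version: str, year: int) -> List[str]:
    """Collect the unpatched layers of an install as human-readable findings."""
    findings = []
    ee = parse_ee_version(config_text)
    if ee is None:
        findings.append("ExpressionEngine version not found in config")
    elif ee_status(ee) != "supported":
        findings.append(f"ExpressionEngine {ee} is {ee_status(ee)}")
    if php_status(php_version, year) == "eol":
        findings.append(f"PHP {php_version} is end-of-life")
    return findings
```

Running `audit(SAMPLE_CONFIG, "5.6.40", 2024)` reports both layers, which is the "two layers of unpatched software" case described above.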

The add-on layer

ExpressionEngine sites typically depend on a range of add-ons for forms, ecommerce, search, caching, and other functionality. Each of those add-ons is a separate piece of software with its own security posture. If an add-on has been abandoned by its developer, it is no longer receiving security updates either.

A site with three abandoned add-ons has three additional attack surfaces that cannot be patched.

The ecommerce concern

If your ExpressionEngine site processes payments, the stakes are higher. Payment card industry standards require that software processing payment data is maintained and patched. Running a payment-capable site on end-of-life software is a compliance issue as well as a security issue. If your site uses a payment gateway integration built into an abandoned add-on, that integration itself may have unpatched vulnerabilities.

What to do

The only real solution is to upgrade to a supported version of ExpressionEngine. There is no meaningful way to secure an installation running on end-of-life software short of taking it offline.

In the short term, if an upgrade cannot happen immediately, make sure you have:

  • Current, working backups of both the database and the files
  • Monitoring in place to alert you if the site goes down or behaves unusually
  • A clear understanding of what sensitive data the site holds and processes

But these are temporary mitigations, not a solution. An outdated EE installation that has not been compromised is one that has not been compromised yet.

If you are not sure what version your site is running, or you know it is out of date and want an honest view of the risk and what it would take to address it, get in touch and Karl will take a look.


For all enquiries please contact Karl on the following details:

Mobile: +44 (0)7771 656 606

LinkedIn: uk.linkedin.com/in/karlbowers72