When a business owner weighs up an ExpressionEngine upgrade, the mental calculation is usually straightforward: upgrading costs money now, and not upgrading costs nothing. This framing is understandable but misleading. The cost of not upgrading does not stay at zero. It accumulates, quietly and consistently, until it becomes unavoidable.
Security vulnerabilities that do not get patched
ExpressionEngine receives regular security updates on current versions. Sites running old, unsupported versions do not receive those updates. Known vulnerabilities remain open indefinitely.
This matters more than it might sound. Automated scanning tools search the internet continuously for sites running vulnerable software. A site on an old version of EE with a known security flaw is not safe because nobody has noticed it yet. It is safe only until the moment it is not.
If your site processes any payments, holds customer data, or operates in a regulated sector, the risks associated with running unpatched software go beyond inconvenience.
PHP version incompatibilities that get worse over time
Modern hosting environments run current versions of PHP. Old versions of ExpressionEngine were built for old versions of PHP. As hosting providers upgrade their infrastructure, older EE installations start to break, often in ways that are not immediately obvious. Forms may stop working. Admin functions may behave unexpectedly. Third-party integrations may silently fail.
Every year this gap widens. A site that runs adequately on PHP 7.4 today will face increasing problems as hosting moves to PHP 8.2 and beyond. The later the upgrade happens, the more compatibility issues have accumulated.
Add-on abandonment compounds
The add-ons your site depends on were being updated and maintained when they were installed. As time passes, developers move on, businesses close, and add-ons are abandoned. A site with five active add-ons today may have two of those abandoned in three years time. Each abandoned add-on is a dependency that cannot be updated, an incompatibility that cannot be resolved, and a potential vulnerability that cannot be patched.
The longer the upgrade is deferred, the more likely it becomes that replacing those abandoned add-ons becomes part of the work, adding cost and complexity that did not exist when the upgrade would have been simpler.
Developer scarcity increases
The pool of developers who know ExpressionEngine well is not growing. Most of the experienced EE developers who have been working with the platform for years have moved on or reduced their EE work. Developers who can work confidently with EE 2 or EE 3 installations are becoming harder to find with every passing year.
This has a practical consequence: the cost of finding specialist help for a legacy EE installation increases over time, and the available options decrease. An upgrade that costs a certain amount today will likely cost more in two years, because the expertise required to do it well is becoming more scarce.
The compounding effect
Each of these factors compounds the others. An unpatched security vulnerability is more serious on a site with abandoned add-ons. PHP compatibility issues are harder to resolve when the developers who know the codebase are no longer available. The upgrade from EE 2 to EE 7 becomes more complex as more add-ons in the dependency chain lose support.
The right time to upgrade was probably a few years ago. The next best time is now, before any of these factors become critical.
If you have been putting off an ExpressionEngine upgrade and want an honest view of what your site's situation actually looks like, get in touch and Karl will carry out a proper assessment.