Security Support for Concrete v8.x

Aug 19, 2022
by frz

We recently announced that Concrete v8 will reach end of life in late 2022, but that doesn’t have to mean you won’t be able to run a Concrete v8 site beyond New Year's.

[Update 14 Nov 2023 - Concrete v8 will have extended security maintenance through 2024]

 

There is quite a lot of functionality bundled into the Concrete CMS core, and we use quite a few third-party libraries too. Much of that works just great under PHP v7.x, but updating to support PHP version 8’s stricter formatting requirements is a significant undertaking for everyone. That’s not just work we can do here; the third-party libraries we depend on would have to update too.

The good news is that while the core team behind PHP has announced an end of security updates for PHP v7.x in late 2022, there are other groups out there working to keep PHP v7.x secure well beyond this year. The team behind Ubuntu LTS (long-term support) keeps an eye on the security fixes that the PHP team is making to v8.x, and they backport critical fixes to the PHP releases they make available if you’re running Ubuntu for your web server.

If you aren’t able to get your Concrete CMS site updated to version 9.x, you can still keep running it on a reasonably secure version of PHP by simply making sure your web host is offering a PHP branch with long-term support (LTS).

We will continue to issue critical security updates for Concrete v8.x through 2023. Critical in this context means any issue we deem may give an external actor administrative access to your CMS or operating system. We will not be porting every security improvement we make; we’re really just focused on keeping public-facing marketing sites built with Concrete safe on the web. If you’re building a web application where internal actor threats are a serious concern, you should upgrade to version 9.x to maintain the highest level of security.

For better or worse, the days of being able to buy a box of software from the computer store that just worked for 5 years have passed. Unless you’ve built something from the bottom up and haven’t connected it to the internet, your software is benefitting from a complex ecosystem of ever-changing partial solutions from many parties. We can deliver applications that are wildly easier to use than what our forefathers did in that shrink-wrapped box, but all those pieces-parts do need to be updated to keep working together and stay safe.

If you choose to host with us, we’re eager to help make these upgrades as painless as possible. If you have an older Concrete site, and you need a long-term support plan that makes sense, please let us know and we can help.

If you host on your own, please consider your threat tolerance, audit your web server stack frequently, and keep your software updated!