TYPO3 upgrades: Why "It's working" is the most dangerous excuse

This article was automatically translated using DeepL. Therefore, inaccuracies may occur.

As a TYPO3 integrator, I hear it all the time: Customers don't want to upgrade because "everything works". But this convenient excuse hides massive security risks, GDPR violations and exponentially rising costs. Time for plain language.

I experience it again and again. A customer is on TYPO3 version 8 or even older, and when I bring up the subject of upgrading, the answer comes out of the blue: "The site works. Everything works. Why should I invest money in it?"

And I understand the reluctance. I really do. No company likes to spend money on something that doesn't seem to be broken. But this attitude isn't just short-sighted. It's a fire hazard.

As someone who's been working with TYPO3 since 2006 and regularly talks to other agencies and integrators, I can tell you: the problem is real, it's widespread, and it's getting bigger.

The convenient lie: "It's working"

Yes, your website is up and running. Today. Maybe tomorrow too. But it's running on software that nobody maintains anymore. On PHP that hasn't received any security updates for years. With extensions that have not been maintained for a long time.

It's like driving a car without an MOT. It works too. Until the first bend. Or until the first inspection.

The difference: with your car, you know you're taking a risk. With your website, you tell yourself that nothing will happen.

What you are really risking

Security vulnerabilities: Open doors for attackers

Old TYPO3 versions have known security vulnerabilities. These gaps are publicly documented. Hackers have automated scripts that scan the internet for exactly these kinds of outdated installations.

You don't just leave your front door open. You hang out a sign: "I'm not here, come in."

When your website gets hacked, it's not just about a few spam links. It's about malware that infects your visitors. It's about stolen customer data. It's about a damaged reputation that takes years to repair.

GDPR: You are currently violating the law

This is where it gets nasty: according to the GDPR, you are obliged to keep the software you use up to date. Especially if personal data is processed.

And before you say "We don't process any data": Yes, you do. A contact form alone is enough. Analytics. Newsletter registration. All of these involve personal data.

Anyone who deliberately uses outdated software is acting negligently. In the event of a data breach, you could face reporting obligations, fines and claims for damages. And your insurance company could refuse to pay out in the event of gross negligence.

This also applies to associations, communities and parishes. Honorary board members are personally liable. Do you really want to risk the association's assets for an avoidable penalty?

Costs increase exponentially

An upgrade from TYPO3 11 to 13 is manageable. From TYPO3 8 to 13 is more expensive. From version 4.5 to 13? Then we're no longer talking about an upgrade, but a relaunch.

The longer you wait, the more expensive it gets. Extensions disappear from the market. PHP versions become incompatible. Hosters discontinue support for old systems. What could be done in two days today could mean a complete rebuild in a year's time.

You decide today whether you plan the upgrade or whether your host decides for you. And decisions made under time pressure are always the most expensive.

The domino effect: when the host pulls the plug

The scenario is always the same: your host announces that old PHP versions will no longer be supported. You have three months. But your old TYPO3 version only runs with exactly this PHP version.

Now you have a choice: emergency upgrade under time pressure or website offline. Both are expensive. Both are stressful. Both could have been avoided.

I've been through this dozens of times. And every time, the bill ends up being higher than a planned, clean upgrade would have been.

Why customers still hesitate

I understand the objections. I really do.

"We don't have a budget."

Then you also have no budget for an offline website, for data loss or for GDPR penalties. A planned upgrade costs a fraction of what an emergency scenario costs.

Think about it: would you say "I don't have a budget for new brakes" for your car? No, because you know what happens if the brakes fail.

"We're not going to change the website anyway."

Then you don't need a CMS. If your website is really static and nothing changes, there are better solutions. A static HTML version is cheaper to run, more secure and faster.

But be honest: does nothing really change? No text, no images, no contact details? If it does, you need a well-maintained system.

"Nothing will happen with us."

Maybe you're lucky and nothing happens to you. But the statistics tell a different story: one in seven companies has already been hacked, and 70% of German companies have already been victims of cyber criminals. Most of them are small businesses and associations that thought exactly that.

Hackers are not interested in the size of your company. They are interested in open security gaps. And these are guaranteed to be present in an outdated TYPO3 installation.

The integrators' perspective

And now a word to the agencies, developers and integrators reading this:

You do an important job. You look after websites, keep systems running, deal with problems. But you're not paramedics for zombies.

Looking after old TYPO3 installations costs a disproportionate amount of time. Time that you lack for modern, exciting projects. Time that eats into your margins. Time that frustrates you.

And more importantly, your employees don't want to work on software that is ten years old. What good developer still wants to be working on TYPO3 4.5 in 2025? You will lose good people if you only support old systems.

Setting limits is not unfriendly. It's professional.

It's okay to say: "I can no longer be responsible for support if you don't upgrade. Here are the risks, here is an offer for an upgrade. If you don't want it, we'll have to end the collaboration."

That's not an ultimatum. It's risk management. For both sides.

If a customer is hacked and you haven't made them aware of the risks beforehand, you may be jointly liable. And even if not, your reputation suffers. "He's in charge of a hacked website and hasn't done anything."

You are experts. You know what's right. Stand by it.

What you can do now

For customers: Listen to your integrator

If your agency or developer says an upgrade is necessary, then it's necessary. These people make their living with TYPO3. They know what they're talking about.

Ask for a concrete offer. Let them explain what's happening and why. And then invest in the security of your website.

If your integrator hasn't addressed the issue yet, bring it up. Ask which TYPO3 version you're on and whether an upgrade is necessary.

And if you don't have an integrator or need a new one: Feel free to contact me. We'll take a look at your installation and discuss what makes sense.

For integrators: Speak plainly

Make a list of your customers with outdated TYPO3 versions. Prioritize according to risk. And then address the issue. Concretely, with a schedule and an offer.

Give your customers the information they need to make a decision. Explain the risks. State the costs. Set a deadline.

And if a customer still doesn't want it, document this in writing. Get confirmation that you have pointed out the risks and that the customer is refusing the upgrade. This is self-protection.

Offer solutions:

Maintenance contracts: Small, predictable monthly amounts instead of large, unexpected bills. Regular updates are cheaper than emergency upgrades.

Upgrade packages: Fixed price offers for standard upgrades, scaled according to effort.

Static conversion: For really dead websites without regular changes. Out of TYPO3, into static HTML. Less expensive to operate, more secure, faster.

Step-by-step migration: Not all at once, but step by step. First close the most critical security gaps, then the rest.

Exit option: Sometimes a new, lean system is cheaper than a monster upgrade. Be honest if this is the better way.

The question is not if, but when

You will have to upgrade at some point. The only question is: do you do it now, planned and clean? Or later, under time pressure and at triple the cost?

The technology won't wait for you. TYPO3 version 14 is coming in April 2026, and the gap between current standards and old installations is getting bigger, not smaller.

In five years, you won't find anyone who wants to touch TYPO3 4.5. And if they do, it will be really expensive.

The best time to upgrade was two years ago. The second best time is now.

My advice

I'm not writing this to cause panic. I'm writing it because I'm serious.

I say this as a TYPO3 expert since 2006, as a member of the TYPO3 Education Committee and as someone who has accompanied hundreds of projects: outdated installations are a risk you shouldn't take.

It's not about perfectionism. It's about common sense.

You don't always have to be on the latest version. But you should be on a version that still receives support. That still gets security updates. That still has a future.

And if you don't know where you stand or what to do: ask someone who knows. Your integrator. An agency. Or me.

But do something. Because "It's working" is not a strategy. It's self-deception.

And that can be expensive.

Who writes here?

Hi, I'm Wolfgang.

Since 2006, I've been diving deep into the fascinating world of TYPO3 - it's not only my profession, but also my passion. My path has taken me through countless projects, and I have created hundreds of professional video tutorials focusing on TYPO3 and its extensions. I love unraveling complex topics and turning them into easy-to-understand concepts, which is also reflected in my trainings and seminars.

As an active member of the TYPO3 Education Committee, I am committed to keeping the TYPO3 CMS Certified Integrator exam questions up to date and challenging.

But my passion doesn't end at the screen. When I'm not diving into the depths of TYPO3, you'll often find me on my bike, exploring the scenic trails around Lake Constance. These outdoor excursions are my perfect balance - they keep my mind fresh and always provide me with new ideas.