Skip to Content
Last modified by Agnease on 2026/05/26 10:58
From version 1.4
edited by Agnease
on 2026/05/12 14:47
Change comment: There is no comment for this version
To version 9.3
edited by Agnease
on 2026/05/26 10:47
Change comment: There is no comment for this version

Summary

Details

Page properties
Title
... ... @@ -1,0 +1,1 @@
1 +Why You Should Upgrade XWiki Regularly for Security and Stability
Content
... ... @@ -2,292 +2,302 @@
2 2  #set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
3 3  {{html clean="false"}}
4 4  
5 - ## PAGE HEADER
6 - <section class="hero hero-centered service-hero" aria-labelledby="hero-title">
7 - <div class="container hero-inner">
8 - <div class="hero-kicker">
9 - <i class="fa fa-refresh" aria-hidden="true"></i>
10 - XWiki upgrade guidance
5 + <section class="resource-header" aria-labelledby="hero-title">
6 + <div class="container">
7 + <div class="text-center">
8 + <div class="hero-kicker">
9 + <i class="fa fa-refresh" aria-hidden="true"></i>
10 + XWiki upgrade guidance
11 + </div>
11 11   </div>
12 12  
13 13   <h1 id="hero-title">Why upgrading your XWiki instance should be a regular priority</h1>
14 14  
15 - <p class="lead">
16 + <p class="resource-summary">
16 16   A working XWiki instance can still become outdated, harder to maintain and exposed to avoidable risks
17 17   when upgrades are postponed for too long.
18 18   </p>
19 -
20 - <p class="hero-support">
21 - Regular upgrades help keep XWiki secure, stable, compatible and easier to evolve, especially when the platform
22 - is used for internal knowledge, documentation, procedures, workflows or business-critical collaboration.
23 - </p>
24 -
25 - <div class="hero-actions">
26 - <a class="btn btn-primary" href="$xwiki.getURL('services.xwiki-upgrades')">View upgrade services</a>
27 - <a class="btn btn-secondary" href="#upgrade-tips">Read upgrade tips</a>
28 - </div>
29 29   </div>
30 30   </section>
31 31  
32 - ## WHY IT MATTERS
33 - <section aria-labelledby="why-title">
23 + <section class="resource-page">
34 34   <div class="container">
35 - <h2 id="why-title">“It still works” is not the same as “it is safe to keep unchanged”</h2>
25 + <div class="resource-layout">
36 36  
37 - <p class="section-intro">
38 - Many XWiki instances continue to run for years with only small visible problems. That can create the impression
39 - that upgrades are optional. In practice, the longer an instance stays behind, the more risk accumulates around
40 - security fixes, extension compatibility, infrastructure changes, custom code and future upgrade effort.
41 - </p>
42 -
43 - <div class="pathways">
44 - <article class="pathway-card">
45 - <div class="pathway-icon">
46 - <i class="fa fa-shield" aria-hidden="true"></i>
47 - </div>
48 - <h3>Security fixes accumulate</h3>
49 - <p>
50 - Older versions may miss security-related fixes and improvements that are already available in newer releases.
51 - </p>
27 + <aside class="resource-sidebar" aria-label="Page summary">
28 + <h4>In this guide</h4>
52 52   <ul>
53 - <li>Known issues may already be fixed upstream</li>
54 - <li>Public information about vulnerabilities increases risk over time</li>
55 - <li>Security updates are easier to handle when upgrades are regular</li>
30 + <li><a href="#why-it-matters">Why upgrades matter</a></li>
31 + <li><a href="#upgrade-checklist">Upgrade checklist</a></li>
32 + <li><a href="#safe-process">Safe process</a></li>
33 + <li><a href="#common-mistakes">Common mistakes</a></li>
34 + <li><a href="#upgrade-rhythm">Upgrade rhythm</a></li>
35 + <li><a href="#upgrade-faq">FAQ</a></li>
56 56   </ul>
57 - </article>
37 + </aside>
58 58  
59 - <article class="pathway-card">
60 - <div class="pathway-icon">
61 - <i class="fa fa-puzzle-piece" aria-hidden="true"></i>
62 - </div>
63 - <h3>Compatibility becomes harder</h3>
39 + <article class="resource-content">
40 +
64 64   <p>
65 - Extensions, custom applications, authentication integrations and infrastructure components evolve together.
42 + Many XWiki instances continue to run for years with only small visible problems. This can create the
43 + impression that upgrades are optional, especially when users can still log in, search, edit pages and
44 + access the content they need.
66 66   </p>
67 - <ul>
68 - <li>Extensions may require newer XWiki versions</li>
69 - <li>Java, Tomcat and database requirements can change</li>
70 - <li>Large version jumps are harder to validate</li>
71 - </ul>
72 - </article>
73 73  
74 - <article class="pathway-card">
75 - <div class="pathway-icon">
76 - <i class="fa fa-line-chart" aria-hidden="true"></i>
77 - </div>
78 - <h3>Maintenance cost increases</h3>
79 79   <p>
80 - The longer upgrades are postponed, the more difficult it becomes to understand what changed and what may break.
48 + The real risk is that technical debt accumulates quietly. Security fixes, extension compatibility,
49 + authentication behavior, infrastructure requirements and custom code assumptions continue to evolve.
50 + The longer an instance remains behind, the more difficult the next upgrade becomes.
81 81   </p>
82 - <ul>
83 - <li>More release notes to review</li>
84 - <li>More compatibility checks to perform</li>
85 - <li>More risk around custom code and old assumptions</li>
86 - </ul>
87 - </article>
88 - </div>
89 - </div>
90 - </section>
91 91  
92 - ## WHAT TO REVIEW
93 - <section id="upgrade-tips" class="services" aria-labelledby="tips-title">
94 - <div class="container">
95 - <h2 id="tips-title">Practical tips before planning an XWiki upgrade</h2>
96 -
97 - <p class="section-intro">
98 - A good upgrade starts before the installation step. The most useful preparation is to understand the current
99 - platform, identify what is business-critical and validate the upgrade outside production.
100 - </p>
101 -
102 - <div class="services-grid">
103 - <article class="service">
104 - <div class="service-icon" aria-hidden="true">
105 - <i class="fa fa-code-fork"></i>
106 - </div>
107 - <div class="service-body">
108 - <h4>Check your current version and target version</h4>
53 + <div class="resource-note">
109 109   <p>
110 - Identify the current XWiki version, the desired target version and whether intermediate upgrade steps are needed.
55 + <strong>In practice:</strong> an XWiki upgrade should review the current version, target version,
56 + required intermediate steps, installed extensions, custom code, authentication setup, infrastructure,
57 + backups, rollback expectations and the business-critical features that must be validated before
58 + production is touched.
111 111   </p>
112 112   </div>
113 - </article>
114 114  
115 - <article class="service">
116 - <div class="service-icon" aria-hidden="true">
117 - <i class="fa fa-puzzle-piece"></i>
118 - </div>
119 - <div class="service-body">
120 - <h4>Review installed extensions</h4>
121 - <p>
122 - List installed extensions and check whether they are compatible with the target XWiki version.
123 - </p>
124 - </div>
125 - </article>
62 + <p>
63 + An XWiki upgrade is the process of moving an existing instance to a newer XWiki version while preserving
64 + content, configuration, extensions, customizations, access rights and business-critical behavior. A safe
65 + upgrade is not only a software installation task. It is a controlled maintenance process with preparation,
66 + staging validation, production rollout and follow-up notes.
67 + </p>
126 126  
127 - <article class="service">
128 - <div class="service-icon" aria-hidden="true">
129 - <i class="fa fa-code"></i>
130 - </div>
131 - <div class="service-body">
132 - <h4>Identify custom code</h4>
69 + <div class="resource-note">
133 133   <p>
134 - Review custom macros, Velocity scripts, Java components, UI extensions, sheets, templates and local changes.
71 + <strong>The main point:</strong> regular upgrades are not only about new features. They reduce security
72 + exposure, compatibility risk and long-term maintenance cost.
135 135   </p>
136 136   </div>
137 - </article>
138 138  
139 - <article class="service">
140 - <div class="service-icon" aria-hidden="true">
141 - <i class="fa fa-lock"></i>
142 - </div>
143 - <div class="service-body">
144 - <h4>Validate authentication</h4>
145 - <p>
146 - LDAP, Active Directory, SSO, OIDC, SAML and MFA configurations should be tested carefully after the upgrade.
147 - </p>
148 - </div>
149 - </article>
76 + <h2 id="why-it-matters">Why regular XWiki upgrades matter</h2>
150 150  
151 - <article class="service">
152 - <div class="service-icon" aria-hidden="true">
153 - <i class="fa fa-database"></i>
154 - </div>
155 - <div class="service-body">
156 - <h4>Prepare backups and a staging clone</h4>
157 - <p>
158 - Never treat production as the first test. Validate the upgrade on staging or a temporary clone first.
159 - </p>
160 - </div>
161 - </article>
78 + <h3>1. Security fixes accumulate over time</h3>
79 + <p>
80 + Older versions may miss security-related fixes already available in newer releases. Once security issues
81 + become publicly known, running an old version can become a more predictable risk.
82 + </p>
162 162  
163 - <article class="service">
164 - <div class="service-icon" aria-hidden="true">
165 - <i class="fa fa-check-square-o"></i>
166 - </div>
167 - <div class="service-body">
168 - <h4>Create a validation checklist</h4>
84 + <p>
85 + This does not mean every old instance is immediately exposed in the same way. The real impact depends on
86 + your configuration, installed extensions, access model, authentication setup and whether the instance is
87 + public or private. But staying close to supported versions makes security maintenance more manageable.
88 + </p>
89 +
90 + <p>
91 + For a broader view of security-related checks, see
92 + <a href="$xwiki.getURL('resources.xwiki-security-review')">what an XWiki security review should actually include</a>.
93 + </p>
94 +
95 + <h3>2. Large upgrade gaps are harder to control</h3>
96 + <p>
97 + A small, regular upgrade is usually easier to validate than a large jump after several years. Large gaps
98 + mean more release notes, more compatibility changes, more extension checks and more uncertainty around
99 + custom code.
100 + </p>
101 +
102 + <h3>3. Extensions and customizations can become fragile</h3>
103 + <p>
104 + XWiki instances often include installed extensions, custom Velocity scripts, macros, templates, sheets,
105 + UI extensions, Java components or business-specific applications. These elements need to be reviewed when
106 + planning an upgrade.
107 + </p>
108 +
109 + <p>
110 + For more details on organizing custom work, see
111 + <a href="$xwiki.getURL('resources.xwiki-custom-development')">how to keep XWiki custom development maintainable across upgrades</a>.
112 + </p>
113 +
114 + <h3>4. Infrastructure requirements evolve</h3>
115 + <p>
116 + XWiki upgrades can involve more than the application itself. Java, Tomcat, the database, Docker images,
117 + reverse proxy configuration, PDF export services and authentication integrations may also need attention.
118 + </p>
119 +
120 + <h3>5. Business-critical features need validation</h3>
121 + <p>
122 + A successful upgrade is not only one where the server starts. Users usually depend on login, permissions,
123 + search, dashboards, PDF exports, workflows, notifications, custom applications and important pages. These
124 + should be part of the validation plan.
125 + </p>
126 +
127 + <div class="resource-inline-cta">
169 169   <p>
170 - Test login, permissions, search, dashboards, PDFs, custom applications, jobs, important pages and integrations.
129 + <strong>Not sure how risky your current XWiki version is?</strong>
130 + A short technical review can clarify the upgrade path, extension compatibility,
131 + custom code risks and validation needs before production is touched.
171 171   </p>
133 + <a class="btn btn-secondary" href="$xwiki.getURL('contact.WebHome')">Request a quick review</a>
172 172   </div>
173 - </article>
174 - </div>
175 - </div>
176 - </section>
177 177  
178 - ## SAFE PROCESS
179 - <section class="split-section" aria-labelledby="process-title">
180 - <div class="container">
181 - <div class="split-grid">
182 - <div class="split-copy">
183 - <h2 id="process-title">The safest upgrade is the one rehearsed before production</h2>
136 + <h2 id="upgrade-checklist">XWiki upgrade planning checklist</h2>
184 184  
185 185   <p>
186 - A production upgrade should not be the first time the process is tested. A staging environment or temporary
187 - clone allows problems to be discovered before they affect users.
139 + A practical XWiki upgrade plan should cover both the application and the environment around it.
140 + The following checklist can be used as a starting point before upgrading a production instance.
188 188   </p>
189 189  
143 + <ul class="resource-checklist">
144 + <li>Identify the current XWiki version and the target version.</li>
145 + <li>Check whether intermediate upgrade steps are needed.</li>
146 + <li>List installed extensions and verify compatibility with the target version.</li>
147 + <li>Identify custom code: Velocity scripts, macros, sheets, templates, UI extensions and Java components.</li>
148 + <li>Review authentication: LDAP, Active Directory, SSO, OIDC, SAML or MFA.</li>
149 + <li>Prepare a staging environment or temporary clone of production.</li>
150 + <li>Validate backups and clarify rollback expectations.</li>
151 + <li>Test important pages, dashboards, permissions, search, jobs, exports and custom workflows.</li>
152 + <li>Document the steps, issues found and follow-up recommendations.</li>
153 + </ul>
154 +
155 + <h2 id="safe-process">A safer upgrade process</h2>
156 +
190 190   <p>
191 - This is especially important when the instance includes custom applications, authentication integrations,
192 - PDF exports, workflows, advanced permissions or business-critical documentation.
158 + Production should not be the first place where the upgrade is tested. The safest approach is to rehearse
159 + the upgrade on staging or a temporary clone, resolve compatibility issues there, then perform the production
160 + upgrade with a clear plan.
193 193   </p>
194 - </div>
195 195  
196 - <ol class="process-list">
197 - <li>
198 - <strong>Prepare a staging clone</strong>
199 - Copy the relevant database, filesystem and configuration into a controlled non-production environment.
200 - </li>
201 - <li>
202 - <strong>Run the upgrade there first</strong>
203 - Apply the upgrade, resolve compatibility issues and record the steps required.
204 - </li>
205 - <li>
206 - <strong>Validate business-critical features</strong>
207 - Confirm that authentication, rights, search, exports, custom apps and important workflows still work.
208 - </li>
209 - <li>
210 - <strong>Plan the production window</strong>
211 - Define backup, downtime, rollback and communication expectations before touching production.
212 - </li>
213 - <li>
214 - <strong>Document the result</strong>
215 - Keep upgrade notes, observed issues and follow-up recommendations for the next maintenance cycle.
216 - </li>
217 - </ol>
218 - </div>
219 - </div>
220 - </section>
163 + <ol>
164 + <li><strong>Prepare a clone:</strong> copy the relevant database, filesystem and configuration.</li>
165 + <li><strong>Run the upgrade outside production:</strong> record the steps and issues found.</li>
166 + <li><strong>Validate critical features:</strong> login, rights, search, PDFs, workflows, dashboards and integrations.</li>
167 + <li><strong>Plan the production window:</strong> backups, downtime, rollback and communication.</li>
168 + <li><strong>Document the result:</strong> keep notes for the next upgrade cycle.</li>
169 + </ol>
221 221  
222 - ## COMMON MISTAKES
223 - <section aria-labelledby="mistakes-title">
224 - <div class="container">
225 - <h2 id="mistakes-title">Common mistakes to avoid</h2>
171 + <h2 id="common-mistakes">Common mistakes to avoid</h2>
226 226  
227 - <p class="section-intro">
228 - Most difficult upgrades are not difficult because XWiki cannot be upgraded. They become difficult because
229 - the environment, customizations or validation steps were not understood early enough.
230 - </p>
173 + <ul>
174 + <li><strong>Upgrading directly in production.</strong> Compatibility issues should be discovered before users are affected.</li>
175 + <li><strong>Checking only public pages.</strong> Authentication, restricted spaces and admin features also need validation.</li>
176 + <li><strong>Ignoring custom code.</strong> Custom scripts and extensions often create the real upgrade complexity.</li>
177 + <li><strong>Skipping backup validation.</strong> A backup is useful only if restore expectations are understood.</li>
178 + <li><strong>Keeping no upgrade notes.</strong> Without notes, the next maintenance cycle starts again from uncertainty.</li>
179 + </ul>
231 231  
232 - <div class="widgets">
233 - <article class="widget">
234 - <div class="icon" aria-hidden="true">
235 - <i class="fa fa-warning"></i>
236 - <h4>Upgrading<br />directly in production</h4>
237 - </div>
181 + <h2 id="upgrade-rhythm">How often should XWiki be upgraded?</h2>
182 +
238 238   <p>
239 - Production should not be the first place where compatibility issues are discovered.
184 + For many organizations, a practical rhythm is to stay aligned with the current Long Term Support version
185 + and plan upgrades regularly rather than waiting for a major problem. Some environments can upgrade more
186 + frequently, while heavily customized instances may require more planning.
240 240   </p>
241 - </article>
242 242  
243 - <article class="widget">
244 - <div class="icon" aria-hidden="true">
245 - <i class="fa fa-puzzle-piece"></i>
246 - <h4>Ignoring<br />extensions</h4>
247 - </div>
248 248   <p>
249 - Extensions and custom code often create the real upgrade complexity.
190 + The important part is not only the exact frequency. It is having an upgrade process that is repeatable:
191 + review, staging validation, production rollout, documentation and follow-up.
250 250   </p>
251 - </article>
252 252  
253 - <article class="widget">
254 - <div class="icon" aria-hidden="true">
255 - <i class="fa fa-lock"></i>
256 - <h4>Testing only<br />public pages</h4>
257 - </div>
194 + <h2 id="upgrade-faq">XWiki upgrade FAQ</h2>
195 +
196 + <h3>Why should XWiki be upgraded regularly?</h3>
258 258   <p>
259 - Login, permissions, restricted spaces and admin features should also be validated.
198 + XWiki should be upgraded regularly to reduce security exposure, keep extensions compatible, avoid large
199 + upgrade gaps and make long-term maintenance easier. Regular upgrades are easier to plan and validate than
200 + major jumps after several years.
260 260   </p>
261 - </article>
262 262  
263 - <article class="widget">
264 - <div class="icon" aria-hidden="true">
265 - <i class="fa fa-file-text-o"></i>
266 - <h4>No upgrade<br />notes</h4>
267 - </div>
203 + <h3>Is a working XWiki instance safe to leave unchanged?</h3>
268 268   <p>
269 - Without notes, every future upgrade starts again from uncertainty.
205 + Not necessarily. An XWiki instance can continue to work from a user perspective while becoming outdated,
206 + harder to upgrade and exposed to avoidable risks. Visible functionality is not the same as long-term
207 + maintainability.
270 270   </p>
271 - </article>
272 - </div>
273 - </div>
274 - </section>
275 275  
276 - ## CTA
277 - <section class="cta-section" aria-labelledby="cta-title">
278 - <div class="container">
279 - <div class="cta-panel">
280 - <h2 id="cta-title">Need help planning an XWiki upgrade?</h2>
210 + <h3>What should be checked before upgrading XWiki?</h3>
211 + <p>
212 + Before upgrading XWiki, review the current version, target version, intermediate upgrade steps, installed
213 + extensions, custom code, authentication setup, infrastructure, backups, rollback expectations and
214 + business-critical features.
215 + </p>
281 281  
282 - <p>
283 - If your XWiki instance is outdated, customized or business-critical, the safest next step is to review
284 - the current version, extensions, infrastructure and validation needs before planning the production upgrade.
285 - </p>
217 + <h3>Should an XWiki upgrade be tested outside production?</h3>
218 + <p>
219 + Yes. The safest approach is to rehearse the upgrade on a staging environment or temporary clone, fix
220 + compatibility issues there, then perform the production upgrade with a clear plan and rollback expectations.
221 + </p>
286 286  
287 - <a class="btn btn-primary" href="$xwiki.getURL('services.xwiki-upgrades')">View XWiki upgrade services</a>
223 + <h3>What makes an XWiki upgrade difficult?</h3>
224 + <p>
225 + XWiki upgrades become more difficult when the version gap is large, extensions are outdated, custom code is
226 + undocumented, authentication is complex, infrastructure dependencies changed or critical workflows were not
227 + included in the validation plan.
228 + </p>
229 +
230 + <div class="resource-note">
231 + <p>
232 + Related resources:
233 + <a href="$xwiki.getURL('resources.xwiki-security-review')">what an XWiki security review should actually include</a>
234 + and
235 + <a href="$xwiki.getURL('resources.xwiki-custom-development')">how to keep XWiki custom development maintainable across upgrades</a>.
236 + </p>
237 + </div>
238 +
239 + <div class="resource-cta">
240 + <h3>Need help planning an XWiki upgrade?</h3>
241 + <p>
242 + If your XWiki instance is outdated, customized or business-critical, the safest next step is to review
243 + the current version, extensions, infrastructure and validation needs before planning the production upgrade.
244 + </p>
245 + <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Request an upgrade review</a>
246 + </div>
247 +
248 + </article>
288 288   </div>
289 289   </div>
290 290   </section>
291 291  
253 + <script type="application/ld+json">
254 + {
255 + "@context": "https://schema.org",
256 + "@type": "FAQPage",
257 + "mainEntity": [
258 + {
259 + "@type": "Question",
260 + "name": "Why should XWiki be upgraded regularly?",
261 + "acceptedAnswer": {
262 + "@type": "Answer",
263 + "text": "XWiki should be upgraded regularly to reduce security exposure, keep extensions compatible, avoid large upgrade gaps and make long-term maintenance easier. Regular upgrades are easier to plan and validate than major jumps after several years."
264 + }
265 + },
266 + {
267 + "@type": "Question",
268 + "name": "Is a working XWiki instance safe to leave unchanged?",
269 + "acceptedAnswer": {
270 + "@type": "Answer",
271 + "text": "Not necessarily. An XWiki instance can continue to work from a user perspective while becoming outdated, harder to upgrade and exposed to avoidable risks. Visible functionality is not the same as long-term maintainability."
272 + }
273 + },
274 + {
275 + "@type": "Question",
276 + "name": "What should be checked before upgrading XWiki?",
277 + "acceptedAnswer": {
278 + "@type": "Answer",
279 + "text": "Before upgrading XWiki, review the current version, target version, intermediate upgrade steps, installed extensions, custom code, authentication setup, infrastructure, backups, rollback expectations and business-critical features."
280 + }
281 + },
282 + {
283 + "@type": "Question",
284 + "name": "Should an XWiki upgrade be tested outside production?",
285 + "acceptedAnswer": {
286 + "@type": "Answer",
287 + "text": "Yes. The safest approach is to rehearse the upgrade on a staging environment or temporary clone, fix compatibility issues there, then perform the production upgrade with a clear plan and rollback expectations."
288 + }
289 + },
290 + {
291 + "@type": "Question",
292 + "name": "What makes an XWiki upgrade difficult?",
293 + "acceptedAnswer": {
294 + "@type": "Answer",
295 + "text": "XWiki upgrades become more difficult when the version gap is large, extensions are outdated, custom code is undocumented, authentication is complex, infrastructure dependencies changed or critical workflows were not included in the validation plan."
296 + }
297 + }
298 + ]
299 + }
300 + </script>
301 +
292 292  {{/html}}
293 293  {{/velocity}}
Agnease.Code.SEODetailsClass[0]
metaDescription
... ... @@ -1,0 +1,1 @@
1 +Learn why regular XWiki upgrades matter for security, stability, extension compatibility and long-term maintenance, especially for production XWiki instances.
metaTitle
... ... @@ -1,0 +1,1 @@
1 +Why You Should Upgrade XWiki Regularly for Security and Stability | Agnease