Plugin compatibility 2.0 vs 2.3? & Security

1. Before I decide which Elgg version I am going to use,
I notice some of the apps don't say they are 2.3 compatible. 
are some of the old plugins (for 2.0 and 2.2) still compatible with the 2.3, or is it likely they need to be upgraded. 
I am going to be installing 
-  enGap(Build and Design your own mobile App) (2.1)
- and others (which are mostly marked as 2.3 compatible but some may be 2.0 2.1 2.2)  

2. Security 
Some scripts like "zen-cart" out of the box don't get infected even after 5 years.. . or like Wordpress with bullet-proof and Acunetix plugin don't need updating.  They keep on coming out with security updates but not needed with same old php version. 
I am talking about the hacks where they gain access to your files / database  through file vulnerability or mysql injection 
About Elgg, how many times has version 2 needed definite required update for security. I will leave it there running the same version on php 5.5 for as long as I can.  I can harden security. I can update if needed, if so should I follow a newsletter updates or subscribe to a topic or group  
Elgg looks great and I look forward to developing a great site and app with it and making plugin customizations. Thank you! 

  • Elgg tries to keep its API within major versions as backward compatible as possible. That means that a plugin written for Elgg 2.0 - 2.2 should also work on Elgg 2.3. For Elgg 1.10 the backward compatibility of the API efforts started with Elgg 1.10, so a plugin written for Elgg 1.10 should still work on Elgg 1.11 and 1.12. But you can't expect a plugin released for any 1.x version of Elgg to work on Elgg 2.x.

    Only in rare cases a plugin releases for an older 2.x version might not work on more recent versions of Elgg 2 because the plugin author might have been too creative in his usage of the Elgg API in ways not expected by the Elgg core developers or using some plugin specific code that might not be compatible with later versions of Elgg even if the API as such is stable. If a plugin author hasn't updated the compatibility info you can just try the plugin on more recent versions of Elgg and it will work in almost all cases. Or you could ask the plugin author on a plugin page directly if he expects any issues.

    Regarding the security question I don't know what to tell you. On the one hand, Elgg hasn't had any security issues "in the wild" I know of for many years. On the other hand, there's never a 100% guarantee that a code of a certain complexity is free of issues not yet discovered. That's not only the case with Elgg but the same with Wordpress, Jomlaa etc. And I also don't think that Wordpress has been bullet-proof security-wise over the years at all!

    You can read about the upgrade policy of Elgg at So, Elgg 2.3 will get security fixes until the release of Elgg 5.0 which means at least about 2 years after the release of Elgg 3.0. And until then you might not want to stay on Elgg 2.3 anyway not mainly due to security fixes but maybe also to be able to take advantage of new features and other improvements added by then.

  • To expand on iionly excellent answer.

    Elgg since 1.10 follows Semver ( which means a plugin made on 2.0 must be able to work on every higher minor version (so 2.1, 2.2, etc).

    In 3.0 Elgg can break the API so this plugin could stop functioning.

    Regarding security.

    I know that several security audits have been done on Elgg websites throughout the years. This is no guarantee that Elgg is perfect, but in the audits I know about no issues were found.

    If you want to be secure always use the latest version of Elgg (currently 2.3.x)

Beginning Developers

Beginning Developers

This space is for newcomers, who wish to build a new plugin or to customize an existing one to their liking