We are seeing an increasing number of forum posts stating that a site maintainer has had their or their clients sites hacked and they are unable to update from joomla 1.5 due to either custom designed components or not having a budget to do their upgrade.
Leaving aside the dangers of custom component design, not
upgrading a site and leaving it open to security risks due to not having the budget is no excuse for a site maintainer with morals.
A client may not have the budget but will eventually end up having to pay for the damage caused by a hack. As a site maintainer who will 3 years after 1.5 reaching end of life keep repeating the mantra "the site still works, you aren't paying me to update it" will come running to the forums for advice on repairing a hack as they simply don't know enough as they are reluctant maintainers - reasonable excuse.
They may ask for help because they don't know enough and want the forum fixers to tell them what to do while telling their clients "I told you so; pay up or push off" - dreadful.
If you have already offered to update their clients sites for free as a loss leader - you are a caring maintainer.
If you cannot migrate a site J1.5 quickly to J3, there are some basic steps that you can take to improve security:-
1. update the site to the final release of the J1.5 series, which is 1.5.26. Unless the site is highly customized and hacks the Joomla! core, this should be possible;
2. even after end of life J1.5.26 there was a "community patch" released that would alleviate a major file upload exploit in the Joomla media manager found in 2013. You are strongly advised to apply it, you can get the patch here: http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=31626
3. in the Joomla configuration, make sure that user registration is disabled (unfortunately by default in J1.5 anyone can create an active account on your site unless you disallow it) unless of course this is impossible, for example on an e-commerce store;
4. in the media manager options, make sure that the Restrict Uploads option is set to "YES"
5. also in the media manager options, set Check Mime Type to "NO", this may seem counterintuitive, but what this does is it restricts uploads of non-image file types to administrators only
6. Remove any unused extensions, most if not all are not updated any more and may be vulnerable
Here are some ideas for resolving the CBA/CBB/CA issues:-
If you are a sole maintainer - eg you were co-opted as the webmaster -
you should remove be able to take all these steps immediately, then migrate to Joomla 3 ASAP.
If you are a small scale /reluctant maintainer you should follow the advice above and see if you can do it for a minimal amount or free. If you can persuade the community groups or clubs that you help then you will probably get more business by doing this by word of mouth for being a maintainer with morals. If your clients wont update then advise them you can't happily support them if they won't update.
If your one of the "I told you so" camp then you probably haven't even bothered reading this far and are without morals and will charge your clients for fixing the hacked site as you haven't encouraged them to update and secure their site in previous years. You're only in it for the money and do not have the value or morals of open source at heart.
What exact agreements do you have as a site maintainer with your clients? You do have the latest iphone or samsung don't you? Apply the same principle to your clients site.