The Fall of October CMS - why Laravel developers moved on and what it teaches us about choosing the right tools
The API Guys · 7 min read

The Fall of October CMS: Why Laravel Developers Moved On

Tags: Laravel, CMS, October CMS, Open Source, Security, Web Development

If you've been in the Laravel ecosystem for any length of time, you've probably come across October CMS. Founded in 2014 by Alexey Bobkov and Sam Georges, it positioned itself as the antidote to bloated content management systems. Built on Laravel, it promised a clean, developer-friendly CMS that would make building websites simple again.

For a while, it delivered on that promise. Laravel developers finally had a CMS that spoke their language, used familiar conventions, and didn't force them into a completely alien workflow. It even won the popular vote for Best Flat-File CMS in 2018 and became the second-most starred PHP CMS on GitHub.

So what went wrong?

The Licence Switch That Broke Trust

On 12 April 2021, October CMS abandoned its MIT licence and moved to a proprietary software model. The founders cited sustainability concerns, but the way it was handled left a bitter taste. The core maintainers - the people who had been doing the vast majority of the maintenance work, PR reviews, and feature development for the previous two to three years - were either let go or resigned between 3rd and 4th March 2021.

The maintainers described a systemic breakdown in communication with the founders that had been building for years. Plans that could fundamentally change the scope of the project were thrust upon the maintenance team without warning. When they asked for information so they could prepare, those requests were denied.

The result was a fork. The former core maintainers - Luke Towers, Ben Thomson, Marc Jauvin, and Jack Wilkinson - created Winter CMS, a free, open-source, community-driven continuation of what October CMS had been. As they put it at the time, the founders had decided to abandon the community that built the project in favour of a small group of professional agency partners.

For many developers, this was the final straw. You don't build your client projects on a platform that can pull the rug from under you. The move from MIT to proprietary meant that every new project now required a paid licence, and existing contributors who had given their time freely to an open-source project found their work locked behind a paywall they never agreed to.

Chronically Behind on Laravel Versions

One of the most frustrating aspects of October CMS for Laravel developers was how far behind it consistently sat on Laravel framework versions. October CMS was stuck on Laravel 5.5 for years while the framework moved through versions 6, 7, 8, 9, and beyond. Each new Laravel release brought performance improvements, security patches, and quality-of-life features that October CMS users simply couldn't access.

This wasn't just an inconvenience - it was a genuine security risk. Running outdated framework versions means missing critical security patches. It also meant developers couldn't use modern Laravel packages, many of which required newer framework versions. You'd find yourself wanting to pull in a well-maintained package only to discover it needed Laravel 9 or 10, while your October CMS project was pinned to a version that had long since left active support.

Version 3 eventually moved to a more recent Laravel version, and now Version 4 is in beta with Laravel 12 support. But the damage was done. Years of being stuck on outdated dependencies eroded confidence in the platform's ability to keep pace with the ecosystem it was built upon.

A Marketplace Full of Abandoned Plugins

Every CMS lives or dies by its ecosystem, and October CMS's marketplace became increasingly problematic. Plugins were abandoned by their authors, GitHub repositories were deleted, and there was no effective quality control mechanism to flag or remove unmaintained extensions.

Community members raised these issues repeatedly. Developers requested the ability to fork abandoned plugins, suggested automatic quality checks for plugins whose repositories had been deleted, and asked for better marketplace curation. The plugin ecosystem that had once been a selling point became a liability - you couldn't be confident that the extensions you relied on would continue to receive updates or remain compatible with new versions.

The shrinking community only compounded the problem. Fewer active developers meant fewer maintained plugins, which meant fewer reasons for new developers to choose the platform, creating a downward spiral that was difficult to reverse.

The Security Incident That Made Headlines

Perhaps the most damaging episode in October CMS's history came in January 2022, when a known vulnerability (CVE-2021-32648) was exploited to deface multiple Ukrainian government websites, including the Ministry of Education and Science and the Ministry of Foreign Affairs. The vulnerability was a critical authentication bypass with a CVSS score of 9.1, caused by an improper type comparison in the password reset functionality - using == instead of === when comparing reset codes.

The vulnerability had been patched in Build 472 nearly a year before the attack. The Ukrainian sites were running outdated versions. This highlights a broader point that we feel strongly about: applying security updates promptly is not optional. It doesn't matter how good a patch is if nobody installs it.

But the incident also raised questions about the platform itself. A critical authentication bypass caused by loose type comparison is a fairly basic security oversight. It was added to CISA's Known Exploited Vulnerabilities Catalogue and became one of the most high-profile security incidents associated with any Laravel-based CMS.
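To make the loose-comparison point concrete, here is an added illustration of the vulnerability class in PHP and the hardened form a reviewer would expect instead. It is not October CMS's code, the function names are invented, the reset-code values are constructed, and it assumes PHP 8 or later.

```php
<?php
// Added illustration, not October CMS's own code. PHP's loose comparison (==)
// converts operands before comparing: two different strings that both parse
// as numbers are compared numerically, so they can be judged "equal".
declare(strict_types=1);

// Vulnerable pattern: loose comparison of the stored reset code with the
// value supplied in the request.
function verifyResetCodeLoose(string $stored, string $supplied): bool
{
    return $stored == $supplied;
}

// Hardened pattern: hash_equals() compares byte-for-byte, in constant time,
// and never type-juggles. Non-string input is rejected up front, because a
// decoded array or null would otherwise cause a TypeError instead of a clean
// "invalid code" result.
function verifyResetCodeStrict(string $stored, mixed $supplied): bool
{
    if (!is_string($supplied) || $supplied === '') {
        return false;
    }
    return hash_equals($stored, $supplied);
}

// Constructed tokens. Both are "numeric strings" in PHP (zero times ten to
// some power), so == evaluates each to 0 and treats them as equal even
// though they differ as text. A reset code stored as a hex digest can take
// this shape whenever it happens to be "0e" followed only by digits.
$stored   = '0e462097431906509019562988736854';
$supplied = '0e830400451993494058024219903391';

// Loose check: the numeric interpretation makes the distinct strings match.
var_dump(verifyResetCodeLoose($stored, $supplied));

// Strict check: byte comparison, so only the genuine code is accepted.
var_dump(verifyResetCodeStrict($stored, $supplied));
var_dump(verifyResetCodeStrict($stored, $stored));
```

The same reasoning applies to any secret compared with ==: session tokens, API keys and signatures should all go through hash_equals() (or ===) rather than a loose comparison.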

What This Teaches Us About Choosing Tools

The story of October CMS offers several important lessons for anyone building web applications, particularly within the Laravel ecosystem:

Governance matters as much as code quality. A project can have excellent technical foundations, but if the governance structure allows a small number of people to fundamentally change the terms without community input, that's a risk you need to account for. Before committing to any platform, understand who controls it and what mechanisms exist to prevent unilateral decisions.

Staying current is non-negotiable. If a CMS or framework consistently falls behind on its dependency versions, that's not just a feature gap - it's a security gap. Every month you run an unsupported version of Laravel (or PHP, or any other dependency) is a month where known vulnerabilities go unpatched in your application.

Ecosystem health is a leading indicator. When plugins start going unmaintained and community forums go quiet, that tells you something about the platform's trajectory. A healthy ecosystem is one where third-party developers are actively building, maintaining, and improving extensions.

Open source isn't just a licence - it's a contract of trust. Developers contribute to open-source projects with certain expectations about how their contributions will be used. When those expectations are violated, the community doesn't just leave - they take their expertise, their plugins, and their recommendations with them.

What We Recommend Instead

For Laravel developers who need CMS capabilities, the landscape has evolved significantly. Craft CMS is a particularly exciting option right now. It's a mature, well-maintained platform with a thriving ecosystem, and from Craft CMS 6 it's adopting the Laravel framework to replace Yii - bringing the best of both worlds together. For teams already working with Laravel, this is a significant development.

If you need something lighter, Laravel itself has become increasingly capable as a content platform. Packages like Filament provide excellent admin panel functionality, and headless CMS approaches using Laravel as an API backend with a React or Next.js frontend give you complete control over both the content management experience and the presentation layer.

Whatever you choose, the key takeaway from October CMS's story is this: the tools you build on need to be actively maintained, transparently governed, and committed to staying current. Your clients depend on it, and their users' security depends on it.

Keep Your Software Updated

The October CMS saga is ultimately a cautionary tale about what happens when software falls behind. Whether it's a CMS, a framework, or a simple dependency in your composer.json, keeping your software current is one of the most important things you can do for the security and longevity of your projects.

At The API Guys, we build and maintain Laravel applications with security at the forefront. If you're running legacy software that needs updating, or you're looking to migrate away from a platform that's no longer serving you well, get in touch. We'd love to help.
