Software Maintenance & Website Security


Key Points

  • Software vulnerabilities are an inevitable byproduct of having a content management website
  • To ensure security, website software should be checked and updated on a regular basis
  • If software is not updated, your site will eventually be hacked
  • Google flags websites as “unsafe” if they are hacked or contain malware
  • Automatic software updates are conceptually a good idea, but there are many considerations before deciding to use them

Your content management system (CMS) website, be it WordPress or Joomla, needs periodic maintenance to ensure adequate security.

When you choose to use a content management website, you must make a commitment to periodically maintain it. If software updates are not applied, it’s not a question of IF a website will be hacked, it’s a question of WHEN. If your site gets hacked or infected with malware, Google will flag your site as “unsafe” and warn people not to visit it.

On a content management site, there are many software components such as the core platform, various plugins, a theme, etc. At any given time, this mix of software often contains security vulnerabilities. This is an unfortunate and inevitable byproduct of open source content management systems.

“…the leading cause of infection could be traced to the exploitation of software vulnerabilities in the platform’s extensible components… the integration of plugins, extensions, components, modules, templates, themes…”
from Sucuri’s blog post Website Hacked Trend Report 2016 – Q1

That said, these vulnerabilities usually get fixed relatively quickly, thus minimizing the threat to your website. But here’s the problem: website owners must take action to get these fixes applied to their websites. And they very likely don’t know they have software that needs updating. They don’t know their sites are at risk of being hacked. If vulnerable software is not updated, hackers will eventually find a way to gain access to the site. The best defense is to simply keep your site software updated.

As a rule of thumb, have your website software checked and updated at least monthly. It’s critically important to your website’s security to have software updates applied on a regular basis.

But What About Automatic Updates?

Automatic updates of the core software (WordPress or Joomla), as well as third-party plugins, are possible. However, there are pros and cons with automatic updates.

The obvious pro is that your site would be updated immediately with available software fixes and security patches and thus provide your site the highest level of software integrity and security.

Here are a few potential cons that must be considered before deciding to implement automatic updates:

  • Before applying software updates, it’s always recommended to take a website backup. An automated backup job would need to be set up to take care of this.
  • Any software update has the potential risk of causing a problem or introducing an incompatibility on your site, including the worst case of bringing it down completely.
  • If your website has any custom changes to any software, an automatic update may remove them. If so, they would need to be re-applied manually.

It’s true that the con items exist whether you use automatic updates or manual. However… the important distinction is that with manual updates, you have total control over all of the potential issues. You can easily perform a backup before updating, you can test and verify the backup is good, you can test all software updates on a development server before attempting them on a live site, and you can re-apply and test any software customizations as necessary. You can do all of this in a safe test environment beforehand and on the live site on your own schedule and more importantly with your customer’s schedule in mind. With automatic updates, you can only hope that problems don’t occur on your live site, and you may or may not be available at the time to address them should they occur. Consider a scenario where your site becomes unavailable at a prime time for your online customers due to a bad software update. Also consider how such a problem might be perceived by your customers.
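The backup, verify and review steps described above can be scripted for a WordPress site managed with WP-CLI. This is an added example, not part of the original article; the function names and the two path arguments are assumptions, and the script only reports pending updates without applying them.

```bash
#!/usr/bin/env bash
# Added example: pre-update routine for one WordPress site.
# It backs up the database, verifies the dump, and lists pending updates
# for review. It applies no updates. Assumes WP-CLI is installed as `wp`.

# Succeed only if the dump is non-empty, intact (when gzipped), and
# actually contains table definitions.
backup_ok() {
  local f="$1"
  [ -s "$f" ] || return 1
  case "$f" in
    *.gz) gzip -t "$f" 2>/dev/null || return 1
          gzip -dc "$f" | grep -q 'CREATE TABLE' ;;
    *)    grep -q 'CREATE TABLE' "$f" ;;
  esac
}

# Read WP-CLI CSV (name,version,update_version) on stdin and print one
# "name: installed -> available" line per pending update.
pending_updates() {
  local name cur new
  while IFS=, read -r name cur new || [ -n "$name" ]; do
    case "$name" in name|'') continue ;; esac
    printf '%s: %s -> %s\n' "$name" "$cur" "$new"
  done
}

main() {
  local site="$1" dir="$2" dump kind
  dump="$dir/db-$(date +%Y%m%d-%H%M%S).sql"
  wp --path="$site" db export "$dump" || return 1
  gzip "$dump" && dump="$dump.gz"
  if ! backup_ok "$dump"; then
    echo "backup failed verification, stop here: $dump" >&2
    return 1
  fi
  echo "backup verified: $dump"
  # The database dump does not cover uploads, themes or plugin files;
  # archive wp-content separately before updating.
  wp --path="$site" core check-update
  for kind in plugin theme; do
    wp --path="$site" "$kind" list --update=available \
      --fields=name,version,update_version --format=csv | pending_updates
  done
}

# Usage: ./pre-update.sh /path/to/site /path/to/backups  (paths are yours)
if [ "$#" -eq 2 ]; then main "$@"; fi
```

Run it against a staging copy first, then against the live site immediately before the maintenance window, so the verified backup is current when the updates are applied.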

At this point, I still advocate for manual updates since there is more control over the whole process and any potential issues. At some point, automatic updates may address the issues, and I could change my view but not just yet. There may also be some circumstances where automatic updates are fine. For example, sites that are not mission critical or do not serve a large audience.

I personally do allow WordPress to automatically update minor and security releases. This is a built-in feature of WordPress, and I have never had a problem with it causing any issues. I perform major release updates and plugin and theme updates manually.

Joomla does not currently have a built-in automatic software update feature. It can be configured to do so using third-party applications. I have had issues in the past when updating Joomla software, so I continue to manually update Joomla core software, extensions and templates.
