Who will remember to update my website?
A few things to consider before you decide to use open source software.
Let me make this clear right from the start: I am not saying that open source solutions are insecure, or that they are less secure than proprietary software. That’s a debate I will stay out of, and it’s irrelevant to this article. Today I just want to point out some things you may like to consider before you choose the open source solution instead of the proprietary one.
All software suffers at some point from bugs, and some of those bugs will create security problems. With website software, security issues tend to lead to embarrassing messages on your company home page, or worse: your website could be quietly peddling porn or other nasty things in the background. It’s something you would prefer to avoid.
The most important thing to do is ensure that when security vulnerabilities are found they are fixed very quickly. The open source community asserts that the army of developers out there probing, fixing, and enhancing the software ensures that any vulnerabilities are promptly dealt with. I’m not going to argue with that either, because that’s not the point I want to make.
Rather, the point I’m getting to is that the army of developers dutifully updating the vulnerable open source code are not working on your web site. None of them. Not one.
Just because the latest version of your favourite open source solution is now secure from Internet threats does not mean that your website is. Unless someone has gone in and updated your website specifically, it will continue to run the older, insecure version of the software, right up until your website is pwned by some 13 year old kid with appalling grammar and a taste for celebrity porn.
So, who is responsible for updating your website? In most cases it’s you. Your web developer has moved on to other projects, and it’s highly unlikely that you have a support contract with them to cover the updates. (You are watching the security lists and product announcements, aren’t you?)
No matter, at some point one of your customers will let you know your site looks a bit odd.
When this happens, you need only jump on to the server, grab the latest source, check that it’s compatible with all the third party modules you use (and that it isn't one of them that caused the problem), update and test it, then restore your content from the backup you made earlier. (You did make a backup, didn’t you?)
In the meantime Google may have wiped you from the Internet, but that's another issue. If you’re keen, there are some good instructions on cleaning up a hacked Wordpress website here. (It's pretty common, so at least there's some good help available.)
Too hard? You could pay for a support contract and let someone else take care of it, but these are rare in the open source web site developer/designer business.
There’s a good reason for this. In most cases, each of the websites the designer creates is a unique installation, and they may be on different host servers all over the world. If the designer is even mildly successful they would be updating dozens of websites manually on a continual basis, including not just the core software but all of the various modules on each website. It’s a huge job, and it’s boring. AND, given that most of the “web developers” using open source solutions are designers, marketers and SEO consultants rather than programmers or server admins, they are simply not interested. It's really not their problem after all; they didn't create the software.
Not sure it’s a big issue? The Wordpress, Joomla and Drupal open source platforms are so popular that they are huge targets. Because they are permanently connected to the web, vulnerabilities are typically exploited remotely and automatically. No one needs to specifically target your website; the bad guys just release a worm on the net and let it do its work. A quick Google search for remote exploit vulnerabilities in these common platforms turned up around a dozen for each over the last two years. Search for website defacement and the common platforms and we find many recent examples. It’s a very real problem.
Wordpress is the most common platform, and updating it is not difficult. The admin console will let you know there is a new version available (if you have access to it). If you are running multiple plug-ins, however, you can never be sure that none of them will break without research or trial and error. Make sure you update the plug-ins too, by the way; these days it's actually more likely that vulnerabilities will be found there. For most businesses it’s something they would prefer not to deal with.
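The first step in dealing with any of this is knowing what your site is actually running. The script below is an added example, not code from the article or from Wordpress: it reads the core version string from wp-includes/version.php and the Version header of each plug-in's main file, then compares them against a table of "latest" versions that you maintain yourself (the table and the sample site it scans are constructed here, and the plug-in names are invented). It does no network lookups, so it runs offline; the point is the comparison logic and the unknown-plug-in case that a manual check tends to miss.

```python
"""Report outdated Wordpress core and plug-in versions found on disk.

Added example, not from the original article. The KNOWN_LATEST table
and the sample site are constructed data; real numbers would come from
the vendors' release announcements.
"""
import re
import tempfile
from pathlib import Path

# Constructed sample data: the latest versions you have looked up yourself.
KNOWN_LATEST = {
    "core": "6.5.2",
    "example-forms": "2.4.0",
    "example-seo": "1.9.1",
}

# Matches the `$wp_version = '6.4.3';` line in wp-includes/version.php.
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
# Matches a `Version: 1.2.3` plug-in header line, with or without a leading `*`.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def version_tuple(v):
    """'6.4.3' -> (6, 4, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def installed_core_version(site_root):
    text = (Path(site_root) / "wp-includes" / "version.php").read_text()
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def installed_plugins(site_root):
    """Map plug-in directory name -> version declared in its header comment."""
    found = {}
    plugins_dir = Path(site_root) / "wp-content" / "plugins"
    for d in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        for php in d.glob("*.php"):
            m = HEADER_RE.search(php.read_text())
            if m:
                found[d.name] = m.group(1)
                break
    return found


def outdated_components(site_root, latest=KNOWN_LATEST):
    """Return [(name, installed, latest)] for anything behind the table.

    A plug-in missing from the table is reported with latest='unknown':
    that is the one you have not been tracking at all.
    """
    report = []
    core = installed_core_version(site_root)
    if core and version_tuple(core) < version_tuple(latest["core"]):
        report.append(("core", core, latest["core"]))
    for name, ver in installed_plugins(site_root).items():
        want = latest.get(name)
        if want is None:
            report.append((name, ver, "unknown"))
        elif version_tuple(ver) < version_tuple(want):
            report.append((name, ver, want))
    return report


def make_sample_site():
    """Build a constructed Wordpress-like directory tree in a temp dir."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "version.php").write_text(
        "<?php\n$wp_version = '6.4.3';\n"
    )
    sample_plugins = [
        ("example-forms", "2.4.0"),    # current
        ("example-seo", "1.8.0"),      # behind
        ("mystery-widget", "0.3"),     # not in your table at all
    ]
    for name, ver in sample_plugins:
        d = root / "wp-content" / "plugins" / name
        d.mkdir(parents=True)
        (d / f"{name}.php").write_text(
            f"<?php\n/*\nPlugin Name: {name}\nVersion: {ver}\n*/\n"
        )
    return root


if __name__ == "__main__":
    for name, have, want in outdated_components(make_sample_site()):
        print(f"{name}: installed {have}, latest {want}")
```

Point it at a real document root instead of make_sample_site() and it becomes the checklist nobody else is keeping for you; the "unknown" entries are the plug-ins to research first, because no one is watching those release notes either.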
There are some large hosting sites that provide template based versions of Wordpress and take care of the updates for you. They typically provide limited design and other customisation opportunities, however, and negate some of the advantages of an open source solution. For those on a very tight budget they are a good option.
Alternatively, there are proprietary solutions. Proprietary solutions are not immune from security issues by any stretch, but they are certainly a less obvious target for hackers. If you are a malicious 13 year old with time on your hands, what would you rather attack: 10 million Wordpress sites or a proprietary host with a few thousand at most? Most proprietary solution providers will include service plans that keep not only the bug fixes coming, but enhancements and other updates as well. If you've picked the right company you can rest more soundly knowing someone is looking out for you. Or at least, in a worst case scenario, you know exactly who to blame!
Author: Mark Illot - Bloomtools Sydney Central