Keeping your Website Secure

Written by Bob Morse

A Tale of Woe

A few years ago we had a client who was running Drupal 6 (Drupal is now on version 8). We regularly ran security updates on both the Drupal core installation and installed modules. We charge a small fee for this service because we do more than just run updates. We check whether doing so will cause any issues with the site or introduce more problems than the updates would fix. We also have a subscription service to provide such support automatically and at a discounted price.

At one point we started planning to upgrade this client’s site to version 7, keeping an eye on the releases to be sure when the latest version was ready for production. Suddenly, the client decided he would not bother having us do the upgrades to his current site since he didn’t think it was worth it. I cautioned him that upgrading from version 6 to 7 could take a while and not doing updates to his current site could leave him vulnerable to attack. He decided it was worth the risk.

You probably know where this is going. I won’t bore you with the ugly details of the attack. But his web host took the site offline and we spent several hours cleaning up the mess before he could get his site back. Fortunately, it was a fairly unsophisticated hack which hijacked his site to send out spam. It did not leave any hidden backdoors in the site’s database or file system that could be used at any time to inject all kinds of horrible malware. Which. Can. Happen.

It was a hard way to drive the lesson home for us. But we don’t try to scare clients with this tale. Maybe we should. For many organizations, their website is more than just a marketing tool. It’s their most visible presence and often a core source of revenue. If the site goes down, is defaced or used by bad actors, it can have devastating repercussions for the organization.


Nothing is Really Free (But it Needn't Be Expensive)

In a previous post, I wrote about securing our hosting servers. However, insecure websites on a secure server can still be hacked (though it is harder!). Many of the tools people use to run their sites, like Drupal and WordPress, are free to download and install. But, being free, they do not come with any support. Proper configuration and maintenance are the responsibility of the end user. This is the hidden cost of free software.

Apparently, the danger is not appreciated by many organizations and website owners. In a scan of around 500,000 websites running Drupal 7, Troy Mursch of Bad Packets found 115,700 sites running outdated versions and thus vulnerable to attack. This shocking number could be even larger, as he was unable to determine the status of a number of sites. And this study only took into account the Drupal core system. The number of modules (small sub-applications that extend the power of the system) that may also be insecure could explode that number of vulnerable sites by many multiples.

In another recently published report, the cyber security firm Paonrays surveyed 153 U.S. management consultancy firms running Drupal or WordPress for their content management system (CMS). They found fully 53% were using CMS versions that were over a year old!

What accounts for such a lapse? It’s difficult to say. It could be just a lack of understanding of the peril of leaving security holes open: spam spewed from the site, all sales re-routed to a bank account in the Ukraine, or “surprise, you’re now running a porn site!”

It could be a financial decision or a lack of technical expertise. But cyber security should never be neglected, and keeping your website CMS secure should be neither complicated nor costly. It should just be included in the cost of doing business in the Internet age.

Both Drupal and WordPress have free add-ons that will send an email whenever the system, theme, module or plugin needs to be updated. Generally, updates are relatively painless, though, as stated above, caution should be used to be sure any specific update doesn’t break something in your site.

If you would like help keeping your systems current and secure, please contact us. We’d be happy to give you a hand.
