Keeping your Website Secure

Written by Bob Morse

A Tale of Woe

A few years ago we had a client who was running Drupal 6 (Drupal is now on version 8). We regularly ran security updates on both the Drupal core installation and installed modules. We charge a small fee for this service because we do more than just run updates. We check whether doing so will cause any issues with the site or introduce more problems than the updates would fix. We also have a subscription service to provide such support automatically and at a discounted price.

At one point we started planning to upgrade this client’s site to version 7, keeping an eye on the releases to be sure when the latest version was ready for production. Suddenly, the client decided he would not bother having us do the upgrades to his current site since he didn’t think it was worth it. I cautioned him that upgrading from version 6 to 7 could take a while and not doing updates to his current site could leave him vulnerable to attack. He decided it was worth the risk.

You probably know where this is going. I won’t bore you with the ugly details of the attack. But his web host took the site offline and we spent several hours cleaning up the mess before he could get his site back. Fortunately, it was a fairly unsophisticated hack which hijacked his site to send out spam. It did not leave any hidden backdoors in the site’s database or file system that could be used at any time to inject all kinds of horrible malware. Which. Can. Happen.

It was a hard way to drive the lesson home for us. But we don’t try to scare clients with this tale. Maybe we should. For many organizations, their website is more than just a marketing tool. It’s their most visible presence and often a core source of revenue. If the site goes down, is defaced or used by bad actors, it can have devastating repercussions for the organization.


Nothing is Really Free (But it Needn't Be Expensive)

In a previous post, I wrote about securing our hosting servers. However, insecure websites on a secure server can still be hacked (though it is harder!). Many of the tools people use to run their sites, like Drupal and WordPress, are free to download and install. But, being free, they do not come with any support. Proper configuration and maintenance are the responsibility of the end user. This is the hidden cost of free software.

Apparently, the danger is not appreciated by many organizations and website owners. In a scan of around 500,000 websites running Drupal 7, Troy Mursch of Bad Packets found 115,700 sites running outdated versions and thus vulnerable to attack. This shocking number could be even larger, as he was unable to determine the status of a number of sites. And this study only took into account the Drupal core system. The number of modules (small sub-applications that extend the power of the system) that may also be insecure could explode that number of vulnerable sites by many multiples.

In another recently published report, the cyber security firm Panorays surveyed 153 U.S. management consultancy firms running Drupal or WordPress for their content management system (CMS). They found fully 53% were using CMS versions that were over a year old!

What accounts for such a lapse? It’s difficult to say. It could be just a lack of understanding of the peril of leaving security holes open: spam spewed from the site, all sales re-routed to a bank account in Ukraine, or “surprise, you’re now running a porn site!”

It could be a financial decision or a lack of technical expertise. But cyber security should never be neglected, and keeping your website CMS secure should be neither complicated nor costly. It should just be included in the cost of doing business in the Internet age.

Both Drupal and WordPress have free add-ons that will send an email whenever the system, theme, module or plugin needs to be updated. Generally, updates are relatively painless, though, as stated above, caution should be used to be sure any specific update doesn’t break something in your site.

If you would like help keeping your systems current and secure, please contact us. We’d be happy to give you a hand.
