A few years ago we had a client who was running Drupal 6 (Drupal is now on version 8). We regularly ran security updates on both the Drupal core installation and the installed modules. We charge a small fee for this service because we do more than just run updates: we check whether a given update will cause problems with the site or introduce more issues than it fixes. We also offer a subscription service that provides this support automatically and at a discounted price.
At one point we started planning the upgrade of this client’s site to version 7, keeping an eye on the releases so we would know when the latest version was ready for production. Then the client decided he would not bother having us apply security updates to his current site, since he didn’t think it was worth it. I cautioned him that the major upgrade from version 6 to 7 could take a while, and that leaving his current site unpatched in the meantime could leave him open to attack. He decided it was worth the risk.
You probably know where this is going. I won’t bore you with the ugly details of the attack. His web host took the site offline, and we spent several hours cleaning up the mess before he could get his site back. Fortunately, it was a fairly unsophisticated hack that hijacked his site to send out spam. It did not leave hidden backdoors in the site’s database or file system that could later be used to inject all kinds of malware. Which. Can. Happen.
It was a hard way to drive the lesson home for us. But we don’t try to scare clients with this tale. Maybe we should. For many organizations, their website is more than just a marketing tool. It’s their most visible presence and often a core source of revenue. If the site goes down, is defaced or used by bad actors, it can have devastating repercussions for the organization.
In a previous post, I wrote about securing our hosting servers. However, an insecure website on a secure server can still be hacked (though it is harder!). Many of the tools people use to run their sites, like Drupal and WordPress, are free to download and install. But, being free, they come with no vendor who is responsible for keeping your installation patched. Proper configuration and maintenance are the responsibility of the end user. This is the hidden cost of free software.
Apparently, the danger is not appreciated by many organizations and website owners. In a scan of around 500,000 websites running Drupal 7, Troy Mursch of Bad Packets found 115,700 sites running outdated versions and therefore exposed to publicly known, already-patched vulnerabilities. This shocking number could be even larger, as he was unable to determine the status of a number of sites. And this study only took into account the Drupal core system. Counting contributed modules (small sub-applications that extend the system) that are also out of date would likely multiply the number of vulnerable sites.
In another recently published report, the cyber security firm Paonrays surveyed 153 U.S. management consultancy firms running Drupal or WordPress as their content management system (CMS). They found that fully 53% were using CMS versions that were over a year old!
What accounts for such a lapse? It’s difficult to say. It could be a simple lack of understanding of the peril: a security hole can mean spam being spewed from the site, all sales being re-routed to a bank account in Ukraine, or “surprise, you’re now running a porn site!”
It could be a financial decision or a lack of technical expertise. But cyber security should never be neglected, and keeping your website CMS secure need not be complicated or costly. It should simply be included in the cost of doing business in the Internet age.
Both Drupal and WordPress have free add-ons that will send an email whenever the system, theme, module or plugin needs to be updated. Generally, updates are relatively painless. Still, as noted above, take a backup of the database and files first and check that a specific update doesn’t break something in your site before applying it to production.
If you would like help keeping your systems current and secure, please contact us. We’d be happy to give you a hand.
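To make the "outdated and therefore vulnerable" test from the scan above concrete, here is an added example (not code from this post, and not Drupal's or WordPress's own update checker) that compares an installed Drupal 7 version against a release feed and reports which security releases have been skipped. The feed is a constructed sample written in the shape of Drupal's update-status XML (the `release`, `version`, `status` and "Release type" `term` elements are modeled on the real feed at updates.drupal.org/release-history; treat the exact shape as an assumption). The version strings and the labelling of 7.58 as a security update are sample data.

```python
"""Compare an installed Drupal 7 version with a release feed.

Added example, not code from the original post. SAMPLE_FEED is a
constructed stand-in for Drupal's release-history XML; only the
elements used below are reproduced, and their shape is an assumption.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample feed (not fetched from drupal.org).
SAMPLE_FEED = """<?xml version="1.0" encoding="utf-8"?>
<project>
  <title>Drupal core</title>
  <short_name>drupal</short_name>
  <releases>
    <release><version>7.59</version><status>published</status>
      <terms><term><name>Release type</name><value>Bug fixes</value></term></terms></release>
    <release><version>7.58</version><status>published</status>
      <terms><term><name>Release type</name><value>Security update</value></term></terms></release>
    <release><version>7.57</version><status>published</status>
      <terms><term><name>Release type</name><value>Bug fixes</value></term></terms></release>
    <release><version>7.56</version><status>published</status>
      <terms><term><name>Release type</name><value>Bug fixes</value></term></terms></release>
  </releases>
</project>
"""


def parse_version(version):
    """Turn '7.58', '7.x-1.10' or '7.x-2.0-beta1' into a comparable tuple.

    The core-compatibility prefix ('7.x-') used by contributed modules is
    dropped, numeric parts compare as integers (so 1.10 > 1.9), and a
    pre-release suffix sorts below the final release with the same numbers.
    """
    v = re.sub(r"^\d+\.x-", "", version)
    main, _, pre = v.partition("-")
    nums = tuple(int(p) for p in main.split("."))
    return (nums, 1) if not pre else (nums, 0, pre)


def check_updates(feed_xml, installed):
    """Return (latest_published_version, skipped_security_versions).

    A release counts as skipped when it is newer than `installed`; the
    ones whose 'Release type' term is 'Security update' are the releases
    that leave a site exposed to already-published fixes.
    """
    root = ET.fromstring(feed_xml)
    current = parse_version(installed)
    newer = []
    for rel in root.iter("release"):
        if rel.findtext("status") != "published":
            continue  # unpublished/withdrawn releases are not upgrade targets
        ver = rel.findtext("version")
        if parse_version(ver) <= current:
            continue
        types = {t.findtext("value") for t in rel.iter("term")
                 if t.findtext("name") == "Release type"}
        newer.append((ver, "Security update" in types))
    newer.sort(key=lambda r: parse_version(r[0]))
    latest = newer[-1][0] if newer else installed
    skipped_security = [v for v, is_sec in newer if is_sec]
    return latest, skipped_security


def report(installed, feed_xml=SAMPLE_FEED):
    """One-line status in the spirit of the scan's outdated/vulnerable call."""
    latest, skipped = check_updates(feed_xml, installed)
    if skipped:
        return (f"{installed}: INSECURE, missing security release(s) "
                f"{', '.join(skipped)}; latest is {latest}")
    if latest != installed:
        return f"{installed}: outdated, latest is {latest} (no security release skipped)"
    return f"{installed}: up to date"


if __name__ == "__main__":
    for v in ("7.56", "7.58", "7.59"):
        print(report(v))
```

The point of separating "outdated" from "skipped a security release" is that the second is the number that matters operationally: a site one bug-fix release behind is a maintenance item, while a site behind a security release is exposed to a fix that attackers can read. On a live site the equivalent question is answered by `drush pm:security` for Drupal and `wp core check-update` (plus `wp plugin list --update=available`) for WordPress; the script above is only a stand-in for understanding what those tools compare.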