Importance of Updates in Website Security: WordPress, Joomla, Drupal and CMSs
In my recent post discussing the dilemma that is WordPress security, there seemed to be some confusion as to my position on updates. Allow me a moment to provide clarity on the subject: yes, updates are very important.
My previous statements were specific to the importance level of updates; they were designed to foster a very different type of conversation than one you would have with an everyday website owner. An everyday website owner doesn’t care about the nuances or philosophical arguments that occur at the higher echelons of a specific domain; their concern is what affects them right now.
For the everyday website owner, along with a variety of other best practices, you should be applying updates as they become available. This post is more specific to you and your needs, and to what you must understand about the world of updates.
Updates Place in the Realm of Website Security
Regardless of what technology you use for your website (i.e., WordPress, Joomla, Drupal, non-CMS), you have to be mindful of the tools, plugins and extensions that are integrated into your platform. There are a number of principles, or processes, that have long been used to define what the Information Technology security wheel is comprised of. You can almost think of it as the circle of life for security professionals.
Traditionally, updates / patches have been categorized within the security wheel as a subset of Protection. This, however, is not effective for end-users. We have to give more thought to how end-users understand what belongs where; in the process we’re forced to start thinking outside the box around traditional security concepts and adapting them to our own needs as website owners.
That’s where we start talking about things like good posture and how it applies to you, the website owner, and more importantly how it helps reduce your security risk, in turn providing you with a more pleasant online experience. To accomplish this we have to gain a better appreciation for what the security landscape should look like for website owners and how we should be communicating it to our clients and other end-users.
As important a task as it is, notice how it’s but a small speck in the greater approach to achieving an effective security posture. If you’re wondering, updates / patches are housed within the Administration category under the Maintenance component. It’s important that we spend a little time clearly and objectively looking at the full spectrum of security when we educate website owners.
The Value Updates Introduce
The value of updates is the same today as it has been for years. Understand, however, that updates really fall into 3 main categories:
- Security Updates
- Patch Updates
- Major Release
There really isn’t a standard across the security spectrum for these classifications, so I’m capturing them as I see fit in the website security space. It’s not to say that every platform follows or adheres to these; they all likely have their own language or terminology around it. For the sake of clarity, though, this classification is what I’m going to go with.
Let the arguments in the comments begin.
1. Security Updates
These are a constant in any software you use. Just last week we saw security fixes across a number of platforms like Adobe and Microsoft (for your desktop folks) and WordPress and Drupal (for you website owners). I provide that distinction so that you see how closely related the world of security is.
These updates often go out in point releases. They are usually very clear in terms of what the release is for. It’s also fairly safe to apply point releases: they stay within the same branch and never introduce new features. It’s not to say that you won’t break something, that is always a possibility, but it is a very unlikely scenario. Also note that in some cases security fixes will be rolled into patch updates, and some projects will reserve a dedicated security release for the more serious instances (i.e., high severity classifications).
Example: Version 1.1.1 to 1.1.2
2. Patch Updates
These too are constants; unlike security updates, however, they are really focused on bug fixes or other non-security related issues. That does not mean they don’t at times wrap security issues into them. These don’t tend to be pushed out as vigorously as security updates. Meaning, a security release will go out the minute the vulnerability is patched, while a patch update, depending on its severity, will likely go into some release cycle: weekly, monthly, etc.
These updates are similar to security updates in that they rarely introduce new features and should not break your environment, but it’s always a possibility.
Example: Version 1.2 to 1.3
3. Major Releases
I reserve this categorization for big releases. A perfect example is big moves like XP to Vista to Windows 7 to Windows 8. For website owners, think Joomla! 1.x, 2.x, 3.x, and for WordPress think 3.0 to 4.0; by the way, the 4.0 Beta is out, so be prepared for some goodies coming to a WordPress site near you. It’s during these major upgrades that updates get their worst reputation.
It’s during these periods that you often see big changes, both those you can see and those you can’t. Things you can see might be a new interface or the introduction of new features, while the things you can’t might be refactoring of code (i.e., think reorganization of code, developing new code, optimization of code, etc.). These updates can cause a lot of issues for website owners, especially in highly extensible environments like Content Management Systems (CMS) that allow for easy extensibility through extensions, plugins, templates and themes.
Take into consideration the Joomla! environment. It has been plagued with security issues over the years, and the biggest contributing factor to that issue is the lack of backwards compatibility. Meaning, those that are on the 1.x branch have a very difficult, and in some cases impossible, time migrating to the 2.x or 3.x branch. That, and the fact that there are even two distinct 2.x and 3.x branches.
The flip side to that coin, however, and the argument you hear in other communities, is WordPress’s desire to be backwards compatible. It’s a noble approach, leave no website owner behind, but it does contribute to some of the code bloat and inefficiencies, and 100% compatibility is always very challenging. The bigger challenge here is the bad habits that many developers picked up in the early days, both in their configurations and in their administration of websites, in which they would make core modifications.
Regardless, when working with this type of update it’s always best to take appropriate actions prior to the update itself: a full backup of files and database that you have actually tested restoring, and a trial run of the upgrade on a staging copy of the site.
Example: Version 1.0 to 2.0
Managing your Updates
Oh, how simple a task this might seem; like most things, it’s all about perspective.
For the website owner that manages one website, the proposition seems simple. Click on the update button and you’re set; that, however, is not often the case. That’s more of an oversimplification of the process, something we’re all very good at.
The world of updates can best be categorized into four containers:
1. Manual Updates
This is the more common approach in most open source platforms, and depending on which platform you are using you should consider following the platform’s own guidance on how to go about performing the update.
Each of the major CMS applications that website owners operate today offer decent instructions for upgrading their respective platforms:
- WordPress.org offers a very comprehensive list of steps to take when applying an update. For those looking for a simpler approach, you can always resort to their watered-down version.
- Joomla! also offers instructions that you can make use of; just be sure you follow the steps for your appropriate branch.
- Drupal also shares similar instructions, providing you the context and instructions you require.
What you want to be mindful of with the three examples above is that they are all open-source platforms. Not every website application is the same. Some applications have fees associated with their upgrade paths, specifically when we’re talking about a Major Release (a perfect example of this is vBulletin). In those instances, as a website owner you’re put in a very precarious position, as the option is no longer just to update; you now have to weigh the cost of upgrading against the risk of staying on an unsupported, unpatched release, and both have an economic impact on your business.
2. Automatic Updates
This seems to be all the rage lately, but it’s really nothing new. Most software applications that we’re accustomed to as technology users already employ this tactic. What it’s highly effective for is addressing known bads; what it fails at is unknown bads. I know, it’s a bit convoluted, but a necessary distinction nonetheless.
We’ve started to see large platforms move in this direction; the perfect example is WordPress, which introduced it in 3.7. It’s very likely we’ll see this happen for other website platforms as well. Frankly, this shouldn’t be a surprise to anyone; we’ve seen it happening across the software environment for years, and we even see it in browsers like Firefox. Who really knows what version of Firefox they actually run anymore? It’s pretty apparent that’s the direction WordPress is headed.
The challenge these website platforms will continue to have is around their extensibility, again their strongest feature. Very few plugins actually offer auto-updates, not even thinking about themes or templates. The reason is a lot simpler than most might think: the fear of a break. There are many that will say, “The hell with it, the risk outweighs the potential impact.” To those I say, “You’ve obviously never run a business or understood how quickly public opinion can crush you.”
It’s not to say that we should not be considering it for security releases; I think every developer should be thinking of ways to incorporate an auto-update feature for security fixes.
The trick here will be balancing what goes into a security auto-update. When we start opening this door it’s an opportunity for catastrophe: developer categorizations are all over the place, the overwhelming need to add that one additional feature might be too much for someone to hold back on, and the list goes on.
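To make the three update classes above and the “auto-update security fixes only” position concrete, here is an added example (my own code for this page, not the original post’s and not part of WordPress): a must-use plugin that classifies an update by comparing version numbers the way the post does, then uses the auto-update hooks WordPress shipped in 3.7 to apply only the security class unattended. The file name, the `aup_` prefix and the single allow-listed plugin slug are assumptions for the example; `WP_AUTO_UPDATE_CORE`, the `auto_update_plugin` and `auto_update_theme` filters, `__return_false` and the `update_plugins` transient are WordPress’s own.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example)
 *
 * Save as wp-content/mu-plugins/auto-update-policy.php (hypothetical
 * file name). Encodes the three update classes from the post and tells
 * the WordPress 3.7+ automatic updater which of them may be applied
 * unattended. The aup_ prefix and the allow-list are assumptions made
 * for this example.
 */

/**
 * Classify an update by the post's scheme: first component changed =>
 * 'major' (1.0 -> 2.0), second => 'patch' (1.2 -> 1.3), third =>
 * 'security' point release (1.1.1 -> 1.1.2). Returns 'none' when $new
 * is not newer than $current. Missing components count as 0.
 */
function aup_classify_update( $current, $new ) {
	if ( version_compare( $new, $current, '<=' ) ) {
		return 'none';
	}
	$cur = array_map( 'intval', explode( '.', $current ) ) + array( 0, 0, 0 );
	$nxt = array_map( 'intval', explode( '.', $new ) ) + array( 0, 0, 0 );
	if ( $nxt[0] !== $cur[0] ) {
		return 'major';
	}
	if ( $nxt[1] !== $cur[1] ) {
		return 'patch';
	}
	return 'security';
}

/*
 * Core: this constant lives in wp-config.php, not here. 'minor' (the
 * 3.7 default) means security/point releases only; true would also
 * apply major releases unattended; false disables core auto-updates.
 *
 *     define( 'WP_AUTO_UPDATE_CORE', 'minor' );
 */

// Plugins: WordPress does not auto-update them by default. Opt in for a
// vetted list only (hypothetical slug), and only for the security class,
// so a plugin's 1.x -> 2.x rewrite never lands on a live site unattended.
$aup_trusted_plugins = array( 'akismet' );

add_filter( 'auto_update_plugin', function ( $update, $item ) use ( $aup_trusted_plugins ) {
	if ( empty( $item->plugin ) || empty( $item->slug )
		|| ! in_array( $item->slug, $aup_trusted_plugins, true ) ) {
		return false;
	}
	// The installed version comes from the transient WordPress filled in
	// during its update check: checked[ plugin_file ] => current version.
	$transient = get_site_transient( 'update_plugins' );
	if ( ! isset( $transient->checked[ $item->plugin ] ) ) {
		return false; // unknown baseline: leave it for a manual update
	}
	$class = aup_classify_update( $transient->checked[ $item->plugin ], $item->new_version );
	return 'security' === $class;
}, 10, 2 );

// Themes and templates: same fear of a break, nothing automatic.
add_filter( 'auto_update_theme', '__return_false' );
```

The filter is consulted for every update candidate during the cron-driven update check; returning `false` does not block the update, it only leaves it in the dashboard for a manual, backed-up update. Version numbers are the only signal available here, so a developer who ships a refactor as 1.1.2 still gets through: the classifier enforces the post’s convention, it cannot verify that a project follows it.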
3. Use a Maintenance Utility
This is perhaps the best alternative for the plethora of do-it-yourselfers we find in the open source communities, especially in WordPress. The fact that it is as easy to spin up a new instance of the platform as it is to turn on your computer becomes a disaster for many.
I have seen first hand some of the best developers in these communities get hacked, often through cross-site contamination, in which a neighboring site on the same server was used to infiltrate it, in turn affecting the rest of the environment. That’s where you need to start thinking of centralized utility tools like iThemes Sync for WordPress or ManageWP. For the Joomla crowd you have utility solutions like WatchFul.li.
Where things will likely get very complicated for you is if you manage environments in which you control multiple websites across multiple platforms. To that I say, “Good luck”.
4. Use a Maintenance Service Provider
Most of what I address above, however, still requires some level of interaction from you, the website owner. That only applies to a very small percentage of the population. The reality is that most website owners only want to get the website up and running; the thought of, or care about, things like security or maintenance is the furthest thing from their mind. I don’t blame them one bit.
If you are part of this classification, then for your sake we recommend solutions like maintenance providers, such as Maintainn in the WordPress domain. They are, for lack of a better word, your personal website maintenance team, handling a variety of the tasks associated with maintenance, including updates. I wish I could provide recommendations for Joomla, Drupal and others, but honestly I’m not sure, so rather than recommend something I don’t know I’d encourage you to Google providers that match this description.
The Complicated Language that is Updates
Oh dear, I just scrolled up and noticed how lengthy a post this is. If you’ve made it this far, I commend you, and you get a gold star for making it through my rant.
It is, however, an interesting conversation to have, and to think that this write-up was simply to explain that I believe in updates and believe they are a critical piece of the security process for any website. It is not a simple discussion. In our need to simplify, we sometimes fail to bring awareness and educate. Trust me, I understand the reasoning behind it. Society as a whole has the attention span of a gnat these days; everyone wants the surefire thing.
Unfortunately, nothing about security, from Network Security to Website Security to Physical Security, is ever simple and the more we try to make it so, the more we are setting ourselves up for failure and grave disappointment.
Hey Tony, if you were chosen to speak at a little teensy tiny WordCamp, and obviously your selected topic is security, how would you spend the next hour? That’s all you’ve got, ~60 minutes. Then everyone goes on about their business. What do you do? Major bullet points? And how do you convey the most important parts?
I couldn’t agree with you more, Tony, on the idea of automatic updates. In fact, they make me shiver, because you don’t know if an auto update will actually cause an interruption to your site because it clashes with a plugin or theme.
I prefer to update my websites and my client’s websites manually. Even still… I find myself on the edge of my seat with my fingers crossed, hoping that nothing breaks.
And it doesn’t matter that I am a web developer either–and that I can recover a website from just about any anomaly.
All the other points that you cover and address about security in your post, I am following like an FO attached to an 81 mm Mortar Platoon (Marine Corps). Because this is something that I know is not something that should be taken lightly, and website owners need to know the facts… and from your posts and guidance, I’ll be able to inform my own customers with the knowledge that I get from you.
Semper FI
I believe that the future lies in a system where backups are performed automatically beforehand, along with an algorithm that would be able to detect whether or not there has been a change to the site that would be negative for the site owner.
I think this is one of the most important things to shed light on: why you must read / understand what will happen if you click or not.
This was said by John Oliver in this great video regarding people & clicking on the web.
“If Apple put the entire text of Mein Kampf in their user agreement you’d still click agree,”
https://www.youtube.com/watch?v=fpbOEoRrHyU
Obviously I oversimplified something I wish was the case for all software on the web, but this is not the case. Your example of Maintainn, the WordPress company, is exactly what people do need if they do not choose a very good managed WordPress hosting provider.
I am worried that SSL will bring on a false sense of security for people who do not understand they still need firewalls and intrusion detection and everything you are discussing in this post.
This is something that people definitely needed to hear, and I like that you bring up that there is a give and take with speed and security. Because of Google’s algorithm change and HTTPS, I believe this will be a shock to many who believe rankings are going to magically improve because they purchased an SSL certificate and therefore they’re safe.
I have a friend you may know; if not, I am sure you guys would get along very well. His blog is right here, and I want to show him this site as well.
(This is old but I bet you’ll like it)
http://danielmiessler.com/study/infosec_interview_questions/
All The Best,
Tom
Hey Tony, thanks for the post… I’ve got a cool tip for your readers too!
When you’re updating your plugins and WordPress core, the site displays a boring white screen saying ‘Under Maintenance’. This can display for seconds or a number of minutes depending on how your server is set up. This doesn’t look great to any site visitors.
All you need to do is create a maintenance.php file and add it to your /wp-content/ folder. You can add whatever PHP and HTML you like in there :)
Just remember that WordPress isn’t loaded at this time, so don’t add any WordPress PHP… and hey presto, a cool little fix for all your ToS readers!
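Editor’s addition to the tip above (this is my own example file, not the commenter’s): a wp-content/maintenance.php that keeps the friendly page but also keeps the HTTP behaviour the built-in screen would have given you. When that file exists, WordPress includes it and exits instead of sending its own response, so the `503 Service Unavailable` status and `Retry-After` header the default screen sends are no longer sent for you; without them, browsers, CDNs and search crawlers see a normal `200` page and may cache or index it. The page text and styling are placeholders; the headers are the point. `http_response_code()` needs PHP 5.4 or later.

```php
<?php
/**
 * wp-content/maintenance.php (added example, not from the comment above).
 *
 * WordPress includes this file, then exits, while a .maintenance file
 * exists in the site root (it ignores that file once it is more than
 * 10 minutes old). WordPress itself is NOT loaded here: no WordPress
 * functions, no database, no theme. Everything below is plain PHP.
 */

// The built-in screen sends these for you; a custom file must do it itself,
// otherwise visitors, proxies and crawlers get a cacheable 200 response.
http_response_code( 503 );                           // temporary outage
header( 'Content-Type: text/html; charset=utf-8' );
header( 'Retry-After: 600' );                         // matches WordPress's own 10-minute window
header( 'Cache-Control: no-store, no-cache, must-revalidate, max-age=0' );
header( 'X-Robots-Tag: noindex' );                    // belt and braces for search crawlers

// Do not print anything site-specific: no versions, no plugin names,
// nothing that tells a visitor what is being updated.
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Back in a few minutes</title>
<style>
body { font-family: sans-serif; margin: 4em auto; max-width: 36em; text-align: center; color: #333; }
</style>
</head>
<body>
<h1>We are applying an update</h1>
<p>The site will be back in a few minutes. Nothing you need to do.</p>
</body>
</html>
```

The same file is used for core, plugin and theme updates, since all of them put the site into maintenance mode the same way, and because WordPress is not loaded it also works when the update that is in progress is the one that would otherwise have broken the site.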
My WordPress site would always auto update and then I’d find that something wasn’t working with a plugin or a part of the theme occasionally. It felt out of control and it was frustrating because I don’t know how to roll back the site when something would go haywire. Anyway, long story short, I started using a WordPress maintenance company and since then I’ve had no worries with any of this. There’s a lot of them to choose from but after speaking with several I went with one called Total WP Support, so I have to give them a little plug and say thanks guys. If anyone is in the same boat and needs WordPress support they are at http://www.totalwpsupport.com