Responsible Site Ownership: keeping your site up to date
The Importance of Updating CMS-Based Websites
Executive Summary
Modern websites built using content management system (CMS) software require the regular application of software updates in order to keep the site operational and secure. Applying updates is more difficult when previous updates have not been regularly applied, increasing the time needed to respond to newly uncovered critical security vulnerabilities. Failure to apply updates, particularly critical security updates, can result in a website being “hacked” or defaced. Recovering from a hacked website is a difficult and time-consuming operation that can be avoided through regular maintenance.
Background
Both Drupal and WordPress consist of a “core” package provided and maintained by their respective open-source communities, and both can be extended using a wide variety of add-ons (“plugins” in WordPress, “modules” in Drupal) that are available from various sources on the Web. For both the “core” package and add-ons, the maintainers generally release regular software updates, either to provide new functionality or fix bugs in the existing version, or in some cases to address an identified security issue.
The Case for Regular Updates
Every site built on CMS software requires a permanent, ongoing commitment to keep the site up to date with the various types of releases that are made available, such as:
- Updates to the core CMS software (e.g. Drupal or WordPress)
- Updates to CMS add-ons (e.g. Drupal modules, WordPress plugins)
- Updates to additional libraries in use (e.g. JavaScript or PHP libraries required by Drupal modules or WordPress plugins)
Not all updates are classified as “security updates,” leading some site owners to think that these updates can be skipped to save time or to avoid the effort of making any changes to their site that the update requires. However, the downside of this approach is that security updates are generally dependent on the most recent previous version of the software.
In some cases, highly critical security updates for the CMS core products or add-ons may be released with very little warning, and exploits for the vulnerabilities addressed by these updates may appear “in the wild” within days or even hours of the release. In these cases, site owners whose software is already out of date may struggle to install, test, and deploy the update in a timely fashion.
Conclusion
Regular and timely application of software updates should be seen as part of the responsibility and cost of modern website ownership.
Consider opting in to the available Auto Update service provided by ITS.