With so many well-publicized security scares in the news each week, most business people have a good idea how important it is to keep their computers updated with the latest security patches. What sometimes gets forgotten is the need to pay just as much attention to the security of their company websites.
Security wasn't always such a big web issue. A few years ago, before the widespread use of content management systems (CMSs), most websites consisted of passive HTML files and graphics. While these sites weren't nearly as easy to maintain as today's systems based on sleek CMSs like WordPress, Joomla and Drupal, they were virtually impossible to hack. Because those old sites lacked the active code and database components that make today's backend editing process so interactive and easy to use, there were few hooks that hackers could use to gain unlawful entry.
Today it's a much different story. CMS-driven websites like the ones we build for clients are chock-full of useful code that provides tons of features that today's users cannot (and should not) live without. Whether these features are built into the CMS platform itself or added later via plug-ins and add-ons, each one introduces new code that, in some cases and without the right security precautions, can be exploited to provide a "back door" for hackers to get in.
Fortunately, the good guys are well aware of the potential problems. That's why CMS providers like WordPress and Joomla regularly update their systems with security releases. Updating your website to these new versions is usually straightforward, and in the case of the most recent releases of WordPress, the site can be set to update automatically in the background.
So how often does a CMS need to be updated for security? Usually it's not necessary to update your site the moment these security patches come out. From our experience, updating a site two or three times a year to the newer CMS release is usually fine and will keep the hackers at bay.
There's one other security issue to keep in mind. Most sites today use at least a few plug-ins in addition to the core CMS for things like forms management, calendars or interactive photo rotators. Many of these contain code that can also be exploited by the bad guys. But just like the CMSs themselves, these plug-ins also get regular updates.
A good "best practice" to keep in mind is checking with the plug-in providers for security updates at the same time you upgrade the CMS. Keep in mind that a security update for the CMS can sometimes "break" the functionality of the plug-in, or vice versa. When possible, it's best to update the site first and then check the plug-ins, one by one, to see whether updates are available and whether they still work with the CMS.
Until next time. . .