Importance of Updates in Website Security – WordPress, Joomla, Drupal and CMS’s

In my recent post talking to the dilemma that is WordPress Security, there seemed to be some confusion as to my position on updates. Allow me a moment to provide clarity on the subject: yes, updates are very important.

My previous statements were specific to the importance level of updates; they were designed to foster a very different type of conversation than the one you would have with an everyday website owner. An everyday website owner doesn’t care about the nuances or philosophical arguments that occur at the higher echelons of a specific domain; their concern is what affects them right now.

For the everyday website owner, along with a variety of other best practices, you should be applying updates as they become available. This post is more specific to you, your needs, and what you must understand about the world that is Updates.

Updates’ Place in the Realm of Website Security

Regardless of what technology you use for your website (i.e., WordPress, Joomla, Drupal, non-CMS), you have to be mindful of the tools, plugins and extensions that are integrated into your platform. There are a number of principles, or processes, that have long defined what the Information Technology security wheel is composed of. You can almost think of it as the circle of life for security professionals.

Figure: Security Components – Traditional Information Technology Security Wheel

Traditionally, updates / patches have been categorized within the security wheel as a subset of Protection. This, however, is not effective for end-users. We have to put more thought into how end-users understand what an update is and where it belongs; in the process we’re forced to start thinking outside the box around traditional security concepts and adapting them to our own needs as website owners.

That’s where we start talking about things like Good Posture and how it applies to you, the website owner, and more importantly how it helps reduce your security risk, in turn providing you with a more pleasant online experience. To accomplish this we have to gain a better appreciation for what the security landscape should look like for website owners and how we should be communicating it to our clients and other end-users.

Figure: The Website Security Landscape – Good Posture – Administration

As important a task as it is, notice how it’s but a small speck in the greater approach to achieving an effective security posture. If you’re wondering, updates / patches are housed within the Administration category under the Maintenance component. It’s important that we spend a little time clearly and objectively looking at the full spectrum of security when we educate website owners.

Figure: Website Security – Maintenance Category – Administration Wheel

The Value Updates Introduce

The value of updates is the same today as it has been for years. Understand, however, that updates really fall into three main categories:

  1. Security Updates
  2. Patch Updates
  3. Major Release

There really isn’t a standard across the spectrum of security for these classifications, so I’m capturing them as I see them fit in the website security space. That’s not to say that every platform follows or adheres to these; they all likely have their own language or terminology around it. For the sake of clarity, though, this classification is what I’m going to go with.

Let the arguments in the comments begin.

1. Security Updates

These are a constant in any software you use. Just last week we saw security fixes across a number of platforms like Adobe and Microsoft (for your desktop folks) and WordPress and Drupal (for you website owners). I provide that distinction so that you see how closely related the worlds of security are.

These updates often go out in point releases. They are often very clear in terms of what the release is for, and it’s fairly safe to apply updates to point releases: they stay within the same branch and never introduce new features. That’s not to say you won’t break something; that is always a possibility, but it is a very unlikely scenario. Also note that in some cases security updates will be rolled into Patch updates, and some will reserve this specific update type for more serious instances (i.e., high severity classifications).

Example: Version 1.1.1 to 1.1.2

2. Patch Updates

These too are constants; unlike security updates, however, they are really focused on bug fixes or other non-security related issues. That does not mean they don’t at times wrap security issues into them. These don’t tend to be pushed out as vigorously as Security updates. Meaning, a security release will go out the minute the vulnerability is patched, while a patch update, depending on its severity, will likely go into some release cycle – weekly, monthly, etc.

These updates are similar to Security updates in that they rarely introduce very new features and should not break your environment, but it’s always a possibility.

Example: Version 1.2 to 1.3

3. Major Releases

I reserve this categorization for big releases. A perfect example is big moves like XP to Vista to Windows 7 to Windows 8. For website owners, think Joomla! 1.x, 2.x, 3.x, and for WordPress think 3.0 to 4.0; by the way, 4.0 Beta is out, so be prepared for some goodies coming to a WordPress site near you. It is during these major upgrades that updates get their worst reputation.

It’s during these periods that you often see big changes, both those you can see and those you can’t. Things you can see might be a new interface or the introduction of new features, while the things you can’t might be refactoring of code (i.e., think reorganization of code, developing new code, optimization of code, etc.). These updates can cause a lot of issues for website owners, especially in highly extensible environments like Content Management Systems (CMS) that allow for easy extensibility through extensions, plugins, templates and themes.

Take into consideration the Joomla! environment. It has been plagued with security issues over the years, and the biggest contributing factor to that issue is the lack of backwards compatibility. Meaning those that are on the 1.x branch have a very difficult, and in some cases impossible, time migrating to the 2.x or 3.x branch. That, and the fact that there are even two distinct 2.x and 3.x branches.

The flip side to that coin, however, and the argument you hear in other communities, is WordPress’ desire to be backwards compatible. It’s a noble approach, leave no website owner behind; it does, however, contribute to some code bloat and inefficiencies, and 100% compatibility is always very challenging. The bigger challenge here is the bad habits that many developers picked up in the early days, both in their configurations and in their administration of websites, in which they would make core modifications.

Regardless, when working with these types of updates it’s always best to take appropriate actions prior to the update itself.

Example: Version 1.0 to 2.0

Managing your Updates

Oh, how simple a task this might seem; like most things, it’s all about perspective.

For the website owner that manages one website, the proposition is simple: click on the update button and you’re set. That, however, is often not the case. It’s more an oversimplification of the process, something we’re all very good at.

The world of updates can best be categorized into four containers:

1. Manual Updates

This is the more common approach in most open source platforms, and depending on which platform you are using you should consider leveraging the platform’s own guidance on how to go about performing the update.

Each of the major CMS applications that website owners operate today offers decent instructions for upgrading its respective platform:

What you want to be mindful of with the three examples above is that they are all open-source platforms. Not every website application is the same. Some applications have fees associated with their upgrade paths, specifically when we’re talking Major Releases (a perfect example of this is vBulletin). In those instances, as a website owner you’re put in a very precarious position, as the option is no longer just “update”; you now have to weigh the risk of updating against the economic impact to your business.

2. Automatic Updates

This seems to be all the rage lately, but it’s really nothing new. Most software applications that we’re accustomed to as technology users already employ this tactic. What it’s highly effective for is addressing known bads; what it fails at is unknown bads. I know, it’s a bit convoluted, but a necessary distinction nonetheless.

We’ve started to see large platforms move in this direction; the perfect example is WordPress, which introduced it in 3.7. It’s very likely we’ll see this happen for other website platforms as well. Frankly, this shouldn’t be a surprise to anyone; we’ve seen it happening across the software environment for years, and we even see it in browsers like Firefox. Who really knows what version of Firefox they actually run anymore? It’s pretty apparent that’s the direction WordPress is headed.

The challenge these website platforms will continue to have is around their extensibility, again their strongest feature. Very few plugins actually offer auto-updates, not even thinking about themes or templates. The reason is a lot simpler than most might think – the fear of a break. There are many that will say, “The hell with it, the risk outweighs the potential impact.” To those I say, “You’ve obviously never run a business or understood how quickly public opinion can crush you.”

That’s not to say that we should not be considering it for security releases; I think every developer should be thinking of ways to incorporate an Auto-Update feature for Security fixes.

The trick here will be balancing what goes into a Security auto-update. When we start opening this door it’s an opportunity for catastrophe: developer categorizations are all over the place, and the overwhelming need to add that one additional feature might be too much for someone to hold back on. The list goes on.
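As an added example (not code from the original post), here is a small Python policy that classifies an update by the three categories described earlier (point release, patch release, major release) and applies the auto-update reasoning from this section: security point releases are applied on arrival, patch releases wait for a release cycle unless an advisory flags them, and major releases are never applied unattended. The version-number heuristic and the pre-update steps (backup, staging test, compatibility check) are my assumptions, not something the post prescribes.

```python
from dataclasses import dataclass
from enum import Enum


class UpdateKind(Enum):
    """The three update categories used in the post."""
    SECURITY = "security"  # point release, stays in branch: 1.1.1 -> 1.1.2
    PATCH = "patch"        # bug-fix release on a cycle:      1.2 -> 1.3
    MAJOR = "major"        # big release, may break extensions: 1.0 -> 2.0


@dataclass(frozen=True)
class Decision:
    kind: UpdateKind
    auto_apply: bool      # safe to let the platform apply it unattended?
    steps_before: tuple   # assumed owner actions before applying


def parse_version(text: str) -> tuple:
    """'1.2' -> (1, 2, 0); missing components default to 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def classify_update(current: str, candidate: str) -> UpdateKind:
    """Classify by which version component changed. Heuristic only: vendors
    sometimes ship security fixes inside patch releases, so a vendor
    advisory (see decide()) always overrides this guess."""
    cur, new = parse_version(current), parse_version(candidate)
    if new <= cur:
        raise ValueError(f"{candidate} is not an upgrade from {current}")
    if new[0] != cur[0]:
        return UpdateKind.MAJOR
    if new[1] != cur[1]:
        return UpdateKind.PATCH
    return UpdateKind.SECURITY


def decide(current: str, candidate: str, security_advisory: bool = False) -> Decision:
    """Point releases apply on arrival; patch releases wait for the
    maintenance window unless an advisory promotes them; major releases
    never run unattended, advisory or not."""
    kind = classify_update(current, candidate)
    if kind is UpdateKind.MAJOR:
        return Decision(kind, False, ("full backup", "test on a staging copy",
                                      "check plugin/theme compatibility"))
    if kind is UpdateKind.SECURITY or security_advisory:
        return Decision(kind, True, ("verify the site after it lands",))
    return Decision(kind, False, ("backup", "schedule in maintenance window"))
```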

3. Use a Maintenance Utility

This is perhaps the best alternative for the plethora of Do It Yourselfers we find in the open source communities, especially in WordPress. The fact that it is as easy to spin up a new instance of the platform as it is to turn on your computer becomes a disaster for many.

I have seen first hand some of the best developers in communities get hacked, often through cross site contamination, in which a neighboring site was used to infiltrate the server, in turn affecting the rest of the environment. That’s where you need to start thinking of centralized utility tools like iThemes Sync for WordPress or ManageWP. For the Joomla crowd you have utility solutions like WatchFul.li.

Where things will likely get very complicated for you is if you manage environments in which you control multiple websites across multiple platforms. To that I say, “Good luck”.

4. Use a Maintenance Service Provider

Most of what I address above still requires some level of interaction from you, the website owner. That, however, only applies to a very small percentage of the population. The reality is that most website owners only want to get the website up and running; the thought of, or care about, things like security or maintenance is the furthest thing from their mind. I don’t blame them one bit.

If you are part of this classification, then for your sake we recommend looking at maintenance providers like Maintainn in the WordPress domain. They are, for lack of a better word, your personal website maintenance team, handling a variety of the tasks associated with maintenance, updates included. I wish I could provide recommendations for Joomla, Drupal and others, but honestly I’m not sure, so rather than recommend something I don’t know, I’d encourage you to Google providers that match this description.

The Complicated Language that is Updates

Oh dear, I just scrolled up and noticed how lengthy a post this is. If you’ve made it this far, I commend you and you get a gold star for making it through my rant.

It is, however, an interesting conversation to have, and to think that this write-up was simply to explain that I believe in updates and believe they are a critical piece of the security process for any website. It is not a simple discussion. In our need to simplify, we sometimes fail to bring awareness and educate. Trust me, I understand the reasoning behind it. Society as a whole has the attention span of a gnat these days; everyone wants the sure-fire thing.

Unfortunately, nothing about security, from Network Security to Website Security to Physical Security, is ever simple and the more we try to make it so, the more we are setting ourselves up for failure and grave disappointment.
