Website security and making sense of it all

We often get asked, "Why do I need to upgrade my website?" Some people we ask reply that they feel it is more of a money-making process, one that most small business owners cannot afford. With that in mind, we thought it was important to explain why we need to keep our websites up to date and whether or not it applies to you.

If you have a Content Management System (CMS) or any dynamic data, then you need to keep your website patched. By dynamic I mean data that changes on the fly. For example, if you have any kind of functional website that requires a database, such as a CMS like Joomla or WordPress, chances are your website is dynamic and requires the use of programming languages such as ASP, PHP and SQL, all of which are prone to attack.

What is a CMS?

Content Management Systems are website platforms such as Joomla, WordPress or Drupal. There are many others out there, but for the purpose of this article we will just use those three as examples.

Your web developer would have used a CMS for your website if you had mentioned that you want to be able to update and handle content yourself. This is not only useful but can save you a lot of money, because you will not need to keep asking your web developer to make simple changes to your content; you will have the ability to do it yourself. With this option, however, comes a trade-off, and that trade-off is security and maintenance.

To be able to offer content management, the website generally needs database connectivity, so you can interact with the website in such a way that you no longer have to update every single page to make one minor adjustment. Instead, all the data is stored in a database and accessed through the administration area provided to you to update your content.

As security flaws are found by developers and the community, security patches are released. Generally you will receive notification that a new security patch has been released and be advised to update your CMS.

Generally our websites are built with Joomla and some with WordPress. Joomla now offers 1-click updates, which make it easier for you to manage the updates yourself, where previously it would have been recommended to have your developer apply the updates for you, given it wasn’t as simple as clicking a button.

So, back to the question: why should I apply these updates?

First, because it will minimise your risk of attack, given that the latest vulnerabilities are found and patched. Most web hosts will have backups of your data; however, this doesn’t guarantee your backup files are not infected, and the vulnerabilities will still be there even if you restore your website from a backup.

This raises the question: how do I protect myself from these attacks? The short answer is that there is no guarantee your website will not be attacked; however, applying security updates, much like you do for a Windows or Mac computer, will minimise the risk.

For websites running e-commerce, booking systems or storing any kind of client data, security patching is a must.

Other Factors to Consider, Blacklisting and Google Search

Once a website is compromised it will generally end up on some kind of blacklist which is out of the control of the web developer, the hosting provider and you. This can cause great loss to you if you rely on Google search results or you rely on your website for business in any manner. As soon as a visitor tries to access your website they will be given a message that the website is not safe.

Blacklist removal can be a painful process.

Here are just some of the lists you can find your website on if you have had an attack:

  • Google Safe Browsing
  • Norton Safe Web
  • PhishTank
  • Sucuri Malware Labs
  • Yandex
  • ESET

Getting your website removed from these lists can be time-consuming and costly, so it is better to try to avoid the issue altogether.

If, however, you do not have a CMS and have a standard HTML website that your web developer updates manually, chances are you may not have as high a risk, but you are still at risk.

In short, all we can do is keep our websites up to date and stay informed. The question you need to ask yourself is: how important is my website to my business, and if it is down for any period, what are the likely outcomes?

FREE Tools

You can scan your website for free here, to view any blacklisting you may be on. It is also a good tool for scanning your website regularly, so keep it in your bookmarks.

Other Considerations

Your hosting provider will generally try to keep their servers up to date with the latest technology for both security and usability; this means that the programming languages that most websites use will require updates. As an example, our host recently updated our PHP library from PHP 5.2 to PHP 5.4.

For websites that were out of date, this caused significant problems due to compatibility issues; however, our clients that had their websites updated constantly did not have to deal with this issue. It can become costly if we let our website environment become too outdated.

To provide all their customers with the best security, hosting providers will generally suspend your website if it becomes infected or compromised in any way. This is because they need to protect all their other clients and reduce the risk of the host's IP address becoming blacklisted, which in turn would affect everyone on that hosted IP.

As you can see from all of the above, there are many issues that we need to consider as web developers and website owners when thinking about security. Mostly it is out of the web developer's hands; however, if you maintain a good relationship with your web developer rather than a set-and-forget relationship, you will be informed of security issues that need to be addressed.

What is the responsibility of the web developer and what is the responsibility of the host?

Web developers will generally build you a website and hand over the finished product for you to host where you wish and maintain as you wish. Your web developer is not responsible for security-related issues or backups unless you have made an agreement with them to do so.

Your web developer should advise you if your website will require maintenance and allow you to make a decision on how you wish to implement updates, if at all.

You should check with your hosting provider whether they provide regular backups; if not, you will need to back up your website manually via your control panel, if you have access to it. Your host should provide you with basic tools such as virus scanners and good support.

All our hosted sites are backed up weekly; however, we cannot guarantee that the latest version will be available. To be safe, you can view our How To Guide, "How to Back up my Website", or make alternative arrangements if you wish us to back up your website offline as an extra precaution.

The web host is not responsible for individual website updates; however, when an update for a particular CMS becomes available, they will notify their clients in most cases. Your web host is responsible for the hosting environment only, meaning they will apply security updates for their web servers, not websites, keep up to date with the latest technology (for example, PHP and MySQL) and maintain backups to a degree. Some hosts may differ in their approach, so it is important to know what they include for you as a client.

Your web developer may or may not notify you of updates to your CMS; however, Joogle Web does offer this as a free service. Remember, though, that unless you have made arrangements with your host or developer, it is your responsibility to ensure the safety and security of your website.

We hope you have found this article useful.
