Like many other things in life, websites are not maintenance free. Some tinkering has to happen on a regular basis to keep the site tuned and secure. Drupal takes the guesswork out of the maintenance process by literally telling you when and what needs servicing. Because Drupal is an open source platform, security flaws are often found and reported long before they are exploited in the wild. Having a huge number of developers with varying talents means holes are typically identified and patched before an attacker discovers them. However, you have to take the time to install those updates, or you gain none of that benefit.
When your Drupal site needs to be updated, you will see a banner on the admin pages of your site that looks like this:
Although the severity of the security risk can vary, it's extremely important to stay on top of these updates in order to maintain the best security for your website and the server it's hosted on. Believe it or not, a security breach of your website could affect an entire server and any other applications running on it. If your Drupal site has not been updated in the past 2 months, you have critical security patches that need to be applied!
There are many tutorials out on the web that will walk you through implementing the updates yourself. Here are a few we suggest, and in case they don't say it: ALWAYS MAKE A BACKUP OF YOUR SITE BEFORE ATTEMPTING AN UPGRADE!
- For updating your Drupal 7 installation: http://www.ostraining.com/blog/drupal/updating-drupal-7-to-the-latest-version/
- For updating your Drupal 6 installation: http://www.ostraining.com/blog/drupal/update-the-drupal-6-core-files/
If it's not broken, why fix it? What can happen if I don't update my Drupal core or modules?
There are a lot of ways that attackers can wreak havoc on a website or a server and, sadly, there are a lot of them out there just looking for that opening! Here are a few examples of the types of holes that recent Drupal updates were released to fix:
- Denial of Service: By sending a large number of requests to your site, attackers can exhaust the server's disk space and CPU and bring your site, and potentially other sites (if you are on shared hosting), down.
- Cross-site Scripting: This lets an attacker run their own script in the browsers of people viewing your site, including logged-in administrators, and so perform actions with those users' rights. Effects can range from petty nuisance (defacing your site and changing what the public sees) to significant risk if you handle sensitive data on your site.
- Access bypass: Users who have been blocked might be displayed in search results. While this isn't a security vulnerability in itself, some modules override the search results to display additional information about those users, which could result in privacy issues.
Consequences:
- Financial Loss
- Liability
- Cost of Fixing the Problem
- Loss of Brand Reputation/Customer Confidence
- Loss of Business
At the very least, we strongly suggest that you sign yourself up for Drupal Security Alerts at http://drupal.org/security. These come to you via email and give you details about exactly what is affected (the core or a module, and which version), the severity of the issue, and how it could be exploited against your site. You are then armed with the information you need to decide whether or not you need to do an update. The time or money (or both!) that it takes to keep your site secure is insurance that greatly reduces your chances of a breach that could cost you money and tarnish your reputation and the confidence your customers have in your brand.
If you aren't comfortable tackling updates yourself or just don't have the time, JLB offers a service plan for Security Updates for both the core and your modules. Ask us for details!