This is our fourth post about What makes a website vulnerable. Last week we shared with you the most common security misconfigurations, including the update of the software. This week we shall detail the update problem and related security issues that may arise.
Updating the website is one of the most simple and easy security maintenance measures and, in the same time, one of the most neglected.
Especially small businesses tend to neglect the update of their website, considering it a low priority, a time consuming measure, dangerous for the proper functioning of the website (in many cases it is assumed that an update may cause the website’s downtime) or just a measure without effective benefits.
Therefore, in this article we will detail you the benefits of a correct and complete update of the website, as well as the issues that arise from the lack of updating.
For start, let’s establish what exactly you should consider updating:
- content management system (e.g. WordPress, Magento, Joomla, Drupal);
Also, before start updating, make sure you perform a backup of your website! Regular and full backup is essential to keep your website up and running. While you may think that your website information has not been changed since your last backup, the database is constantly updating (with new users, login data etc.).
Then, updates are necessary because either one of your assets present a specific vulnerability that need to be patched, either your website has become, over time, outdated and the update shall ensure an optimal functioning and security updated to current internet dangers.
Now, let’s take a look on different types of update.
Many websites that have frequent changes in their content use a content management system (CMS) so as to easily manage these changes. In this sense, many businesses choose to use an open source CMS (anyone can inspect and modify the source code) because of their undebatable advantages: system easy to install, design easy to manage, wide variety of extra functionalities, their are suitable for a wide range of content. However, an open source CMS is a two-edged sword because the source code is also exposed to hackers which can analyse the code and find weaknesses they can abuse. A lot of CMS updates are meant to patch a vulnerability, which, in many cases, it has already been published. Therefore, the updates of your CMS should be installed as quick as they appear as there will be always a hacker that shall check the outdated websites to exploit the vulnerability.
In case of customized CMSs, the update process requires extra attention, because the added functionalities may continue to keep the vulnerability which should have been patch by the update. Therefore, in these cases, a penetration test is recommendable to be sure that the vulnerability was patched (especially when the vulnerability was published).
With regard to plugins and themes, both have the ability to become malicious even though they were safe for the website in the beginning. This happens when the respective plugin/theme is sold to a new owner which create a new version of the plugin/theme by adding malicious code. Another case is when an entity/person succeed to add itself as owner of the plugin/theme and gain the possibility to add malicious code.
Also, the plugins and themes may be created as malicious from the beginning. Therefore, you should be extra careful when choosing them, download them only from trusted sources, avoid the free and outdated ones (nothing is free and in the end you may pay a lot more on repairing the breach) and check when they were last updated (to see if the vulnerabilities were patched). No plugin or theme should be install without being vetted before. They are good windows for malicious code.
In case of browser’s extensions, your own computer is the attack vector. Just as plugins and themes, the browser’s extensions need constant update to prevent malicious code. Generally, the extensions (malicious or not) are dangerous because they collect a lot of data about the users (an extension may read and change all your data on the websites you visits, even though your permission is required. In case you do not grant your permission, the extension shall not be installed). Precisely because of the data they collect, the extensions are very tempting for the hackers, being target of malicious code (e.g. Particle, a chrome extension for customizing YouTube was abandoned by its developers, bought by a company and turned into adware).
The web server ensures the running of your website and connects it to the internet. As other components of a website’s architecture, an outdated server is an open gate for malware and viruses. Why? because many updates are used to patch vulnerabilities, the risk being higher when the vulnerability is already published. Thus, as a website owner, you should check if the company hosting the website update the server software regularly and if the updates are part of the hosting package.
Lately many companies choose cloud services instead of server. In this case, you access your data using the internet. So, you should be aware that using cloud services without additional, strong security measures expose your entire data and ease the access of the hackers. Using cloud services, you share your data with a datacenter used also by other entities, you do not have and visibility or control over the storage and management of your data.
Tip: Most CMSs and plugins provide automatic updates. However, this might not be the best solution as the website’s functionality may be affected. We recommend you a strategy that combine automatic and manual updates.