E-Commerce

Keeping your site safe online

Why do websites get hacked? Websites get hacked for a bunch of different reasons:

The hidden costs of e-commerce sites

Mavis asks,

I have already spent thousands of dollars on my [Zen Cart] website. What would be your advice for [a company] who wants to transfer their site to a new host but not redesign it?

Just like a physical store, the costs of running an e-commerce site very quickly exceed the costs of opening it. And any time you're handling money, you automatically become a target for thieves -- you need to take security seriously, or you're bound to get robbed.

5 reasons Drupal projects suck: Hapless customer edition

At Freelock, we're huge fans of Drupal. But we keep running into customers (or potential customers) who are terrified of it. So here's our take on why.

5. I just want a web site! It's too complicated!

Drupal is not just another web site builder. In experienced hands, it's easy for a Drupal developer to spin up a simple web site on Drupal -- I've done it in a matter of a couple hours, complete with initial content. But if you're not experienced with Drupal, the learning curve to get something useful is steep.

Why auto updates are a very bad idea

A question came across the Drupal Developer's list today asking whether Drupal could auto-update itself, like WordPress. As someone who thinks about security a lot, the very thought of this horrifies me.

It's a bad idea for several reasons, but the biggest reason:

It could easily lead to the biggest, most powerful bot-net on the planet.

This could just as easily happen to WordPress, too. It already has, in fact, to a small extent.

My site needs to be secure. How will you address this?

That's the essence of a question I got today. And it's not one that can be answered easily, because there's no such thing as a site being "secure." It's not an either/or question; it's really a "how much" type of question. How hot is it today? Let's take a look at the temperature -- hot for you may well be different than hot for me. I'm from Alaska, after all...

Is Drupal 7 ready?

Short answer: it depends.

We still do most of our projects in Drupal 6, mainly because it's been around a few years, and modules we use on many sites are not yet stable for Drupal 7 (and some are still a ways off).

However, for sites that don't need particular modules, Drupal 7 at its core is a nice improvement.

My first Drupal 7 site is a personal one, http://www.hikeswithhazel.com. So far as a user, it doesn't seem that different from Drupal 6, especially if you turn off the "Overlay" module which pops open editing screens in what I find to be a highly annoying way.

Incident Response

All the planning and preparation in the world won't prevent an incident, but it can greatly reduce the consequences.

Nothing better prepares you for responding to disaster than experience. In the world of web applications, sometimes we act as firefighters, coming in to rescue the smoldering remains of a hacked site, a crashed server, or an unexpected traffic burst.

Limit the damage

No matter how diligent you are at preventing vulnerabilities and securing your environment, it's impossible to be completely secure on the Internet. What you can do is plan for how to limit the damage that people can do when they manage to compromise some part of your system. This line of thinking is called "Defense in depth" -- you can't just apply security updates and call it good.

Secure the environment

It amazes me that still in 2011, the standard way web designers upload code to a server is FTP ("File Transfer Protocol"), a protocol that is completely insecure, easy to snoop, slow, hard to use, and often problematic through firewalls. There are many better ways.

Security Updates

Backups are the safety net and an absolute requirement. But the next most important part is doing what you can to stay out of trouble. We've all become accustomed to security updates on our computers. Today every operating system has an update system, and a huge number of attacks target vulnerabilities for which fixes have been released but which people have neglected to apply.


About Freelock

We are located in the Fremont neighborhood of Seattle, WA.

3800 Woodland Park Ave. N., Seattle, WA 98103 USA
Phone: 206.577.0540

©1995-2011 Freelock Computing