As we onboard a slew of new clients due to our joining forces with FuseIQ, I wanted to take a moment to explain our stance on maintenance, particularly around applying non-security updates for Drupal and WordPress.
Many people take a cautious approach to applying updates. "If it ain't broke, don't fix it!" is a saying we've all heard for generations, and sometimes it's hard to see changes as anything more than a risk you take that might potentially break things. But that's almost like saying "If I can't see it, it can't hurt me" -- in times of pandemic, does anyone really believe that?
In security circles, there's a saying, "all bugs are security issues." The point being, anything the software does incorrectly bears some level of cost or risk to some set of users. Most people understand by now that if you don't fix a critical security issue, on the Internet you're likely to get found and hacked. But what is the cost of not applying a minor, non-security-related update?
"Technical debt" is the sum total of everything currently broken or outdated in your systems, measured against the ideal system you would build if you could have it today. If you do a great job building a site that does everything you need it to do, it may have no technical debt on the day of launch (quite unlikely, but at least possible), but this does not last. Why not?
- Updates to the CMS software
- Updates to plugins or modules
- Updates to the software language
- Updates to the underlying server packages
- Updates to the underlying operating system
- Updates to web browsers
- New development toolkits that do more
- New devices that are substantially different than those that existed when you launched
- New or changing business requirements
- New partnerships
- New customer preferences
- New standards for search
- New ways to reach customers
- A pandemic changes your whole way of doing business
- Your entire business model has to change to keep up
... something in that list is likely changing every day. Hopefully mostly in small ways, but as we've all seen, sometimes in drastic ways. Regardless, if you are not keeping your site up to date, you are accruing "technical debt" that will need to get paid sooner or later, or else your site becomes less effective.
And that is the true cost of doing nothing -- the opportunity cost of losing customers you might not have lost if you fully supported the newest device, or were able to communicate effectively to your customers how you can still deliver value to them when their entire world has changed.
The cost of "Security updates only"
Some sites are more complex than others, and some are more brittle than others, more likely to break in unexpected ways if anything changes. This is why many people suggest only applying security updates, and ignoring updates not marked as security-related.
But there are some serious downsides to this approach:
- Minor, incremental updates individually are far less risky than major updates -- going from one version to the next is far less likely to break something than jumping 8 versions at once to apply a critical security update. Which means that when a critical security update does arrive, the site is much more likely to break when you apply it than if you had applied all the interim updates along the way.
- Environment changes sometimes get forced on you by hosting companies -- and many non-security updates fix issues with new versions. Not applying "regular" updates means more things broken on your site if this happens, and often more developer time to fix.
- It's far easier to automate updating everything, compared to just updating one security fix at a time.
- Most non-security releases fix bugs, or add new features, which might benefit your users -- making your site operate better or give you new abilities that help you stay relevant.
- If you're not fully up-to-date, and it takes longer to apply and test a security update, your site might be vulnerable to attack for a longer window. We've seen vulnerabilities where the time it took to get exploited was less than 2 days after a vulnerability was disclosed -- if it takes a week to update your site, you might have to pay the consequences of having a hacked site.
So in short, if your site is not kept fully up to date, it accrues a lot more technical debt. It becomes more expensive every time you apply an update, it carries more risk, and your users don't benefit from any of the improvements that might come with other regular updates.
"But," you might ask, "isn't constant updating going to take a lot more of my time, cause more frequent breakages, and cost me more?"
How to keep Technical Debt under control
You're always going to have some level of technical debt. Your website is never going to be perfect. But it can be plenty good enough to be a huge value to your business or organization -- you just need to care for it in similar ways as you would care for any other property.
If you think about a physical store, it's pretty clear there are regular maintenance needs. Once the store is built, the fixtures installed, inventory purchased and the shelves stocked, you still have constant things that need to happen:
- Daily janitorial service
- Fix any broken windows
- Manage and check security systems
- Deep-clean carpets occasionally
- Fix holes in the roof
- Redesign the storefront
- Train the staff
- Come up with new merchandising fixtures to highlight specials
... the point is, successful retailers are constantly doing stuff to their stores, and constantly working with staff to improve sales. Your website, whether or not you do e-commerce, is exactly the same in this regard.
What would happen to your store if you did not have janitorial services? If you left holes in the windows, or the roof? If you did not do a fresh paint coat now and then, or change up the storefront? If you did not train your staff?
The point is, if your website is valuable to your business, you should stay on top of maintenance, and be constantly experimenting to see what works and how to improve sales. If you're not doing this, you will be falling behind your competitors who do.
How Freelock manages updates
As the store owner, you should not be doing janitorial work. You can outsource that easily. (Sure, you can joke about being the head janitor, and pick up a broom now and then if you'd like, but it's not the job that only you can do.)
Freelock can do all the maintenance work for you, for far less cost than you doing it yourself, or even having a staff member do it. We have automated a large part of the process -- particularly automatically running two kinds of tests with every release, backing up sites before and after every release, and checking every site every night for changes.
It's far easier, and less costly, to apply all updates any time we touch a site, than to limit updates to just security releases. And with tests in place to catch things that break, we can do this with high confidence that the update does not cause major issues.
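One concrete way to do the "check every site every night for changes" step, as an added example rather than Freelock's own tooling: it assumes the check is a file-integrity comparison, hashing every file under the web root and comparing against the previous night's manifest. The directory names treated as "noisy" (Drupal's sites/default/files, WordPress's uploads and cache) and the tiny sample site tree are constructed for the example; the point it shows is that uploads must be reported separately from code changes, except that a PHP file appearing in an upload directory is always a code change worth a look.

```python
"""Nightly file-change check for a CMS web root (added example, not Freelock's code).

Builds a sha256 manifest of every regular file under a web root, diffs it against
the manifest stored by the previous run, then stores the new manifest as tomorrow's
baseline. Upload/cache directories are assumed to churn daily and are reported
separately, but executable files in them are never treated as noise.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed defaults for the directories a CMS legitimately writes to every day.
NOISY_DIRS = ("sites/default/files/", "wp-content/uploads/", "wp-content/cache/")
# A file with one of these suffixes is a code change wherever it appears.
EXEC_SUFFIXES = (".php", ".phtml", ".phar")


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(webroot) -> dict:
    """Map of relative POSIX path -> sha256 for every regular (non-symlink) file."""
    root = Path(webroot)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = _sha256(p)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify every path that differs between two manifests.

    Code changes land in added/removed/modified; changes confined to the noisy
    upload/cache directories are collected under 'noisy' as (kind, path) pairs,
    unless the file is executable by suffix.
    """
    report = {"added": [], "removed": [], "modified": [], "noisy": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel in baseline and rel in current:
            if baseline[rel] == current[rel]:
                continue
            kind = "modified"
        elif rel in current:
            kind = "added"
        else:
            kind = "removed"
        is_noise = rel.startswith(NOISY_DIRS) and not rel.endswith(EXEC_SUFFIXES)
        if is_noise:
            report["noisy"].append((kind, rel))
        else:
            report[kind].append(rel)
    return report


def nightly_check(webroot, manifest_path) -> dict:
    """One night's run: diff against the stored baseline, then replace the baseline."""
    manifest_path = Path(manifest_path)
    current = build_manifest(webroot)
    if manifest_path.exists():
        baseline = json.loads(manifest_path.read_text())
        report = diff_manifests(baseline, current)
        report["first_run"] = False
    else:
        report = {"added": [], "removed": [], "modified": [], "noisy": [], "first_run": True}
    manifest_path.write_text(json.dumps(current, indent=1, sort_keys=True))
    return report


def demo() -> dict:
    """Constructed scenario: a tiny fake Drupal root and one night of drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "web"
        manifest_path = Path(tmp) / "manifest.json"  # kept outside the web root
        seed = {
            "index.php": "<?php // front controller\n",
            "core/lib/Drupal.php": "<?php class Drupal {}\n",
            "sites/default/files/logo.png": "PNG-bytes",
        }
        for rel, body in seed.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        first = nightly_check(root, manifest_path)  # establishes the baseline
        # Overnight: an editor uploads an image (benign noise), while someone
        # drops a PHP file into the uploads directory and edits index.php.
        (root / "sites/default/files/new.jpg").write_text("JPG-bytes")
        (root / "sites/default/files/x.php").write_text("<?php // unexpected\n")
        (root / "index.php").write_text("<?php // front controller\ninclude 'x';\n")
        second = nightly_check(root, manifest_path)
        return {"first": first, "second": second}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In use, the manifest file lives outside the web root (so it is not itself part of what it checks), and a non-empty added/modified/removed list on a night when no deployment happened is the signal worth paging someone about; the noisy list is what you expect to see change every day.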
It is fairly common for an update to cause a minor issue, however. And this is exactly where technical debt comes back in -- it's far easier to pay that upgrade cost one small issue at a time, as we go, than to end up fixing a dozen small issues that combine into one big showstopping issue, all at once, under pressure due to a known security risk. And the "cost" here is measured in attention: yours and ours, at a moment when we're both swamped with other demands.
So... When we take over a site, there is a higher-than-usual cost to get you set up, bring the site completely up to date, and create the tests that cover your particular critical needs. Once all of that setup is done, our maintenance cost tends to be lower than many other firms', thanks to our automation as well as our hands-on approach to providing fixes -- once we've hit an issue on one site and resolved it, we can usually apply that fix immediately to any other site we manage that has the same issue.
Our "protection plan" is the base maintenance we provide, for either Drupal or WordPress. With these plans, we generally apply all updates to all our managed sites on a monthly basis. We monitor security lists, and if there's a critical security vulnerability we judge to affect your site, we apply that update within 1 business day; security updates for vulnerabilities we deem not a risk for your site we usually apply within 1 week.
Feel free to reach out, or comment below, if you have any questions or feedback!