The question used to be whether your website would face a serious security threat. That question has been answered. The question now is whether you'll be ready when it happens — and whether you can recover cleanly when something gets through.
This spring has been one of the most active periods for critical security vulnerabilities in recent memory. Without getting into the technical weeds: a flaw hiding in web server software since 2008 was found and exploited within days. Multiple vulnerabilities in the Linux operating system allowed any local user to silently gain full control of a server. Coordinated attacks quietly poisoned the software packages that developers use to build websites — including the password manager that many organizations rely on to store their credentials. And an AI coding tool, given too much access, deleted a company's entire database and all its backups in nine seconds.
None of this is hypothetical. All of it happened in the last six weeks.
What's driving this?
AI has made it dramatically cheaper and faster to find vulnerabilities in software — including vulnerabilities that have been hiding, undetected, for decades. The same tools that help developers build software faster are being used by attackers to find and exploit weaknesses faster. The time between "patch released" and "attacks in the wild" used to be measured in weeks. Now it's measured in hours.
At the same time, bot traffic is rising sharply, ransomware attacks are continuing, and AI-powered tools with too much access are creating a new category of accidental self-inflicted damage. The cost of being online just went up — for everyone.
What does resilience actually look like?
The organizations that weather this environment well share a few practices:
- They assume they will be compromised — and they build for recovery, not just prevention. That means backups at multiple independent providers, tested regularly, isolated from the credentials an attacker might steal. We now require at least two independent backup destinations for every site we manage.
- They patch fast. When a critical vulnerability is disclosed, the window between disclosure and active exploitation is now hours, not weeks. We have a dedicated hotfix pipeline that gets patches to every managed site within approximately four hours of a fix being available.
- They don't put all their trust in one place. Consolidating everything through a single cloud provider, a single CDN, or a single security vendor creates a single point of failure. We deliberately spread our infrastructure across multiple providers — when one has a problem, it's their problem, not yours.
- They monitor actively. Knowing something went wrong, quickly, is often the difference between a minor incident and a catastrophic one. Logs, alerts, and fast human response matter as much as prevention.
This Wednesday, in fact
The Drupal security team has pre-announced a highly critical security release for Wednesday, May 20 — and noted that exploits could appear within hours of disclosure. Our managed sites will be patched the same day. If your Drupal or WordPress site is managed by someone else, it's worth asking whether they'll have the same turnaround.
Our Protection Plans
This is exactly what our Protection Plans are built for. Whether you're running Drupal, WordPress, or both, we provide ongoing maintenance, security monitoring, and rapid incident response — so you're not scrambling when the next advisory drops, and you're not starting from scratch when something goes wrong.
If you'd like to know what that looks like for your organization, we'd love to talk.
For the full technical breakdown of this spring's vulnerabilities and our response, read our detailed operations post.