Security Updates

Backups are the safety net and an absolute requirement. But the next most important part is doing what you can to stay out of trouble. We've all become accustomed to security updates on our computers. Today every operating system has an update system, and a huge number of attacks exploit vulnerabilities for which fixes have been released but which people have neglected to apply.

For web sites, security updates happen at a couple of different levels: the server itself, and the CMS application. If you're using a hosted environment, your web host will handle the server updates, but almost certainly will leave any application updates up to you.

This is one cost people don't think about when deploying a CMS: the cost of keeping it up to date. Security updates are generally very easy to apply, but there's a catch: in the fast-moving world of the web, there's new stuff coming out all the time, and sometimes upgrades break existing functionality. And so while your web site may be secure after applying an update, something you count on may suddenly be broken.

At Freelock, we try to balance out the urgency of applying an update with the risk of breaking something critical on your site. We subscribe to security mailing lists, and instead of rushing out to apply everything marked as an update, we evaluate whether it affects each customer, and whether there's a simple way to block the vulnerability without updating first. This keeps your site up and running longer, and buys us some time to upgrade and test the upgrades before rolling out those changes. For most of our clients on a support plan, we maintain a test copy of their site primarily for this purpose.

When we apply updates, we try to apply as many non-security updates as we can along with the security updates. By doing this, we suss out the update issues when we have time to resolve them, so that if a security vulnerability in a particular component comes out that requires an immediate update, there's a much lower chance that applying an update will break your site.

But security updates only prevent you from being attacked through already-discovered holes. With a little planning, thought, and testing, we can do better than that. Read on to find out how.