Website updates – you really must do them

Website updates don’t follow the logic a lot of us inherit from the era of software updates that arrived in the mail on a disc of some kind.

Before there ever was broad public access to the internet, going forever without updating your software was a  point of pride for most people who did a lot of computer-driven communications work.

Or it was a mark of world weary wisdom because we’d arrived at the point where we knew that the X.0 release of anything was going to suck rocks. We’d wait. Until X.1 or .2.

The updates were expensive, disorienting, and if they did cause a problem, the solution could be months away.

So trying to get a personal best time and distance between updates made sense.

But you cannot transpose that logic onto your web application.

Because your web application — be it WordPress, Joomla, Drupal or any number of others out there — is not safe and sound in your office.

It’s on a computer on the internet which is, for all intents and purposes, the equivalent of leaving it on the counter in an all-night convenience store off a freeway where the counter clerk is asleep.  Only worse. Because unlike the convenience store, your server gets all the traffic in the world coming through it.

And unlike your computer, which accepts input only from a keyboard, your website is on a server, which accepts input from anywhere. By definition.

But I don’t have anything important on my site

Maybe not credit card numbers, bank account information or medical histories, but you have your reputation and/or your brand. And if someone gains unauthorized access to your site and starts abusing it (which it almost goes without saying they will) these will suffer.

You will have to apologize to clients, prospects and anyone who was coming to your site for any reason about the fact that your site was hacked. You will have to insist that your inability to maintain a website has nothing to do with your competence generally.

And you will lose time. Possibly weeks. You will be restoring your site from backup or recreating it if you didn’t have a backup. You’ll be trying to track down the vulnerability and check the whole attack path to determine if the attacker left any other back doors or malware that might allow them back in. You will be visiting all the security websites to ask that your site be removed from whatever spam or phishing blacklist you’ve been put on.

Or you’ll be paying a security consultant or company at overtime rates to do all of the above.

But no one would want to hack my website — I’m not the CIA/Microsoft

You’re assuming that the hackers are actually human. And you’re mistaking media coverage of famous hacks for what happens in everyday life on the internet.

Most website break-ins are perpetrated by robots which scan the internet for sites that might be vulnerable. They find a site that has the vulnerable application, run the exploit against it, and, if they succeed, install the malware and get straight to work. At some point some human put this process into play and will be interested in the results, but they have no idea who you are, what you do or what a nice person you are.

They’re not interested in defacing your site to show how cool they are or to denounce you for being a tool of the capitalist class or whatever. They want your site as a platform to send spam, serve porn, collect passwords or phish other data from unsuspecting visitors. And for that, one site is as good as the next.

What if I don’t have time to do all this?

Self-hosted websites do indeed take time and expertise to run smoothly. The skill required to apply updates, do backups, and tweak performance can be acquired if you have a bit of time and some curiosity. But if you don’t you can get someone, like me for example, to do it for you. For a small site it’s generally about an hour a month. Plus you get my advice on improvements, best practices and life in general. A bargain at twice the price, really.

Or you can move your site to a software-as-service setup like or Wix, or Weebly where the service itself looks after security, updates and backups. The monthly hosting cost ends up a bit higher, and it may limit the sorts of things you can do with the site, but if you can fit within those constraints and aren’t bothered by an extra $10-20 per month, it might be your best bet. That will be cheaper than paying me or someone like me.