As a small hosting, systems administration, and programing company we’re on the front lines of Internet security. In the old days (oh, say pre 2003) our security focus was on upgrading and protecting the server’s operating system. Hackers would probe servers, find vulnerable applications (Apache, portmap, sendmail, etc.) and compromise the machine in the hopes of gaining root access.
Not any more. Hackers could care less about the OS. They attack web sites since a compromised web site provides them nearly everything they need; the ability to send spam, find user data, and attack other computers. And hackers tend to reach for the low hanging fruit – web sites that run out-of-date open source software such as Joomla, WordPress, and Drupal (among a host of others.)
Don’t get me wrong. I love this type of software. We recommend it and install it for our customers for free. This blog is run by WordPress. Many of these applications make it easy for the non-technical user to update their sites easily and at will. And its all free!
However, once installed on your web site this software must be maintained. When there is a security vulnerability in an open source software application hackers can easily download a copy of the software, review the code, and find the vulnerability. They then write their own code to exploit the vulnerability and then simply use Google searches to identify sites that haven’t upgraded. Within weeks the entire process, from vulnerable site discovery to site hack, is often fully automated. Hackers can sit back and let their software discover and hack sites across the globe, without lifting a finger.
So what is a normal user to do? Pay attention and upgrade your software. If you don’t, and your client’s data is compromised, you may even be liable. New versions of WordPress have an “upgrade” button within the software, which is great. For the software applications that aren’t as user-friendly we’re now implementing our own detection systems that notify our hosting customers when their open source software vulnerable. If you are a hosting customer of ours and receive one of these notification emails we’ll upgrade your open source software for free. However, we won’t do it unless you ask us since your programmer might have put some special sauce in your site that could break when we do the upgrade. So talk to your web developer/programmer first.
If you think keeping your anti-virus software up to date is important then you’ll understand that its even more important – and that you owe it to all of your site’s visitors – to keep your web site’s software up to date and secure.
Questions? Thoughts? Feel free to post ’em in the comments.