Thanks to content management systems like WordPress, Joomla, Drupal and Typo3, the number of websites has practically exploded in recent years. According to Netcraft’s recent figures, there were nearly 903 million websites as of November 2015 – with the number continuing to grow rapidly.
These modern content management systems make it possible to easily manage websites and publish new content. However, the sheer convenience they have to offer often makes people forget that software, much like a car, needs regular maintenance too. The figures published in the latest semi-annual report of the Reporting and Analysis Centre for Information Assurance (MELANI) shed light on this trend.
A shocking fact: over 70% of all WordPress sites in Switzerland are unprotected
MELANI presented the case of two WordPress security gaps that emerged last year (CVE-2015-3429 and CVE-2015-3440) to show how appallingly little is invested by many Swiss website operators in the security of their own websites. Although a security update was available for both security gaps the very next day, 75% of all WordPress installations in Switzerland still had not installed the security update even after two weeks had passed.
Does it really matter? Yes, it does! The consequences for website operators are disastrous!
With the right tools, criminals can automatically discover vulnerable websites, making it quite easy for them to manipulate these websites with malware or viruses. Even worse, the data obtained by exploiting a security gap sometimes even enables criminals to blackmail website operators. According to MELANI, this happened several times during the first half of 2015 alone – and particularly often in the case of SMEs.
Once the website has been hacked, other unpleasant consequences are still to come. To prevent further harm to visitors of the affected website, as a web hosting provider we are required to block such websites. If the website is also operating with a .ch domain, there is a fair chance that the Swiss domain registry will block the domain name. As a result, not only would the website be unavailable; it would no longer be possible to send and receive e-mails either.
The reasons why CMSs – or entire web applications in general – are not regularly maintained and updated are a matter of speculation. What is clear, however, is that many users aren’t even aware that this kind of software requires maintenance. Websites that are created by an agency for a customer, for example, also pose a major problem: once the project is complete, the websites – including the CMS – are handed over to the customer as a ‘turnkey’ solution. Most customers are unaware that they are also responsible for performing the necessary maintenance on these installations.
Protect yourself before it’s too late!
It’s good practice for website operators to perform regular maintenance on their websites and the applications running on them. This includes, for example, the prompt installation of security patches and other updates released by software makers. This is especially true for plug-ins – unused plug-ins should not just be deactivated, but deleted from the webserver as well. Inactive websites such as test installations should also be removed from the server. MELANI has prepared a list of several other security precautions in a PDF.
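A filesystem inventory that supports the maintenance steps above, added here as an example and not part of the original article: it walks a web root, reads `$wp_version` from each install's `wp-includes/version.php`, and lists the plugin folders it finds, including test copies nested inside a live site. The function names, the sample tree and the minimum version `2.0.0` are constructed for illustration; pass the current WordPress release as the real minimum.

```python
import os
import re
import tempfile

# wp-includes/version.php holds a line such as: $wp_version = '1.2.3';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")
SKIP = {"wp-admin", "wp-includes", "wp-content"}

def version_tuple(text):
    """'1.2.3-RC1' -> (1, 2, 3, 0); padded so that '1.2' compares equal to '1.2.0'."""
    m = re.match(r"\d+(?:\.\d+)*", text or "")
    parts = [int(p) for p in m.group(0).split(".")] if m else []
    return tuple((parts + [0, 0, 0, 0])[:4])

def audit_wordpress(root, minimum):
    """Report every WordPress install below root with its version and plugin folders."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        version_file = os.path.join(dirpath, "wp-includes", "version.php")
        if os.path.isfile(version_file):
            with open(version_file, encoding="utf-8", errors="replace") as fh:
                m = VERSION_RE.search(fh.read())
            version = m.group(1) if m else None
            plugin_dir = os.path.join(dirpath, "wp-content", "plugins")
            plugins = (sorted(e.name for e in os.scandir(plugin_dir) if e.is_dir())
                       if os.path.isdir(plugin_dir) else [])
            # An unreadable version compares as 0.0.0.0 and is therefore flagged.
            outdated = version_tuple(version) < version_tuple(minimum)
            findings.append({"path": os.path.relpath(dirpath, root), "version": version,
                             "outdated": outdated, "plugins": plugins})
        # Keep walking so nested test copies are found, but skip WordPress's own trees.
        dirnames[:] = [d for d in dirnames if d not in SKIP]
    return sorted(findings, key=lambda f: f["path"])

def build_sample(root):
    """Constructed sample: a live site plus a forgotten test copy in a subfolder."""
    for rel, ver, plugins in (("shop", "2.0.1", ["forms"]),
                              ("shop/test", "1.0.0", ["forms", "old-gallery"])):
        base = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.join(base, "wp-includes"), exist_ok=True)
        with open(os.path.join(base, "wp-includes", "version.php"), "w") as fh:
            fh.write("<?php\n$wp_version = '%s';\n" % ver)
        for p in plugins:
            os.makedirs(os.path.join(base, "wp-content", "plugins", p), exist_ok=True)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_wordpress(tmp, minimum="2.0.0"))  # constructed minimum version
```

The plugin list comes from the folders on disk, so it includes deactivated plugins: WordPress keeps the activation state in its database, and a deactivated plugin's files stay on the server until they are deleted.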