What You Need to Know About Security Updates for Your Website


December 14, 2020
The Importance of Running Security Updates for Your Website

It’s no secret that running your website on a CMS (Content Management System) like WordPress or Drupal comes with the added responsibility of CMS and plugin maintenance. In this blog, I will go over what security updates are and why it’s important to keep your CMS and plugins updated as often as possible to protect your website.

What are security updates?

WordPress and Drupal are both open-source CMS software. That means their codebase is freely available to the public, so developers can contribute to the source code and modify it. Because the code is free and accessible, attackers can also study it for weaknesses. Hackers will sometimes exploit loopholes in the code to launch malicious attacks.

No need to panic though, because both WordPress and Drupal have dedicated teams that stay on top of these issues and release new version updates whenever these loopholes in the code have been found and fixed. These are called “Security” updates, and they should be implemented as soon as possible after they’ve been released.  

WordPress plugins (or modules in Drupal) are also open-source code, and most of them are created by third-party developers. Therefore, just like your CMS’ core code, they can be just as easily (and in some cases more easily) exploited for loopholes and attacks.

Most plugins don’t have a full development team behind them working around the clock to fix security vulnerabilities, so plugins are often the source of a website hack. Because of this, you should try to keep the number of plugins on your site to a minimum and keep them updated as often as possible.

Always check the plugin’s last update date before installing it; if the plugin hasn’t been maintained within the last year, it would probably be wise to stay away from it. The date of the plugin’s last update can be found on the plugin install page.

How do I know when my CMS or plugins need an update, and how do I run them?

The method for running updates on your website depends on which CMS you are using. For WordPress, most updates can be done via the Dashboard area of your site. For Drupal 8 and above, you will most likely require access to your server with a command-line interface, which can be challenging for the average user.

WordPress Updates

In WordPress, your website will alert you when your site needs an update directly from your Dashboard screen when you first log in. It will look like the image below:

WordPress’ dashboard interface indicates when your WordPress installation requires an update.

In the screenshot above, the WordPress website has a new version 5.5.3 available. You can update it by clicking “please update now” and following the prompts. This will update your WordPress installation to its latest version. To update plugins, you can either click the “Updates” tab or go straight to the “Plugins” page. From there, you can update each plugin individually.

Enabling Auto-Updates

As of WordPress 5.5, a new feature has been added on the Plugins page where you can enable automatic updates on a per-plugin basis. This is useful if you don’t want to manually update each plugin every couple of weeks, but the downside is that you won’t know if a plugin update breaks any functionality on your site. Use with caution!

Before running any updates, make sure you back up your website files and database, so you have a copy should anything go wrong during the update. Sometimes updating plugins can break functionality on your site, so it’s a good idea to test and check your website after the updates have been made.
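The back-up-first order described above, as an added example using WP-CLI, the command-line counterpart of the Dashboard steps (WP-CLI is not mentioned in this article, and this is not the author's code). The paths in `WP_PATH` and `BACKUP_DIR` are hypothetical, and the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example: back up first, then update WordPress plugins and core with WP-CLI.
# Assumptions: WP-CLI is installed as `wp`; WP_PATH and BACKUP_DIR are
# hypothetical paths. DRY_RUN=1 (the default) prints commands without running them.
WP_PATH="${WP_PATH:-/var/www/example-site}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/example-site}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Database dump plus a tarball of the site files, both timestamped.
wp_backup() {
    stamp=$(date +%Y%m%d-%H%M%S)
    run mkdir -p "$BACKUP_DIR" &&
    run wp --path="$WP_PATH" db export "$BACKUP_DIR/db-$stamp.sql" &&
    run tar -czf "$BACKUP_DIR/files-$stamp.tar.gz" -C "$WP_PATH" .
}

wp_update() {
    # Refuse to touch the site if the backup did not complete.
    wp_backup || { echo "backup failed; not updating" >&2; return 1; }

    # Show what is pending before changing anything.
    run wp --path="$WP_PATH" core check-update
    run wp --path="$WP_PATH" plugin list --update=available

    # Plugins first, then core, then any database schema changes.
    run wp --path="$WP_PATH" plugin update --all &&
    run wp --path="$WP_PATH" core update &&
    run wp --path="$WP_PATH" core update-db &&
    # Confirm the core files match the official release checksums.
    run wp --path="$WP_PATH" core verify-checksums
}

wp_update
```

After a real run, test the site in a browser as well: a matching checksum says the core files are intact, not that every plugin still works.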

Drupal Updates

Since the release of Drupal 8 in 2016, Drupal websites are mostly managed through a command-line interface using a PHP package manager called Composer. This makes it harder for non-developers to manage and update their Drupal website. To find out if your Drupal site needs an update, there is usually an alert banner displayed in the admin area of your site that looks like this:

Drupal’s admin interface indicates when your Drupal installation or modules have security updates available.

By clicking “available updates”, you can see the modules that require updating as well as the Drupal core version. If any of these updates are marked as a “security” update, it is highly recommended they be updated immediately. Modules can be updated on this page using the Drupal interface, but unfortunately the core updates will have to be done manually using Composer in the command line. A Drupal developer can help you with this process.  
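What the manual Composer core update looks like on the command line, as an added example rather than the author's own procedure. It assumes a project built from the `drupal/recommended-project` template (docroot in `web`, core installed as `drupal/core-*` packages) with Drush in `vendor/bin`; `DRUPAL_ROOT` and `BACKUP_DIR` are hypothetical paths, and commands are only printed unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example: Composer-based Drupal core update with a backup gate.
# Assumptions: drupal/recommended-project layout (docroot "web"), Drush in
# vendor/bin; DRUPAL_ROOT and BACKUP_DIR are hypothetical paths.
# DRY_RUN=1 (the default) prints commands without running them.
DRUPAL_ROOT="${DRUPAL_ROOT:-/var/www/example-drupal}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/example-drupal}"

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}
# Wrappers so every call targets this project regardless of the current directory.
site_drush() { run "$DRUPAL_ROOT/vendor/bin/drush" --root="$DRUPAL_ROOT/web" "$@"; }
site_composer() { run composer --working-dir="$DRUPAL_ROOT" "$@"; }

# Database dump plus the lock file, which pins the exact versions to roll back to.
drupal_backup() {
    stamp=$(date +%Y%m%d-%H%M%S)
    run mkdir -p "$BACKUP_DIR" &&
    site_drush sql:dump --gzip --result-file="$BACKUP_DIR/db-$stamp.sql" &&
    run cp "$DRUPAL_ROOT/composer.lock" "$BACKUP_DIR/composer-$stamp.lock"
}

drupal_core_update() {
    # Informational: list Drupal packages that are behind.
    site_composer outdated "drupal/*"

    drupal_backup || { echo "backup failed; not updating" >&2; return 1; }

    # Maintenance mode on, update core, apply database updates, rebuild caches.
    site_drush state:set system.maintenance_mode 1 --input-format=integer &&
    site_composer update "drupal/core-*" --with-all-dependencies &&
    site_drush updatedb -y &&
    site_drush cache:rebuild &&
    site_drush state:set system.maintenance_mode 0 --input-format=integer
}

drupal_core_update
```

If any step after the backup fails, the site is left in maintenance mode so it can be inspected or restored from the dump and the saved `composer.lock` before going back online.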

Whether you have a WordPress or Drupal website, it is imperative that you stay on top of your core CMS and plugin security updates in order to protect your website from malicious attacks. Do you have an outdated website that needs a theme, plugin or CMS update and require some help? Our team can assist you with all your maintenance needs.