Over the last month, users of Drupal CMS have had their update plans shaken. Some have marked the latest security update for Drupal as a learning experience for the Drupal community, but even more than that, it is a general reminder to anyone that owns or maintains websites.
Whether for the Drupal community or the web community at large, the question still stands, “Do you have an update plan?” If you don’t, then it’s time to rethink that. And if you do, it may still be time to review whether the plan is working. The latest security release of Drupal, also known as “Drupageddon,” has forced me to think about my plans, not only with my Drupal sites, but with my Wordpress sites also.
One week after the security release was made public, only 12 percent of the Drupal 7 sites had been updated. This shows that even sites with update plan in place were left unsafe. I have found two main reasons for this.
The first reason is that most plans I have seen include a specified delay built in. Because the frequency of update releases vary from 6-8 months to just a couple days, a maintainer of a larger or higher up-time site typically gives the community time to test out the release before putting it into production themselves. A built-in delay also allows maintainers to stage and test the effects of the update on their sites. No one wants to push an update that could cause more issues than it solves.
Another reason for the delay in updating is simply a lack of planning or even a lack of any support for the website. Too many website owners look at their websites as a brochure, “Build it and leave it.” Others put all priority on the message of the content, as opposed to any implied message that would be set if the site was taken down or hijacked, or worse, if the contact data of visitors was stolen.
If Drupageddon has done anything, it has brought back to the foreground the fundamental need to maintain the infrastructures that are serving our websites. Maintaining website software helps protect the important message we are trying to communicate.
When asked how someone could have avoided the potential ramifications of issues like this I would say the following:
I must admit that I fell prey to Drupageddon because my plan was to wait a week or two before updating to the latest release. None of my personal websites look to have been attacked, but because of the severity of this issue, I cannot guarantee this. My maintenance plan has changed to match the recommendation stated above and I am working to safeguard my sites.
For another post by Harold about Drupal, check out:
Drupal Rules: My New Drupal Best Friend
9 Drupal Modules That Should be Part of Every Website Build