Stay safe: keep your scripts updated

You point your web browser at your blog, eager to post a new article. Instead, you’re greeted with large graffiti lettering covering your blog page. The graffiti says that the Knights of Order have claimed your site, because your site was insecure. You have been defaced.

Microsoft France site defaced

Defacing or other damage is the result of hackers gaining access to your site. While it can be done due to weak passwords, it is often caused by insecure or outdated user-installed scripts.

Defacing is but one result of script insecurity. Defacers usually either replace or alter the site’s home page, often taking credit for the hack by proclaiming their feat with their name. Microsoft France’s site was defaced by self-described “Turkish Hackers”, and they identified their next target as Microsoft.com.

While defacing often involves no further damage, it is embarrassing to a business site. It looks highly unprofessional that the business was so insecure as to allow such incursion.

Other hacks go much further. Whole sites have been deleted, user and client data stolen, and the hosting account may be used for spam and illegal activity.

Scripts add benefits, but also potential holes

Clients install scripts to add specific functionality to their sites, such as a blog, discussion forum, shopping cart, etc. What must be understood is that while a script opens up a new, desirable communication between the web server and the outside world, there can be unwanted holes.

Bugs and security flaws are a fact of life in web applications. I personally think that part of the reason is that such software tends to be rushed out these days. Developers want a new version or feature reach the market quickly, to beat competitors and attract interest. I think that often that pre-release testing is too brief or insufficiently broad.

Web scripts and applications are, by their nature, potential weak points. They process information and open routes to the web browsing public, as that is their purpose. With that comes the potential for undesirable access, possible unforeseen holes or flaws that could allow someone to modify or take control of the script or even your account.

Keep informed about your scripts

It is your responsibility to keep your hosting account secure. You chose which scripts to install, so you must keep informed about required updates and patches. Your web host does not monitor every client to know what is being installed. You must educate yourself.

Learn about the recommended ways to secure your scripts, which configuration options are more or less secure, and how to stay updated.  Currently the most popular scripts are likely:

WordPress
Magento
Joomla
Drupal

Each of those scripts is widely used, and each has a large on-line community devoted to sharing information. Some have newsletters or alert systems to which you can subscribe, to keep you informed about new security patches and updates.

Keep scripts updated

Outdated scripts are one of the biggest security weaknesses. In a strange twist, the more open and diligent a script developer is about security updates, the more vulnerable users of outdated versions may be. When an update is issued, the developer’s site will list what was changed and what security holes were closed. This can appeal to hackers, who now know what holes were in previous versions. They then target users of those outdated, insecure versions.

Maintain your scripts with the latest patches and updates. Methods vary depending upon the script. It tends to get easier over time. For example,  WordPress has an auto-updater that will update to the latest version via your web browser. Others may require you to download some patch files and install them into the appropriate web directory.

Don’t be a target

Police say that burglars who encounter a house with good outdoor lighting and solid locks will likely move on to an easier target. The same is true of web hosting accounts. Use strong passwords, don’t expose any sensitive files to publicly viewable folders, and keep your scripts updated. Keep your web presence as safe as it can be.