[Security] Keeping Scripts Up-To-Date
Tuesday, June 15th, 2010 - Security
One of the best ways to keep your website safe and secure from hackers is to always keep your scripts up-to-date with the latest version of any software you might have installed. We all know that keeping your operating system up-to-date is important to keep your computer safe. This is why in Windows you will periodically see a popup in your status tray telling you that updates are available. Scripts on your website are just like software on your computer. Bugs and security holes are found in these scripts and they must be patched in order to prevent serious malicious consequences from happening.
In order to keep the scripts on your account secure, the first thing you have to know is what scripts you have installed on your website. This should be pretty straightforward. In order for a script to exist on your account, you or someone has to install that script on the account. Just keep a log or a note of what scripts you install or have installed on your account. You can’t succeed in keeping the scripts on your account up-to-date if you don’t know what scripts are installed on your account.
You will also want to take into consideration any addons, extensions, or plugins that you have installed with those scripts. For example, Joomla!, a popular content management script, has a lot of extensions that can be installed to work with the base Joomla! install. These extensions add functionality to the script. Joomla! calls these addons “extensions” because they extend functionality, but WordPress, a popular blogging script, calls them “plugins”. Plugins, extensions, and addons all do the same thing: they add extra functions to the base script. It is important that these remain up-to-date as well. You may have an up-to-date Joomla! install on your hosting account, but if you have an old and vulnerable extension still being used, then your hosting account still is not safe.
Bottom line: base scripts and any addons you have installed must remain up-to-date in order for your account to be safe.
How do you know when a new version of the scripts is released?
This is not an easy question to answer. The best way to approach this is to subscribe to the script’s or addon’s mailing list, RSS, or Twitter feed. However, not all script vendors provide these avenues for release announcements. In those cases, you just have to routinely check the vendor’s or developer’s website to see if they have released a new version of the script. Most of the more popular scripts have methods for letting you know of new version announcements. However, it is your responsibility to sign up for these announcement services with each script.
A lot of these popular scripts have robust community followings, usually through an online forum on their respective websites. Staying involved in these communities is another good way to stay apprised of recent script developments and issues.
Unfortunately, there are just too many scripts available for you to use, and that prevents us from being able to inform you of script updates. We may periodically check for some of the more popular scripts (Joomla!, WordPress, etc.) to make sure that these scripts on your account are staying up-to-date. But it is just not possible for us to do this for all scripts, especially when you consider the vast number of addons that are available for each script. The best way to approach this is for you to take on this responsibility yourself and subscribe to announcement feeds for whatever scripts or addons you have installed on your hosting account.
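The following added example, which is not from the original post, builds the inventory described earlier for a WordPress install by reading `wp-includes/version.php` and each plugin's header, then compares it with the latest versions you have noted from the announcement feeds. The sample site, plugin names, and version numbers are constructed, and the function names are hypothetical.

```python
import re
import tempfile
from pathlib import Path

CORE_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:\s*(.+)$", re.M | re.I)
VER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.M | re.I)

def head(path, size=8192):
    return path.read_text(encoding="utf-8", errors="replace")[:size]

def inventory(docroot):
    """Return {component: version} for WordPress core and each plugin found."""
    root, found = Path(docroot), {}
    core = root / "wp-includes" / "version.php"
    if core.is_file():
        m = CORE_RE.search(head(core))
        found["wordpress-core"] = m.group(1) if m else "unknown"
    for php in sorted((root / "wp-content" / "plugins").glob("*/*.php")):
        text = head(php)
        if NAME_RE.search(text):  # only a plugin's main file carries this header
            m = VER_RE.search(text)
            found["plugin:" + php.parent.name] = m.group(1) if m else "unknown"
    return found

def as_tuple(version, width=4):
    parts = [int(p) for p in re.findall(r"\d+", version)][:width]
    return tuple(parts + [0] * (width - len(parts)))  # so 1.2 equals 1.2.0

def outdated(installed, latest):
    """Names whose installed version is unknown or older than the noted latest."""
    return sorted(n for n, v in installed.items() if n in latest
                  and (v == "unknown" or as_tuple(v) < as_tuple(latest[n])))

def build_sample_site(base):
    # Constructed layout and version numbers for the demo, not a real install.
    root = Path(base)
    (root / "wp-includes").mkdir(parents=True)
    (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '2.9.1';\n")
    for slug, ver in (("example-gallery", "1.2"), ("example-forms", "0.9.4")):
        plugin_dir = root / "wp-content" / "plugins" / slug
        plugin_dir.mkdir(parents=True)
        (plugin_dir / f"{slug}.php").write_text(f"<?php\n/*\nPlugin Name: {slug}\nVersion: {ver}\n*/\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        installed = inventory(build_sample_site(tmp))
        latest = {"wordpress-core": "2.9.2", "plugin:example-gallery": "1.2.0"}  # constructed
        print(installed, "needs update:", outdated(installed, latest))
```

A plugin missing from the `latest` map is not reported, so the map has to cover every entry in the inventory for the result to be meaningful.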
Script Upgrading Issues
Some people are afraid to upgrade their script or addon because they fear that doing so might break their website. This is a valid concern; there is no doubt about it. However, you have to consider that by continuing to run the old version of the script you are leaving doorways open for hackers and malicious visitors to take advantage of your account.
Generally, developers release new versions of their software to correct bugs that have been found in the software. The same is true with website scripts. New bugs are found in the script and the developers have to fix these bugs. Once they have fixed the bugs they release a new version of the script to correct the issue. However they can’t make you update the script on your hosting account.
If you are concerned about upgrading your scripts and breaking your website then you should raise this issue with the developer or vendor of the script through their website. Upgrading the script on your account MIGHT break your website, but leaving it outdated is GUARANTEED to make your website less secure. Don’t be surprised if your account is hacked or exploited if you choose, either knowingly or unknowingly, to continue to use old versions of your scripts.
Below is a list of popular scripts, their websites, and ways to stay up-to-date with their releases.
Joomla! Updates: Website / RSS / Twitter
Joomla! Extensions Updates: Website / RSS
WordPress: Website / RSS / Mailing List / Twitter
WordPress Plugins Recently Updated: Website
PHPList: Website / Mailing List / Twitter
Zen Cart: Website / Mailing List
SMF – Simple Machine Forum: Website / Twitter
Coppermine Photo Gallery: Website / RSS / Twitter
Gallery: Website / RSS / Mailing List / Twitter
Drupal: Website / RSS / Mailing List / Twitter
phpBB: Mailing List / Twitter
osCommerce: Website / RSS / Mailing List / Twitter
Steven