As a Columbus, OH website design firm, we do security and module updates for every website we build to keep them as up-to-date as possible. The list in this post covers all the reasons we do security updates for websites, as well as what is included in the quarterly invoicing we charge to maintain a website.
Note this is not the hosting piece of a website. That is a separate function and one that is paid directly to the hosting company by our clients. We make sure the hosting is in each client’s name, so the hosting company has to answer to you should you call for any reason (e.g., if your site is down on a Sunday morning). Since we don’t work 24/7, but hosting companies do, a client can contact the hosting folks and have it looked into.
Security updates are like insurance.
If you don’t have them done on your site, there’s more of a chance your site will be hacked. No one can give percentages, but it’s best practice for any website that security updates are done as soon as they come out. We keep our website updated and we’ve had one hack to our site, which was easily remedied since we had all our security updates done.
Of course, even WITH security updates, it’s still possible a site can get hacked, since new threats are being developed every day. (Hell, major retailers and organizations get hacked, as do government sites, even the NSA’s website was hacked!)
But with your site having the most recent security updates, the chances go way down. Updates are developed as Drupal, or WordPress, teams learn of new “points of entry” hackers find into their content management systems. (btw, this is true for ANY content management system used to build websites.)
If your site is hacked...
… and doesn’t have the latest updates, we couldn’t promise we could fix it in 24 hours. Without the most recent updates for the content management system, the layers of reverse-engineering we’d have to go through to see where the hacker’s code found its way into your website would be time-consuming. Which also means it’d be expensive.
However, by having us do security updates regularly, we can more easily fix something that might go wrong because all the modules, and core software, would be up-to-date. This makes trouble-shooting a much easier process. Which means quicker. And if it’s quick, we don’t charge you for our time fixing it.
Additionally, with clients on the security update plan/schedule, we give priority attention to their websites should something happen to them. So if it is a quick fix, we will do our very best to get it fixed within 24 hours.
Security updates and patches can come out every other week, or every other month: we never know. From our experience, we need an hour a month to keep up on this, and we do those updates within 24 hours of when they come out.
What type of “site security” are you paying for?
Drupal or WordPress, the content management systems (CMS) your site would be built in, require updates, as does ANY CMS (and any software). Hackers are getting more “creative,” and more aggressive, in their attempts to screw with websites. And they’re not necessarily even targeting your site.
They write code that cruises the internet and tries to worm its way into a website, or database, to screw it up. Just for the “fun” of it. Hackers create equal-opportunity bots, and they don’t really care, or know, what sites they’ve messed with.
What you’re paying for is security updates to both the average of 20 to 30 modules traditionally used in a website and the Drupal or WordPress core software your website would be built with. Updates come out sporadically, whenever modules, and the CMS core, are found to have “points of entry” that are vulnerable to attacks.
The importance of backups.
Most often we use a company called CiviHosting to host a website. They back up every site, every day, and keep those backups for 1 week.
This is important, because if your site is hacked on a Friday and no one notices it till Tuesday, we can go back to Thursday’s backup and re-install that version of the site. If that were the case, the only thing you’d lose on your site would be any updates (e.g., a blog) you added over the weekend before we realized your site was hypothetically hacked.
Site monitoring in the event of a hacking attempt.
There’s no “notification system” on a website that tells us (or you) if your site has been hacked without us having to see it ourselves on your website. CiviHosting (the service we suggest for hosting your website) does have an Abuse Department which contacts the account owners (that’d be you) in case of a security incident (e.g. once a website is already hacked). They monitor their servers 24/7, and have automated monitoring tools and staff on shift at all times.
CiviHosting doesn’t offer anything as an add-on service. However, we understand most of these add-on services are very limited as to what they can actually detect, because the code hackers try to place on a site changes so often. And software can only monitor for certain types of hacks once they know about them. And all too often, they only know about different types of hacks when it’s too late (after the site has been infiltrated).
Why you’d be paying quarterly.
Essentially, you’re covering the time we invest on your behalf making sure your site is secure, which is our time to do security updates to the modules, and the CMS core. Occasionally, it also covers fixes for when browsers are updated and screw up the way a website looks or works.
The amount you’d pay for a quarterly security update depends on the complexity of your website. And how many modules would be on your website. You’d essentially be paying for 45 minutes, to an hour, a month for us to do this for the safety of your site.
Basically, every piece of software ever created needs updates, and the software used to build websites is no exception. Of course, every website could get hacked at some point. And as rare as it might be, as we said, security updates are like having insurance on your most important marketing tool.
Fortunately, we’ve never had a client refuse to have security updates done to their website. After we tell them the reasons for having us do the updates, they understand.
If you have any other questions about security updates, feel free to contact us.