Your web developer is telling you they need to do a “security update” on your website. But what does that mean? Here are the facts.
What is a website security update?
Behind most modern websites is a content management system, or CMS. Think of it as software for building a website. Like the software on your computer or phone, it requires periodic updates to add new features or fix security bugs. While most of us want new features, we need security updates.
How often are website security updates needed?
Numerous content management systems are available, and the frequency of updates varies by CMS. As a general rule, updates are released every 4 to 8 weeks. Each update is usually assigned a new version number, which lets you keep track of which features and security fixes you have (or don’t have).
Other bits of software add functionality not available in the CMS itself. These are typically referred to as plugins or modules. Sometimes, plugins and modules are available from the same organization that develops the CMS. Other times, they’re offered by a third party. Plugins and modules usually have their own version numbers and security updates that must be monitored and applied, and the frequency varies widely.
Are website security updates required?
While your CMS may continue to function without a security update, you assume a degree of risk for each update you ignore. That risk depends on the severity of the vulnerability that’s fixed in each security update. At Gray Loon, we believe strongly in building and maintaining secure websites. That’s why we require updates to the core CMS as well as plugins/modules.
How much do they cost?
The cost for security updates depends on the complexity of the updates and the time it takes to apply them. As a general rule of thumb, we recommend setting aside $2,000 annually for updates to both the CMS and any plugins or modules.
How will I know when website security updates are needed?
Many CMS developers offer email notifications when a core update is released. Others publish core update details on a blog. Updates for third-party plugins and modules can be trickier to track, but security blogs, security mailing lists, and similar sources make the process easier.
Gray Loon monitors the release of CMS, plugin, and module updates, and our project managers notify clients when updates are available. Those updates are typically applied within 24-48 hours of release.
What happens if I don’t do a website security update?
Think of your website as a house. Sometimes, bad guys might try to open your doors or windows. When you don’t apply security updates, you’re essentially leaving a door or window unlocked. Maybe the bad guys will notice or maybe they won’t. The more doors and windows you leave unlocked, the more likely a bad guy will get into your house. As we discussed in a previous blog post, the results of an intrusion can range from annoying to devastating. Either way, it’s not worth the risk to ignore security updates.