Why don’t you patch that shit!
During routine audits of platforms at a place I work at we noted to our dismay, but sadly not to our surprise, that a number of customers are failing to maintain their WordPress, Drupal and other installations. This is not only irresponsible but downright dangerous.
In discussions with some customers our technical support team have heard various reasons for this, including such phrases as “my customer doesn’t pay me to update the site so I don’t” and “but it’s only a small personal web site, so I don’t see the point”, among many others.
So why should you patch?
Quite simply, because if you don’t, your web site WILL be hacked. This is not a case of it might be, it will be. I can’t be more clear on this.
If your site is hacked and it contains any information of use to anyone, names and addresses, personal information, then consider that gone – shared with the bad man who will use it for bad purposes. If you have financial information of any kind then that will be taken too – especially financial information.
There is a common misconception that a hacked site will be obvious – the words on the site will have changed or random images will appear. Perhaps there will be some banner like “hacked by xx crew”. Sure, they happen, but generally they are the best that can happen.
The worst and most common we see are those where the hackers install additional files and scripts and then silently, without your knowledge, steal any data that comes their way. They will also use your web site to steal data from your web site visitors, infect the machines of those unsuspecting visitors who didn’t bother to patch their own computers, and use those infected machines in a botnet attacking other networks and computers, send spam from that computer’s mail accounts, or they may just steal their data instead.
The sad reality of the situation is that once your web site has been hacked it’s already too late. Just removing the badness is not enough. Often it will be so embedded, especially if you are running an off-the-shelf or self-installable piece of software on your site for blogging or ecommerce, that you’ll need to delete all of the data and start again.
As controversial as this may sound, from our experience the police will be of little to no use whatsoever. They have neither the time nor the resources, and given that your average hacker will disguise his location and is likely operating in a country whose own authorities couldn’t care less, your loss should therefore be considered total, with no recourse to anyone.
There’s another common misconception about firewalls. Many people I speak to think that a firewall will prevent bad things from happening. It won’t. A firewall will prevent access to things, so generally it is configured to prevent access to a server on any services other than those it is supposed to be accessed on, like ports 80 and 443 for web traffic, or ports 143, 100, and 25 for email traffic and so on. It can be configured to stop certain computers from accessing those services as well, but if you think about the job of a service provider then you’ll understand that unless we have reason not to, such as seeing an attack coming in from a particular computer, we will allow access to a web server from everywhere on the legitimate web ports. With traffic from everyone, including the bad people, reaching your web site, if your web site or application is not secure it can be attacked and hacked.
Of course there are such things as web application firewalls, which can identify known attack patterns from known rule sets or identify errors and block traffic accordingly. This is great if the web application firewall has been tuned to only your web site, but when it is tuned to everyone else on the server as well, enforcing all of the rules that might protect your web site content will result in blocking content for others, so as a web host we need to be looser in the rule sets we enforce in order to prevent false positives. Unfortunately this means that the bad man can still reach your web site or application and so once again, if it’s not secure it can be hacked.
Frankly, if we find somebody’s site is hacked we’ll turn it off. The obligation is on the customer to ensure the integrity of the data they upload to our servers. We look after our systems and we look after the data we are responsible for. While we might host their data, it is their data and it is their responsibility to look after it.
With WordPress, and on our Plesk servers, we can configure automatic patching, and so will generally patch anything we find out of date anyway – that might break their site if they didn’t code it properly, but we have the security of others to think of. On other platforms, not so much. WordPress is pretty good in that with the release of version 4 you can configure your WordPress installation to update itself. We wish that other software vendors would do the same, but until they do, it is something you need to do yourself.
It should be a routine thing you do – create a recurring task for yourself at least once a week: check if patches are available and apply them.
Another thing you should do is back up your web site. I’ve been in this game for a long time and I’m still amazed by the number of people who fail to back up their web site and databases. Why would you not do that?
The next worst offenders are those that back up their web sites and then store the backup in the same web space. You may as well not bother.
We do back up data for business continuity purposes, but that doesn’t mean you shouldn’t back up your data yourself. Download it and put it somewhere safe.
Having a backup will at least ensure that in the event of something bad happening you can roll back to a point in time before that bad thing happened, restore from the backup and then do something about it… like patch.
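The weekly routine the post asks for (back up the files and database somewhere outside the web space, then check for and apply patches) as one script. This is an added example, not the author's or their hosting company's own tooling; it assumes a WordPress site in a docroot you name, a backup directory that is NOT under that docroot, wp-cli (`wp`) on PATH for the patch step, and constructed `DB_NAME`/`DB_USER`/`DB_PASS` environment variables for the database dump. The point it enforces in code is the one from the “back up into the same web space” paragraph: the backup step refuses to write anywhere inside the web root.

```shell
#!/bin/sh
# Added example: weekly "back up first, then patch" routine for a WordPress site.
# Assumptions (not from the original post): docroot and backup dir are given as
# arguments, DB_NAME/DB_USER/DB_PASS are constructed env var names, wp-cli is on PATH.
set -eu

# Resolve a directory to its canonical absolute path (follows symlinks).
canon_dir() {
    (cd "$1" 2>/dev/null && pwd -P)
}

# Return 0 if directory $1 is the web root $2 or lies anywhere beneath it.
# A backup inside the web root is readable by anyone who can read the site and
# is destroyed by whoever wipes the site, so it is no backup at all.
is_inside_webroot() {
    target=$(canon_dir "$1") || return 1
    root=$(canon_dir "$2") || return 1
    case "$target" in
        "$root"|"$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a timestamped archive of the site files (and a DB dump when mysqldump
# and DB_NAME are available) into $2. Prints the archive path on success.
backup_site() {
    docroot=$1
    dest=$2
    mkdir -p "$dest"
    if is_inside_webroot "$dest" "$docroot"; then
        rmdir "$dest" 2>/dev/null || true   # undo the mkdir if we just created it
        echo "refusing: backup destination $dest is inside the web root $docroot" >&2
        return 1
    fi
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/files-$stamp.tar.gz"
    tar -czf "$archive" -C "$docroot" .
    if command -v mysqldump >/dev/null 2>&1 && [ -n "${DB_NAME:-}" ]; then
        # MYSQL_PWD keeps the password out of the process list; DB_* are assumed names.
        MYSQL_PWD="${DB_PASS:-}" mysqldump --user="${DB_USER:-root}" "$DB_NAME" \
            | gzip > "$dest/db-$stamp.sql.gz"
    fi
    echo "$archive"
}

# Check for and apply core, plugin and theme updates with wp-cli.
# Only run after a successful backup so a bad update can be rolled back.
apply_updates() {
    docroot=$1
    if ! command -v wp >/dev/null 2>&1; then
        echo "wp-cli not found; check for updates manually" >&2
        return 1
    fi
    wp --path="$docroot" core check-update
    wp --path="$docroot" core update
    wp --path="$docroot" plugin update --all
    wp --path="$docroot" theme update --all
}

# Weekly driver: back up, then patch. Example cron line (Mondays 03:00):
#   0 3 * * 1 /path/to/this.sh /var/www/example /var/backups/example
weekly_maintenance() {
    archive=$(backup_site "$1" "$2") || return 1
    echo "backup written to $archive"
    apply_updates "$1"
}

# Run the routine only when invoked with <docroot> <backup_dir>.
if [ "$#" -eq 2 ]; then
    weekly_maintenance "$1" "$2"
fi
```

Download the archive from the backup directory to somewhere off the server afterwards, as the post says; the script only guarantees it never lands in the web space, not that it leaves the machine.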