In an earlier blog, "The Art of Not Getting Hacked", I compared software security to the evolution of disease. We create more powerful antibiotics only to be outmatched by more powerful bacteria. It is a never-ending war of creating more secure systems only for new vulnerabilities to be found and exploited by hackers.

Updating a system is like switching to a new, more powerful antibiotic. As vulnerabilities are discovered by hackers and security specialists, the vendors upgrade their software to address those vulnerabilities.

Upgrading is even more vital for the health of your system if you are using open-source systems.

Open-source is one of the most amazing movements of the 20th and 21st centuries. It provides your system with the power of the crowds -- it is a self-correcting, self-improving system. This is why the best and most popular software systems are open-source. Open-source software is everywhere -- from Wikipedia to Google Chrome and large-scale web servers. Even your Android smartphone is built on an open-source system. If you are interested in learning more about open-source systems and how we have contributed to the community, please read my previous blog on open-source.

The fuel that powers the engine of open-source, the openness, can, however, become a risk if not recognised and managed appropriately. Being open means that everyone, including the hackers, will have access to the source code and can scrutinise the code to find security vulnerabilities.

What this means is that upgrades are even more vital if you are using an open-source system. So, if your website is powered by an open-source system, ensure it is updated frequently. Your smartphone prompts you to update as soon as a new patch is available and Windows now forces its updates on you whether you like it or not, so why should updates to your website be ignored? When compared to upgrading your personal smartphone or PC, neglecting to upgrade your CMS puts you and the users of your website at the highest level of risk.

One of the security companies we work with, Sucuri, has recently published a report evaluating trends in website hacks in 2016. This report shows how important it is to upgrade your website's CMS frequently.

Sucuri's report clearly shows a strong correlation between the number of outdated platforms and the number of hacked platforms. In the first quarter of 2016, 85 percent of 1600 hacked Joomla websites were running outdated versions.

[Figure: Out-of-date hacked sites by CMS]

For more details, please read the original report at https://blog.sucuri.net/2016/05/sucuri-hacked-report-2016q1.html

The report also shows that, out of all the hacked websites, 78% were WordPress. This, however, does not necessarily mean WordPress is less secure. There are simply more WordPress websites on the internet than any other CMS. More specifically, the report found that it is very likely that WordPress users install less secure and out-of-date plugins on their websites. Even if your website is up-to-date, running out-of-date extensions increases your chances of getting hacked significantly.

Another interesting finding of the report is that, while Joomla incidents have increased slightly and WordPress incidents have decreased slightly since last year, in general, the number of WordPress hacks has been increasing over the past few years while the number of Joomla hacks has been decreasing.

[Figure: CMS hack trend for Joomla, WordPress, and Drupal]

However, this is not a representation of WordPress getting less secure and Joomla getting more secure. There are many factors involved here, including the number of out-of-date websites and the number of out-of-date extensions/plugins installed on those websites.

As we have mentioned earlier, security is a layered approach. A system is only as strong as its weakest link. Even with the most secure, bulletproof codebase, if the underlying CMS is outdated or if you have out-of-date extensions installed, the system can get hacked very easily.