Security 101: Keeping PHP Scripts Up-to-Date
November 17th, 2008
An exploited website is every webmaster’s worst nightmare. There is nothing scarier than logging on to a completely defaced website, or receiving a notice from an abuse desk that your account has been sending spam and your IP was blacklisted. The thoughts begin to race from there. What about backups? Am I still receiving all my email? Have I lost clients or money? This nightmare scenario (and the headaches that come with it) can be easily avoided if you take one simple step: make sure that your scripts are always updated to the latest version.
Web hosting is driven largely by the wonderful engine of free and/or open source software. Scripts such as phpBB, SMF, Joomla, Drupal, and so on are freely available to webmasters in place of paid alternatives that would cost no less than a few thousand dollars. However, where the source of a script is available to you, it is also available to anyone else. This holds true even for those who would like to cause a little trouble for fun, fame, a challenge, or money. Aside from this, a poorly coded custom script can be just as much of a security hole, so it is important to always stay abreast of things. Modifications (add-ons) for open source scripts are yet another source of exploits. Many folks are surprised by this, but it is a good idea to know exactly what you are installing on your website. All it takes is a badly coded modification or outdated software and you will fall victim to the next round of attacks, whether launched by an organized group of hackers or by a 15-year-old “script kiddie” sitting in his basement using software he found in a backchannel IRC room.
With open source software, you have the benefit of a community that is constantly using, auditing, and securing the script. Most of these projects offer a mailing list, RSS feed, or news alerts about security issues. A premier example of this is the Drupal security mailing list, which sends out alerts for issues both in the core software and in the modifications (contributed modules) that run alongside it. The installer software that Idologic employs should also alert you when an update is available. However, some folks choose to install their scripts by hand, and our alerts would not be available in that case.
It is well worth the few minutes it takes to sign up for these lists on the software’s website. These lists publish information that is vital to you. When a new version of the software is released, it generally includes one or more fixes for security issues. If you continue to run an outdated version, it is a matter of when (and not if) your website will be exploited. And trust us, you are going to lose visitors and customers when your website plants a virus on their desktops. It is just not worth the headaches when you can do a few simple things to stay updated. We encourage all of our customers here at Idologic to stay aware and up-to-date!
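As an added example (not code from the original post or from any of the projects named above), the following script shows the kind of check that turns a security announcement feed into an actionable "you are outdated" list. The inventory of installed script versions and the RSS feed are constructed samples; real project feeds vary in format, so the title-matching pattern is an assumption you would adapt to the feed you subscribe to.

```python
"""Compare installed web-script versions against a security announcement feed."""
import re
import xml.etree.ElementTree as ET

# Constructed sample inventory: script name -> version installed on this account.
INSTALLED = {"drupal": "6.4", "phpbb": "3.0.1", "smf": "1.1.6"}

# Constructed sample RSS feed in the style of a project security announcement list.
# These item titles are hypothetical, not real advisories.
FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<item><title>Drupal security release: 6.6 fixes an access bypass</title></item>
<item><title>phpBB 3.0.2 released with security fixes</title></item>
<item><title>SMF 1.1.6 security patch</title></item>
<item><title>Unrelated news: community meetup</title></item>
</channel></rss>"""

# Assumed title format: the script name followed somewhere by a dotted version number.
ADVISORY_RE = re.compile(r"\b(drupal|phpbb|smf)\b.*?(\d+(?:\.\d+)+)", re.IGNORECASE)


def parse_version(text):
    """Turn '3.0.2' into (3, 0, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def fixed_versions(feed_xml):
    """Return {script: highest fixed version announced} from the feed's item titles."""
    fixed = {}
    for item in ET.fromstring(feed_xml).iter("item"):
        match = ADVISORY_RE.search(item.findtext("title", default=""))
        if not match:
            continue  # not an advisory for a script we track
        name, version = match.group(1).lower(), match.group(2)
        if name not in fixed or parse_version(version) > parse_version(fixed[name]):
            fixed[name] = version
    return fixed


def outdated_scripts(installed, fixed):
    """Return {script: (installed, fixed)} for every script older than its fix."""
    return {name: (have, fixed[name]) for name, have in installed.items()
            if name in fixed and parse_version(have) < parse_version(fixed[name])}


if __name__ == "__main__":
    for name, (have, need) in outdated_scripts(INSTALLED, fixed_versions(FEED)).items():
        print(f"{name}: installed {have}, security release {need} available")
```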