Why do you need to patch your website?

Some people view their website as “set and forget”, especially if the website is a small five-page advertisement rather than a constantly updated behemoth of content and users.

Unfortunately, while you might forget your website, you can be sure that Russian hackers haven’t.

OPC’s content management system (CMS) of choice is Drupal, an open source application that is constantly being updated and protected against security vulnerabilities by a large group of programmers around the world. The same is true of the world’s most common CMS, WordPress.

In a recent study it was revealed that there are over 1.8 billion websites, which is one website for every four people, and WordPress itself makes up 30% of that.

When these CMSs get a security update, it is released to the world and everyone is expected to update, because one of the first groups of people to download these updates is the hackers.

By downloading the update, they can very easily see what security vulnerability has been fixed, and then use that knowledge to hack into any unpatched website.

An example of this happened in April of 2018 in the Drupal community, when a patch was released fixing a previously unknown major security issue. Within days, the hackers had reverse engineered the patch and started attacking sites that weren’t updated.

Drupal’s own security team sent out an advisory that any sites not patched within 8 hours should be considered compromised.

Luckily, OPC and most other development houses patched all their sites within that timeframe. But some people think they won’t be hacked because they are too small: why would a Russian hacker target a small family-owned bakery’s website? Don’t they target the CIA and the White House?

Most hacks these days are less about stealing data or defacing websites and more about stealing resources.

Each website runs on a server, and those servers are full of resources waiting to be stolen.

When a hacker gains access to a site, they can inject worms and viruses that take control of those resources and use them to assist in taking down larger sites like the CIA, or to mine cryptocurrencies.

Some recent hacks have also included code that hijacks the browsers of people who visit a compromised site and uses their computers for the hackers’ own purposes.

And while a small site with a low annual visitor rate can’t do much, when you can potentially harness over 30% of the world’s websites and their visitors, it quickly snowballs into a massive issue. In a recent review of more than 40,000 WordPress websites, it was found that 70% of them were vulnerable to hackers because they didn’t patch.

If we do a bit of simple maths (1.8 billion websites × 30% running WordPress × 70% unpatched), it’s possible that there are over 378,000,000 infected WordPress websites on the internet.

When these issues are found, it can take hours of work by a specialised web team to rectify them. Often it’s not as simple as recovering a backup of the website; it also requires investigation into the server infrastructure to ensure there are no hidden timebombs waiting to go off.

So while it might seem overkill to keep your personal blog about your cat up to date, if you don’t, you’re adding to the potential army of 378 million hacked websites waiting to be unleashed.

Date posted: 21 November 2018
Authored by: Toby Wild