Similar to routine oil changes and other maintenance services for your car, ongoing security patches and software updates are necessary to ensure your website stays protected and performant. In the sections below, we review the many factors that will help you determine the right plan and maintenance frequency to meet your website’s needs.
When is a Website “Done?”
When a new website launches, there can be a tremendous sense of accomplishment felt by everyone on the project that worked long and hard to get it to the finish line. After much celebrating, everyone on the project eventually moves on to the next goal because the website is “done”. However, there is another definition of “done” to consider.
“Done is when your last end-user is in his grave” — Kris Buytaert
While this may seem like an extreme view, it’s a critically important mindset to adopt. A website’s codebase, as well as ALL the technology that’s used to power it and consume it, is constantly evolving. Security exploits are discovered, fixed, and patched. Software bugs are discovered, fixed, and patched. Sometimes these fixes introduce new issues, which are again identified, fixed, and released. And the cycle goes on and on.
The point is that these updates are happening all the time. And while it’s not necessary or even practical to try and keep up with all of these updates in real time, it’s important to not let too much time pass by. The longer you wait, the more risk you take on because hackers are aware of the number of open security vulnerabilities to test and use against a targeted site. Now, this is not necessarily cause for panic! There are sites that go without updates for years and they don’t have any issues. However, in other cases a single attack can completely take down a site. In very rare and very extreme cases, there were security exploits bad enough to compromise thousands of websites worldwide.
Long story short, if your website is critical to your business, it’s generally not worth the risk to treat it like it’s “done” at some fixed moment in time and never updated from that point forward. Rather, it’s better to view your website as a living thing that needs some level of routine care to ensure it’s protected and performing optimally.
Types of Website Maintenance
While applying all software updates is ideal, there are some updates that are much more important than others.
Security: These are by far the most important website updates to focus on because they are often the least likely to introduce new bugs, yet they provide the biggest gain in protection from your site being attacked. CMS’s like Drupal release security updates for contributed modules once a week (if available), while updates for Drupal Core are released every month (if available).
It’s important to reiterate that these security vulnerabilities are publicly disclosed to ensure that everyone applies these updates as quickly as possible. Therefore, not applying them does mean that others are aware of these vulnerabilities.
Bug Fixes: When a developer adds a new feature to a codebase, there is generally some level of testing that goes on to ensure that it works as expected. However, once the feature is released into the world, the additional exposure and usage by end-users will tend to create issues that the developer didn’t consider as a use case. When that happens, end-users file bug reports that typically get addressed in future releases.
These types of issues are typically less severe than security updates because they do not allow a hacker to gain access to a site or modify/delete data. However, bugs can still disrupt business operations. For example, if you were running an eCommerce store and could no longer accept online payments, that could be quite disruptive to your company’s sales and performance.
New Features: One of the benefits of using open source software is that the community is constantly adding and contributing new features back to the codebase. As a result, you often get new features mixed in with security and bug fixes. While getting new features for free is a nice bonus, it’s not necessary to apply these unless they are of value to you and your customers.
How Frequently Should We Perform Routine Website Maintenance?
Your mileage may vary depending on the complexity of the site and how important it is to the success of your organization. Below are some factors to consider when performing website maintenance.
Smaller Changes = Less Risk: While it may seem more efficient to simply apply bulk changes at the same time, it also has greater probability of introducing a new bug as result of all the changes. And, since the quantity of changes is larger en masse, tracking down the culprit can be more time consuming. Conversely, smaller changes results in a lower probability of a new bug being introduced, as well as a smaller list of changes to review should an error get introduced.
Drupal’s Security Release Cycle: The Drupal security team releases security advisories for contrib modules every Wednesday (if available) and for Drupal core once a month (if available). Over the course of the year, that typically results in 4-5 major updates to Drupal core and over 100 contributed module updates. Most of those contributed module releases won’t be specific to your site, but some of them will. Pay close attention to these releases and update your modules as needed, especially when a new release of Drupal core comes out!
Risk Analysis: What would be the impact on your business if your site was down for 1 minute? 1 hour? 1 day? 1 week? 1 month? Knowing the answer to this helps quantify the level of risk you’re willing to take on. If 1 day would cause a significant disruption in your business, then you will most likely want to perform updates, at least, on a monthly basis. If 1 hour of disruption would be significantly detrimental, a weekly frequency might be more appropriate.
Other items to consider for website maintenance
The Secondary Benefits: While performing the software updates, this provides the opportunity for a quick check “under the hood” to see if anything else glaring pops up. Sometimes a fresh set of eyes looking through the admin screens can result in the detection and correction of other issues before they become bigger problems.
Typical Cost: Applying and deploying the updates is a relatively fast process. Depending on how extensive the changes are and how they need to be tested, the entire process can be as little as an hour. For larger sites with more stringent change management and uptime requirements, more testing time should be allocated.
Whether your site is a simple blog or a top 50 web property, it’s important to have a game plan on how to keep it operational. Developing the habit of routinely applying security updates, bug fixes, and other maintenance will go a long way in making that a reality. Combined with a hosting strategy that includes high availability and disaster recovery, you will set yourself (and your website) up for success.
Need additional help getting started with your plan for website maintenance? Contact the NEWMEDIA team of website experts today!