A few weeks ago, I wrote about the importance of keeping WordPress up-to-date. It is also important to do the same with most other popular packages. Here’s why:
Let’s say you are a malicious user intent on putting your spam links or other malicious content on someone else’s site. Like anyone else, you want to do the least amount of work for the most impact. If you could compromise one site or 1,000 sites in an hour, which would you choose? Of course, you choose the 1,000 sites.
With popular open source packages like Magento, Joomla, Drupal and WordPress, the source code is public and the projects publish release notes and the exact changes between versions. So all a malicious user needs to do is compare the old and new releases, work out what the fix addressed, write a program that exploits the unpatched flaw, and go looking for sites still running the old version. Since many sites never get updated, a malicious user can make a large impact with very little work, and the clock starts the moment the fix is published.
How do you avoid this? Keep up with the security releases for these packages and apply them promptly. Have someone technical take responsibility for it, so the updates actually get done and are tested (ideally on a copy of the site, with a backup taken first) so they don’t break something else.
Am I Up-To-Date?
With Drupal, in addition to the security notices in the admin screen, you can almost always determine what version you are on by visiting yourdomainname.com/CHANGELOG.txt; the version number is in the first line of the file. Compare it with the current release at http://drupal.org/project/drupal. Keep in mind that the same file tells an attacker’s scanner your version too, so once you have checked, it is worth blocking public access to it.
With Joomla, the version number is shown at the top or bottom of the screen after you log in as an administrator. Compare it with the version offered at http://www.joomla.org/download.html.
With Magento, security notices appear at the top of the screen when you log in as an administrator.
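As an added example (not from the original post), here is a small Python script that performs the Drupal check above by hand: it reads the version header from CHANGELOG.txt and compares it numerically against a current-release number you look up on drupal.org. The sample changelog text and the version numbers in it are constructed for illustration only, `LATEST_KNOWN` is a placeholder you fill in yourself, and `fetch_changelog` assumes the site serves the file at the default path.

```python
import re
import urllib.request

# Constructed sample of the start of a Drupal 7 CHANGELOG.txt.
# Only the format matters; the numbers are made up for illustration.
SAMPLE_CHANGELOG = """Drupal 7.12, 2012-02-01
-----------------------
- Fixed a bug.

Drupal 7.11, 2012-01-01
-----------------------
- Fixed another bug.
"""

# Placeholder: look this up at http://drupal.org/project/drupal and update it.
LATEST_KNOWN = "7.14"

# The newest release is always the first header line in the file.
VERSION_RE = re.compile(r"^Drupal (\d+(?:\.\d+)+)", re.MULTILINE)


def parse_drupal_version(changelog_text):
    """Return the version from the first 'Drupal X.Y, date' header line."""
    match = VERSION_RE.search(changelog_text)
    if not match:
        raise ValueError("no Drupal version header found in CHANGELOG.txt")
    return match.group(1)


def version_tuple(version):
    """'7.12' -> (7, 12). Needed because string comparison puts '7.9' above '7.12'."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(installed, latest):
    """True when the installed version is numerically older than the latest release."""
    return version_tuple(installed) < version_tuple(latest)


def fetch_changelog(base_url, timeout=10):
    """Fetch CHANGELOG.txt from a site (network access; assumes the default path).

    This is the same request an attacker's scanner makes, which is why the
    file should be blocked from public access once you have checked it.
    """
    with urllib.request.urlopen(base_url.rstrip("/") + "/CHANGELOG.txt", timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_site(changelog_text, latest=LATEST_KNOWN):
    """Return (installed_version, outdated_flag) for a changelog's contents."""
    installed = parse_drupal_version(changelog_text)
    return installed, is_outdated(installed, latest)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    installed, outdated = check_site(SAMPLE_CHANGELOG)
    print("installed:", installed, "latest:", LATEST_KNOWN,
          "OUTDATED" if outdated else "up to date")
    # To check a real site instead:
    #   installed, outdated = check_site(fetch_changelog("http://yourdomainname.com"))
```

The tuple comparison matters: a naive string comparison would report a site on 7.9 as newer than 7.12, so it would never flag it as outdated.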
