The recent #drupalgeddon incident, together with comments from a customer, made us rethink how we apply Drupal updates for customers. (2020Media is a leading UK Drupal hosting provider; we offer a tuned hosting environment for Drupal that is fast and responsive.)
For those who missed it on the BBC news and elsewhere, ‘drupalgeddon’ was a security weakness in the Drupal content management system which allowed attackers to take over websites.
Mark Stockley, an analyst at security firm Sophos, said the warning was “shocking”. “Many site owners will never have received the announcement and many that did will have been asleep,” he said. “What Drupal badly needs but doesn’t have is an automatic updater that rolls out security updates by default.” There is strong feeling on both sides with many arguing against “dumbing down” Drupal.
We do not automatically apply updates to every Drupal site we host, for a very good reason: the risk of breaking a customer’s site is too great. It’s worth noting that the Drupalgeddon security problem was the first of its kind in 9 years, so it’s arguable that the risk of a security problem on such a scale happening again is manageably small. Drupal updates typically replace the entire Drupal codebase, leaving only the /sites/ folder untouched. If a customer or their developer has changed any core file, those changes will be wiped out.
Sometimes an update fixes a bug or changes a feature. The site may already have a workaround in place for that bug, and the update will then cause the site to break. These are just a few of the reasons.
The problem for us is that we did not build the site in the first place, nor are we familiar with its inner workings, so it is very hard for us to be sure the site is in a working state after an update. A working homepage does not mean the site is 100% working. If the customer is going to be involved in checking the site after the update, which in our view they have to be, they should be involved all the way through: from the point of receiving a Drupal notification email about an update (or a notification from the Drupal security list), through the timing of the update, to checking the site afterwards in case a roll back is required.
What changes have we made? Actually very little. We have simply streamlined our internal processes to make the technical side of doing the update a lot quicker. Many of our customers have several sites with us, so we are now using some simple scripting to update all of a customer’s sites once they give us the go-ahead.
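As an added illustration of the process described above (this is example code, not 2020Media’s own scripts), the following Python driver refuses to run without the customer’s go-ahead, takes a database dump and a codebase tarball before touching anything (because a core update replaces everything outside /sites/), applies the update with drush, and rolls back from those backups if any step fails. The customer-to-site mapping, the backup directory and the drush 6/7-era commands (sql-dump, pm-update, core-status, sql-drop, sql-cli) are assumptions for the example; a site still needs the customer’s own functional check afterwards.

```python
import subprocess
from datetime import datetime
from pathlib import Path

# Hypothetical customer-to-site mapping; on a real host this would come from the
# provisioning database. All paths below are constructed for this example.
CUSTOMER_SITES = {
    "example-customer": [
        "/var/www/example-customer/site-a",
        "/var/www/example-customer/site-b",
    ],
}
BACKUP_DIR = "/var/backups/drupal"  # assumed location with room for dumps and tarballs


def _backup_paths(docroot, stamp):
    name = Path(docroot).name
    return (f"{BACKUP_DIR}/{name}-{stamp}.sql", f"{BACKUP_DIR}/{name}-{stamp}.tar.gz")


def update_plan(docroot, stamp):
    """Ordered steps (argv, stdin_file) to update one site; drush 6/7 syntax assumed.

    Backups come first: a Drupal core update replaces everything outside /sites/.
    """
    db_dump, code_tar = _backup_paths(docroot, stamp)
    parent, name = str(Path(docroot).parent), Path(docroot).name
    return [
        (["drush", "--root=" + docroot, "sql-dump", "--result-file=" + db_dump], None),
        (["tar", "-czf", code_tar, "-C", parent, name], None),
        (["drush", "--root=" + docroot, "pm-update", "drupal", "--yes"], None),
        (["drush", "--root=" + docroot, "core-status"], None),  # bootstrap check only
    ]


def rollback_plan(docroot, stamp):
    """Restore the codebase tarball and replay the SQL dump taken by update_plan()."""
    db_dump, code_tar = _backup_paths(docroot, stamp)
    parent = str(Path(docroot).parent)
    return [
        (["tar", "-xzf", code_tar, "-C", parent], None),
        (["drush", "--root=" + docroot, "sql-drop", "--yes"], None),
        (["drush", "--root=" + docroot, "sql-cli"], db_dump),  # i.e. drush sql-cli < dump.sql
    ]


def _run(step):
    argv, stdin_file = step
    if stdin_file is None:
        subprocess.run(argv, stdin=subprocess.DEVNULL, check=True)
    else:
        with open(stdin_file) as fh:
            subprocess.run(argv, stdin=fh, check=True)


def update_customer(customer, approved, dry_run=True, stamp=None):
    """Update every site of one customer, but only once they have given the go-ahead.

    Returns the steps executed (in dry_run mode, the steps that would be executed).
    A failing step triggers the rollback for that site before the error is re-raised.
    """
    if not approved:
        raise PermissionError(f"no go-ahead recorded from {customer}; refusing to update")
    stamp = stamp or datetime.now().strftime("%Y%m%d-%H%M%S")
    executed = []
    for docroot in CUSTOMER_SITES[customer]:
        for step in update_plan(docroot, stamp):
            executed.append(step)
            if dry_run:
                continue
            try:
                _run(step)
            except subprocess.CalledProcessError:
                for undo in rollback_plan(docroot, stamp):
                    _run(undo)
                raise


    return executed


if __name__ == "__main__":
    # Dry run: print what would happen for one customer without touching any site.
    for argv, _ in update_customer("example-customer", approved=True, dry_run=True):
        print(" ".join(argv))
```

The dry run is the part worth showing the customer before the real run: it lists exactly which sites will be touched and where the rollback material will be written, so the “go-ahead” is given against a concrete plan rather than a vague promise.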
The WordPress brute-force login attacks show little sign of abating and we recommend all users ensure their sites are secured against this attack.
Since spring 2013, hackers have been calling the WordPress login url with “standard” usernames (like ‘admin’) and thousands of passwords. In our experience nearly all users have ‘admin’ as a user account so this makes them especially vulnerable.
Well – not a solution exactly, but it should protect your site from being hacked.
The solution we propose is to change your username to something only you know about. If you are creating a new WordPress site, don’t use the default ‘admin’. Choose a new username.
If you have an existing site, you can’t simply delete the user ‘admin’ – but there are lots of free plugins around to change it instead. The one we’ve been using is called ‘Username Changer’. Install it, activate it, change your username and then remove it. It’s a one-off job.
2020Media can help
Additionally, 2020Media would like to see these WordPress attacks stop – realistically this is not going to happen – it’s a distributed attack from botnets, and things will change only when it’s no longer worth the hackers’ while.
2020Media are happy to change your login username for you plus we can add additional server-side security which will mitigate the denial-of-service aspects of the attack.
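As an added example (not 2020Media’s own tooling) covering both the attack pattern described above and the server-side mitigation just mentioned, the script below reads Apache combined-format access log lines, flags any address that POSTs to wp-login.php more than a threshold number of times within a sliding window, and emits an Apache 2.4 snippet that refuses wp-login.php to those addresses so the PHP login handler is never even invoked for them. The log lines, addresses, threshold and window are constructed assumptions for the example; the thresholds on a real server would be tuned against legitimate editor logins.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format; only the fields this analysis needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, ts, method, path, status):
    # Builds one constructed combined-format line; not captured from a real server.
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample: one address hammering the login form every 10 seconds,
# one genuine editor logging in (two tries, then a 302 on success), one visitor.
SAMPLE_LOG = (
    [_line("203.0.113.7", f"10/Jun/2013:10:0{i // 6}:{(i % 6) * 10:02d} +0000",
           "POST", "/wp-login.php", 200) for i in range(12)]
    + [_line("198.51.100.5", "10/Jun/2013:10:04:50 +0000", "GET", "/wp-login.php", 200),
       _line("198.51.100.5", "10/Jun/2013:10:05:00 +0000", "POST", "/wp-login.php", 200),
       _line("198.51.100.5", "10/Jun/2013:10:05:30 +0000", "POST", "/wp-login.php", 302),
       _line("192.0.2.9", "10/Jun/2013:10:06:00 +0000", "GET", "/index.php", 200)]
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FORMAT), m["method"], m["path"], int(m["status"])


def find_login_bruteforce(lines, threshold=10, window_seconds=300):
    """Map each IP that POSTs to wp-login.php at least `threshold` times within any
    `window_seconds` span to its peak count inside such a window."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].split("?")[0].endswith("/wp-login.php"):
            posts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def htaccess_block(ips):
    """Apache 2.4 snippet denying wp-login.php to the flagged addresses, so their
    requests are rejected by the web server before PHP and the database do any work."""
    rules = "\n".join(f"    Require not ip {ip}" for ip in sorted(ips))
    return ("<Files wp-login.php>\n  <RequireAll>\n    Require all granted\n"
            f"{rules}\n  </RequireAll>\n</Files>\n")


if __name__ == "__main__":
    hits = find_login_bruteforce(SAMPLE_LOG)
    print(hits)
    print(htaccess_block(hits))
```

The window-based count is what keeps the genuine editor out of the block list: two attempts half a minute apart never reach the threshold, while a bot posting every few seconds does within a couple of minutes. Renaming the ‘admin’ account, as described above, stops the guesses from ever matching; the deny rule stops them from costing the server anything.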
The Managed WordPress service from 2020Media is something anyone who does not log in to their WordPress site on a weekly basis should seriously consider. Even if you do, you get peace of mind, as updates to WordPress, themes and plugins are done for you.