Your Website Security - Who Really is Responsible?

Security May Be Your Job After All

It wouldn’t be Halloween without some scares. The news yesterday that millions of Drupal websites were in danger of being hacked certainly will have brought a few to developers who work with that platform. It’s easy to imagine many web firms being even more hives of activity than usual as they raced to contact clients and get patching. Although not affected myself [ I don’t work with the Drupal platform ] it did spur some thoughts on the topic of website security and responsibility.

Website Security and Hacking
Maintenance Contracts and the Lack of…

I sat and imagined all the calls and emails today between Drupal designers and their clients. I wondered where the split lay between:

  1. Clients with full maintenance contracts specifically covering software updates and website security handling.
  2. Clients without set contracts being informed of the necessity to update/repair/restore and the subsequent negotiation of the fee involved.
  3. Contractless clients being informed of the necessity to update/repair/restore who don’t expect to pay for it. They consider it should be done for free by the site developer as part of their ‘work’ [ I don’t have any of these on my books for the obvious reason… life is too short! ]

I am leaving out those sites we run as favours for friends. In which case I take responsibility for the website security without further concern [ no fibbing now, we all have them ].

The Awkward Conversation

For the small web developer dealing with small and medium sized clients, all too often the majority fall into the second category. With finances tight, the temptation is to save a bit of money by avoiding the insurance of an annual maintenance contract, essentially just hoping for the best when it comes to the risk of being hacked or other issues with the website. Don’t leave security [ and other ] updates and backups until some later time when other work happens to be needed on your site.

All fine and well, you might say; that’s the client’s choice and they should be prepared for the worst. Except of course, it is rarely that simple. Most client relationships go beyond the cordial and formal [ which is what makes it the rewarding and enjoyable career it tends to be ], and that can make it difficult to reach a mutually satisfactory agreement on this issue when needs must. For that reason alone a maintenance contract should be considered, never mind that it will turn out cheaper than a ‘repair and restore’ fee should disaster strike.

What Should You Do About Website Security?

If you have got this far you are probably hoping for some suggestions or tips – luckily for you this wasn’t just some rambling on my part…

  • With a good ol’ plain HTML website that your developer keeps updated for you, chances are extremely high that they will have an up to date backup on their computer should the worst happen. If you haven’t previously, ask them what extra measures they can take to security harden your site. One good thing: hackers will be far more interested in CMS based sites, so there’s every likelihood they will ignore yours.
  • Open source CMS based websites [ WordPress, Joomla etc ] are favourite targets for hackers because they are now so widespread. Don’t just leave it to luck, you really need to have some proper arrangement in place. Even if you don’t want an annual contract at least drop your developer an email on a regular basis and ask them to give the site a quick once over. It’s very likely they will be happy to do so for a small fee each time. Also, speak to them about installing and configuring website security and backup plugins/software. I now launch all my WordPress sites with iThemes Security and Backupbuddy installed by default.
  • Bespoke CMS websites [ also plug’n’play sites, commercial ecommerce software etc ]. Make sure that they have an ongoing development timeline. Also enquire how often they have an independent security audit of their software. Do they seem tight-lipped or waffly over their commitment to website security? Then perhaps it would be best to move your site to another developer and platform.