As I'm sure you know, nearly all software applications provide regular, easy-to-implement updates that fix bugs and patch security issues. So why then is it still the case that one of the primary reasons for software security breaches is an out-of-date application? (Read: The Three Most Important Things About Security - Update, Update, Update) Most software updates are quite easy to do, so why are they often discounted, overlooked or forgotten?

Open-source Software

If you have a Web site that uses a content management system (CMS) such as Drupal or WordPress, the software is built on a foundational set of code called the core. If there are features that the core does not have, functionality can be added with additional code called modules or plug-ins. In fact, the way these applications are built, it is extremely common for a Web site to have at least a dozen or so modules / plug-ins, and some have many more.

Both Drupal and WordPress make updating the core very easy, and both applications can be set to alert you when an update is available. The same is often true for modules and plug-ins, even if notifications are not as common and updates are not always as easy.

Now, unlike applications such as operating systems, neither Drupal nor WordPress will automatically update the software for you - you need to choose to update the software. And this is a good thing. Why? Because software updates can break your site. I suspect that this is one of the root causes of update neglect - because it takes time and diligence. Here are the basic steps we take when updating a software application for a client.
- Create a clone of the site's web server on a different server.
- Copy the web site's content and database.
- Set up the site on the cloned server.
- Review the cloned site's configuration to make sure it is 100% disconnected from the live system: that no automated emails will be sent from the clone, that there are no hard-coded links in the code that point to the live server, that Google Analytics on the cloned site is turned off, etc.
- Review the cloned site to make sure it's in proper working order.
- Assess any issues, roll back as necessary, identify what may be causing problems, fix the issue or bid to fix the issue, repeat.
- Create a backup of this cloned system in case we need to roll back.
- Apply the core update.
- Test the site.
- Assess any issues, roll back as necessary, identify what may be causing problems, fix the issue or bid to fix the issue, repeat.
- Apply the module / plug-in updates one at a time.
- Test the site in between each update.
- Assess any issues, roll back as necessary, identify what may be causing problems, fix the issue or bid to fix the issue, repeat.
- Provide the client secure access to the cloned site for their testing.
- Assess any issues, roll back as necessary, identify what may be causing problems, fix the issue or bid to fix the issue, repeat.
- Once the client approves the site, adjust any previously made configuration changes so this cloned server can become the live server.
- Address content changes on the live site with either a database / file level update to the clone or have the client make these changes after the new launch.
- Change DNS records so the domain points to the cloned server.
- Test the new production site.
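The "one at a time, test in between, roll back as necessary" loop from the plug-in steps above, as an added shell example that is not part of the original post. It assumes a WordPress-style plug-in directory layout, wp-cli as the default update command, and a hypothetical smoke-test script; both hooks can be overridden through environment variables.

```shell
#!/bin/sh
# Added example, not from the original post: apply plug-in updates on the cloned
# site one at a time, run a site test after each, and restore the previous copy
# of the plug-in if the update or the test fails.
# Assumptions: plug-ins live in $PLUGIN_DIR/<name>/; UPDATE_CMD receives the plug-in
# name (wp-cli's "wp plugin update NAME" by default); TEST_CMD is a hypothetical
# smoke-test script that exits 0 when the site works.
set -u

PLUGIN_DIR="${PLUGIN_DIR:-./wp-content/plugins}"
BACKUP_DIR="${BACKUP_DIR:-./plugin-backups}"
UPDATE_CMD="${UPDATE_CMD:-wp plugin update}"
TEST_CMD="${TEST_CMD:-./smoke-test.sh}"

# Restore a plug-in from the pre-update copy taken by update_plugin.
restore_plugin() {
    rm -rf "$PLUGIN_DIR/$1"
    cp -Rp "$BACKUP_DIR/$1" "$PLUGIN_DIR/$1"
}

# Update one plug-in. Returns 0 on success, 1 after a rollback, 2 if no backup
# could be taken (in which case nothing is touched).
update_plugin() {
    name="$1"
    mkdir -p "$BACKUP_DIR"
    rm -rf "$BACKUP_DIR/$name"
    cp -Rp "$PLUGIN_DIR/$name" "$BACKUP_DIR/$name" || return 2
    if ! $UPDATE_CMD "$name" >/dev/null 2>&1; then
        restore_plugin "$name"
        echo "$name: update command failed, previous version restored"
        return 1
    fi
    if $TEST_CMD "$name" >/dev/null 2>&1; then
        echo "$name: updated and tested OK"
        return 0
    fi
    restore_plugin "$name"
    echo "$name: site test failed, rolled back to previous version"
    return 1
}

# Walk every plug-in directory in turn; the return value is the number of
# plug-ins that had to be rolled back and still need investigation.
update_all_plugins() {
    failed=0
    for dir in "$PLUGIN_DIR"/*/; do
        [ -d "$dir" ] || continue
        update_plugin "$(basename "$dir")" || failed=$((failed + 1))
    done
    return $failed
}
```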
Depending on the complexity of the software application, this process can be much less involved than it appears - but each step needs to be taken to ensure a successful update. If, on the other hand, you are upgrading your application from one major release to another (see Drupal. Ready. 5, 6, 7, 8), the process will likely be on the more involved side, with additional code or theme development being required throughout the process.

Custom Software / Stack Updates

Whether you have an open-source software application or a custom software application, the web server itself needs to be updated as well. In the open-source world, the web server software on which the application runs is often called the stack, and the most common one in use is the LAMP stack. LAMP typically refers to Linux, Apache, MySQL, and PHP, which are the operating system, the web server, the database, and the programming language. There are many variables involved in upgrading the server software, including the interactions between the components of the stack itself. Upgrading the stack is often a joint effort between your web hosting provider and your application developer. And though it's not the application, the same diligent application testing process should be adhered to when doing so.

Additional Resources:
- Updating Drupal core: https://drupal.org/node/1494290
- Updating WordPress: http://codex.wordpress.org/Updating_WordPress
- LAMP stack: http://en.wikipedia.org/wiki/LAMP_%28software_bundle%29