"Ongoing maintenance" for CiviCRM: Website security updates
Yesterday we talked about hosting and infrastructure for your CiviCRM site.
Today let's look at something that's not quite so generic: Website security updates.
What it is:
Your CiviCRM system is going to run inside of a content management system (CMS) like Drupal or WordPress. And both CiviCRM and the CMS must be kept up to date with the latest security improvements.
Security is an arms race, and while the bad guys continue to look for new ways to compromise any popular software, the developers at CiviCRM and your chosen CMS are continually releasing updates to address those potential vulnerabilities.
These updates typically come out on an as-needed basis, several times per year, and somebody needs to apply those updates to your site.
Why you need it:
New security vulnerabilities are discovered on a surprisingly frequent basis.
Applying security updates is the easiest step you can take to deal with this.
If you're not doing it, you are needlessly leaving yourself open to attack, and potentially to the misuse of all of your contacts’ personal information.
Who can do it:
This is less technical than the hosting component, and there's a good chance someone on your staff can handle this.
They may need some advisement or training, and they may have questions from time to time. But it's mostly a matter of paying attention, and clicking a few buttons in the admin interface, or unzipping a few files on your hosting server.
On the other hand, because it has so little to do with your internal rules and policies, and is a fairly generic task, it’s something you could outsource pretty easily.
Some hosting providers include this service as a feature of their hosting packages. Joinery does that, and we also offer a separate subscription service to cover these security updates even if you’re not hosting with us.
In summary:
It's not so technical, so you're probably able to handle this in-house; or you can outsource it as a matter of convenience.
This is not something to be neglected. In-house or outsourced, somebody needs to be on top of this.
Tomorrow we’ll look at a related but separate topic: non-security updates. They’re optional and more specific to your own site’s needs, so are worth considering in a different light.
All the best,
A.