How to Automate Website Security Updates

Luke Probasco, Product Marketing Manager. Reading estimate: 4 minutes

In this post, we’ll break down the common vulnerabilities of an outdated CMS and how Pantheon’s Autopilot keeps your portfolio of websites secure. 

[Image: Keyboard] Hero image by Vipul Jha via Unsplash.

Raise your hand if you have ever received a notification that your personally identifiable information (PII) has been compromised. If you have, you unfortunately know firsthand that data breaches don’t just affect the businesses that were compromised; they affect us personally. 

Attacks and breaches are not only extremely damaging; it’s quite possible that a poorly maintained website is the attacker’s point of entry. This is why it is important for us to have a security mindset on any project we work on.

Websites Running on an Outdated CMS Pose a Security Risk

Drupal and WordPress websites running outdated core versions, as well as older plugins, modules, and themes (for WordPress users), present a significant security risk. A WordPress security report by KeyCDN estimated that for those sites running WordPress, 52% of vulnerabilities targeted plugins, 37% were centered around WordPress core, and the remaining 11% were associated with themes. 

Organizations, large and small, often store sensitive information online — email addresses, usernames and passwords, data entered into online forms, and much more. If this information were to be lost or leveraged in an attack, it could mean the difference between a successful quarterly report and, in some cases, going out of business. In fact, 60% of small companies close within 6 months of being hacked. With both the financial security and future of the business on the line, it’s crucial for organizations of all sizes to have safety measures in place to secure their websites.

Further, about 35% of data breaches start with websites. Your website is on a server somewhere. That server is next to other computers on a network. In shared environments, it is likely that some of those computers have sensitive information and/or access to the next system in the chain that does. Once a hacker finds a crack in the door, they often have enough to move in. One of the best ways to ensure that a website is secure is to regularly update the core CMS and all related plugins/modules/themes.

Pro Tip: Keep plugins and modules to a minimum and remove anything that is inactive. The more modules/plugins you have, active or not, the broader your attack surface is.
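One way to turn the advice above into a repeatable check, as an added example that is not Pantheon's or Autopilot's code: it reads the JSON that WP-CLI's `wp plugin list` command prints (sample output constructed inline, not real site data) and separates plugins that should be removed from plugins that should be updated. The field names are WP-CLI's; the sample data and the `plan_commands` helper are assumptions of this example.

```python
import json

# Constructed sample of `wp plugin list --format=json --fields=name,status,update,version,update_version`.
# Field names follow WP-CLI; the plugin names and versions are made up for this example.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "available", "version": "4.1.0", "update_version": "5.3"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2", "update_version": ""},
    {"name": "old-gallery", "status": "inactive", "update": "available", "version": "2.0", "update_version": "2.4"},
    {"name": "site-helper", "status": "must-use", "update": "none", "version": "1.0", "update_version": ""},
    {"name": "seo-kit", "status": "active", "update": "none", "version": "3.2.1", "update_version": ""},
])


def audit_plugins(plugin_list_json):
    """Split a WP-CLI plugin inventory into (remove, update).

    remove: inactive plugins. Their code stays on disk and still counts toward the
            attack surface, so the page's advice is to delete rather than patch them.
    update: active plugins with a newer release available, as (name, current, new).
    Must-use and drop-in plugins cannot be deactivated from the admin UI, so they are
    never listed as removable; they fall through to the update check instead.
    """
    remove, update = [], []
    for plugin in json.loads(plugin_list_json):
        if plugin["status"] == "inactive":
            remove.append(plugin["name"])
        elif plugin.get("update") == "available":
            update.append((plugin["name"], plugin["version"], plugin.get("update_version", "")))
    return remove, update


def plan_commands(remove, update):
    """Render the audit result as the WP-CLI commands an operator would run next.
    `wp plugin delete` and `wp plugin update` are real WP-CLI subcommands."""
    commands = []
    if remove:
        commands.append("wp plugin delete " + " ".join(remove))
    if update:
        commands.append("wp plugin update " + " ".join(name for name, _, _ in update))
    return commands


if __name__ == "__main__":
    to_remove, to_update = audit_plugins(SAMPLE_PLUGIN_LIST)
    for name, current, new in to_update:
        print(f"update  {name}: {current} -> {new}")
    for name in to_remove:
        print(f"remove  {name}")
    print("\n".join(plan_commands(to_remove, to_update)))
```

Run it against the real inventory by piping `wp plugin list --format=json --fields=name,status,update,version,update_version` into `audit_plugins`.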

Why Is Keeping Up-To-Date So Hard?

Keeping websites up-to-date can be a challenge for organizations. Sometimes they don’t have the in-house technical expertise to update the CMS/plugins/modules/theme. Other times, they don’t have the budget to have an outside developer take care of it for them. Further, security updates are often time sensitive. The time it takes to find a resource (even if you have one internally) to update your site can sometimes come too late. Attackers wait for no one.

Website Security on Autopilot

As Pantheon expands the tools offered as part of its WebOps platform, Autopilot is now available to all customers on Gold, Platinum, and Diamond plans. Autopilot keeps sites up-to-date by automatically detecting and deploying updates for WordPress and Drupal in a single, fast workspace environment.

Additionally, for customers with a large number of sites, Autopilot will automatically monitor their entire portfolio of sites, detect when new updates across their site portfolio are available, and perform these updates in an isolated multidev environment. Since each site has its own unique critical dependencies, Autopilot will maintain these — all while keeping each site secure and performing efficiently.

[Image: Autopilot Before & After Tester] Autopilot’s Visual Regression Testing (VRT) in action.

For marketers and other site owners who don’t live in code, Visual Regression Testing (VRT) alerts users when an update will affect the layout/look of the site. Autopilot will automatically tag pages where things look different for further review (users are able to designate how different a page can look before they are alerted). 

Now raise your hand if you have ever seen images disappear, CSS change, or fonts switch unexpectedly after an update. VRT is a welcome tool, bringing closer alignment between the marketing and web development teams. You can now put your hand down.

How to Set Up Autopilot

To work with Pantheon’s Autopilot, switch to the Workspace for the site's Organization in the new dashboard before you continue.

  1. In the Global Primary Navigation, click the Autopilot icon.

  2. Sites for which Autopilot is available are listed in the All Sites column of the Sites table.

  3. Click Activate in the Site's row.

During setup, use the buttons at the bottom to navigate between steps. If you use the browser's back button instead of Go Back, you'll lose any unsaved changes.

  1. In the Configuration step, use the On/Off toggles to choose which features and elements should be tracked for, or excluded from, updates, then click Continue to set a schedule and deployment destination for Autopilot. Any elements that Autopilot detects as available for exclusion will be listed in each category (Modules, Plugins, Themes). Click Manage Excluded Updates, then the Exclude button on the element's row, to exclude it from Autopilot updates.

  2. Schedule Autopilot to run:

     • Never (Update Manually)

     • Monthly

     • Weekly

     Then use the dropdown menu to choose the deployment destination:

     • Dev

     • Test

     • Live

     Click Continue to choose pages for screenshot comparison tests.

  3. Add pages to track for visual regression testing. Autopilot automatically suggests up to ten URL paths during setup.

  4. Click Save to initialize Autopilot on the Site.

Note: Currently Autopilot works best on WordPress sites without multi-site and Drupal sites using Integrated Composer or Drush 8.

If you are a Pantheon customer, and would like to learn more about setting up Autopilot, you can check out our Autopilot Setup and Configuration documentation. For anyone not using Pantheon’s WebOps tools, we encourage you to set up a Pantheon account. Once you become a paying customer, Autopilot is included with the platform.
