One of the problems that’s leading to the cracking of many Web sites is that software is not kept up to date. It is not an easy task unless the process is made simple and at times automatic, because people are averse to change and to risk (the risk associated with updating software, never mind the risk of getting cracked). Keeping abreast of security fixes and new upgrades for Web-based software is not easy unless one uses an operating system like Debian, which can be updated regularly and has strict requirements for inclusion. There are several points worth making here:
1. Some CMSs are better equipped for this type of scenario. In my ~15 domains I have a dozen or so different CMSs and some are antiquated, e.g. php-nuke, and depend upon updates coming upstream, e.g. phpBB with the infamous uploader hole (~2008). Other software, such as WordPress (it’s my favourite as I was also part of the devs community for many years), alerts all users about the need to update the software. They keep up appearances by reducing the number of reports of cracked sites.
2. In recent years people have been using scripts like Fantastico-packaged sets to install the software. Softaculous is another one. 3 days ago WordPress issued a security fix (local privilege escalation and XSS for the most part, not too critical for some site setups), which automatically sent me several e-mails like the following (from domains where I used Softaculous to set things up):
"The following script updates are available:
To upgrade these scripts go to your Control Panel -> Softaculous -> Installations.
There you will be able to update the scripts.
From Softaculous Cron Jobs ([IP removed])"
Each bit of software typically keeps administrators abreast of security holes, but some software does not do this. WordPress alerts even writers, urging them to contact their admin for updates. Other bits of software require that one subscribes to a mailing list or regularly checks for updates. Back in the old days, and the way MediaWiki still works for the time being, people are advised to subscribe to a mailing list (or blog) with announcements about security fixes. If many customers have Joomla sites, then it’s useful to be subscribed to such fora and then update everything for everyone in batch mode (for WordPress I need to update 8 sites each time a fix comes out, and for some I need to do this manually from the shell due to different server settings).
It helps to have a database of installed software, recording which server is running which piece of software. It would be surprising if no such list had already been compiled by those who operate many servers. It helps to know what can be updated at the same time by the same person with the same files.
Some updates are merely about new features and might not even be backward compatible. Some software, like WordPress 2.0, is LTS (for inclusion in Debian stable), so it’s unlikely to require much updating. So, one can just look at what has changed and only update if the update is security related or has a data-jeopardising bug (in WordPress 3.2, for instance, people who rushed to update not for security reasons merely suffered from bugs and then had to update again to 3.2.1).
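To make the last two points concrete, here is a small inventory-driven update planner. It is an added example written for this post, not code from WordPress, Softaculous or any of the projects mentioned; the inventory, the advisory data and the server names in it are constructed for illustration. It keeps a list of which server runs which software at which version, compares each install against the latest release of that software, skips releases that are not security-related (the "only update if the update is security related" rule), and groups the remaining installs by target version so one person can update all of them in one batch with the same files. Installs for which there is no advisory source at all are reported separately, since those are the ones that need a mailing list or announcement feed subscribed.

```python
"""Inventory-driven update planner (added example, not from the original post).

Assumptions, all hypothetical and constructed for the example:
  - INVENTORY lists every CMS install we operate: server, path, software, version.
  - ADVISORIES lists the latest release of each package and whether that release
    fixes a security hole (the post's "update only if security related" rule).
"""
from collections import defaultdict


def parse_version(text):
    """'3.2.1' -> (3, 2, 1); dotted numeric versions only."""
    return tuple(int(part) for part in text.split("."))


def is_older(installed, candidate):
    """True if installed < candidate; short tuples are padded so '3.2' < '3.2.1'."""
    a, b = parse_version(installed), parse_version(candidate)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# Constructed sample inventory: which server runs which software, and where.
INVENTORY = [
    {"server": "web1", "path": "/var/www/blog", "software": "wordpress", "version": "3.2"},
    {"server": "web1", "path": "/var/www/news", "software": "wordpress", "version": "3.2.1"},
    {"server": "web2", "path": "/srv/site", "software": "wordpress", "version": "3.1.4"},
    {"server": "web2", "path": "/srv/forum", "software": "phpbb", "version": "3.0.8"},
    {"server": "web3", "path": "/srv/wiki", "software": "mediawiki", "version": "1.16.5"},
    {"server": "web3", "path": "/srv/portal", "software": "php-nuke", "version": "8.3"},
]

# Constructed sample advisories: latest release per package and whether it is a security fix.
ADVISORIES = [
    {"software": "wordpress", "version": "3.2.1", "security": True, "note": "privilege escalation / XSS fix"},
    {"software": "phpbb", "version": "3.0.9", "security": False, "note": "feature release"},
    {"software": "mediawiki", "version": "1.16.5", "security": True, "note": "already current"},
]


def plan_updates(inventory, advisories, security_only=True):
    """Group installs that need the same upgrade so they can be done in one batch.

    Returns {(software, target_version): [(server, path, installed_version), ...]}.
    With security_only=True, feature-only releases are left alone.
    """
    latest = {a["software"]: a for a in advisories}
    batches = defaultdict(list)
    for site in inventory:
        adv = latest.get(site["software"])
        if adv is None:
            continue  # no advisory source: reported by unknown_software(), not guessed here
        if security_only and not adv["security"]:
            continue
        if is_older(site["version"], adv["version"]):
            key = (site["software"], adv["version"])
            batches[key].append((site["server"], site["path"], site["version"]))
    return dict(batches)


def unknown_software(inventory, advisories):
    """Software in the inventory with no advisory source: subscribe to its announcements."""
    known = {a["software"] for a in advisories}
    return sorted({s["software"] for s in inventory if s["software"] not in known})


if __name__ == "__main__":
    for (software, target), sites in plan_updates(INVENTORY, ADVISORIES).items():
        print(f"{software} -> {target}: {len(sites)} site(s) to update in one batch")
        for server, path, installed in sites:
            print(f"  {server}:{path} (currently {installed})")
    print("no advisory source:", unknown_software(INVENTORY, ADVISORIES))
```

Run with the sample data, the planner produces one WordPress batch (the two installs still below 3.2.1), leaves the phpBB feature release alone, and flags php-nuke as having no advisory source. Passing `security_only=False` adds the phpBB batch, which is the "new features, maybe not backward compatible" case the post says can wait.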