The dangers of neglecting your website
Many companies commission a shiny new website and agonise over the details, the content and the design. They proudly launch it, and it looks great and works on every device… But then they move on. It's back to the day job: the distraction of the new company website is over, and they can get back to making money instead of spending it.
“With WordPress we can update content ourselves…”
Six months or a year roll around quickly. The good intentions of regularly updating page content and news stories have already gone out the window. Hey, they probably can’t even remember how to do it… and what was the password anyway?
Sound familiar? This situation is all too common, and totally understandable. And who is it hurting anyway? OK, so they won't get the SEO benefits of having regular fresh content on their site, but that's not the end of the world: it's still performing OK, and most of the pages are still relevant anyway.
The more serious concern is keeping the technical side of the site up to date. Let's take your typical WordPress website (although this applies equally to any content management system). WordPress itself releases an update seemingly every week, featuring bug fixes or security patches. All those plugins that make your website do what you need it to follow suit, releasing updates to maintain compatibility with WordPress or to fix security issues of their own. The result is that when you do finally log in, you are confronted with a bunch of little red balloons with numbers in them demanding your attention, and links everywhere prompting you to upgrade this, that, or the other…
Where do you start? I bet you wish you hadn’t even looked…
The website still works, right? Let's just log out and forget you even saw it. Well, that's not such a good idea actually. Remember I mentioned 'security patches' as part of the updates? New security issues are discovered all the time, and it's a constant race to find and patch these vulnerabilities before hackers can exploit them. On the day your website launched, your web designer would have ensured you had the latest version of WordPress, your theme and all the plugins used, but chances are that literally a day later something would have needed updating.
Don't get me wrong, most of these updates are very minor and make no visible difference to your website other than a version number displayed on your WordPress admin screen. But keeping everything up to date could prevent your website from being hacked. A hack could put any data stored on your servers at risk, or could involve having your pages changed to display anything the hacker wishes (typically inserting links to dodgy websites of their own). Either way, the result is typically a costly and time-consuming fix that is embarrassing for your brand reputation.
“So if I log in once a week and accept all the updates everything will be fine?”
Mostly. Assuming you have regular backups of your site, just in case, the best option is always to update everything, and then to check your site carefully to make sure nothing has changed on the front end and everything still works as expected.
Hey Mr Postman (SMTP)
However, occasionally we get situations like the one we had recently. A very popular plugin called “Postman SMTP”, installed on over 100,000 websites, was discovered to have a security issue (a cross-site scripting, or XSS, vulnerability to be precise). The problem here is that the plugin's author had seemingly abandoned support of the plugin and had not released an update for around two years. So not only did it go unpatched, but anyone logging in to their WordPress dashboard to accept all the updates would still be none the wiser that there was any issue!
Many web developers were alerted to the issue over the last few months by keeping abreast of the security news within the industry. They should have taken the necessary steps to patch the plugin themselves or replace it with a different plugin that offers the same functionality but is being actively supported and updated (such as “Easy WP SMTP”).
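The gap described above, where a dashboard with no pending updates says nothing about whether a plugin is still maintained, can be checked for directly. The following is an added example, not code from the original article: it assumes plugin rows shaped like the output of `wp plugin list --format=json` and directory records carrying a `last_updated` string as returned by the wordpress.org plugin information API, and every slug, version and date in it is constructed sample data. It also flags plugins with no directory record at all, which goes a little beyond the case in the text.

```python
from datetime import datetime, timedelta

# "Around two years" without a release, the gap described in the article.
STALE_AFTER = timedelta(days=730)

# Constructed sample rows in the shape of `wp plugin list --format=json`.
INSTALLED = [
    {"name": "example-smtp-mailer", "status": "active", "update": "none", "version": "1.7.2"},
    {"name": "example-forms", "status": "active", "update": "available", "version": "2.3.1"},
    {"name": "example-gallery", "status": "active", "update": "none", "version": "4.1.0"},
    {"name": "example-private", "status": "inactive", "update": "none", "version": "0.9"},
]

# Constructed directory records keyed by slug (hypothetical plugins).
DIRECTORY = {
    "example-smtp-mailer": {"last_updated": "2015-09-20 9:20pm GMT"},
    "example-forms": {"last_updated": "2017-09-12 10:05am GMT"},
    "example-gallery": {"last_updated": "2017-08-30 1:15pm GMT"},
}


def parse_last_updated(text):
    """Parse a directory timestamp such as '2015-09-20 9:20pm GMT'."""
    return datetime.strptime(text, "%Y-%m-%d %I:%M%p GMT")


def audit(installed, directory, today):
    """Return (slug, finding, age_in_days) for plugins that need a human look."""
    findings = []
    for plugin in installed:
        record = directory.get(plugin["name"])
        if record is None:
            # Not in the directory: updates will never be offered for it.
            findings.append((plugin["name"], "no-directory-record", None))
            continue
        age = today - parse_last_updated(record["last_updated"])
        if age > STALE_AFTER:
            # "update: none" on a stale plugin is the dangerous case: the
            # dashboard looks clean, yet nobody is shipping fixes.
            silent = plugin["update"] == "none"
            findings.append((plugin["name"], "stale-and-silent" if silent else "stale", age.days))
    return findings


if __name__ == "__main__":
    for slug, finding, days in audit(INSTALLED, DIRECTORY, datetime(2017, 10, 1)):
        print(f"{slug}: {finding}" + (f" ({days} days since last release)" if days else ""))
```

Anything reported as stale-and-silent is a candidate for the manual patch or replacement described above, since the dashboard will never prompt for it.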
Making it look easy
Realistically, most companies don't have anyone who has the time or inclination to keep on top of all this, so the safest and most cost-effective solution is to pay a web developer a retainer to maintain their site. Done properly, it will look like they have done nothing at all: the website looks correct, there are no updates to apply when you are logged in, and it never gets hacked. In reality, if you actually do nothing it would be a very different story.