Security never stops. To keep your website secure, you have to keep upgrading your CMS software. The main upgrades are fairly infrequent, but a security release can come at any time.
How can you hear about these releases as soon as possible, so you can fix your website before it gets compromised? You need to subscribe to security announcements.
I'm assuming here that you are the actual administrator for your site. If you have a developer or developers who administer your site, check with your developers to make sure they stay updated on security announcements.
Watch for Warnings When You Log in
The first step to keeping your site secure is to watch for warnings when you log in. Some CMSs will automatically let you know if they need to be updated.
They may even provide a button that promises to do the update right there for you. In theory, this is great, but be careful: upgrades can break your website, so you may want to test the upgrade on a copy of your site first.
Why These Warnings Aren't Enough
These warnings are helpful, but you cannot rely on these warnings to keep your site secure. Here's why:
- You probably don't log into your site every day. This is especially true if you have multiple sites. Remember, a critical security update can come at any time.
- You might only be getting warnings for the "core" program, and not the plugins or modules that you've added to the site.
If so, these warnings are actually giving you a false sense of security. You're not getting warnings about the plugins, but these plugins are much more likely to cause trouble than the core program.
To keep your site secure, you'll need to manually subscribe to security announcements.
What You Need to Track
You may think of your website as a single system, but it relies on many different pieces of software from many different groups.
For your CMS, you'll need to monitor security announcements for:
- the core program (like WordPress)
- any plugins or modules you install
- any external libraries that these plugins require
Depending on your CMS, you may need to hunt down the security announcements for each of these parts separately. These are all different programs, with different teams. Each team has its own way of communicating security releases.
What are "External Libraries"?
In this context, you can simply think of an "external library" as another plugin or module that you have to keep updated.
Just as you're combining lots of bits of code to make your site, developers themselves often use bits of code from other sources to make their plugins.
Don't Forget the Underlying Software
Your CMS requires lots of other software behind the scenes. All this has to be kept up-to-date too!
The good news is, if you didn't install a piece of software, your web host, not you, should keep it up-to-date.
Still, make sure your hosting provider keeps their software updated. If they don't, find another host.
Subscribe to Mailing Lists and/or RSS Feeds
So how do you actually get these precious security announcements? It's a little different for each CMS, plugin, and module. Basically, you go to the project website, and see how they post announcements.
Usually, you get security announcements by subscribing to email lists and/or RSS feeds.
For a few plugins, new releases are only announced in a particular forum thread. But most forum threads offer an RSS feed, or else the option to get emailed when the thread updates.
Should you use RSS or email?
In theory, an RSS feed is more reliable than email, since email can fail along the way.
However, if you don't already check other RSS feeds every day, are you really going to start the habit for the sake of unpleasant security updates? Security updates are never good news. You might be safer sticking with email.
Or, do both. As long as you won't get confused about what you've already acted on, this works too.
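As an added example (not code from the original post), here is the kind of check the two sections above describe, in Python: it reads one RSS feed, compares each announced version against an inventory that covers the core program, a plugin and an external library, and lists security releases first. The feed, the component names and the versions are all constructed for the example; real projects publish their own feeds and title conventions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inventory: component name -> installed version (hypothetical names).
INVENTORY = {
    "examplecms-core": "6.1.0",   # the core program
    "gallery-plugin": "2.3.1",    # a plugin you installed
    "imagelib": "1.8.2",          # an external library the plugin depends on
}

# Constructed RSS feed standing in for the feeds each project publishes.
FEED_XML = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<item><title>gallery-plugin 2.3.2 security release</title><link>https://example.invalid/gallery/2.3.2</link></item>
<item><title>imagelib 1.9.0 released</title><link>https://example.invalid/imagelib/1.9.0</link></item>
<item><title>examplecms-core 6.1.0 released</title><link>https://example.invalid/core/6.1.0</link></item>
<item><title>themekit 4.0.1 security release</title><link>https://example.invalid/themekit/4.0.1</link></item>
</channel></rss>"""

# Assumed title convention: "<name> <version> <rest of title>".
TITLE_RE = re.compile(r"^(?P<name>[\w-]+)\s+(?P<version>\d+(?:\.\d+)*)\b(?P<rest>.*)$")

def parse_version(v):
    # Numeric tuple so "1.10.0" sorts after "1.9.0" (string comparison would not).
    return tuple(int(p) for p in v.split("."))

def find_pending_updates(feed_xml, inventory):
    # Returns (name, installed, available, is_security, link) for each feed item
    # about an installed component whose announced version is newer than ours.
    root = ET.fromstring(feed_xml)
    pending = []
    for item in root.iter("item"):
        m = TITLE_RE.match((item.findtext("title") or "").strip())
        if not m or m.group("name") not in inventory:
            continue  # malformed title, or a component we do not run
        name, available = m.group("name"), m.group("version")
        installed = inventory[name]
        if parse_version(available) <= parse_version(installed):
            continue  # already on this version or newer
        is_security = "security" in m.group("rest").lower()
        pending.append((name, installed, available, is_security, item.findtext("link")))
    pending.sort(key=lambda p: not p[3])  # security releases first
    return pending

if __name__ == "__main__":
    for name, installed, available, sec, link in find_pending_updates(FEED_XML, INVENTORY):
        print(f"[{'SECURITY' if sec else 'update'}] {name}: {installed} -> {available}  {link}")
```

Run against the feeds of every component in the inventory, this turns "hunt down the announcements for each part separately" into a single daily list.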
Go Forth and Subscribe
It should only take a half hour or so to go out and subscribe to all the security announcements you need for your website. So go do it. You'll feel much better.