Absolutely every web site is subject to hacking. Whether your site is a static (non-database) site or one that is built on a database of any kind, including a Content Management System (CMS) or blogging platform, it’s out there for the hackers to mess with. There is no way around this, period. Hackers enjoy disfiguring and destroying web sites; it’s what they do, and they can make a mess of your web site with anything from disfigurement all the way up to total destruction.
I think it takes a pretty sick individual to find their fun in destruction of any kind, but if you have a web site, it’s just a fact of life we all must live with. If you’re very lucky, your site will never be hacked, but not everyone is so lucky. I’ve had just one client web site hacked since I’ve been in business and so I do consider myself amongst the lucky ones, so far that is. I know this can happen not only once but to any of my own or my clients’ web sites. Designing web sites doesn’t give me or my own web sites auto-immunity. I can’t protect my own site from hackers any more than I can yours.
Can a Site be Hacked More Than Once?
You bet it can! A good web designer will do what they can to protect your site from hacking, but unfortunately not a single one of us can give you a guarantee it’ll never happen to you. There are many of us who’d like to find a way to put hackers out of business, but I don’t foresee this happening in my lifetime. I truly believe that if a dedicated hacker were to keep at it long enough, they’d be able to hack into sites like the U.S. Treasury. I really have no doubt that one day this could happen.
Hackers are one of the biggest reasons, if not the biggest reason, that it’s so very important to keep your web sites updated to current coding standards. If your web site is built on a CMS or blogging system, it’s not unusual for security updates to come regularly. About the time the developers patch one security hole, another one is found. This doesn’t mean they do sloppy work; it means that they are doing their very best to keep one step ahead of the hackers. Not an easy job to say the least and I give them credit for doing their very best to accomplish this.
When security updates become available, it’s imperative that you contact your designer and double check to be sure that he or she has upgraded your site to include the newest security enhancement. Chances are they’re already aware of the newest patch, but it doesn’t hurt to check in with them on this.
You do need to be fair and realistic about it, though. Remember, your designer may have multiple web sites to upgrade, and although this isn’t usually an overly time-consuming process, the more sites a designer maintains that are in need of an upgrade, the longer it will take. So, give your designer a break and don’t expect that the minute an update becomes available your site will be at the top of their priority list. Chances are they already know this needs to be done and have made time in their schedule to take care of it, but an upgrade is not necessarily going to happen immediately. This doesn’t mean your designer isn’t doing their job, but they do only have two hands, only so many associates to assist them (if any) and only so much time in a day. Sites that include things like member logins, owner site updating capabilities and shopping carts are going to be first on their list because these sites quite often are the most at risk of being hacked. Because a designer would prefer to avoid a site hacking, they’re more than likely not going to procrastinate.
Am I Going to be Charged for Security Updates?
Absolutely. Remember, it’s your web site, not theirs, and there is no reason any designer should be expected to eat the cost of the time involved to update a client’s site. Your web site and all related costs are your responsibility. Performing a security upgrade on a web site is considered a part of good and necessary web site maintenance. It’s treated as work performed and billed according to your contract. Depending on the system your site uses and how involved the update process is, you can expect upgrades to take anywhere from about 15 minutes to an hour or so. That’s really not much time to help ensure that your web site is as up to date and safe as humanly possible. Key phrase here is “humanly possible” because no system is infallible.
If you don’t like the thought of being charged for upgrading your system, think long and hard about the cost of repairing a system that’s been hacked. I can assure you, fixing a hacked site is much more costly than applying updates as they become available. A hacked site repair could cost you hundreds or thousands of dollars not only in repair costs, but in lost revenue if your site is totally or even partially disabled. Your site could literally be defaced and displaying embarrassing content that you definitely don’t want your customers to see! A serious hack could actually take your site completely out of service. The fix for the one hacked client site I mentioned was to re-create the entire site. Obviously, this wasn’t an inexpensive adventure.
If your designer has advised you that one or more security upgrades are necessary and you refuse to allow the designer to perform them in the interest of saving money, you can expect that if hackers invade your site and now you want the previously available upgrades … and you want them immediately if not sooner … you could also face the cost of rush repairs, which in some instances may run you double the amount it would have cost you had you allowed the designer to perform them as routine maintenance.
How Often Can I Expect to Need a Security Update?
Unfortunately, there is absolutely no way to know this. To ask this question is like asking us to dust off our crystal balls and do a reading. A popular CMS or blogging system is more prone to hacking than those less popular but none of them are immune. It sometimes happens that once a patch is released, a new one may come out very shortly thereafter, or it could be weeks or months before a new security breach is found and a patch is released.
What About Non-Security Related Upgrades?
I normally do not perform routine non-security related upgrades unless there is some other reason they need to be performed. Non-security upgrades may simply include a new function that would benefit the client’s site (but won’t break without them) or other non-essential features that if not upgraded, are not going to affect the site’s performance. The next security upgrade released will include any little enhancements anyway, so there’s no point in performing an upgrade unless it includes a new-fangled feature the client decides they absolutely can’t live without at least until the next security upgrade.
Performing upgrades to a database system is not one of my favorite things to do. I can think of at least a dozen things I’d rather be doing and so I really don’t have a desire to and don’t see a need to be raking the client’s wallet over the coals for non-essential maintenance. If you want a non-essential upgrade, I’ll be more than happy to do this for you, after all you’re paying for it, but you can expect that I’ll suggest that you wait for the next security upgrade.
Why is that? Upgrading a site does carry with it a certain amount of risk. It’s not something to take lightly. Simply put … I don’t want your site to go down or need repair any more than you do and I don’t want to add unwarranted cost to your bill. Fair enough?