Web security can no longer be an afterthought.

Web security can no longer be an afterthought.Web security can no longer be an afterthought.

In the past few years, I've seen my share of hacked websites. A few WordPress vulnerabilities here, some unpatched Drupal zero-days there. Good passwords re-used, bad passwords from the beginning.

If there's a common thread over the last few years, it's how common place hacks have become, using the term loosely.

But how can we, as developers, digital strategists, marketing directors, or even jack-of-all-trade CEO's stem the tide?

We can start by talking about it.

There's an old saying; talk is cheap, and while that ultimately rings true, the more these hacks are discussed, the more publications talk about the newest vulnerabilities in common CMS platforms like WordPress, Drupal, Joomla, et al, the more the focus the industry at large places on these platforms.

The more you, your company, or even your family, are hounded by articles about poor password management, the more likely you'll be able to convince them that investing in setting up and managing a password manager like 1Password, LastPass, or Bitwarden is worth it.

But there's more that we as developers, agencies, and technical professionals can do, and that starts with educating everyone involved with the project about security related hurdles that must be overcome. This can be as simple as a designer making concessions about password fields, and as complex as writing testing scripts for every piece of code, but the conversation needs to happen, and it needs to happen at every stage of design and development.

Which includes... wait for it...

Updates, updates, updates.

Popular platforms like WordPress, Drupal, Joomla aren't going anywhere. Neither are package managers like composer, npm, yarn, and the new (how exciting!) pikapkg.

When vulnerabilities happen, and they will happen, you need to be prepared to roll out updates on the affected services, and quickly - within the last two years, I've personally seen at least two major properties fall to zero-day vulnerabilities within days.

This is, fortunately or unfortunately, the world we live in now - updates come, and you must embrace them.

Will that occasionally mean your favorite plugin stops working? Yes. Will it mean you need to spend more money and time making sure things continue to work? Absolutely.

But updates are part of life with the internet. The complexity of software currently prevents us from ever truly squashing every bug, every vulnerability.

Of course, you shouldn't be afraid either. Strong hosting partners for WordPress and Drupal like Pantheon and Acquia, can help alleviate some of the stress - especially when it comes to updating (yay staged deployments!) and even some preventative security work.

Most importantly, you're not alone. Other businesses and people are going through some of the same paradigm shifts, and many are talking openly about their experiences.

But security can no longer take a backseat - It has to be a priority.

Have a security story you want to share? Need a new partner for your online presence? Drop us a line at hello+blog@eightfold.io