There is a problem in the HTML sanitation library used in WordPress prior to release 3.0.4. This also affects the 2.X series, so you should still update!

This release incorporates more than 500 tickets, bugs, and enhancements. A few of most significant improvements include:

• Global undo/”trash can” feature. If you accidentally delete a post or comment you can recover it.
• A built-in image editor. Now you can crop, edit, rotate, flip, and scale your images.
• Batch plugin update and compatibility checking. You can update multiple plugins at once.
• Easier video embeds. Just paste a URL on its own line it is converted to the proper embed code.

We recommend you backup your core files and your database before initiating an upgrade. We have upgraded two websites so far to WordPress 2.9 with no issues, but your mileage may vary. Backups are always a good idea!

I’ve tested the upgrade on one site so far, and it went very smoothly. On that site, I had customized my install.php file and during the upgrade via subversion, I was asked what I wanted to do with that customized file.

After the upgrade was installed, a database upgrade was required, but this was one click of a button.

Looking through the administrative interface for WordPress 2.8, the big things that jump out at me are the changes to displaying and handling themes, widgets, and plugins. I also notice the speed of the site – both the public pages and the administrative back end – is noticeably faster.

Also in the upper right-hand corner of the screen is a Screen Options pulldown menu, where you can change some of the way your post and page screens are displayed. If you change to one column, then change back to two columns, some items may not reappear in the right column. You can drag-and-drop those blocks from the bottom of the page to the right column.

Backing up your site before upgrading is always a good idea. Follow the issues on the WordPress.org forums as folks around the world upgrade to WordPress 2.8.

I’ll keep testing!

But there’s a new kid on the block, and it’s great. If you’re open to purchasing software for protecting your computer, consider Sunbelt Software‘s VIPRE™. Combining antivirus and antispyware in one package, VIPRE provides real-time protection and uses relatively little of your computer’s precious CPU and memory.

I’ve been running VIPRE for a few weeks, and not only has it found bugs other vendors have missed, my computer is running faster and cooler than ever.

It gets better. Unlike any other vendor I’m aware of, Sunbelt offers an unlimited home license for $49.95 a year…for as many Windows-based home computers as you want. They have one and two PC licenses, but if you have three or more PCs, this is an outstanding deal.

But wait, there’s more! VIPRE isn’t just antivirus software. It incorporates Sunbelt’s CounterSpy technology to protect you from spyware.

If you like to follow security blogs, Sunbelt Blog is often a good read.

FULL DISCLOSURE: I have no financial interest in this vendor. I do not receive any commission or other remuneration from sale of this product. It’s just a great product, my new favorite.

Wireless access points (wireless routers) pose a wide range of potential security risks.

Was it a nearby home?

I climbed out of my vehicle, laptop in hand, and started walking around the neighborhood. I found several wireless access points, and all were configured to protect access using Wired Equivalent Privacy (WEP) or WiFi Protected Access (WPA). (You should no longer use WEP because it is too easily cracked.)

All access points were encrypted, that is, except one. One access point was configured to allow anyone to use the wireless connection. The signal became stronger the closer I walked to the administration office of the church.

Not uncommon

Since then, I’ve visited other churches. Several had wireless access points active, and a few were, like my first discovery, not protected.

To folks who engage in wardriving, this is not news.

Neighboring homes and businesses could also be using your internet connection, from surprisingly far away. It’s easy, just pick up a Cantenna online or build one.

What’s the big deal?

So what’s the big deal about having an unprotected wireless access point? In a word, your reputation. Once lost, trust is very difficult to regain.

The opportunity to engage in less than savory activities over a church (or school, or small business, or home) wireless connection might prove irresistible to some. Whether it is browsing web content you wouldn’t want your family to see, or intercepting credit card information passed during online purchases, the potential risk to your
organization is significant.

Knock, knock

If law enforcement officers come knocking on a door, it will most likely be the door of the entity owning and operating that wireless access point, not the person who was using your connection.

Substantial public embarassment and damage to your reputation can occur if you are accused of illegal or inappropriate activities. In the eyes of the law, you are innocent until proven guilty, but in the eyes of your community, you may be considered guilty until proven innocent. It takes only one incident to ruin your reputation.

PugetPro can help you secure your wireless access point and network. You can also find online guidance on securing your wireless network.

You can use OpenDNS without creating an account: just point your DNS to their name servers. Fast DNS and automatic phishing protection is now yours.

A free account brings you filtering

If you create a free account, you’ll receive substantial additional benefits. According to OpenDNS, these benefits include:

• Parental controls
• Faster, more reliable internet
• Phishing protection
• OpenDNS guide
• Customization
• Shortcuts
• Typo correction

You can make the filters granular by adding exceptions. For example, I block gambling sites, but needed to access a local casino for show times. The filter blocked me from seeing that page, but by logging into OpenDNS and adding an exception for that site, I was able to get that content. Meanwhile, all other gambling sites remain blocked.

Filtering can be easy

OpenDNS offers some preconfigured choices:

• High: Protects against all adult-related sites, illegal activity,
  social networking sites, video sharing sites, and general time-wasters.
• Moderate: Protects against all adult-related sites and phishing.
• Low: Protects against pornography and phishing.
• Minimal: Protects against phishing attacks.

Custom settings let you configure your own choices:

• Adult Themes
• Adware
• Alcohol
• Auctions
• Automotive
• Blogs
• Business Services
• Chat
• Classifieds
• Dating
• Drugs
• Ecommerce/Shopping
• Educational Institutions
• File storage
• Financial institutions
• Forums/Message boards
• Gambling
• Games
• Government
• Hate/Discrimination
• Health
• Humor
• Instant messaging
• Jobs/Employment
• Lingerie/Bikini
• Movies
• Music
• News/Media
• Non-profits
• Nudity
• P2P/File sharing
• Parked Domains
• Phishing
• Photo sharing
• Podcasts
• Politics
• Pornography
• Portals
• Proxy/Anonymizer
• Radio
• Religious
• Research/Reference
• Search engines
• Sexuality
• Social networking
• Software/Technology
• Sports
• Tasteless
• Television
• Travel
• Video sharing
• Visual search engines
• Weapons
• Webmail

What’s the downside?

There isn’t much of a downside. Of course any requests you make through a web browser will be “seen” by whoever controls the nameservers your request passes through. That’s true right now for whatever internet service provider you happen to be using. The same will be true with OpenDNS, so there is a wash in terms of privacy.

It is rare but possible for one or more nameservers to stop functioning. OpenDNS has good redundancy in their distribution of servers. I recommend you keep a copy of the nameserver IP addresses your ISP uses. If OpenDNS goes offline for any reason, a few moments putting your ISP nameserver addresses into your router will get you back online in a jiffy. In two years, I’ve only had to do that once.

Get started

Visit https://www.opendns.com/homenetwork/start to get started today. Directions are pretty simple:

1. Change your DNS (required).
2. Create an account (optional).
3. Manage settings in your dashboard (optional).

If you’re technologically savvy, jump to the OpenDNS best practices page for interesting information about additional things you can do with this service.

Not just for office use

OpenDNS is also used in homes, K-12 schools, small businesses, and larger enterprises. Visit the OpenDNS home page for more information.

You can be part of the OpenDNS community

Websites are tagged with descriptors. Sometimes they are not tagged correctly. As a registered user, you’ll be able to participate in the OpenDNS community and submit corrections to website tags. While this is beyond what most home users probably want to do, it is a great way to learn more about OpenDNS and web filtering in general.

It’s not foolproof

There are ways for computer users to bypass the content filters provided by OpenDNS, but I’m not going to explain how to do that here.

How is one to judge whether each source is credible? News is no longer believable like it was back in the Walter Cronkite era. The only safe course is to believe everyone and to believe no one, because the truth is simple: nobody knows what will come next in terms of attacks against personal computers.

The complexity of this topic is such that Jane and Joe Computer User have no way to adequately protect themselves without becoming experts in the field of computer security. That’s an unreasonable demand, but
read on, because there is a solution that may just work for you.

Computers should be like toasters

Most of us just want our personal computers to be like toasters: reliable, simple, and automatic. I’m still waiting for the computer that meets these criteria.

Security solutions designed to protect average computers users have become terribly confusing and burdensome to install and maintain. This means some systems are certain become vulnerable, because maintaining these complex systems just doesn’t get done.

There is no common language among professionals

To complicate the life of Jane and Joe, vendors of security products are balkanized, developing and hawking their wares with little cross-talk between them. Even the names for various viruses differ between vendors. That is like having several doctors reviewing a medical issue but each speaks a slightly different language. Leveraging the collective wisdom of these experts becomes impossible because there is no lingua franca, and because normal business models effectively prevent cross-fertilization of key knowledge and ideas.

Computer and data security for home users and small businesses shouldn’t be like bowling, where the skill of the individual determines the outcome. That paradigm presents a world of plums ripe for the picking by those who wish to take advantage of vulnerable people and systems.

There is an obvious need for a solution that integrates the detection, blocking, and removal of viruses, malware, trojans, bots, and all the other labels we give to the stuff seeking to enter our computers and do us wrong.

What about security suites?

I’ve used current versions of several security suites promoted by major vendors, and I find them severely lacking in usability. Some pop up windows so often they are disruptive to the end user. Some simply block content silently, leaving Joe or Jane wondering why some content isn’t being displayed. They are resource hogs. Some are notorious for being difficult to remove from a system when the end user becomes so irritated the preferred solution is to simply uninstall the software.

We rarely talk about another Achilles heal: these software solutions reside on the very platforms they are trying to protect, so if the platform is compromised, it may be possible to silently compromise the security software, giving users a false sense of safety as they do their emailing, banking, investing, and shopping on the internet.

There are some solutions that do not rely solely on virus signature for detection. These products are not as mature as I’d like to see.

We need a security toaster

What Jane and Joe need is a separate hardware appliance dedicated to running the various firewall and virus/adware/malware/phishing detectors/blockers. That appliance needs to be read-only, requiring authorized intervention to update. The appliance should be manageable by an above average computer user, or optionally managed remotely through a subscription service. That’s the best scenario I can think of at this point in time.

A security appliance like this would provide some key benefits:

• Some processing load is shifted off Joe or Jane’s personal computer.
• An additional layer of security means penetration and compromise likely becomes more difficult to achieve.
• A read-only configuration provides some surety against remote attacks against the security system itself.
• A single appliance that consolidates these features can provide protection to multiple downstream computers.
• Remote management can allow average end users to enjoy their computers with far less exposure and worry.
• Offloading the security solutions can make protection less easily bypassed by other users on the same network.

And a security toaster exists!

Do such appliances exist? Yes. Probably the most reasonable one is the D-Link DSD-150 SecureSpot Internet Security Adapter. Described by the vendor as an “all-in-one, whole home, internet security adapter,” this inexpensive device may be a viable solution for folks looking for simplicity and protection combined.

Compare this device with the usual alternative for a home network: individually purchasing, installing, and maintaining the necessary software on each and every computer on the network.

WARNING: Such a device does not mean you should go without antivirus software on every computer, but free or low-cost solutions on each computer may be sufficient to provide the additional layer of protection, rather than buying expensive name-brand solutions. You should always protect every computer in case another layer of
protection fails.

What about open source?

Are there open source solutions? Sure. The one I like the best is DansGuardian. It is a robust, widely used solution that provides real protection. The downside is that DansGuardian must run on a separate computer, and it
doesn’t run on Microsoft Windows. Thus, while I am a proponent of open source software in general, running a separate server on a home network falls outside the context of this article, which is about simple solutions for Jane and Joe Computer User. For that, the D-Link appliance is a more likely solution.

Links to some reviews of the :

• Practically Networked, October 2006
• D-Link DSD-150 SecureSpot Internet Security Adapter on Amazon

(You may wonder why I include WordPress — known as a blogging platform — in this article on content management systems. Well. A blog has content. You manage that content through the WordPress system. WordPress has much more power than many blogging platforms. On that basis, I consider it a content management system more than a blogging system.)

Security

Security can be an issue with each of these CMS engines. You can find more information by digging through the IBM Internet Security Systems X-Force® 2008 Mid-Year Trend Statistics (PDF) document.

Lessons learned

There are several fundamental lessons I’ve learned in using these systems, which I share hoping they will help someone else avoid some pain:

1. Do not assume any content management system is invulnerable to attack or compromise.
   All of them benefit from additional security measures that depend on the operating system you are using, how much you know, and what third-party products you are using to supplement core functionality of
   the CMS.
2. If underlying systems are vulnerable, the CMS is vulnerable. Yes, I’m talking about your Perl or PHP installation, and your Apache or IIS instance.
3. Be wary of all third-party products because they can make your CMS vulnerable.
   A pretty website describing the third-party product doesn’t mean the product is well-coded and secure. If you don’t need that product, don’t use it. Do some research. Read forums.
4. Actively monitor logs for odd URLs and errors, and then adjust your security settings. If you see an odd URL that is returning code 200 (Apache), investigate. It may be innocent…or it may not.
5. Pay attention to folder and file ownership and permissions. It only takes one folder or file with the wrong settings to create a doorway attackers will find and exploit.
6. Stay up-to-date with security notices for your chosen
   content management system and for every third-party product you use to
   enhance your CMS. Some CMS providers make this easier than others.
7. Upgrade as new versions are released…but backup your entire site first.
   Depending on the reason for a new version, I sometimes wait a few days to see if the upgrade breaks other websites using that CMS. If the upgrade is to patch a critical vulnerability, I do not wait…but I do backup the entire codebase as installed on my server, and my database tables, because sometimes upgrades break things.

A word about themes and third-party products

Each content management system uses specific terminology to refer to themes or templates, and to third-party products available to enhance the core functionality of a CMS:

• Drupal calls these themes and modules.
• Joomla! has templates and extensions, and within the category of extensions you will find plugins (previously called mambots), components, and modules.
• WordPress has themes and plugins.

Rather than confuse you with talk of modules, extensions, plugins, mambots, components, modules, I will simply refer to these as third-party products.

Drupal

I remember the first time I gave Drupal a test drive, several years ago. I did not grok Drupal at all, and after fiddling with it for a couple of hours, I threw my hands in the air and gave up. Fast forward to the last couple
of years, and I find Drupal much easier to use, although upgrading is sometimes more challenging than I’d like.

Strengths:

• Powerful codebase.
• Potential to use one codebase for multiple subdomains or virtual sites.
• Friendly URLs.
• Secure codebase is actively maintained. See their Security Team page for more information.
• Pretty secure when installed, without doing anything special.
• Third-party modules are actively monitored for vulnerabilities.
• A single security mailing list for Drupal administrators is available, which means one source for comprehensive news about security issues and fixes.
• Tagging of posts, allowing site administrators to provide a richer browsing experience to visitors.
• Plenty of themes to choose from, both open source and commercial.
• Plenty of third-party products to enhance Drupal.

Weaknesses:

• WYSIWYG is not native. If your contributors are technically oriented folks, this may be an advantage.
• No native document management solution.
• Drupal still uses old-school CVS to maintain their code repositories.
• Upgrading is a convoluted process requiring several steps that are not presented to the administrator in a smooth workflow. Upgrading Drupal is not as easy as WordPress (but see my WordPress comments
  below).
• The administrative backend is still somewhat disjointed, requiring that you know where to go to make particular changes, and sometimes those changes require multiple steps in separate places to accomplish
  your goal. In short: still confusing until you become practiced at administering your site.

Joomla!

What attracted me to Joomla! as a CMS? I first became interested before Joomla! was born, when Mambo was the up-and-coming open source content management system. I recall there was some emerging dissension about direction within the group of core developers, leading to a split. Mambo went commercial, and the codebase was forked. Joomla! remains incredibly active, with a large installed footprint in virtually every country on the planet.

Joomla! forums are very active, and peer-to-peer support is very helpful. Some templates are simply gorgeous.

Strengths:

• Powerful codebase. Like Drupal, it can do almost anything you want it to do.
• Wrapper function, which is Joomla!-speak for iframes embedded inside your template to make your website seamless.
• Search-engine-friendly URLs in older versions required various additional components. The Joomla! 1.5.x series makes this much more transparent.
• Powerful third-party modules for document management include DOCMan and Remository.
• The most beautiful templates are made for Joomla! websites. I find more large commercial enterprises actively developing and selling Joomla templates than for Drupal and WordPress.
• Friendly administrative back end. While it does require practice to become proficient in administering a Joomla!-driven site, the learning curve is not as difficult as with Drupal.
• E-commerce solutions abound to help you create and manage an online store or product catalog.
• Good editor for posting content.
• Plenty of third-party products to enhance Drupal.

Weaknesses:

• Implementing friendly URLs may require some serious .htaccess fiddling.
• Not particulary secure “out of the box.” It’s a common mistake to install Joomla and assume the resulting website is secure. Joomla! is reasonably secure but security can be substantially improved if the
  administrator takes time to do some reading and make some configuration changes.
• Joomla! developers do not check security of third-party mambots, components, or modules. Joomla’s Achilles heal is these third-party products that sometimes make the website vulnerable. Of course, the
  same can be said of all content management systems, but I’ve personally seen more issues with Joomla! third-party products than those for Drupal and WordPress.
• There is no single source for news about Joomla! vulnerabilities that includes third-party products. To remain on top of a Joomla! installation, the administrator must regularly visit each third-party
  website or subscribe to each product’s newsfeed.
• No tagging of posts. This is significant. A post can only go into one category. Joomla!, without any third-party products, cannot list an article in more than one category, so creating rich, contextual content
  is very challenging. Joomla! content lives in silos.
• My experience is meta tagging is  not Google friendly. I notice that some crawlers have problems with my Joomla! sites, resulting in substantial duplication of site content listed in search engine indexes.

WordPress

I use WordPress for personal blogging and for some work-related websites. I usually select this solution when I’ll have non-technical users posting content, because ease-of-use means they will engage more actively in adding to, and maintaining, their content.

Strengths:

• Powerful codebase, more powerful than many folks realize. It is not just a blogging system.
• Rich tagging and categorizing features, allowing content to be presented in a way that more closely follows how many visitors browse websites.
• Search-engine-friendly URLs usually just work. If they don’t work right out of the box, an older style that appends a friendly string after index.php works.
• Powerful third-party modules for document management include DOCMan and Remository.
• Many templates are now search engine optimized, making crawled content more easily accessible and allowing it to rank higher that sites developed in some other content management systems.
• Spam filtering through Akismet is clean and powerful.
• A friendly administrative back end. Although different than those used by Drupal and Joomla!, it seems to take less time to learn to use it, and fewer trips to forums and tutorials to figure things out.
• The code repository is in Subversion, so upgrading a WordPress instance that was installed through SVN can be amazingly easy. I like to install from SVN, and upgrade directly from SVN.
• Widgets! Third-party products can be embedded in a post or page with a little PHP coding, or can be inserted in sidebars (if your theme supports this) through a simple GUI interface. You add and subtract
  site features with these widgets.
• Good editor for posting content.
• Plenty of templates available.
• Plenty of third-party products available.

Weaknesses:

• Slower than Drupal and Joomla!. I wish it weren’t so, because for non-technical users, WordPress is a great solution. I’ve optimized some database queries, removed some extra code (unneeded, in my opinion),
  compressed cascading style sheets, offloaded common Javascripts, and implementing caching…and still my sites are slower than comparable Drupal and Joomla! sites.
• Many of the templates look so similar that it is sometimes easy to recognize a WordPress site simply by the layout and theme. (The same is true for Drupal sites.) This is changing, with better templates appearing almost daily.

Compare for yourself

Wikipedia has a list of content management systems you can browse. CMS Review provides something called a comparator

that supports side-by-side comparisons for two content management systems at a time…but I did not find Joomla or WordPress in the list provided by the comparator.

The CMS Matrix allows you to select from a huge variety of content management systems and generate a side-by-side comparison of features.

Which CMS is right for you?

If you have a simple personal or company site where you don’t need to maintain a large library of documents or make sales online, consider WordPress. Many attractive WordPress themes are available for both personal and business-style sites. While you can have documents listed in WordPress, and can utilize PayPal buttons and
similar solutions, I don’t find substantial solutions to these needs in the WordPress plugins directory.

If you need an e-commerce solution or an online library, Joomla! may be the ticket. Visit the Joomla Extensions page to begin investigating third-party products to meet your needs. There are many Joomla! themes available. One of my favorite theme vendors is Joomlashack, where well-coded free and commercial themes are available.

If you can invest some time in customizing your template and you need a secure, well-maintained, powerful codebase, Drupal may fit your needs well. There are many Drupal themes available, as well as a large number of powerful Drupal modules.

Friends and family know I am not a big fan of Norton-branded software, for three reasons:

1. For a family or small business, getting human-understandable support can take exceptional effort and excessive time.
2. Uninstalling can be difficult. Norton often leaves stubs hiding in the Windows operating system registry.
3. Pricing practices are simply disrespectful. You can often buy a new version of the program for a fraction of the price of upgrading your existing program. Punishing existing customers to help generate a lower price point for new customers is, in my opinion, abusive.

So when this client said he had made up his mind to jump off the Norton train and asked for some advice, I was happy to oblige.

I looked for a well-tested alternative that would also save the client’s organization some cash. One of the top contenders was BitDefender Total Security 2008. Pricing from NewEgg.com is particularly attractive, and the client chose the two-year license for five computers at a cost of $100.

BitDefender Total Security 2008 is a full-featured package, not just an antivirus solution, containing:

• Antivirus
• Antispyware
• Antiphishing
• Firewall
• Antispam
• Parental control
• Backup
• Tune-up

Norton provides a removal tool to help achieve a complete uninstall. After using the removal tool, BitDefender installed easily.

If this is a solution you might be interested in, take a look at some online product/performance/usability reviews:

• Top Ten Reviews: BitDefender
• PC Mag reviews BitDefender
• ZD Net reviews BitDefender
• IT Reviews article on BitDefender

Update

I have since installed BitDefender on WinXP and Windows Vista computers, and find it works quite well.

That’s good, right? Well, yes…and no.

As a way to quickly get a basic website online and publish content, installers are a great help. After reading a few web pages of text, clicking a few buttons, and typing some basic information into a dozen or so text boxes, your new website will become accessible to the world. There is no easier way to create and deliver web-based content using a leading content management system than by using an installer to get going.

One CMS I use for some websites is Joomla!. Out of the box, Joomla is powerful and pretty secure. Some significant security researchers and major corporations use Joomla to manage and display their web-based content. They wouldn’t do this if they couldn’t keep their web content safe from unauthorized alterations.

We’re not picking on Joomla. The same factors apply to most other content management systems.

Does that mean all Joomla websites are secure? No. Just read some of the current posts on the Joomla security forum to see that not all Joomla websites are secure.

Attack vectors constantly change

First, we know attack vectors change constantly. I read log files, and while most of the attacks against servers I manage are well-known, every week some new styles are logged. Usually, these are just variations on a known vector. Occasionally, I get to see a new attack, one targeted toward a vulnerability just discovered or not well known.

Your CMS codebase changes

Second, the codebase of your CMS changes as vulnerabilities are found and patched. That doesn’t mean your particular implementation of a CMS automatically changes. Patches must be applied to your installed codebase in order to keep your core system secure.

So what’s my point? The folks trying to break into your site are constantly banging away on the front and back doors to your website. If you simply create a CMS-based site and then turn a blind eye to the underlying system, your system will likely eventually be compromised. When you leave your codebase static, you create opportunities for bad folks to exploit newly found vulnerabilities.

How do you avoid this kind of situation without investing lots of money? There are options, but all take a bit of care.

Don’t use a CMS

A CMS is ideal when you have content that grows or changes frequently. If your content is relatively unchanging, consider not using a CMS. You can post HTML-coded pages and avoid some of the exposure created by a misconfigured or poorly maintained CMS.

It’s not hard to create simple HTML-coded pages. For most folks, however, using a WYSIWYG editor makes it much easier. Microsoft’s Expression suite of products can create powerful web pages on your desktop computer, and then you upload the finished pages to your public website. Similarly, Adobe’s Contribute software allows you to make changes to your web pages from your desktop.

Properly configure and maintain your CMS

Directory and file ownership, access controls, permissions, and similar settings can keep the bad folks from compromising your website. If you are unfamiliar with the things listed in the previous sentence, we recommend hiring a professional to review your website settings. On Linux and Unix-like systems, htaccess files can be constructed to block many attacks.

We also recommend managing your CMS over SSL-encrypted sessions. To confirm you are surfing over an encrypted session, look for the HTTPS in the web address and for the padlock in your browser’s task bar, just like you would when purchasing things online.

You should also subscribe to whatever security forum provided for your particular content management system. When vulnerabilities are announced that apply to your CMS configuration, backup your site and data, then patch your system.

A properly configured and maintained CMS can be just as safe as posting plain HTML pages.

Use a hosted CMS

A previous article titled “Five minutes to create your online presence” would seem to be in conflict with the theme of today’s article. Actually, that article is a solution to the difficulty of installing and managing your own CMS. Vendors who host a single codebase for many independent websites tend to keep up with patching their code. That
means a hosted blog or wiki may give you a way to have your website without worrying about maintaining the underlying code.

However, if you install and use themes, modules, extensions, or other add-ons not created by the CMS developers, you may need to keep up with patches for those non-core products.

Be wary of contributed modules

Joomla has a very active community of folks creating a wide variety of small programs that extend the functionality of the core Joomla system. Drupal, WordPress, and other systems have similar communities. When you install and use one of these third-party extensions or modules, you may also be creating vulnerabilities. Not all programmers are as security aware or capable as the developers of the major content management systems. For folks using these third-party add-ons, we recommend frequent monitoring of each add-on’s home page, forum, or notices so you can stay on top of new code releases.

One of our services is monitoring the system and configuration you are using, and optionally installing patches when new code becomes available. To do this, we create a profile of your installed code and third-party add-ons, then add those vendor and developer sites to our list of regular visits. When code changes are published, we check them against your profile. This change monitoring and management service can give you great peace of mind, preserve your reputation, and help assure uninterrupted information flow to your customers and members.