A recent report shows that only one-third of Drupal 7 websites are up to date. The Drupal data was put together by a company specializing in security, which used the data “publicly available that comes from the Update status/Update manager module in Drupal.” (This data can be viewed on the relevant Drupal.org project page.)
The data, put together by White Fir Design, shows that while 79 percent of Drupal sites are using some version of Drupal 7, barely 33 percent of those are running the latest secure version: Drupal 7.26.
It seems common sense to update your software to the latest secure version — particularly when a well-documented security vulnerability is made known and corrected in updated versions. However, sometimes updates slip through the cracks. It can be all too easy to think, “I’ll get around to updating my site later.”
“For Drupal 6,” the report goes on, “the situation is worse.” The latest versions of both Drupal 7.x and 6.x were released on January 15; however, only 19 percent of Drupal 6 sites have had the corresponding security patch installed. More troubling, “20 percent are at least two years out of date, which means they have missed at least four security updates.”
In a related piece, the authors point out that a major financial services company, which handles more than $511 billion of assets, is running an outdated Drupal 6.19 on its US site.
This means that the site has missed out on six security updates to the Drupal 6 core, and the site’s software has not been updated in more than three years.
While there can be good reasons to avoid updating to the latest version of a piece of software (Drupal 6 sites do not, as a rule, have to be updated to 7 to be secure), it is always recommended to apply security patches that address major vulnerabilities.
However, just because a site is not on the latest version of its software doesn’t mean that it is automatically insecure.
As the authors note:
“Because we often see people saying otherwise, it is important to note that just because there is a newer version of software available, it doesn’t mean that an older version is not safe and secure, as long as the older version continues to receive security updates.”
In short, even multi-billion-dollar investment companies can fail to update their website platform to the latest secure version. Don’t make the same mistake. When important security updates are released, be sure that your site is safe and up to date. You may not have more than $500 billion in assets to manage, but your website is priceless to you. Protect your investment. Update your site.
As always, if you have any questions about setting up your own site’s updates, don’t hesitate to call a member of our support team. And if you’d prefer to let us completely handle your site upgrade, we’ll be happy to help.