Many times our job as an agency is to impress upon clients that websites are more than just pamphlets or posters for their organization. They are living documents that change over time, and they are an investment in your company. Whether it be news, blog posts, upcoming events, product announcements, or just fixing a typo, the age of static websites is long gone. Clients need the ability to update their websites without learning HTML or any of the other languages/technologies that go into a finished site.
Enter the Content Management System…or the beloved "CMS" to those in the know. The CMS allows the client to ignore the nuts and bolts of a site and instead focus on its message. More importantly, the client avoids paying a Webmaster to update the site's content. This is such a widely requested capability that Mission offers it by default; we don't build sites without CMS's unless there's a very good reason NOT to do so.
There are many types of CMS's – both proprietary and open source – in a number of different programming languages. We often get asked about PHP because of the popularity of WordPress, Drupal and Joomla. But platform/CMS decisions are always based on and tailored to a client's needs. Any CMS gives the client a lot of flexibility; support and documentation is abundant, new features can be added without rewriting the site from scratch, and the site will scale automatically depending on the client's content.
At the time of publication, WordPress was used by 21.6% of the top 10 million websites on the Internet, and it accounted for 60.2% of websites that use a CMS (source). This is seven times the market penetration of Joomla (2nd place), and eleven times that of Drupal (3rd place).
So what's the downside, you may wonder? Well, popularity is a double-edged sword. If you are popular, then you are also a target, as evidenced in this recent attack that exploited over 162,000 WordPress sites for nefarious purposes. Security is oftentimes a cat-and-mouse game; hackers find new ways to break into websites, and software developers figure out new ways to keep hackers out. Hacking is a risk/reward endeavor. All things equal, a hacker would rather exploit hundreds of thousands of sites instead of just a few dozen.
You've probably noticed your computer asking you to apply updates and/or restart. Many times these updates are annoying and interrupt your workflow. But they are extremely important, as out of date software with known security flaws is likely one of the most common culprits of unwanted intrusion. And no one is immune, from small local businesses to worldwide corporations such as Reuters or NASDAQ. A hacked website can result in bad press, de-ranking or de-listing from Google and other search engines, and a loss of trust with your customers/users. Fixing and restoring a hacked website is an arduous and expensive task, and it's almost always avoidable. As the old adage goes, an ounce of prevention is worth a pound of cure.
At Mission, we always recommend that our clients allow us to keep their CMS up-to-date to prevent these types of attacks. But many times, updating all or part of the CMS can cause incompatibility with existing features, breaking or sometimes even completely disabling a website. Preparing for an update involves making a complete backup of the website; all files and data are duplicated in the event of a complete disaster, something most clients are not equipped to handle. After installing updates, the site is thoroughly tested to insure proper functionality and compatibility.
Once a client realizes that running a website entails maintenance (just like a house or car), they are much more apt to protect their investment. In most cases, routine updates don't take very long and go pretty smoothly. But by having a backup, if an update is incompatible we are able to roll back the changes, formulate a plan and provide a quote on how to bring the site up-to-date while still maintaining features and compatibility. Our goal is to have no downtime. If an important security update causes your website to go offline, it shouldn't have to stay down until we fix it. Instead, it should be fixed concurrently and deployed after it has been tested.
Sometimes it is difficult to see why preventative maintenance matters. After all, if it's not broke, why fix it? But consider it like an oil change – if you wait a few days, you're probably fine. Even if you put it off for a week or two. But eventually, that $40 small inconvenience will seem like nothing compared to replacing an entire engine. Hackers are already pretty sharp…don't make their job any easier.