bkno

From a security & maintenance point of view, how often should updates be installed?

7 posts in this topic

Hi,

I'm new to PW and like it a lot so far. With most WordPress and Drupal websites there are frequent updates to core & plugins, some of these are security releases, so I tend to install any updates ASAP. When supporting many websites, this update fatigue is pretty tiresome.

What is your update strategy when maintaining PW sites? I'd be interested to hear if you think it is valid to perhaps do a quarterly update, or perhaps even only update yearly if there are no security announcements?

Also, just to clarify, is there a security mailing list we should subscribe to just in case an urgent fix is ever released?

Thanks!


By now there aren't any known security issues with the ProcessWire core, so updating is purely needed for accessing new features. There's also no mailing list for security. The best is to follow the weekly blog posts by any of the available channels.


Howdy @bkno, and welcome to the forum.

ProcessWire itself is very secure, in that there have been few, if any, security related updates. In fact, I am not aware of any such update in the couple of years I have been using ProcessWire. Consequently, there isn't a security mailing list like what you have become familiar with in other platforms.

As far as an upgrade regimen is concerned, if you stick with the latest master version you should have no issues. For those times that you do wish to upgrade, the procedure is very simple and, as a result, nowhere near as tiring as with the other CMS/CMF you have worked with. And the only real reason you might upgrade is when new functionality becomes applicable to your site.

The modules that you can install are created by the community, and should be treated as any user-defined content. As with any publicly accessible resource, it is up to the developer to guard against malicious intent. ProcessWire provides a number of tools to assist you, such as sanitizing data submitted by your users. That being said, the community members here are very knowledgeable and very experienced, and again, I am not aware of any security issues with the modules they produce.

The previous security issues you experienced are why I also left those other environments. I have had no disappointments or regrets moving to ProcessWire. In addition, you can browse any topic in this forum and see the quick and accurate support provided by the community members.

I don't intend for this to sound like a sales pitch. I'm only stating the facts as I have come to know them.

There ya go. @LostKobrakai is one of those community members. He beat me to the post. Again. :)

Edited by rick

Welcome to the forum @bkno

Just one consideration to add to the others written above: most likely you will only be forced to update an otherwise smoothly running ProcessWire website when the PHP version it is running on becomes obsolete, and the new PHP version you wish to upgrade to has deprecated methods that are no longer supported/available, but some functionality of your old ProcessWire depends on those deprecated PHP functions. This means you will need to update your ProcessWire core and other modules in order to keep up with the changes in PHP.

Sure, it is a general issue with PHP-based websites, but since you asked how frequently you need to update, I think it is worth pointing out that, due to the nature of PHP, one day you will be forced to update, or at least want to update, if some PHP security flaws emerge in no longer supported PHP versions.

Other than that, you do not have to update at all :) That being said, I recommend updating when you need new features provided by the core or when you want to upgrade to a PHP version that requires upgrading ProcessWire.

Hope this helps.


Many thanks all! Happy to be here.

Very encouraging to hear - this will enable updates to be done during active development phases with a site, so there can be a general round of testing rather than trying to test every time after installing frequent updates.

I'll check out the upgrade module.


One thing I'd like to bring up is the fact that, because the design of your website is separate from the back end and content of your website, upgrades don't break your website.

This is the largest bugbear I have had with WordPress and I no longer do ANY sites with it. It's as if a WordPress site has a lifespan - after a year or 2 I dreaded upgrades to the theme (yes, even with child themes) as any update could break my client's site. Even plugin updates could break the site. And a site lasting more than 3 or 4 years - I haven't had one yet. Most of the sites I ran were designed by designers (I handled the back end), always with modifications - and I don't think I have particularly picky customers. It's just that WordPress sites are so generic out of the box that you have to modify the theme.

These days I have a designer do me a homepage and an internal page (saving me money compared with them doing the full site) and I implement the pages with various page layouts, blogs - whatever I want. Anything WordPress could have done I can do - though it can take some PHP programming to get what I want (but I do get EXACTLY what I want).

And I never have to worry about updates. I just noticed a site I was working on from last year was ver. 2.7 and, as it's going live, I decided that I'd send it off with the latest version. The update to 3.0.63 took less than 5 minutes (and that included taking a backup of the database).

Give ProcessWire a try - there is a bit of a learning curve on your first few sites, but after that (and easily reusing code) you'll never look back.
