I love Open Source technologies as so do many church website administrators. Open Source Content Management Systems (CMS) such as WordPress, Joomla!, and Drupal can be used to build some very nice church websites and for very low cost. Besides the robustness and easy of use of these CMSs, one of their other key benefits is their rich, 3rd party plugin and widget libraries. If the CMS doesn’t come with a good form editor, image viewer, or another piece of needed functionality, chances are there are multiple 3rd party components already and immediately available that do this and are free and simple to install.
The facts that Open Source CMSs are free and they come with a vibrant 3rd party component repository are why many church web admins gravitate towards these tools.
However, these same facts also breed complacency and carelessness.
I was shocked to read a report last year by Symantec the online security and anti-virus firm that reported that “religious and ideological websites can carry three times more malware threats than pornography sites“. Religious sites aren’t being directly targeted by hackers; we just make it far too easy for them. Our churches need to be a safe haven on all fronts and that also includes an online safe haven from computer viruses and malware.
Unfortunately, much of this issue is due to a lack of rigor and diligence. Using open source technologies particularly with their corresponding 3rd party components comes with responsibility that your website administrator or vendor needs to assume. Sure that slideshow viewer you just found for Joomla! would look great on the home page of your website, but does it really work? What vulnerabilities come along with it? Did the author consider security issues when he wrote it and is he committed to upgrading it in the future? These are the real questions you need to worry about before thinking about how great it would look on your homepage.
Unfortunately, I get to talk to a church every couple of months that has had their website hacked, broken into, taken over, used to send spam, or is being clandestinely leveraged as a phishing website. Often hackers are not trying to just defame your website, but rather leverage its resources. Once they gain access to your system, they can: steal your email addresses, use your email server to send spam, setup their own web pages so that you’re website appears as a phishing website.
There are far too many hackers out there and we’re making it too easy for them to do their dirty work. There is an amateur class of hackers out there is disparagingly referred to by the “professional” hacker as Script Kiddies. Script Kiddies really don’t know much about hacking, but they do know how to find known, documented system vulnerabilities and then run scripts that search for websites that have not corrected these vulnerabilities. These Script Kiddies are easily stopped providing we website admins do our job in maintaining our websites.
Here are a few simple rules that you can follow to keep your websites protected:
Your CMS will tell you when it is out of date. You don’t have to immediately jump on the next version the day its out, but I set a simple rule of never getting more than 2 point releases behind and always upgrade to the next major version within 3 months. Each CMS will tell you when its out of date. Here’s what I see on my WordPress site. If yours says it’s out of date or worse you don’t know if anyone is checking, you will eventually have issues.
Look Before You Leap With Plugins and Widgets
Before just installing a cool sounding widget, read the reviews and better yet look at the code. Can’t really read the code that you’re installing? That means you’re placing a lot of trust in whoever wrote that widget. You are saying I trust this unknown person to write good code, consider security issues, and keep it updated for me in the future. Should you really be placing your trust there?
Don’t Customize the Code Unless Your Assuming Upgrade Responsibility
The moment you customize the underlying code on a widget or plugin, you break any future ability to obtain an upgrade from its author. So when that author issues a security patch for a recent vulnerability that was discovered with their code, how are you going to implement it?
Someone Needs to Assume This Responsibility
Most importantly, someone needs to assume the responsibility for the above tasks. Religious sites are too often ripe targets for hackers because this responsibility is lacking. How many years ago did that passionate volunteer create your website? Yes, you know how to maintain the content, but what about upgrading the code? If you’re reading this and have no idea what CMS use use, what version of code its currently on, or when the last time its been updated, it is time to look at an alternative. There are a number of fine church-oriented websites services out there. Admittedly, I’m biased to my own product, WeConnect, but here’s a list of quite a few good vendors to choose from.
With a little responsibility and effort we can help make our online world a safer place!