Keeping your open source CMS updated with security patches

February 22, 2013

Ross Gerring

Arguably the top 3 open source website CMS (Content Management Systems) on the planet are Drupal, WordPress and Joomla. Unfortunately their huge popularity comes at a price: they're more attractive to mischief makers (i.e. hackers) than less popular systems, because a single exploitable flaw in the core code can be used against many thousands of sites at once. So keeping your site updated with the latest security patches (much like keeping your PC's anti-virus software up-to-date) is a smart way to minimise the chance of your website, and perhaps the entire server where it's hosted, being abused.
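Before you can decide how often to patch, you need to know what you are actually running. The Python script below is an added example for this page, not code from the original post or from any of the three CMS projects. It reads the core version from the file each CMS ships it in (wp-includes/version.php for WordPress, includes/bootstrap.inc for Drupal 7, libraries/cms/version/version.php for Joomla 2.5) and compares it with a "latest known" table. The version numbers in that table are placeholders you must keep current yourself from the projects' own release announcements; the sample install trees the script builds are constructed fixtures so it runs offline.

```python
"""Detect the installed WordPress, Drupal 7 or Joomla 2.5 core version and
compare it with a hand-maintained 'latest known' version table."""
import os
import re
import tempfile

# Placeholder values (assumption, not live data): update these from the
# projects' release announcements whenever a new core release ships.
LATEST_KNOWN = {"wordpress": "3.5.1", "drupal": "7.20", "joomla": "2.5.9"}

# Patterns for the version strings each CMS writes into its own source tree.
WP_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
DRUPAL_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")
JOOMLA_RELEASE_RE = re.compile(r"\$RELEASE\s*=\s*'([^']+)'")
JOOMLA_DEV_RE = re.compile(r"\$DEV_LEVEL\s*=\s*'([^']+)'")


def parse_version(text):
    """'3.5.1' -> (3, 5, 1); pad to three parts so '7.20' compares equal to '7.20.0'."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def _read(webroot, relpath):
    path = os.path.join(webroot, relpath)
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def detect_version(webroot):
    """Return (cms, version_string) for the CMS installed under webroot, or None."""
    src = _read(webroot, "wp-includes/version.php")
    if src and WP_RE.search(src):
        return ("wordpress", WP_RE.search(src).group(1))
    src = _read(webroot, "includes/bootstrap.inc")
    if src and DRUPAL_RE.search(src):
        return ("drupal", DRUPAL_RE.search(src).group(1))
    src = _read(webroot, "libraries/cms/version/version.php")
    if src:
        rel, dev = JOOMLA_RELEASE_RE.search(src), JOOMLA_DEV_RE.search(src)
        if rel and dev:  # Joomla splits '2.5.8' into RELEASE '2.5' and DEV_LEVEL '8'
            return ("joomla", rel.group(1) + "." + dev.group(1))
    return None


def check_site(webroot, latest_known=LATEST_KNOWN):
    """Compare the detected core version with the table; None if no CMS is found."""
    found = detect_version(webroot)
    if found is None:
        return None
    cms, installed = found
    latest = latest_known[cms]
    return {
        "cms": cms,
        "installed": installed,
        "latest": latest,
        "needs_update": parse_version(installed) < parse_version(latest),
        # installed newer than the table means the table itself is out of date
        "table_stale": parse_version(installed) > parse_version(latest),
    }


# Constructed minimal install trees used as fixtures (not real CMS files).
SAMPLE_FILES = {
    "wordpress": ("wp-includes/version.php", "<?php\n$wp_version = '{v}';\n"),
    "drupal": ("includes/bootstrap.inc", "<?php\ndefine('VERSION', '{v}');\n"),
    "joomla": ("libraries/cms/version/version.php",
               "<?php\nclass JVersion {{\n  public $RELEASE = '{r}';\n"
               "  public $DEV_LEVEL = '{d}';\n}}\n"),
}


def make_sample_site(cms, version):
    """Write a constructed install tree for `cms` at `version` into a temp dir."""
    root = tempfile.mkdtemp(prefix="cms-")
    relpath, template = SAMPLE_FILES[cms]
    if cms == "joomla":
        release, dev = version.rsplit(".", 1)
        body = template.format(r=release, d=dev)
    else:
        body = template.format(v=version)
    path = os.path.join(root, relpath)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body)
    return root


if __name__ == "__main__":
    for cms, version in (("wordpress", "3.4.2"), ("drupal", "7.20"), ("joomla", "2.5.8")):
        print(check_site(make_sample_site(cms, version)))
```

Point `check_site()` at a real web root instead of a fixture to audit a live install. The version comparison is numeric so that 7.20 sorts after 7.9; the `table_stale` flag is the caveat that matters in practice, since a check against a stale table silently reports "up to date".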

How often, on average, does your Drupal, WordPress, or Joomla site need to be security patched? We spotted a good article on this subject by a bloke called Steve Burge. We're reprinting it in full, below, because it has been retired from its original URL, http://admincredible.com/blog/item/37-how-often.


If you want a safe website, you have to update it regularly.

Developers need to provide you with security patches and bug-fixes. It might not be enjoyable, but it’s got to be done.

But, how often do you need to update?

I get asked this question a lot. Until now, I’d always had to guess and come up with an approximate answer such as “every 2 months”.

I wanted to give people a more accurate answer, so I sat down to calculate exactly how often people need to update their Joomla, WordPress and Drupal sites.

Here are the results:

How often do sites need updates?

Let’s look at the raw numbers first:

  • WordPress has 62 releases in 87 months between December 2005 and February 2013. That’s an average of 42 days per release.
  • Drupal 6 has 26 releases in 48 months and Drupal 7 has 15 releases in 25 months. That’s an average of 51 days per release.
  • Joomla 1.5 had 27 releases in 26 months, Joomla 2.5 had 20 releases in 25 months and Joomla 3 had 4 releases in 6 months. That’s an average of 36 days per release.

Some notes: I tried to exclude duplicate releases. So I only counted one version whenever Drupal launched a security release and a bug-fix release at the same time. I also removed a couple of Joomla versions, such as 1.6.6, which were designed only for a small sub-set of users.

How regularly are updates released?

I found that the regularity of releases varies widely with the software.

Note: with the graphs below, the blue area shows the updates and the red area is the trend line that I added.

WordPress releases have been remarkably consistent over time. We mentioned that WordPress releases came every 1.4 months. They really have deviated very little from that schedule since 2006.

Drupal 7 is an interesting case and shows a lot of variation. It took 5 months after launch for the release of Drupal 7.1, but there have been 4 releases in the last 5 months.

Drupal 6, Joomla 1.5 and Joomla 2.5 all show a clear pattern. There were regular updates in the first year and then updates slowed rapidly over time as the versions became more stable.

With Drupal 6, there were 9 releases in 2008 but only 4 in 2012.

With Joomla 1.5, there were 9 releases in 2008 but only 4 in 2011 and 2012 combined.

With Joomla 2.5, there were 10 releases in 2011, but only 3 in the last 8 months.

So, how often do I need to update my site?

  • WordPress users can expect to update every 42 days. Because this strong pattern has shown for 7 years, it’s reasonable to predict that it will continue.
  • Drupal users can expect to update every 51 days. Drupal 6 users can now expect relatively few updates, but Drupal 7 is harder to predict.
  • Joomla users can expect to update every 36 days, although that number is increasing. Joomla 2.5 users can now expect relatively few updates, but Joomla 3 is harder to predict particularly given that it’s been out for the shortest length of time amongst our examples.

Is this all there is to the story?

Simply, no.

On the one hand, it’s now easy to understand why more than two-thirds of Joomla, WordPress and Drupal sites are out-of-date. Updating about every 6 weeks is hard for busy people.

On the other hand, the frequency of updates alone doesn't tell the whole story. I can think of at least five important points that we didn't include in this blog, but which impact how hard it is to keep a site up-to-date.

We didn’t talk about:

  1. How often sites need to update their plugins / extensions / modules / templates / themes. Because sites vary on which and how many add-ons they have installed, I’m thinking this would be harder to calculate. If anyone has any good ideas on how this could be calculated accurately, I’d love to hear it.
  2. How stable or buggy the releases were.
  3. How easy the updates are to apply.
  4. How easy it is to move between major versions such as Drupal 6 and 7 or Joomla 1.5 and 2.5.
  5. How many of these releases were security releases (where quick updates were essential) and bug-fix releases (where users don’t have to move so quickly).

Do you need help keeping your Drupal or WordPress site regularly patched? If so, give Itomic a call, 24/7, on 1300 ITOMIC.
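The reprinted article works out "days per release" from release counts and calendar spans, counts one release per day when a security fix and a bug-fix ship together, and then looks at how the per-year count falls off as a branch matures. The script below, added here as an example and not part of Steve Burge's article or of any CMS project, applies that same method to a dated release list so you can repeat it for whatever branch (core or an add-on) you actually run. The release dates in it are constructed for a fictional "Example CMS 4" and are not the release history of any real product.

```python
"""Release cadence from a dated release list: mean interval between releases,
releases per calendar year, longest gap, and whether the cadence is slowing."""
from datetime import date

# Constructed (version, release date) pairs for a fictional 'Example CMS 4'.
SAMPLE_RELEASES = [
    ("4.0.0", date(2010, 1, 10)),
    ("4.0.1", date(2010, 2, 14)),
    ("4.0.2", date(2010, 2, 14)),   # security fix shipped the same day as 4.0.1
    ("4.0.3", date(2010, 4, 1)),
    ("4.0.4", date(2010, 6, 20)),
    ("4.0.5", date(2010, 9, 5)),
    ("4.0.6", date(2010, 12, 12)),
    ("4.0.7", date(2011, 3, 30)),
    ("4.0.8", date(2011, 8, 15)),
    ("4.0.9", date(2012, 2, 1)),
    ("4.0.10", date(2012, 10, 10)),
]


def dedupe_same_day(releases):
    """Keep one release per date, sorted by date: the 'only counted one version'
    rule from the article, since a site admin patches once, not twice, that day."""
    seen, out = set(), []
    for version, day in sorted(releases, key=lambda r: r[1]):
        if day not in seen:
            seen.add(day)
            out.append((version, day))
    return out


def days_per_release(releases):
    """Mean number of days between consecutive (deduplicated) releases, i.e. how
    long a site typically goes before the next update is due. None if < 2 releases."""
    rel = dedupe_same_day(releases)
    if len(rel) < 2:
        return None
    span_days = (rel[-1][1] - rel[0][1]).days
    return span_days / (len(rel) - 1)


def longest_gap(releases):
    """Longest stretch in days without a release (the best case for a lazy admin)."""
    rel = dedupe_same_day(releases)
    return max((b[1] - a[1]).days for a, b in zip(rel, rel[1:]))


def releases_per_year(releases):
    """Release count per calendar year, in year order."""
    counts = {}
    for _, day in dedupe_same_day(releases):
        counts[day.year] = counts.get(day.year, 0) + 1
    return dict(sorted(counts.items()))


def cadence_trend(releases):
    """Compare the last year's count with the first year's: the pattern the
    article found for Drupal 6 and Joomla 1.5/2.5 shows up as 'slowing'."""
    counts = releases_per_year(releases)
    years = list(counts)
    if len(years) < 2:
        return "insufficient data"
    first, last = counts[years[0]], counts[years[-1]]
    if last < first:
        return "slowing"
    if last > first:
        return "accelerating"
    return "steady"


if __name__ == "__main__":
    print("releases counted:", len(dedupe_same_day(SAMPLE_RELEASES)))
    print("mean days per release:", round(days_per_release(SAMPLE_RELEASES), 1))
    print("longest gap (days):", longest_gap(SAMPLE_RELEASES))
    print("per year:", releases_per_year(SAMPLE_RELEASES))
    print("trend:", cadence_trend(SAMPLE_RELEASES))
```

Note that `days_per_release()` divides the span by the number of intervals (releases minus one), which is what "time until the next update" actually means; the article's figures divide the whole span by the release count, which gives a slightly shorter number. Feed the function the release dates of the plugins and themes you have installed as well, since the article's point 1 is that add-ons add their own patch cadence on top of core's.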