CMS Security Handbook: The Comprehensive Guide for WordPress®, Joomla!®, Drupal™, and Plone® by

Understanding the Need for the Patching Process

You may be thinking that you don't necessarily need to patch, or that you don't really have the time to go through the process. That is definitely the mindset of many site owners today. However, if you ignore patching, you are doing so at your own peril. That is not a lighthearted statement; it's backed up by research.

For example, in 2003, a worm was released on the Internet that swept literally around the world in a few short hours. Its target was Microsoft SQL servers. It attacked any SQL Server instance that did not have a specific patch. The issue was that the patch had been available for several months. Applying it would have neutralized the attack. The cost was incalculable, and the downtime was embarrassing. Companies (both large and small) were hit by this attack, crippling infrastructures, and stopping worldwide commerce. Numerous studies have been conducted using publicly available information that shows the act of patching would have stopped the bulk of attacks. One study published in 2000 written by Hilary K. Browne and William A. Arbaugh of the University of Maryland, and John McHugh and William L. Fithen of the Software Engineering Institute, was entitled, “A Trend Analysis of Exploitations.” In that study, the authors proposed a theory that states after a patch is released, users who do not apply it are exposed to an excessive window of opportunity for attacks. Specifically, they noted the following: