How we perform quick and easy daily security audits for WordPress and Drupal sites

March 02, 2017

Security updates are a necessary part of any website maintenance process. Add in multiple Content Management Systems (CMS), seemingly countless modules or plugins, and dozens of sites, and suddenly you’ve made yourself very busy!

One of my jobs at DesignHammer is to help the staff stay on top of any new Drupal and WordPress security updates. Historically, you’d need to visit each site to validate that there are no security updates for the core CMS or any of the modules/plugins in use. While verifying the updates on any one site isn’t that much of a time commitment, it’s difficult to work through dozens of sites without getting distracted by other seemingly more pressing business needs. This makes the work take longer, leads to less frequent checks for updates, and increases the likelihood of human error.

While there are a variety of tools that will provide you with notices of updates via email, Twitter, or a website, these messages are often lost in the noise of day-to-day business. So responsible firms have an update workflow. Unfortunately, with all of the distractions of day-to-day business, this may only be a weekly, or even monthly, check of each site to make sure it’s up to date.

At DesignHammer, we wanted something more efficient for both our time and for our clients' security (and budget). We now perform daily audits for module and core updates on all of the Drupal and WordPress sites that we maintain. While we considered developing our own custom solution to address this challenge, we decided to leverage a product called Lumturio to check each of our sites daily.

The Lumturio SaaS works in conjunction with either a WordPress plugin or Drupal module installed on each site you need to monitor. Once that is in place, there is a simple dashboard that displays feedback on all of your monitored websites, listing CMS (Drupal or WordPress) and core version, the site name, and an indication of any security updates that may be available. Lumturio appears to check the versions of the website software, as well as the latest available versions, multiple times per hour.

Most commonly we monitor the "Sites" tab. This includes the CMS and version number, an SSL indication, the site name (which is a link to a detail view of the site information), site status (thumbs up, core updates needed, security updates needed, or updates needed), the number of updates needed, and user-defined tags (which are searchable). There are three sets of radio buttons on the page that offer additional control. One filters the view to only include sites with security updates, core updates, module updates, or no updates. Another will show you only your WordPress sites or your Drupal sites. The final option, directly above the column for the site name, turns on the display of security updates and/or module updates in the site name box. When security updates are selected and available, those sites are listed at the top of the list with an indication for those security updates in a red font. Finally, basic alerting through email can be configured for a variety of triggers (all sites, specific sites, any updates, security updates, etc.).

Lumturio Sites Overview

One of the tabs within the detail view of a given site is the update log. This log captures the date of any updates installed on the site, giving you an easy way to see the update history of your sites at a glance.

Lumturio Updates Detail

By drilling down into the detailed view of a site you can see a list of all modules in use by that site along with information about the installed version, currently available version, and the nature of any updates that are available. Conversely, if you browse to the Modules tab you will see a list of all modules in use across your sites, and the percentage of sites using each one.

Lumturio Sites Detail

On top of all of this, Lumturio’s support has been responsive and helpful. When we first started using it for client sites, the WordPress monitoring was still in development. Some features reported confusing data, and some were just nonfunctional. Support confirmed during the chat that these features were going into development based on this feedback. Within 20 days, all features were working correctly for WordPress.

Ultimately, using Lumturio to monitor updates has allowed DesignHammer to respond to new security and core changes in as little as an hour, while only requiring a few minutes each day to stay abreast of the status of each of the dozens of Drupal and WordPress websites we handle security patching for.

A manual process to monitor our sites would be time-consuming and error-prone, in addition to requiring more technical knowledge to assess the variety of sites and updates. Instead, by leveraging Lumturio’s service, DesignHammer is able to offer a superior site audit without any additional cost to retainer clients. DesignHammer is currently subscribed to the Lumturio Essential plan.
