Discuss

Ask a question. Give advice. Share resources. Looking for software or hardware recommendations? Want to know how others are using text messaging in their work? Trying to find examples of IT policies? The NTEN Discuss forum is a great resource for all of the above and more! It's the general discussion list for the NTEN community, and folks all over the US (and the world) are sharing their questions, answers, and news about nonprofit technology.

Seeking Drupal feedback

  • 1.  Seeking Drupal feedback

    Posted Oct 09, 2019 14:22
    Hello all

    We have a Drupal 7 website that is no longer staffed. Our organization is still interested in keeping it online for the foreseeable future for various reasons.

    I completely understand that best practice is to just shut it down. But right now, that is not an option.

    Seeking feedback on:

    1) How can we find out how much it would cost to keep the site's CMS, plugins and modules updated so it is less vulnerable to hacking?

    2) What other factors do we need to be cognizant about as far as web security in keeping an inactive website alive? What aspects should be deactivated, for example, to make the site less prone to malicious intrusion?

    Thanks for any feedback! I'd love to have some Drupal agencies reach out if this sounds like something you might be interested in talking with me as a potential project.

    Thanks

    ------------------------------
    Redante Asuncion-Reed
    Washington DC
    ------------------------------

  • 2.  RE: Seeking Drupal feedback

    Posted Oct 09, 2019 14:38
    Hi there Redante -

    The first two things I'd do are the below...

    1) Get Sucuri running on the site. Prices start at $200/year, and this will scan for malware on 12-hour intervals. You can also request them to run a scan, and it will detect if any existing malware is on the site or tighten up any areas that may need it. The good news is that Drupal is less inclined for malware since the code base is pretty lean.

    2) If something super-terrible happens, you'll want a backup. You should check with your hosting provider to see what options they have. I'd recommend doing cPanel/Plesk backups at the site level, and also doing mirrored server backups at rolling 3 days, 1 week, and 1 month intervals. If you're super paranoid (and one should be with security), then you can also do something like DropMySite (it's 30 bucks a year).

    I hope this helps a bit!

    All the best,
    Kevin

    ------------------------------
    Kevin LaManna
    Principal |
    Chicago, IL

    www.mondaylovesyou.com
    ------------------------------


  • 3.  RE: Seeking Drupal feedback

    Posted Oct 09, 2019 16:11
    Many thanks Kevin! This is very helpful!

    ------------------------------
    Redante Asuncion-Reed
    Washington DC
    ------------------------------


  • 4.  RE: Seeking Drupal feedback

    Posted Oct 10, 2019 08:59

    (Cross-posted from NTEN Drupal)

    Hi Redante, I would second what Kevin has said (I don't have firsthand experience with those specific services but I'd recommend the same principles). Backups are definitely key, and retaining some over a longer period (don't keep just the latest 1 copy). Keeping one in a safe place is also advisable, i.e. just grab one you have now and download it to your org's local file server.

    I would say if the website is still providing value then I don't think best practice is necessarily to shut it down. Just support it as best you can and you can always shut it down later if you need to.

    Keep in mind website ongoing maintenance should be a fairly small cost of your overall organization. If the website is still valuable then I would say generally those costs are probably worth it. Mainly that should involve the hosting/domain service, and a technical resource for software updates. This could be an existing technical staff, an external person, or some sort of service.

    Hosting/domain should run you something like $10-20/month. The maintenance part depends; for example, I often recommend applying security updates every 3 months, and depending who is providing this service for you it might be around roughly $100-200 each time.

    Another option you can consider is having someone do a quick audit of your site to make sure there aren't any existing gaps. If nothing else you may be able to do some of this yourself for starters: check the Drupal status report on the site and the available updates report, check the user list to make sure that's up to date (disable old users), and you can also consider subscribing to Drupal's security mailings if you really want to go down that rabbit hole. :)

    https://www.drupal.org/security

    https://twitter.com/drupalsecurity

    Hope this helps!

    Martin

    Martin Hansen
    Senior Consultant / R&D Lead
    519.725.7875 x2120 | 888.817.3048


    PeaceWorks™ Technology Solutions
    101 - 554 Parkside Drive,
    Waterloo ON  N2L 5Z4
    www.peaceworks.ca

    Mission driven technology solutions
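
The user-list check suggested in the post above ("disable old users") can be scripted. This is an added example, not part of the original post or of Drupal itself: it runs a query over the Drupal 7 core tables `users`, `users_roles` and `role`, using an in-memory SQLite database with constructed accounts as a stand-in for the site's database. The 180-day threshold and the `administrator` role name (the standard install profile's default) are assumptions.

```python
import sqlite3
DAY = 86400
# Subset of the Drupal 7 core tables needed for an account review.
SCHEMA = """
CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, status INTEGER, login INTEGER);
CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
"""
# Enabled accounts (status = 1) with a last login before the cutoff; login = 0 means never.
STALE_SQL = """
SELECT u.uid, u.name, u.login, COALESCE(GROUP_CONCAT(r.name), '') AS roles
FROM users u
LEFT JOIN users_roles ur ON ur.uid = u.uid
LEFT JOIN role r ON r.rid = ur.rid
WHERE u.uid > 0 AND u.status = 1 AND u.login < :cutoff
GROUP BY u.uid, u.name, u.login
ORDER BY u.uid
"""

def stale_accounts(conn, now, max_idle_days=180):
    report = []
    params = {"cutoff": now - max_idle_days * DAY}
    for uid, name, login, roles in conn.execute(STALE_SQL, params):
        report.append({
            "uid": uid, "name": name,
            "idle_days": (now - login) // DAY if login else None,  # None = never
            # uid 1 bypasses all permission checks in Drupal 7.
            "privileged": uid == 1 or "administrator" in roles.split(","),
        })
    return report

def build_sample_db(now):
    """Constructed sample data, not taken from any real site."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO role VALUES (?, ?)", [(3, "administrator"), (4, "editor")])
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", 1, now - 400 * DAY),
        (2, "current_editor", 1, now - 10 * DAY),
        (3, "former_staff", 1, now - 700 * DAY),
        (4, "already_blocked", 0, now - 900 * DAY),
        (5, "never_used", 1, 0),
    ])
    conn.executemany("INSERT INTO users_roles VALUES (?, ?)", [(2, 4), (3, 3)])
    return conn

if __name__ == "__main__":
    NOW = 1570700000  # constructed "current time" in October 2019
    for row in stale_accounts(build_sample_db(NOW), NOW):
        print(row)
```

Against a real site the same SELECT would be run on the site's own database, with any table prefix the installation uses added to the table names. Accounts it lists are candidates for blocking, with the privileged ones reviewed first.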



  • 5.  RE: Seeking Drupal feedback

    Posted Oct 09, 2019 14:46
    Putting my moderator hat on for a moment...

    Agency peeps -- if your response would be of general interest to the whole list (i.e., it contains actionable advice beyond "hire us!"), feel free to respond to the list.  If you are solely offering your services, please respond to Redante directly off-list.

    Many thanks!

    Jess

    ------------------------------
    Jess Snyder
    Senior Manager, Web Systems, Digital Media | Digital Media
    jsnyder@weta.org | 703-998-2002 | @jesseves

    WETA Public Television and Classical WETA
    3939 Campbell Avenue | Arlington, VA 22206
    www.weta.org | facebook.com/wetatvfm | @wetatvfm
    ------------------------------


  • 6.  RE: Seeking Drupal feedback

    Posted Oct 09, 2019 14:52
    Hi Jess -

    I hope your note wasn't in response to my reply to his question. I simply provided two actionable steps that one should take, without anything commercial in nature. My reply only contained two different third-party services that we have no commercial affiliation with.

    Best,
    Kevin

    ------------------------------
    Kevin LaManna
    Principal |
    Chicago, IL

    www.mondaylovesyou.com
    ------------------------------


  • 7.  RE: Seeking Drupal feedback

    Posted Oct 09, 2019 14:57
    Nope, not at all!  Your post was great!

    It was just a gentle reminder -- we generally ask that agencies not use this list to promote their services directly.  It helps ensure that the discussion is about Drupal and doesn't descend into an advertising free-for-all.

    Jess

    ------------------------------
    Jess Snyder
    Senior Manager, Web Systems, Digital Media | Digital Media
    jsnyder@weta.org | 703-998-2002 | @jesseves

    WETA Public Television and Classical WETA
    3939 Campbell Avenue | Arlington, VA 22206
    www.weta.org | facebook.com/wetatvfm | @wetatvfm
    ------------------------------


  • 8.  RE: Seeking Drupal feedback

    Posted Oct 09, 2019 14:58
    Ok, whew! :-)

    ------------------------------
    Kevin LaManna
    Principal |
    Chicago, IL

    www.mondaylovesyou.com
    ------------------------------


  • 9.  RE: Seeking Drupal feedback

    Posted Oct 09, 2019 15:06
    And whoops!  I thought this post was to the Drupal list, not Discuss.

    (Sorry for overstepping, Discuss mods!!!)

    @Redante Asuncion-Reed, I suggest you post your question directly to the Drupal list as well -- you'll get more targeted responses.

    ------------------------------
    Jess Snyder
    Senior Manager, Web Systems, Digital Media | Digital Media
    jsnyder@weta.org | 703-998-2002 | @jesseves

    WETA Public Television and Classical WETA
    3939 Campbell Avenue | Arlington, VA 22206
    www.weta.org | facebook.com/wetatvfm | @wetatvfm
    ------------------------------


  • 10.  RE: Seeking Drupal feedback

    Posted Oct 11, 2019 13:40
    If your site doesn't contain any logged in functionality, you can archive a static version of that site which will reduce your attack vector.

    https://www.drupal.org/project/tome is a new project that we have not yet tried, but seems to show promise. You can deploy to the excellent https://www.netlify.com service to reduce your hosting costs.

    If you want to keep the site up as a CMS vs an archive, you can engage an agency to perform an audit and action plan for you. We highly recommend a host that delivers Drupal as a platform like Pantheon (https://pantheon.io) which makes security updates to Drupal core push-button. Contributed modules are a different story though and require someone at the helm to address.

    Avoid shared hosting. It's insecure for many reasons. We wrote a blog post called Sharing is not Always Caring: Why Shared Hosting is not a Safe Bet that explains more.

    ------------------------------
    Andrew Mallis
    CEO & founder @ www.kalamuna.com
    Oakland, CA
    mallis@kalamuna.com
    925-255-5204 x700
    ------------------------------
