I'm pretty much assuming that everyone has heard about this already, but I'm surprised it hasn't been mentioned in the group. So just in case there are those who are maintaining Drupal sites who haven't seen the news...
A highly critical security bug was found in Drupal core a few weeks ago, and a fix was released last week, on March 28. It's very strongly recommended to deal with this ASAP due to the severity of the bug.
Details here: https://www.drupal.org/sa-core-2018-002
This issue affects versions 6, 7, and 8, and fixes are available for all those versions.
Martin Hansen Team Lead, Web Services 519.725.7875 x2120 | 888.817.3048
Thanks for bringing this up. Our web developers made the update right away but I was surprised that Acquia, our hosting company, didn't send out a notification.
Hi Courtney, I would agree with the others' comments.
However, the estimate could be justified; I think it's just unclear what work they are including. Just applying the security update (whether you are doing a Drupal core version update or just applying a patch to the files) should be on the order of 10-30 minutes, including connecting to the server, doing the work, reporting back to you, etc.
But there may be other work that the developer is including in their estimate. They may be updating all your modules. You also listed "testing", I'm not sure what would be covered here and how extensive. Maybe there are other complications too, that we're not aware of.
It seems a little odd that this wouldn't be included in your retainer. This update is not any more complicated than any other version update in Drupal (in fact it's quite a simple update, as others said). The only difference is the security urgency around it. So there could be rationale for this to be "extra work" if it forces the developer to deviate from a previously agreed maintenance schedule. But the work itself is not unusual otherwise.
If I were you, my next step would be to ask for more clarity on what specifically is included in that estimate. If you do get more info there and would like further feedback feel free to reply back. :)
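A quick way to verify that the update the estimate covers actually landed, as an added example that is not from any poster in this thread: the script reads the core version a Drupal 7 or 8 docroot declares and compares it against the fixed releases of SA-CORE-2018-002 (7.58, 8.5.1, 8.4.6, 8.3.9), and when a patch was applied to the files without a version bump, it looks for the request sanitizer file the patch adds. The file paths and version constants are assumptions about the core layout; the fixture docroot is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): report whether a Drupal
# docroot has the SA-CORE-2018-002 fix, either as a fixed release or as the
# patch applied to the files. Assumed layout: Drupal 7 defines VERSION in
# includes/bootstrap.inc, Drupal 8 in core/lib/Drupal.php; the patch adds
# includes/request-sanitizer.inc (D7) or
# core/lib/Drupal/Core/Security/RequestSanitizer.php (D8).

drupal_version() {  # print the core version declared under docroot "$1"
  if [ -f "$1/includes/bootstrap.inc" ]; then
    sed -n "s/^define('VERSION', '\([0-9.]*\)');.*/\1/p" "$1/includes/bootstrap.inc"
  elif [ -f "$1/core/lib/Drupal.php" ]; then
    sed -n "s/^ *const VERSION = '\([0-9.]*\)';.*/\1/p" "$1/core/lib/Drupal.php"
  fi
}

version_ge() {  # true if dotted version "$1" >= "$2" (numeric, component-wise)
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*} y=${b%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}

sa_core_2018_002_status() {  # print patched / vulnerable / unknown for docroot "$1"
  v=$(drupal_version "$1")
  case $v in
    7.*)   fix=7.58;  sanitizer=$1/includes/request-sanitizer.inc ;;
    8.5.*) fix=8.5.1; sanitizer=$1/core/lib/Drupal/Core/Security/RequestSanitizer.php ;;
    8.4.*) fix=8.4.6; sanitizer=$1/core/lib/Drupal/Core/Security/RequestSanitizer.php ;;
    8.3.*) fix=8.3.9; sanitizer=$1/core/lib/Drupal/Core/Security/RequestSanitizer.php ;;
    *)     echo "unknown or unsupported branch ($v)"; return 2 ;;  # e.g. 8.2 and older: upgrade
  esac
  if version_ge "$v" "$fix"; then
    echo "patched ($v)"
  elif [ -f "$sanitizer" ]; then
    echo "patched by file ($v + request sanitizer)"   # patch applied without a version bump
  else
    echo "vulnerable ($v < $fix)"; return 1
  fi
}

make_fixture() {  # constructed Drupal 7 docroot "$1" declaring version "$2"
  mkdir -p "$1/includes"
  printf "define('VERSION', '%s');\n" "$2" > "$1/includes/bootstrap.inc"
}
```

Run it as `sa_core_2018_002_status /var/www/html` (path assumed) on the server; a "patched" line is the evidence to ask the developer for when the update is reported done.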
I'm sorry to hear that your site got hacked. :-( It really is hard to clean up a site and server after getting hacked because it's difficult to tell what things the attackers left there. In some cases, people have reported that the attackers added a cronjob to re-infect the site in case it got repaired!
I'm on the Drupal Security Team, and so I have a lot of experience with this issue, but from the other side. If there's anything you think the Security Team could do to improve in situations like this, please let me know! And I'm going to try and be on the call tomorrow.
Also, I'm not trying to turn this into a sales pitch, but my company (myDropWizard.com) offers a service to apply any Drupal security updates the same day they are released! We got both the recent security releases deployed to all our customers right away and none of them got hacked.