The fruit decision: how low should your website hang?

Probably the most significant decision people make when building a website is which software to use. A lot of people choose an existing CMS or ecommerce app like WordPress or Magento, which gives them a quick setup and reasonable support. Others build their site from scratch or use one of the many less widely deployed apps like the Ghost blogging platform or x-commerce. It’s nice to think that everyone evaluates the features of each offering and chooses the one that best fits their needs, but that is not what happens.

Most websites are owned by non-technical people without IT support so the software they end up using is whatever has the lowest cost of entry. That means whatever is in their control panel that can be installed with one click is what gets used.

Please use the back door sign

This situation is what leads to lopsided software deployment statistics such as the massive WordPress footprint and, to step away from the Internet for a second, the global market share of Windows. The web software that is best at getting into one-click installers like Softaculous, or pre-installed on desktop computers, becomes the most popular. These large deployments of identical software are exactly what attackers want: a single vulnerability in WordPress, for example, gives a bad guy literally millions upon millions of WordPress websites to attack with the same exploit.

Keep in mind that bad guys want to take over your website or your computer. They normally aren’t looking specifically for a Windows box or a WordPress site; they’re just looking to take control so they can turn your asset to their own ends. However, since they need some entry point to leverage, it makes sense to spend the time finding one on a platform that has a large number of instances to attack. Spending a lot of time figuring out how to take over the tiny number of computers running BeOS in the world doesn’t make much sense if the same amount of time could be spent figuring out how to take over the millions of Windows boxes. The same logic applies to websites: if I want a large command and control network, I want to take over as many websites as I can with the least amount of effort. So, I’m going to target something with a large footprint like WordPress or Joomla.

All computer people, hackers included, are lazy by nature (OK, maybe not ALL of us). We’re all looking for the low-hanging fruit, the easiest fruit to pick. Therefore, there’s an argument that choosing to run massively popular software makes you the low-hanging fruit and more likely to be attacked. There’s merit to that argument, but there are two sides to most stories.

Consider the other side. Consider the person who purposely chooses a less popular, non-mainstream piece of software to power their website. One of the advantages of massively popular software is that it attracts a large developer community, and with it a large number of people looking for bugs, which has the major benefit of a reliable patch cycle that fixes vulnerabilities as they’re discovered. Less popular software usually has a smaller community around it, and when things go wrong it can be harder to get things fixed or even to find support to help.

So, on one hand, choosing to go with a major player probably does raise your risk of being attacked, but at the same time it is also probably your best bet for getting help, support, and a patch for whatever nasty vulnerability has just been discovered and is rocketing towards your site.

In an ideal world we’d like to be low-hanging fruit when we need help, because more popular software is better supported and has a large community around it. But we want to be high-hanging fruit from an attacker’s perspective; we want to be too much trouble for bad guys to go after. The obvious solution is to try to be middle fruit, but that’s just insanity: it makes your software hard to support while still being popular enough to be attacked.

Now is the time when I would normally give sage advice about doing a risk analysis and picking a software application that matches your tolerance for risk and your ability to rise to technological challenges. But we both know you’re going to install whatever is in your control panel, so please, pick the most popular one and keep it updated, including whatever plugins and themes you add to it.
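For the WordPress case, "keep it updated" can be made the default rather than a chore. The following is an added example, not code from the original post: it shows the weak settings a practitioner should look for in wp-config.php beside the settings that turn on automatic updates for core, plugins and themes. The constants and filters are standard WordPress ones; the must-use plugin file name is an assumption (any file in wp-content/mu-plugins/ is loaded automatically).

```php
<?php
// --- Weak configuration (in wp-config.php): look for and remove these ---
// Either line switches the background updater off entirely, so security
// releases never get applied unless someone logs in and clicks "Update".
// define( 'AUTOMATIC_UPDATER_DISABLED', true );
// define( 'WP_AUTO_UPDATE_CORE', false );

// --- Hardened configuration ---
// In wp-config.php: apply every core release automatically (not just the
// minor/security releases that WordPress applies by default).
define( 'WP_AUTO_UPDATE_CORE', true );

// In wp-content/mu-plugins/auto-updates.php (assumed file name): filters are
// not available yet while wp-config.php is being read, so they have to live
// in a plugin. A must-use plugin cannot be deactivated from the dashboard.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
```

The split matters: `add_filter()` is not defined until after wp-config.php has been processed, so putting the filter lines in wp-config.php produces a fatal error rather than enabled updates. Keep the constant in wp-config.php and the filters in the mu-plugin.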