I have a number of smaller clients on Drupal. Since Drupal gets updated more frequently than Wordpress, and since (for 7 anyway; maybe 8 will be different) someone with a certain skill level with Drupal and FTP has to still do core updates, it is an extra running cost that Wordpress, for all intents and purposes, does not have (all updates can be done via the GUI and by the site owner).
My question is how do others in the community explain this issue to the client/site owner. I have clients who are not that familiar with the details of how websites work, and don't always follow technical lingo. I obviously have to charge for this service, so I am constantly working on my explanation / justification.
I always explain that it is not just a matter of accessing files on the admin pages, or even files on the server. A hacker who gains access could conceivably deface the site, or even insert a malicious script which can affect anonymous visitors.
I am rereading greggles' book Cracking Drupal just to get back up to speed and remind myself of certain factors, but was wondering how others in the community effectively explain this issue.
Thanks in advance for any insights provided!

Comments
Good questions
In my opinion and experience, this needs to be covered up front, even before there is an agreement to take over building or maintenance of a site for a client. It is much harder after the fact to not make it seem that you're now just trying to gouge them for more money.
I would think with some fine-tuning, the language could include: "From time to time, interactive web sites that allow for public access will need to be updated. Hackers are always looking for and creating new ways to hack web sites. Security is extremely important to me and one hacked web site doesn't just affect that one site's owner, but it can affect all the sites existing on a server. I don't want someone else's hacked web site to affect your site, and vice-versa. Because of this, I will need to do periodic updates of your web site, when these updates are released by the official Drupal foundation. I will also need to charge to complete these updates and test that your site is still up and functional. If you have any questions, blah blah blah" and so on.
That's my 2 cents on it.
Thanks
Thanks, plaverty. That's pretty much my script now, although I have to admit that when I first started I did not make this as clear as I should have up front.
As a sidenote, I think this is the hardest part to explain to smaller site owners who ask me about Wordpress. Wordpress doesn't have these running update costs, although other developers have told me that it has greater security issues than Drupal.
WP?
Ok, I see where you're coming from on the WP thing. I guess you can tell people that if they want to go the WP route that sure, they can update it themselves, but when it breaks, it's going to be really expensive to fix and result in a bunch of downtime. If they go with you managing it, you may have a better understanding of why it might break, proper testing and getting it back up when it does break, resulting in little or no downtime.
If they don't care about this kind of stuff, then yeah, go run it yourself.
False premise :)
I think one problem may be that you are undercharging your Wordpress clients. This statement is not quite right:
Whether or not this will work in Wordpress without breaking either the site or site functionality is hugely dependent on the specific plugins installed, as well as the gap between the installed version and the upgrade.
Most of the time it will work--this is one of Wordpress' great strengths--but if it doesn't the site will be broken/offline/irritating/etc until somebody reverts the file system and/or database to the last stable version.
In my opinion, this means that Wordpress updates should generally be treated like Drupal updates: backups of file system and db prior, and a content freeze just prior to running the upgrade. I'd say it also means that such upgrades should generally not be done by the clients themselves (all this assumes a relatively non-technical client...)
Drupal upgrades are also quite quick--there's not even time to make a cup of tea in the time it takes to run drush up views -y or drush up -y. The part that clients need to pay for is the developer's familiarity with the system, and ability to recover from upgrade disasters. This is much the same regardless of the system in question.
Full agreement
A Wordpress site needs to be backed up before site updates are made just like any other piece of web software. There's skill and knowledge in restoring a site. Also the time involved in creating backups should be charged for regardless of whether you're running WP, Drupal or CMS Made Simple.
I frame it to our clients that a CMS is just like any piece of software (a Microsoft Operating System is an easy analogy) and it will require security patches and bug fixes as time goes on. The bonus is that you might even get some new features or usability improvements depending on the module/plugin. :)