by David Snopek on February 1, 2016 - 8:14am
A couple of times now, we've gotten a reaction like this to our Drupal 6 Long-Term Support offering:
Your cheapest plan ($125/mo) is too expensive. We just want to keep getting security updates for Drupal 6, but don't want any support and maintenance. Can you provide a "security updates only" plan for us?
This is something we thought long and hard about...
A cheaper plan would appeal to a larger group of users, and allow us to work with people with smaller budgets. These are definitely things we want! We'd like to be able to help as many people as possible, and NOT only big enterprise companies with massive budgets (they can already get all the help they need).
But in the end, we decided that we'd be doing our customers a disservice by trying to reduce our offer any further.
Read more to find out why!
No matter what happens, we've got your back!
When someone signs up for a support and maintenance plan with myDropWizard, we want to be able to say, "no matter what happens, we've got your back!"
If we only notified you that security updates were available, then you'd still have to:
- Drop everything and perform the update before hackers started trying to exploit sites
- Test that the update doesn't break any critical functionality of your site
- Fix any issues caused by the update after the fact (if you didn't realize it broke the site before applying the update)
- Remediate in the case that your site gets hacked
The last point is super important, and I'll address it in detail in the next section.
But the big idea is, if we just provided you with the security updates, we'd be off the hook if the update wasn't applied quickly enough, or our update broke your site.
We want to be responsible for these things!
What if your site is hacked - and no update is available?
As part of the official Drupal 6 LTS, several vendors are collaborating to find and fix security issues in Drupal 6 core and all the contrib modules used by our customers.
But what if your site is hacked and no security update was made available in advance?
Of course, all the vendors will be doing their best to find and fix security vulnerabilities before they become a problem. But the facts of the situation are:
- Fewer people in the community will be looking at Drupal 6 code
- Fewer people will be reporting security issues
- Drupal 6 will still be a very tempting target for hackers (Drupal.org reports that there are still ~125,000 Drupal 6 sites)
If all we did was provide security updates, we'd be off the hook if your site was hacked before a security update was made for it. You'd be on your own!
This is why one of the most important serivces we provide is remediation if your site gets hacked. We'll help you restore from backups and fix the vulnerability the attacker used.
(And this is why we make our own daily backups of your site! Of course, you probably have your own backups - but what if they break, or it takes time to pull them? Also, to properly remediate we need a backup of the compromised site as well - which can get forgetten in the scramble to get the site back online. By keeping our own backups, we have everything we need, and can just get to work right way!)
We ensure your site stays online and secure
It isn't about the mechanics of providing security updates - it's about ensuring the result!
If we reduced our offering to just notification of the updates, the result wouldn't be our responsibility anymore, we'd feel like we weren't really looking after our customers and only doing half the job.
I hope that makes sense!