It’s not too surprising that the web is more complicated than most people are aware. There are some who probably still think that there is a single server delivering files that are just like any other document.
In reality, the web is made up of an ecosystem of different pieces of hardware and software. Most web pages are delivered with the help of a database and a lot of software to make it appear properly in your browser. After the content is assembled, it is usually cached for future use. The website might sit on a physical server or a virtual server. Busy sites might have many servers distributed in various data centers around the world.
Some static content may be delivered through a Content Delivery Network (CDN). This is a special network of servers where you can store your static content which will serve the file which will be fastest for the visitor.
Most small organizations just aren’t knowledgeable enough about their website to understand all the inter-related software and services that are involved, and why should they be, unless they are in the business.
It matters when people start thinking about securing their site. Far too often something is forgotten or not fully understood. We find that when people procure their own hosting solutions they assume that their provider is taking care of upgrades. Usually this isn’t the case, with the competitive nature of web hosting, generally all you can rely on is reliable power and Internet access.
The Linux kernel occasionally requires security upgrades which only take effect after the server has been restarted. Web servers like Apache and Nginx needed to be restarted after some upgrades too. Most organizations would like to have some control over when this is happening.
Sometimes updates have impacts on other pieces of the infrastructure. Countless websites have gone down because an upgrade was done on the server which impacted the sites which were hosted on it. With evolving languages like PHP, it is not unusual for functions to change names, have their functionality modified, or be deprecated and removed between releases.
Likewise, upgrades to CMS’s sometimes fail because they require more up-to-date versions of code on the server. For example, the performance improvements in PHP 7 are considerable. A lot of people will want to move to the latest code base for that reason alone, but don’t expect to be able to run your Drupal 7 site on it just yet.
Web hosting and application development are different fields, and one cannot simply outsource security upgrades for someone else to do. No web hosting company can “take care” of your server security in isolation of the application that is running on it. Ultimately, someone familiar with your website and its content needs to be involved in performing security upgrades.
Make sure you know what software you are using to deliver your website and keep it up-to-date. The need for organizations to understand security has never been higher.