For anybody managing a website’s content, having a content management system (CMS) is almost essential. A CMS allows quick and easy management of content, whether it’s a blog, page content, or updates to events or news. Pages can be edited live, reflecting how they look online, the links to the page and its function within the website, without the need to upload newly written files.
Many open source CMS solutions are widely available and fully editable, but they have a drawback on the security front: weaknesses found in their source code present a risk. Research carried out by EnableSecurity found that of around 40,000 WordPress websites, approximately 30,000 were vulnerable to security exploits, and all of these were identified using free automated tools. The study also highlighted that 75% of WordPress sites were vulnerable and drew attention to the need to significantly improve the security of a content management system.
Actions to secure your CMS
Updates and patches: received a notification of a patch or update? Act on it immediately! Whether it’s for your CMS or any other software, this is without doubt an absolute must, particularly if it is a third-party CMS solution. Similarly, for websites like WordPress that use plugins, always make sure the latest version of each plugin is being used. For added security, carry out a risk analysis on any software and plugins.
Patches need to be applied as soon as they are released to get a head start on any attacker targeting your un-updated system via publicly disclosed vulnerabilities. If it is a customized CMS platform, be especially cautious when implementing updates: some changes could affect the website’s performance and could even introduce new vulnerabilities.
A good method is to apply updates first in a test environment, such as an offline clone of the site, which reveals any negative effects of an update or patch before it reaches the live website.
Carry out regular backups: if all the website data was lost, what would be the outcome? Without a backup, especially with content management systems, that data is lost forever. Backups are extremely important for two principal reasons. Firstly, in the event of a cyber-attack, having a backup allows fast and safe recovery of the website and its data; the more often the site is backed up, the less data is at risk of being lost. Secondly, keep a backup of the data before updating any plugins or the CMS itself. If the update is not compatible with some elements of your website, and no test environment was used, there is the potential to lose all the data; a pre-patch backup avoids any corruption or loss. In addition, should an attacker gain access to your website and embed hidden code in the site as a backdoor, a pre-intrusion backup saves many hours of manually going through each line of code to check for errors and potential attacks: just restore the backup.
CMS admin accounts: a large number of websites worldwide use popular CMS platforms, such as WordPress and Joomla, with easy-to-use admin portals, but these portals can also be vulnerable to attack. Whilst the path to the portal can be changed to secure the data further, free, automated programs called crawlers and spiders are able to easily find the location of such an admin portal.
For CMS platforms that will be used by more than one person to manage content, an access management strategy and user permissions defining what each person can and cannot access on the CMS should be set, to avoid weaknesses in the system that are open to targeted attacks. It is good practice to implement an access management strategy: a risk assessment should be carried out for each level of privileged account, indicating the areas a user has been granted access to and ensuring that users are not permitted access to areas where that privilege is not needed.
For example, a magazine may create CMS accounts for journalists to upload articles, but with no permission to edit any other content. Similarly, to avoid account hijacking, CMS admin passwords should be as strong as they can be: dictionary words shouldn’t be used, and a range of special characters and numbers should be included.
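The magazine scenario above, worked through as a WordPress role definition. This is an added example, not code from the article: the role slug `journalist`, the function `journalist_role_overreach()` and the mu-plugins file location are assumptions; the capability names are WordPress's own.

```php
<?php
/**
 * Added example (not from the article): a least-privilege "journalist" role for
 * WordPress, matching the magazine scenario above. Place this file in
 * wp-content/mu-plugins/ so it loads on every request. The role can write,
 * upload media for and publish its OWN articles, but gets none of the
 * capabilities that touch other people's content, pages, themes, plugins,
 * users or site settings.
 */

// The role slug and label are assumptions made for this example.
const JOURNALIST_ROLE = 'journalist';

add_action( 'init', function () {
    // add_role() is a no-op when the role already exists, so calling it on
    // every request is safe; the capability list is the point.
    add_role( JOURNALIST_ROLE, 'Journalist', array(
        'read'                 => true, // view the dashboard
        'edit_posts'           => true, // create and edit own drafts
        'edit_published_posts' => true, // correct own live articles
        'publish_posts'        => true, // push own articles live
        'delete_posts'         => true, // remove own drafts
        'upload_files'         => true, // attach images to own articles
        // Deliberately absent: edit_others_posts, edit_pages, manage_options,
        // install_plugins, edit_theme_options, edit_users, unfiltered_html.
    ) );
} );

// Check for whoever sets this up: returns any capability the role has gained
// (e.g. granted by another plugin) that would let a hijacked journalist account
// reach beyond its own articles. An empty array means it is still least-privilege.
function journalist_role_overreach() {
    $forbidden = array(
        'edit_others_posts', 'edit_pages', 'manage_options', 'install_plugins',
        'activate_plugins', 'edit_theme_options', 'edit_users', 'create_users',
        'unfiltered_html', 'edit_files',
    );
    $role = get_role( JOURNALIST_ROLE );
    if ( ! $role ) {
        return array( 'role-missing' );
    }
    $found = array();
    foreach ( $forbidden as $cap ) {
        if ( $role->has_cap( $cap ) ) {
            $found[] = $cap;
        }
    }
    return $found;
}
```

Run `journalist_role_overreach()` (for instance via WP-CLI's `wp eval`) after every plugin update, since plugins sometimes add capabilities to existing roles.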
Implementing two-factor authentication (2FA) on your CMS login portals adds another layer of security. Anyone with the right permissions accessing the CMS platform from any device will also require a code to get in, making access to an unauthorized area nearly impossible, as long as the device itself hasn’t been hacked.
SSL certificates: having an SSL/TLS certificate lets the website be served over HTTPS, signalling to visitors that the connection is secure. It protects any data traveling between a client’s browser and the web server, preventing ‘man-in-the-middle’ attacks and stopping eavesdroppers from viewing login credentials in plain text.
Conclusion
There are many ways to secure a CMS and the above tips should help in performing a self-analysis of a current CMS to gain an insight into where it may lack security. Similarly, for anyone about to implement a CMS, these tips will help in pre-planning and implementation, highlighting the security aspects that must be considered and addressed in the development phase to ensure the protection of data.
JACK FOSTER BIO
Jack started out in marketing communications within a technology environment and over the past 20 years has written a wide range of articles, blogs, guides and white papers on a variety of IT and technology-related topics. With a keen interest in cyber and network security, VPNs, AI and digital transformation, Jack has written guest articles for a number of platforms as well as his own VPN Geeks forum.