How to secure your content management system

How to secure your content management system

Suppose you want to start your own blog or set up a website where you can easily manage its content, the way it looks, and how often it changes. What you need is a content management system (CMS).

WordPress, Drupal, and Joomla are some of the most popular content management systems used by both professionals and amateurs. The three I mentioned are open-source CMSes, meaning they are software with source code that anyone can inspect, modify, and enhance.

Open-source software hands us a double-edged sword. On one side, open-source software allows people the option to adapt it to their specific needs and preferences, and everyone can see what it does behind the curtain. But on the other side, those with bad intentions can study and probe the publicly-available source code until they find a bug, weakness, flaw, or feature they can abuse.

Who uses content management systems?

CMSes aren’t just used by individuals, but companies as well. Many companies, from small outfits to large enterprises, use a CMS in some form. They are ideal for blogs or other publishing outlets that change and update content often, but can also be used for any site that needs to add new information on a regular basis. Basically, they are used for website creation and management.

The advantages of using a well-known, open-source CMS are clear. They include:

  • A well-documented system that’s easy to install and adapt
  • A simple UI/UX design for easy management
  • Suitability for different kinds of content
  • Regular updates
  • Built-in logging (of visitors, users, and link backs)

Also, the availability of many plug-ins and themes with a wide variety of extra functionality, looks, and layouts for the CMS can be considered an advantage—most of the time. As long as they don’t introduce vulnerabilities or even backdoors into the system, they can be a welcome addition.

Update, update quickly, and don’t forget to patch

When using a CMS, and especially a popular one, you will have to keep an eye out for updates. Apply them at your earliest convenience and be sure to do so quickly if the updates are intended to patch a vulnerability that has been published. Website hijackers will make sure that they are aware of the latest vulnerabilities and go after any site that hasn’t been patched for it.


Also read: A look into Drupalgeddon’s client-side attacks


One problem with customized CMS versions is that you have to be careful during the updating process. Depending on the customizations that you made, updates can break the functionality that you added to the system. You will also have to make sure that your changes do not keep the vulnerability that you were supposed to be patching alive. What helps to prevent these problems is to make the changes in separate program modules and not in the main modules of the CMS, because those will get updated regularly.

Backups

While it is customary to create a backup before you apply updates or other important changes, it is also recommended to create regular backups—weekly or even daily, depending on how often you post to the CMS.

wp scheduled updates

A weekly backup is adequate for many websites.

If you should find out that some intruder made changes to your website, it is a good idea to have a recent backup that you can restore without losing too much work, and without having to comb through every piece of code to check if anything else has been tampered with. Delete the files of the compromised CMS before restoring the update to make sure that none of the attacker’s files are left behind. Remember that when the attacker gained access, he also gained the ability to change your CMS and run his code on your server.

Security by obscurity

We are not saying that using a less popular CMS is better. Trying to maintain security through keeping a low profile should never be a goal in itself. If businesses happen to like a less popular CMS, they should still make sure that it is secure and maintained in a way that is acceptable for their organization.

If you have the resources and in-house knowledge to build your own system and keep it secure, good for you. If it pays off for your company to have a custom-built CMS, then you will have a specialized partner that can keep things under control and be able to solve any problems you find with it. Even better. But for most companies, it is so much easier to use one of the popular content management systems. If this is true for you, you will also be responsible for keeping it updated and secure.

CMS security in a nutshell

There are a few obvious and easy-to-remember rules to keep in mind if you want to use a CMS without compromising your security. They are as follows:

  • Choose your CMS with both functionality and security in mind.
  • Choose your plug-ins wisely.
  • Update with urgency.
  • Keep track of the changes to your site and their source code.
  • Use secure passwords (or 2FA).
  • Give the user permissions (and their levels of access) a lot of thought.
  • Be weary of SQL injection.
  • If you allow uploads, limit the type of files to non-executables and monitor them closely.

For websites that require even more security, there are specialized vulnerability scanners and application firewalls that you may want to look into. This is especially true if you are a popular target for people that would love to deface or abuse your website.

If the CMS is hosted on your own servers, be aware of the dangers that this setup brings. Remember that you are relying on open-source code. Running it on your own servers should be met with special precautions to keep it separated from other work servers.

Secure your CMSes and protect your home or business from introducing vulnerabilities into the heart of their networks. By doing this, you make the web a safer place!

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.