With a modern Content Management System, even small companies can create rich web experiences. In fact, based on an analysis by w3techs of the top 10 million sites, only 43.7% of websites are not using a recognized CMS. That means more than half of the top sites are using a CMS. Further analysis shows that among systems with a CMS, WordPress accounts for 61% of all CMS sites and 34.3% of the top 10 million sites. It would make sense, then, that the prolific use of CMSs has not escaped the watchful eyes of cybercriminals. And honestly, they have a good reason to pay attention. Based on an analysis of over 40,000 WordPress sites in the Alexa Top 1 Million, a staggering 70% are vulnerable to hacker attacks. This opportunity has not been missed by cybercriminals: based on data from Sucuri, 90% of websites hacked in 2018 used the open source WordPress as a CMS. So how can you enjoy the ability and freedom of designing incredible web experiences with a CMS, but still keep your web property safe?
To Open Source or Not to Open Source, that is the question…

To quickly recap a previous article by Primacy on Finding the Right CMS For Your Organization: an open source CMS typically makes the source code of the core of the application available to the public. This accomplishes several things (for CMSs with larger developer communities):
- Typically the software licensing is free or much less expensive than the alternative (closed or proprietary CMS)
- The base CMS code is extensively tested by the community which usually results in faster bug identification and remediation
- Support for issues comes from an entire community of developers and users
- Modifications and customizations are relatively easy for platforms with active developer communities
- There are a wide variety of plug-ins that are designed to provide additional functionality
- Security gaps and vulnerabilities are being tracked by the entire community, which means plenty of users that can report potential security holes in the CMS.
With a closed or proprietary CMS, by contrast:
- Typically there are recurring license expenses that can be markedly more expensive than an Open Source alternative
- Support of the system is managed by internal resources that are trained on the product and its functions
- Security patches are tested and patched by the CMS vendor
- The CMS vendor manages all of the components of their system and verifies the system’s performance and security.
- Bugs are discovered and reported to the CMS vendor, whose pipeline works on fixing issues based on priority.
Steps to Secure your CMS

There is a term used in cybersecurity circles: defense in depth. It basically means that when defending an information resource you need several layers of defense. There is no perfect or unbeatable security solution, but implementing multiple layers of protection increases the difficulty of compromising your system. When defending your system from compromise you should consider these 4 factors:
Pick the Right Neighborhood

The internet can be a dangerous place, but there are many hosting vendors that offer effective and secure hosting options for your web solution. Look for vendors that understand the complexity of securing the specific CMS you are looking to implement. Good hosting vendors will:
- Implement a secure firewall that sits in front of your web site to protect it from known attacks
- Offer the ability to lock the IPs that have access to the login screen
- Offer you the ability to back up your system
- Offer additional managed security offerings
Lock the Windows

The vast majority of compromises occur due to a lack of patch discipline for the core open source CMS, or a compromise of vulnerable plug-ins or themes. It is important that you subscribe to a service that alerts you to vulnerable plug-ins and themes. This is critical, as there are numerous free services online that give attackers the ability to scan your site for vulnerabilities. In essence, these vulnerabilities represent an open window into your systems. To protect against this, take these steps:
- Audit your plugins and themes
- Ensure you update outdated or compromised versions of your CMS, themes, or plugins
- Implement SSL/HTTPS
Lock the Doors

Another common threat vector is compromised credentials. It is essential to take every possible precaution with regard to defending the administrative credentials of your CMS. These are, after all, the proverbial keys to the kingdom. There are several key steps that you can take to defend your credentials. These include:
- Remove the default admin account
- Harden your access control with strong user account names and passwords
- Limit login attempts
- Implement Captcha or other bot defenses for logon attempts
- Restrict access to login site to authorized IPs
- Implement multi-factor authentication
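Three of the steps above (limiting login attempts, restricting the login page to authorized IPs, and locking an account after repeated failures) can be modelled in a few lines. The following is an added example written for this article, not WordPress code or any plugin's code: a small `LoginGuard` class that keeps a sliding window of failed attempts per source IP and per username, applies a temporary lockout, and rejects any request to the login page from outside an allowlist. The network ranges, the thresholds (5 failures within 10 minutes, 15-minute lockout) and the login events in `run_sample()` are constructed sample values.

```python
"""Added example (not the page's or WordPress's code): login-attempt limiting
with a temporary lockout plus an IP allowlist for the admin login page.
The networks and the login events in run_sample() are constructed sample data."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


class LoginGuard:
    def __init__(self, max_failures=5, window_seconds=600, lockout_seconds=900,
                 allowed_networks=()):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        # An empty allowlist means the login page is not IP-restricted.
        self.allowed = [ip_network(n) for n in allowed_networks]
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time at which the lockout expires

    def ip_allowed(self, ip):
        if not self.allowed:
            return True
        addr = ip_address(ip)
        return any(addr in net for net in self.allowed)

    def _recent_failures(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        return len(q)

    def check(self, ip, username, credentials_ok, now):
        """Decide one login attempt. 'now' is a timestamp in seconds, passed in
        so the logic is deterministic; a real deployment would use time.time()."""
        if not self.ip_allowed(ip):
            return "blocked: source IP not on the allowlist"
        # Count failures against both the source IP and the target account, so
        # both a single noisy source and a spray against one account are slowed.
        keys = (("ip", ip), ("user", username))
        if any(now < self.locked_until.get(k, 0) for k in keys):
            return "blocked: locked out"
        if credentials_ok:
            for k in keys:
                self.failures[k].clear()  # a good login resets the counters
            return "allowed"
        for k in keys:
            self.failures[k].append(now)
            if self._recent_failures(k, now) >= self.max_failures:
                self.locked_until[k] = now + self.lockout
        if any(now < self.locked_until.get(k, 0) for k in keys):
            return f"denied: locked out for {self.lockout}s after {self.max_failures} failures"
        return "denied: invalid credentials"


def run_sample():
    """Drive the guard with constructed events (documentation IP ranges)."""
    guard = LoginGuard(allowed_networks=["203.0.113.0/24", "198.51.100.7/32"])
    events = [
        ("192.0.2.10", "admin", False, 0),        # source outside the allowlist
        ("203.0.113.5", "admin", False, 1),
        ("203.0.113.5", "admin", False, 2),
        ("203.0.113.5", "admin", False, 3),
        ("203.0.113.5", "admin", False, 4),
        ("203.0.113.5", "admin", False, 5),       # fifth failure triggers the lockout
        ("203.0.113.5", "admin", True, 6),        # right password, but still locked
        ("203.0.113.9", "admin", True, 7),        # other IP: the account itself is locked
        ("198.51.100.7", "editor", True, 8),      # unrelated user is unaffected
        ("203.0.113.5", "admin", True, 5 + 900 + 1),  # lockout has expired
    ]
    return [guard.check(*event) for event in events]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

On a real WordPress site these controls usually live in front of the application (a web server rule or hosting firewall for the IP allowlist, a security plugin for the attempt limiter) rather than in the CMS itself; the point of the model is the policy, in particular that a lockout should apply to the targeted account as well as to the offending IP.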
Install a Security System

There are specific plug-ins that provide additional security and add another layer of defense and detection. These tools not only protect your sensitive data but also alert you to anomalous activities on your site, and can provide critical indicators that your site has been compromised. Installing these protections will provide critical information that can help you defend your site, your visitors and your reputation:
- Consider Security Plugins
- Install Monitoring Software to detect breaches
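One of the simplest and most useful forms of breach monitoring for a CMS is file-integrity checking: take a baseline of hashes from a known-good install, then periodically rescan and report anything added, removed or changed. The example below is added here and is not code from the page, from WordPress, or from any security plugin. It builds a tiny constructed site tree in a temporary directory, takes a baseline, simulates two changes a later scan might find (edited theme code and an unexpected PHP file under the uploads directory), and flags them. The heuristic in `suspicious()` (PHP under uploads, changes to theme or plugin code) is an assumption of this example rather than a rule from the page.

```python
"""Added example (not the page's or WordPress's code): a minimal file-integrity
monitor. A baseline of SHA-256 hashes is taken from a known-good install and a
later scan reports files that were added, removed or modified. The directory
tree built in run_demo() is constructed sample data."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare(baseline, current):
    """Diff two manifests; lists are sorted so results are deterministic."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def suspicious(report):
    """Heuristic (an assumption of this example, not a WordPress rule): flag any
    PHP file appearing under uploads, which should only hold media, and any
    change to theme or plugin code, which should only happen during updates."""
    flags = []
    for p in report["added"]:
        if p.startswith("wp-content/uploads/") and p.endswith(".php"):
            flags.append(f"new PHP file in uploads: {p}")
    for p in report["modified"]:
        if p.startswith(("wp-content/themes/", "wp-content/plugins/")):
            flags.append(f"theme/plugin code changed: {p}")
    return flags


def run_demo():
    """Build a constructed site tree, baseline it, alter it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        files = {
            "index.php": "<?php // front controller\n",
            "wp-content/themes/demo/functions.php": "<?php // theme functions\n",
            "wp-content/uploads/2019/photo.jpg": "sample bytes standing in for an image\n",
        }
        for rel, body in files.items():
            target = site / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        baseline = hash_tree(site)

        # Simulate what a later scan might find (constructed, no real payload):
        # an edit to theme code and an unexpected PHP file under uploads.
        (site / "wp-content/themes/demo/functions.php").write_text(
            "<?php // theme functions\n// unexpected edit\n")
        (site / "wp-content/uploads/2019/unexpected.php").write_text(
            "<?php // unexpected file\n")

        report = compare(baseline, hash_tree(site))
        return report, suspicious(report)


if __name__ == "__main__":
    report, flags = run_demo()
    print(report)
    for flag in flags:
        print("ALERT:", flag)
```

In practice the baseline must be stored somewhere the web server cannot write to, and it has to be refreshed after every legitimate update, otherwise the monitor either misses changes or drowns you in alerts. For the WordPress core files specifically, WP-CLI's `wp core verify-checksums` performs the same comparison against the checksums published for each release, so a custom monitor like this one is most useful for themes, plugins and the uploads directory.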