February 19, 2016

Important Steps to Secure Your CMS

Most Important Step to Secure Your CMS

Content Management Systems (CMS) are great for quickly deploying websites and in most cases require very little expertise to do so. For example, WordPress is known for its famous 5-minute install. Other popular CMSes include Joomla, Magento, Drupal, and many others. There are literally hundreds of available CMSes to use to manage, maintain, edit, and publish content online.

However, just because the install and management of the system are easy doesn’t mean you should install it once and forget it. It also doesn’t necessarily mean it’s secure out-of-the-box. See the following links for best practices when installing and configuring some of the most popular CMSes:

WordPress Best Practices – http://codex.wordpress.org/Hardening_WordPress
Joomla Best Practices – https://docs.joomla.org/Security_Checklist
Magento Best Practices – https://magento.com/security/best-practices
Drupal Best Practices – https://www.drupal.org/best-practices

It’s well worth spending a few extra minutes reviewing the security best practices for your CMS and implementing those suggestions. It’s also very important to stay up-to-date, because patches that fix critical issues are released often. Some of the recent critical issues are listed below:

WordPress – A critical flaw allows XSS attacks against WordPress sites
Joomla – A 0-day remote code execution flaw was recently discovered
Magento – A critical flaw allows access to credit card data
Drupal – Critical XSS and SQL Injections flaws were recently discovered

If your site is using a CMS, it should be kept up-to-date at all times. Keeping the site up-to-date is just one step in the process. You should also keep any themes, extensions, plugins, etc. up-to-date as well. Any themes, extensions, plugins, etc. that are not in use should be deleted. Updates to CMSes are typically released quickly when a vulnerability is found, especially in the case where the vulnerability is a 0-day exploit. 0-day exploits are holes found in software, unknown to the software vendor, that leave the application susceptible to hackers who exploit the vulnerability before it can be patched. For a quick list of the latest security updates for the above CMSes, see the links below:

WordPress Security Releases – https://wordpress.org/news/category/releases/
Joomla Security Releases – http://feeds.joomla.org/JoomlaSecurityNews
Magento Security Releases – https://magento.com/security
Drupal Security Releases – https://www.drupal.org/security

If possible, you should subscribe to these sites via email or via any available RSS feed so you’re alerted to any security or major releases that occur. The number one cause of compromises that we see on a monthly basis is neglected code and old installs that were never updated.
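As an added example (not code from the original post), the following Python check automates the advice above for WordPress: it parses the item titles of the release feed, finds the newest published version, and reports whether an installed copy is behind. The feed text is constructed sample data and the function names are my own; for a live check you would fetch the RSS feed of the releases page linked above instead.

```python
"""Compare an installed WordPress version against the release feed.

Added example, not the post's own code. Release titles look like
"WordPress 4.4.2 Security and Maintenance Release"; the version number in
each title is extracted and the highest one is treated as the current release.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample feed: same shape as a real RSS release feed, versions chosen for illustration.
SAMPLE_FEED = """<rss version="2.0"><channel>
<item><title>WordPress 4.4.2 Security and Maintenance Release</title></item>
<item><title>State of the Word 2015</title></item>
<item><title>WordPress 4.4.1 Security and Maintenance Release</title></item>
<item><title>WordPress 4.4 “Clifford”</title></item>
</channel></rss>"""

VERSION_RE = re.compile(r"WordPress (\d+(?:\.\d+)*)")


def parse_version(text):
    """'4.4.2' -> (4, 4, 2); '4.4' -> (4, 4, 0) so major releases compare sanely with their point releases."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def release_versions(feed_xml):
    """Return every version mentioned in an item title, newest first; non-release posts are skipped."""
    root = ET.fromstring(feed_xml)
    versions = set()
    for title in root.iterfind("./channel/item/title"):
        match = VERSION_RE.search(title.text or "")
        if match:
            versions.add(parse_version(match.group(1)))
    return sorted(versions, reverse=True)


def update_status(installed, feed_xml):
    """Return (needs_update, latest_version_string) for the installed version."""
    versions = release_versions(feed_xml)
    if not versions:
        raise ValueError("no release versions found in feed")
    latest = versions[0]
    return parse_version(installed) < latest, ".".join(map(str, latest))


if __name__ == "__main__":
    behind, latest = update_status("4.4", SAMPLE_FEED)
    print("behind" if behind else "current", "- newest release in feed is", latest)
```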

Many customers often ask “Why attack us? We don’t have anything to hide!”. While that may be true, if a site is on the internet, it’s guaranteed to be attacked at some point in time. The attackers don’t care about what your business does or what you have to hide (or not hide). Some cyber attackers hack for the “fun of it” and to prove a point. Other attackers are after whatever financial data may be available. Ultimately, it doesn’t matter why you were attacked; what matters is how you make your website a less desirable target. Think of it like this:

If you live in a house with a wooden door that doesn’t have a deadbolt or an alarm system, a robber is likely to try your door before he or she tries to attack the house next door that has a steel door, deadbolt, and a security system. In the end, it’s all about how easy it is and how desirable your house looks. The same analogy can be applied to websites.

The majority of compromises against a site can be mitigated by keeping your core CMS at the latest version and keeping all of its relevant parts (plugins, themes, etc.) updated to the latest versions as well. Being proactive and taking that simple step can save you in the future from the hassle of cleaning up after a compromise, downtime, and loss of customer confidence in your site.

Edge Hosting is a leading managed cloud hosting provider that takes a proactive approach to securing our customers’ databases, applications, and websites. Our engineers have extensive experience in PHP-based applications including WordPress, Drupal, Joomla and many others. We partner with you to architect a highly secure hosting environment that guarantees 100% uptime for you and your customers.
