Your organization probably works with a Content Management Systems (CMS) such as WordPress and Drupal. Choosing a CMS involves consideration of the functionalities and features you need – but whether you’re selecting a CMS now or you already have one deployed, be sure you don’t overlook one of the most important aspects of any web-based software or service: security.
CMS solutions make it easy for users to create web content and publish it to a website without learning HTML and web development. In addition to creation, formatting and publishing, a CMS also includes related functions such as searching and retrieving content, format management for converting scanned documents into HTML, and revision control that tracks what changes are made and by whom.
A major difference between printed and electronic content is that the latter can be easily corrected, updated or otherwise changed at any point after publication. An important function of CMS is to manage the evolving versions of each piece of work, often involving multiple authors and editors.
Like other web server software and services, CMS is a popular target for attackers, so it’s imperative that you take steps to secure your CMS.
Whether you run your own CMS server or use a cloud-based service, security is an issue that you shouldn’t ignore. The most popular CMS solutions, such as WordPress, Drupal and Joomla, are based on open source code. This means they have the same security benefits – and disadvantages – as other open source software.
Vulnerabilities can be discovered and patched more quickly because anyone can access, evaluate and make modifications to the code. On the other hand, these fixes may not be distributed as universally and the source code is also available to attackers, which may make it easier for them to develop exploits for it. There is also the issue of accountability, which with open source is often not clear-cut.
Popular CMS solutions – like any very popular software in widespread usage (think Windows) – is an attractive target for attackers because of the size of the potential victim pool. Automated large-scale attacks against WordPress-based websites are not uncommon, and no wonder, with an estimated 20% or more of websites now running on it. There are even websites dedicated to instructing aspiring hackers on how to hack WordPress.
The many plug-ins that are available for CMS platforms also increase the attack surface and expose your installation to additional threats. These third party plug-ins (many of which are very popular and installed on millions of CMS deployments) are developed by many different devs, with varying degrees of security, and each has its own individual vulnerabilities that can be exploited.
Anatomy of a WordPress attack
In this example, we’ll be looking at WordPress since it’s a CMS that’s used by so many large and small organizations. However, some of these concerns and countermeasures are also applicable to other platforms.
An attack against WordPress can take many forms – which means a multi-layered defense in depth strategy is necessary to protect it. Attacks include brute force attacks to crack admin credentials and penetrate services such as SSH, databases, server management etc.; vulnerability exploits against the server operating system or the WordPress application itself; attacks on installed plugins.
An attack begins with surveilling the site to find out the software version (because different versions have different known vulnerabilities), attempting to view contents of directories, and analyzing which plugins are installed either using HTTP requests or scripts/tools to automate the process. This is the reconnaissance phase in which the attacker is gathering information.
The attacker will then move into the active attack phase, in which passwords will be cracked via brute force, social engineering or even intercepting clear text passwords by sniffing network packets or from password-stealing malware on the machine.
The application can be attacked using SQL injection, remote code execution, cross-site scripting and other common exploits once vulnerabilities have been discovered. There are many vulnerability scanners available that the attacker can use to find the weaknesses on a system, including port scanners that look for open ports that might offer the attacker a way in, and more broad-range scanners that search for vulnerable scripts, misconfigurations that leave the system vulnerable, and many other exploitable characteristics of the network, the server and the application.
Roles and responsibilities
If your organization hosts its own CMS servers on premises, the responsibility for securing them obviously lies with your in-house IT department. However, if you use a hosted CMS service, the division of responsibility for security measures can be a little cloudier (pun intended).
Whether you use the WordPress.com site as many small companies do or use a third-party WordPress hosting service, security of the servers is obviously the job of the hosting service. WordPress.com regularly monitors for potentially harmful activity and unauthorized access to content. WordPress hosting providers such as Bluehost, SiteGround and iPage do the same, as do hosting services for other CSM platforms.
When selecting a WordPress hosting provider, it’s important to understand the difference between shared hosting, in which multiple customer sites share one WP server, and managed hosting, in which the host takes care of everything for you, including security and premium support services. Managed hosting companies generally provide very tight security, along with daily backups, automatic updates and more. Of course, you get what you pay for; managed hosting is significantly more expensive.
In any event, even with a managed hosting service, there are still some things that you can do to help increase the security of your CSM.
Important: Remember that, just as the ultimate legal liability for the accuracy of your tax returns falls on you, not your tax preparer, similarly the ultimate responsibility for the security of a CSM site belongs to the owner, not the host.
CSM breach prevention and mitigation
Security begins with identity and in most cases, CSM still rely on traditional usernames and passwords to authenticate identity. Thus the passwords used by both users and administrators of the CSM need to follow best practices. As with all passwords, they should be hard to guess but easy to remember, so relatively lengthy passphrases based on a random collection of words work best. Or you can use passwords randomly generated by a good password manager.
Multi-factor authentication, when available, provides much better protection for accounts than passwords/phrases. WordPress.com and many other providers offer a two-step authentication option that sends an authentication code to your smartphone via an app or text message. You enter this in addition to your password/phrase.
A simple but often overlooked means of making it harder for hackers is to logout of your account when you’re finished, especially if you work in a shared environment.
You should also take advantage of the ability to assign roles and/or permissions. WordPress allows you to set different roles for different users, such as Contributor (can draft posts but not publish), Author (can publish his/her own posts), Editor (can publish or edit their own and others’ posts) and Administrator (can change settings and has complete control of the site). Limit the number of persons who have administrative access.
If you’re running your own WordPress servers, you have full responsibility for security and should take steps to harden and lock down the software.
NOTE: We mentioned shared hosting and managed hosting concepts above; when you install WordPress on your own servers, this is called self hosting.
Follow the principle of least privilege: users and applications should have permissions only for the resources they need and no more, and only for as long as they need it. This goes double for administrators, who have the most power.
Implement a multi-layered defense plan that includes firewalls, anti-malware, security monitoring and auditing solutions, multi-factor authentication, roles and permissions, and more. Of course, the CSM software should always be kept updated with the latest security fixes.
Keep plugins in check
Just as you should remove or disable features in the server OS that aren’t needed, you should also remove or disable any application plugins that you don’t need, and only install plugins and themes that come from sources you trust. Backup the data and databases on a regular basis.
Finally, there are security plugins available for WordPress and some other CSMs that can help with preventing and/or detecting suspicious activity, as well as auditing and change management add-ons that can give you more detailed tracking of activities.
Content management can be a challenge in today’s information-intensive working environments, and CMS can help you to get a handle on the creation, publication and organization of all that content – but don’t forget the need for security to protect your information, and (if you’re self-hosting) your servers and network, as well.