Content management systems have become popular and necessary as a way to organize, manage and secure organizational web and enterprise content. At the same time, a CMS offers multiple attack opportunities for targeting commercial or public sector data. How can IT, administrators, creative personnel, and developers ensure CMS security?
In the last year alone, more than 18 million CMS users suffered security breaches. Nearly three out of every four well-known websites (73.2%) are managed with WordPress, the most widely used CMS. Additionally, nearly 55% of all attacks were application-specific (33%) or web-application (22%) attacks.
Types of Content Management Systems
As an overview, there are three broad types of CMS software: open source, proprietary, and Software-as-a-Service CMS.
- You can install and manage an open-source CMS on a web server. While most solutions work out of the box, countless customizations are available to meet the different business needs, such as plugins for e-commerce websites, tools to help you optimize content for search engines, or ways to customize your design themes and layouts.
- Proprietary or commercial CMS software is built and managed by a single company. Using such a CMS generally involves paying a license fee for the software, plus monthly or annual charges for updates or support. You may also need to pay additional costs for customization and upgrades, as well as for training and ongoing technical or user support.
- SaaS CMS solutions commonly bundle web content management software, web hosting, and technical support from a single supplier. These are virtual solutions hosted in the cloud and sold on a subscription model, usually on a per-user or per-site basis. The pricing usually includes data transfer fees (i.e., bandwidth to and from your site), storage for your content and data, and ongoing support.
Threats to Content Management Systems
Websites built on any of these CMS types are vulnerable to attack. The most common threats include:
- Data Manipulation: SQL injection and tampering with parameters or settings are popular attacks. Attackers insert malicious SQL statements into an entry field so that the database executes them.
- Accessing Data: Using SQL injection or Cross-Site Scripting (XSS) to compromise user data. The attacker uses the web application to deliver malicious code, generally a browser-side script or malicious SQL statements.
- Code Injection: This attack can affect the whole server running a website. Code injections can result in lost or corrupted data, lack of accountability or denial of access.
- Spam: Web crawlers scan the Internet for valid email addresses and send spam accordingly. Attackers can also use an application vulnerability to send spam through the application’s server, turning it into a spam relay server.
- Broken Authentication: This term refers to the incorrect implementation of authentication mechanisms, while the related term Session Management covers the associated functions such as logging off, session expiry, secret questions, password reset, etc. If the authentication mechanisms have not been properly implemented, an attacker can exploit the weakness to gain more rights over the application. Examples of a poorly implemented authentication process include returning a different error for each kind of failed login (which reveals valid usernames), an improper process for recovering a forgotten password, no protection against an excessive number of login attempts or reminders, and weak authentication questions.
- Sensitive Data Exposure: This attack compromises the confidentiality and integrity of data. Many web applications fail to protect sensitive data (e.g., credit card information or authentication credentials) with appropriate encryption. For transferring such data, web applications can use the secure version of the HTTP protocol, HTTPS (Hypertext Transfer Protocol Secure), which uses SSL (Secure Sockets Layer) to protect messages transmitted over the network. Sensitive data should be stored by the web application in encrypted form and should remain encrypted while in transit across the network, to ensure its integrity and confidentiality.
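Two of the Broken Authentication weaknesses listed above are a different error for each kind of failed login and no limit on attempts. This added example (not code from any CMS) is a small login check that returns one generic message whether the username is unknown or the password is wrong, performs the same hashing work in both cases, and locks the account after a fixed number of failures. The user store and the attempt limit are constructed for the example.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5  # constructed threshold for this example
GENERIC_ERROR = "Invalid username or password."  # same text for unknown user and wrong password
LOCKED_ERROR = "Account temporarily locked."
# Dummy salt/digest used when the username does not exist, so the code path
# (and its cost) is the same as for a real user.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_DIGEST = b"\x00" * 32


def hash_password(password, salt=None):
    # PBKDF2-HMAC-SHA256 with a random per-user salt; returns (salt, digest).
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class Authenticator:
    def __init__(self, users):
        # users: {username: (salt, digest)}; failures: per-username failed-attempt counter.
        self.users = users
        self.failures = {}

    def login(self, username, password):
        # Lockout is checked first, so a locked account cannot be brute-forced further.
        if self.failures.get(username, 0) >= MAX_ATTEMPTS:
            return False, LOCKED_ERROR
        record = self.users.get(username)
        salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_DIGEST)
        _, candidate = hash_password(password, salt)
        # compare_digest is constant-time; the 'record is not None' check keeps
        # a dummy match from ever succeeding.
        ok = record is not None and hmac.compare_digest(candidate, stored)
        if ok:
            self.failures.pop(username, None)
            return True, "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return False, GENERIC_ERROR


def build_demo():
    # Constructed single-user store for the example.
    salt, digest = hash_password("correct horse battery staple")
    return Authenticator({"alice": (salt, digest)})
```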
Breach Prevention in Content Management Systems
Although the threats are numerous, there are proven ways to shore up your CMS defenses. All teams should consider:
- Strong Passwords: The passwords used by both users and administrators of the CMS need to follow best practices. As with all passwords, they should be hard to guess but easy to remember, so relatively lengthy passphrases based on a random collection of words work best. Or you can use passwords randomly generated by a good password manager.
- Multi-Factor Authentication: Multi-factor authentication, when available, provides much better protection for accounts than passwords/phrases.
- Assign Access Roles: You should also take advantage of the ability to assign roles and/or permissions. WordPress allows you to set different roles for different users, such as Contributor (can draft posts but not publish), Author (can publish his/her own posts), Editor (can publish or edit their own and others’ posts) and Administrator (can change settings and has complete control of the site). Limit the number of persons who have administrative access.
- Layered Security: Opt for a Web Application Firewall (WAF), which adds an extra layer of security to your CMS website to stay protected from attacks.
- Check your Plugins: Although the best plugins and themes are often premium, there are quality free ones as well. Quality in this case means a good track record, which you can assess by studying their reviews and number of downloads. The more reviews available, the more accurate your assessment. Never use pirated plugins or themes.
- SSL Certificate: Install an SSL certificate on your web server, which establishes a secure connection between your server and the client.
- Have a Backup: This allows you to reset your compromised website back to its previous state. Do this after you have identified and corrected the security weakness that caused your site to get hacked.
Conclusion
Content management can be a challenge in today’s information-intensive working environments, and CMS can help you to get a handle on the creation, publication, and organization of all that content—but don’t forget the need for security to protect your information, and (if you’re self-hosting) your servers and network, as well.