Why CMS security matters
A CMS is a web-based application asset that can be an attacker's target, just like any other web application. Built on commonly used web technologies such as HTML and CSS, a CMS helps manage the creation and modification of digital content, e.g., a website or blog.
Challenges with securing a CMS
While many organizations spend resources on securing their main applications (e.g., website.com), they often neglect to audit the security of subdomains across their entire attack surface, such as blog.website.com. More often than not, it is the technology rather than the content itself that interests attackers, which is why CMS security also needs attention.
A CMS is also exposed through its plug-ins. Vulnerabilities in WordPress plug-ins, for example, are a frequent attack vector, and such plug-ins often leak sensitive information without you even noticing. Every plug-in added to your CMS substantially increases the risk of your site becoming vulnerable. It is also essential that organizations keep their plug-ins updated to the latest version to avoid running plug-ins with unresolved security issues.
CMS security tips
1. Use the latest version of your CMS
If you are running an older version of your CMS, upgrade it; the CMS's technical resources page is the place to check for the latest release information.
2. Use a password manager
It's a no-brainer that your CMS password must be strong. A password should be generated via a password manager, and you shouldn't be able to remember it! Another tip is to not change it too often. Contrary to popular belief, changing your password regularly can do more harm than good, as you are more likely to choose a weak password that's easy to remember.
3. Add two-factor authentication
Strong passwords are great, but there's always an extra layer of security to add to the mix. Adding two-step authentication to your login is a simple yet powerful measure.
4. Manage the admin panel
Exposing your CMS admin panel to the internet lets an attacker brute-force the login. The attacker can test common passwords, which is likely to succeed because many people reuse them. Exposing the admin panel also widens the attack surface and gives attackers one more page to check for vulnerabilities.
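A quick way to see whether an exposed admin login is being brute-forced is to count login POSTs per source address in the web server's access log. The script below is an added example, not Detectify's code and not part of the original page. It runs over constructed combined-format log lines embedded in the script, assumes the login endpoint is /wp-login.php, and flags any address that posts to it five or more times within one minute; the endpoint, threshold and window are parameters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the common "combined" web-server log format (not real traffic).
# 203.0.113.7 hammers the login form; 198.51.100.2 is a normal user who mistypes once;
# 192.0.2.9 posts repeatedly but only once every two minutes. The last line is malformed on purpose.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:12:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:12:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:12:00:35 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:12:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:12:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:12:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:12:07:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:12:09:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:12:11:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line into (ip, timestamp, method, path, status); None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?")[0]  # ignore any query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def find_bruteforce(log_text, login_path="/wp-login.php", threshold=5, window_seconds=60):
    """Flag source IPs that POST to the login page at least `threshold` times within
    any `window_seconds` span. Returns {ip: peak number of attempts seen in one window}."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e[1])  # process in time order even if the log is interleaved
    recent = defaultdict(deque)      # per-IP sliding window of login POST timestamps
    flagged = {}
    for ip, ts, method, path, _status in events:
        if method != "POST" or path != login_path:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs within 60s, candidate for rate limiting or blocking")
```

Detection here is purely by rate, so it does not distinguish failed from successful logins; the natural responses are the ones the tip above implies: rate-limit or restrict the admin path to known addresses rather than leaving it reachable from everywhere.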
5. Stay up to date with the latest vulnerabilities
CMS security with Detectify
Popular CMS solutions are an attractive target for attackers. With Detectify, you can:
Stay on top of the latest vulnerabilities
New vulnerabilities and issues emerge all the time. You'll get access to the latest vulnerability scanning with constant monitoring and scanning of your attack surface.
Continuous scanning across the attack surface
Test your CMS continuously for the latest vulnerabilities with recurring weekly scans in development, staging, and production environments.
See what you need to update
CMS updates often reveal vulnerabilities in previous versions in the changelog, exposing websites that are not automatically updated.
Find business-critical vulnerabilities
The more you add to your CMS installation, the higher the risk of your site becoming vulnerable. Identify and remediate the most business-critical vulnerabilities.
Integrate directly into your workflow
Set up Slack, Jira, Trello, Splunk, OpsGenie, and Webhooks integrations to receive results in the tools you prefer.
Go beyond OWASP Top 10
Find SQL injections, vulnerabilities behind authentication, input sanitization problems, SSL and encryption misconfigurations, and more.
Which CMS is more secure - open-source vs. closed-source content management platforms
Cost and usability are usually key factors when deciding whether to implement a closed or open-source CMS. It's also important to consider the security maintenance needed to keep the CMS running.
Using an open-source program means that anyone can access the source code, and there is freedom to change and customize it for your website's needs. Many eyes on the code also means attackers are potentially interested in testing and breaking it, especially on widely used platforms. Examples of open-source CMSs are WordPress, Joomla, and Drupal.
Some people test and probe the security of closed-source CMS platforms, but at a different rate than for open-source platforms. However, closed-source platforms have internal security teams testing and making fixes to keep up with security challenges. Examples of closed-source CMSs include SharePoint, Blogger, and Shopify.
At Detectify, we can scan for vulnerabilities on both open-source and closed platforms.
What are the differences between open-source and closed-source CMS platforms?
Open-source CMS platforms:
- Often low cost or free.
- Anyone can view the source code and modify it to their needs.
- Developers can contribute features in the form of plug-ins and themes.
- No one 'owns' the platform itself or its security.
- Support is available from other users and in online forums.
- Users must initiate vulnerability checks of the code themselves.
- A common target for malicious hackers looking for vulnerabilities.
Closed-source CMS platforms:
- Have licensing fees.
- The source is not accessible to users; the provider handles the backend.
- A solution tailored to business needs, with few options for plug-ins and themes.
- The vendor may have its own security testing products.
- Central support from the vendor.
- Security patch releases to fix vulnerabilities.
- Not as commonly hacked, but can still be exploited.