When my colleague, Dave McMillen, isn’t jamming on his drums in one of the many bands he rocks out with, he is telling you about the security concerns regarding content management systems (CMS) in his recent IBM Security Threat Research paper. Businesses leverage these systems to address the need for quick changes to Web content, while cybercriminals leverage their popularity by targeting unpatched installations.

Rich in Features and Vulnerabilities

The three big CMS platforms that are widely used today are WordPress, Joomla and Drupal. CMS platforms have evolved significantly over the past decade and a half, and today, they are rich in both features and vulnerabilities. These products are built on open-source frameworks within shared developer environments just like Linux, Apache and OpenOffice. Built within them are third-party themes and plugins designed by thousands of authors. Needless to say, CMS platforms are not security-hardened to a great degree out of the box. If I were an attacker targeting a vulnerable CMS, I would say, “Easy peasy, lemon squeezy.”

Speaking of Lemons

Lemons are sour-tasting — much like the feeling after you’ve been compromised. Attackers have many ways to target vulnerable CMS installations. For one, website operators who use weak passwords leave their administrator accounts vulnerable to brute-force attacks. Obtaining access to an administrator account can lead to the distribution of malware.

CMS platforms are also not immune to distributed denial-of-service (DDoS) attacks. In 2014, more than 162,000 WordPress sites were leveraged, creating a super DDoS net that focused on one website and took it down.

CMS themes and plugins, designed by thousands of developers for custom use, are a popular target for cybercriminals. In 2013, a study from security vendor Checkmarx found that nearly 20 percent of the 50 most popular plugins for the WordPress platform are vulnerable to common Web attacks.

Finally, attackers love a good SQL injection or cross-site scripting attack. A simple Google search reveals hundreds of known attack parameters that affect CMS platforms.

IBM MSS Data and WordPress Attacks

Looking at the data for 2014, IBM found that many SQL injection and command injection attacks were specifically targeting WordPress. These WordPress installations were attacked heavily during the first three months of 2014. The activity then diminished from April through September before briefly resurging in October. The retail trade industry was the most attacked industry on WordPress, and nearly half of the attacks originated in the United States.


Should We Stop Using CMS?

No. However, it is important to realize that there are several processes that should be implemented if you’re using one of these platforms in your environment, such as the following:

  • Always run the latest version of any CMS.
  • Update CMS systems regularly via continuous patch management.
  • Always use trusted sources for themes and plugins. Never use free themes and plugins.
  • Never use default settings. Change the default “ADMIN” name. Rename default database prefixes to prevent SQL injections.
  • Reduce credentials. The administrator account should only be needed to perform updates or add/change themes and plugins. Those who edit posts or write articles should never need to be at an administrator level.
  • Always use strong passwords.
  • Protect the .htaccess file. Refer to the IBM paper and see the “Securing .htaccess” link in the References section.
  • Use a cloud-based security service.
  • Back up your CMS installations at regular intervals and design a robust disaster recovery plan.
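
Several items in this list can be checked mechanically. The following is an added example, not code from the IBM paper: it audits a WordPress document root for the default table prefix, a default "admin" login, and an .htaccess file that does not deny access to itself. The function name, the finding codes, the sample files and the list of logins (assumed to be exported from the CMS beforehand) are all constructed for illustration.

```python
import os
import re
import tempfile

PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""", re.M)
# An Apache <Files>/<FilesMatch> block that names .htaccess (or .ht*) ...
HT_BLOCK_RE = re.compile(r"<Files(?:Match)?\s+[^>]*\.ht[^>]*>(.*?)</Files(?:Match)?>", re.S | re.I)
# ... and denies access, in Apache 2.4 or 2.2 syntax.
DENY_RE = re.compile(r"Require\s+all\s+denied|Deny\s+from\s+all", re.I)

def _read(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()

def audit_cms_root(root, user_logins):
    """Return a sorted list of finding codes for one WordPress document root."""
    findings = set()
    cfg = os.path.join(root, "wp-config.php")
    match = PREFIX_RE.search(_read(cfg)) if os.path.isfile(cfg) else None
    if match is None:
        findings.add("table-prefix-unknown")
    elif match.group(1) == "wp_":
        findings.add("default-table-prefix")
    if any(login.lower() == "admin" for login in user_logins):
        findings.add("default-admin-login")
    ht = os.path.join(root, ".htaccess")
    if not os.path.isfile(ht):
        findings.add("htaccess-missing")
    else:
        # Drop commented-out lines so a disabled rule is not counted as protection.
        live = "\n".join(l for l in _read(ht).splitlines() if not l.lstrip().startswith("#"))
        if not any(DENY_RE.search(body) for body in HT_BLOCK_RE.findall(live)):
            findings.add("htaccess-not-self-protected")
    return sorted(findings)

def demo():
    """Audit two constructed installs: one left on defaults, one hardened."""
    weak = {"wp-config.php": "<?php\n$table_prefix = 'wp_';\n",
            ".htaccess": "# <Files .htaccess>\n# Require all denied\n# </Files>\nRewriteEngine On\n"}
    hard = {"wp-config.php": "<?php\n$table_prefix = 'x7k_';\n",
            ".htaccess": "<Files .htaccess>\nRequire all denied\n</Files>\nRewriteEngine On\n"}
    results = []
    for files, logins in ((weak, ["admin", "editor1"]), (hard, ["site-owner", "editor1"])):
        with tempfile.TemporaryDirectory() as root:
            for name, content in files.items():
                with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                    fh.write(content)
            results.append(audit_cms_root(root, logins))
    return results

if __name__ == "__main__":
    for findings in demo():
        print(findings or "no findings")
```

The weak sample shows why commented-out rules are ignored: its .htaccess contains a deny block, but every line of it is disabled, so the file is still reported as unprotected.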

After applying these recommendations, you will have a greater peace of mind regarding the security of your CMS.
