When my colleague, Dave McMillen, isn’t jamming on his drums in one of the many bands he rocks out with, he is telling you about the security concerns regarding content management systems (CMS) in his recent IBM Security Threat Research paper. Businesses leverage these systems to address the need for quick changes to Web content, while cybercriminals leverage their popularity by targeting unpatched installations.

Rich in Features and Vulnerabilities

The three big CMS platforms that are widely used today are WordPress, Joomla and Drupal. CMS platforms have evolved significantly over the past decade and a half, and today, they are rich in both features and vulnerabilities. These products are built on open-source frameworks within shared developer environments just like Linux, Apache and Open Office. Built within them are third-party themes and plugins designed by thousands of authors. Needless to say, CMS platforms are not security-hardened to a great degree out of the box. If I were an attacker targeting a vulnerable CMS, I would say, “Easy peasy, lemon squeezy.”

Speaking of Lemons

Lemons are sour-tasting — much like the feeling after you’ve been compromised. Attackers have many ways to target vulnerable CMS installations. For one, website operators who use weak passwords leave their administrator accounts vulnerable to brute-force attacks. Obtaining access to an administrator account can lead to the distribution of malware.

CMS platforms are also not immune to distributed denial-of-service (DDoS) attacks. In 2014, more than 162,000 WordPress sites were leveraged, creating a super DDoS net that focused on one website and took it down.

With thousands of developers who design CMS themes and plugins for custom use, they are a popular target for cybercriminals. In 2013, a study from security vendor Checkmarx found that nearly 20 percent of the 50 most popular plugins for the WordPress platform are vulnerable to common Web attacks.

Finally, attackers love a good SQL injection or cross-site scripting attack. A simple Google search reveals hundreds of known attack parameters available that affect CMS platforms.

IBM MSS Data and WordPress Attacks

Looking at the data for 2014, IBM found that many SQL injection and command injection attacks were specifically targeting WordPress. These WordPress installations were attacked heavily during the first three months of 2014. The pattern then diminishes from April through September, where it then briefly resurges in October. The retail trade industry was the most attacked industry on WordPress, and nearly half of the attacks originated in the United States.

Read the full research report to learn more about the risks of content management systems

Should We Stop Using CMS?

No. However, it is important to realize that there are several processes that should be implemented if you’re using one of these platforms in your environment, such as the following:

  • Always run the latest version of any CMS.
  • Update CMS systems regularly via continuous patch management.
  • Always use trusted sources for themes and plugins. Never use free themes and plugins.
  • Never use default settings. Change the default “ADMIN” name. Rename default database prefixes to prevent SQL injections.
  • Reduce credentials. The administrator account should only be needed to perform updates or add/change themes and plugins. Those who edit posts or write articles should never need to be at an administrator level.
  • Always use strong passwords.
  • Protect the .htaccess file. Refer to the IBM paper and see the “Securing .htaccess” link in the References section.
  • Use a cloud-based security service.
  • Back up your CMS installations at regular intervals and design a robust disaster recovery plan.

After applying these recommendations, you will have a greater peace of mind regarding the security of your CMS.

More from Software Vulnerabilities

X-Force discovers new vulnerabilities in smart treadmill

7 min read - This research was made possible thanks to contributions from Joshua Merrill. Smart gym equipment is seeing rapid growth in the fitness industry, enabling users to follow customized workouts, stream entertainment on the built-in display, and conveniently track their progress. With the multitude of features available on these internet-connected machines, a group of researchers at IBM X-Force Red considered whether user data was secure and, more importantly, whether there was any risk to the physical safety of users. One of the most…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

MSMQ QueueJumper (RCE Vulnerability): An in-depth technical analysis

13 min read - The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and remotely. This analysis was performed in collaboration with the Randori and X-Force Adversary Services teams, by Valentina Palmiotti, Fabius Watson, and Aaron Portnoy. Research motivations…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today