When my colleague, Dave McMillen, isn’t jamming on his drums in one of the many bands he rocks out with, he is telling you about the security concerns regarding content management systems (CMS) in his recent IBM Security Threat Research paper. Businesses leverage these systems to address the need for quick changes to Web content, while cybercriminals leverage their popularity by targeting unpatched installations.
Rich in Features and Vulnerabilities
The three big CMS platforms that are widely used today are WordPress, Joomla and Drupal. CMS platforms have evolved significantly over the past decade and a half, and today, they are rich in both features and vulnerabilities. These products are built on open-source frameworks within shared developer environments just like Linux, Apache and Open Office. Built within them are third-party themes and plugins designed by thousands of authors. Needless to say, CMS platforms are not security-hardened to a great degree out of the box. If I were an attacker targeting a vulnerable CMS, I would say, “Easy peasy, lemon squeezy.”
Speaking of Lemons
Lemons are sour-tasting — much like the feeling after you’ve been compromised. Attackers have many ways to target vulnerable CMS installations. For one, website operators who use weak passwords leave their administrator accounts vulnerable to brute-force attacks. Obtaining access to an administrator account can lead to the distribution of malware.
CMS platforms are also not immune to distributed denial-of-service (DDoS) attacks. In 2014, more than 162,000 WordPress sites were leveraged, creating a super DDoS net that focused on one website and took it down.
With thousands of developers who design CMS themes and plugins for custom use, they are a popular target for cybercriminals. In 2013, a study from security vendor Checkmarx found that nearly 20 percent of the 50 most popular plugins for the WordPress platform are vulnerable to common Web attacks.
Finally, attackers love a good SQL injection or cross-site scripting attack. A simple Google search reveals hundreds of known attack parameters available that affect CMS platforms.
IBM MSS Data and WordPress Attacks
Looking at the data for 2014, IBM found that many SQL injection and command injection attacks were specifically targeting WordPress. These WordPress installations were attacked heavily during the first three months of 2014. The pattern then diminishes from April through September, where it then briefly resurges in October. The retail trade industry was the most attacked industry on WordPress, and nearly half of the attacks originated in the United States.
Should We Stop Using CMS?
No. However, it is important to realize that there are several processes that should be implemented if you’re using one of these platforms in your environment, such as the following:
- Always run the latest version of any CMS.
- Update CMS systems regularly via continuous patch management.
- Always use trusted sources for themes and plugins. Never use free themes and plugins.
- Never use default settings. Change the default “ADMIN” name. Rename default database prefixes to prevent SQL injections.
- Reduce credentials. The administrator account should only be needed to perform updates or add/change themes and plugins. Those who edit posts or write articles should never need to be at an administrator level.
- Always use strong passwords.
- Protect the .htaccess file. Refer to the IBM paper and see the “Securing .htaccess” link in the References section.
- Use a cloud-based security service.
- Back up your CMS installations at regular intervals and design a robust disaster recovery plan.
After applying these recommendations, you will have a greater peace of mind regarding the security of your CMS.