When my colleague, Dave McMillen, isn’t jamming on his drums in one of the many bands he rocks out with, he is telling you about the security concerns regarding content management systems (CMS) in his recent IBM Security Threat Research paper. Businesses leverage these systems to address the need for quick changes to Web content, while cybercriminals leverage their popularity by targeting unpatched installations.

Rich in Features and Vulnerabilities

The three big CMS platforms that are widely used today are WordPress, Joomla and Drupal. CMS platforms have evolved significantly over the past decade and a half, and today, they are rich in both features and vulnerabilities. These products are built on open-source frameworks within shared developer environments just like Linux, Apache and Open Office. Built within them are third-party themes and plugins designed by thousands of authors. Needless to say, CMS platforms are not security-hardened to a great degree out of the box. If I were an attacker targeting a vulnerable CMS, I would say, “Easy peasy, lemon squeezy.”

Speaking of Lemons

Lemons are sour-tasting — much like the feeling after you’ve been compromised. Attackers have many ways to target vulnerable CMS installations. For one, website operators who use weak passwords leave their administrator accounts vulnerable to brute-force attacks. Obtaining access to an administrator account can lead to the distribution of malware.

CMS platforms are also not immune to distributed denial-of-service (DDoS) attacks. In 2014, more than 162,000 WordPress sites were leveraged, creating a super DDoS net that focused on one website and took it down.

With thousands of developers who design CMS themes and plugins for custom use, they are a popular target for cybercriminals. In 2013, a study from security vendor Checkmarx found that nearly 20 percent of the 50 most popular plugins for the WordPress platform are vulnerable to common Web attacks.

Finally, attackers love a good SQL injection or cross-site scripting attack. A simple Google search reveals hundreds of known attack parameters available that affect CMS platforms.

IBM MSS Data and WordPress Attacks

Looking at the data for 2014, IBM found that many SQL injection and command injection attacks were specifically targeting WordPress. These WordPress installations were attacked heavily during the first three months of 2014. The pattern then diminishes from April through September, where it then briefly resurges in October. The retail trade industry was the most attacked industry on WordPress, and nearly half of the attacks originated in the United States.

Read the full research report to learn more about the risks of content management systems

Should We Stop Using CMS?

No. However, it is important to realize that there are several processes that should be implemented if you’re using one of these platforms in your environment, such as the following:

  • Always run the latest version of any CMS.
  • Update CMS systems regularly via continuous patch management.
  • Always use trusted sources for themes and plugins. Never use free themes and plugins.
  • Never use default settings. Change the default “ADMIN” name. Rename default database prefixes to prevent SQL injections.
  • Reduce credentials. The administrator account should only be needed to perform updates or add/change themes and plugins. Those who edit posts or write articles should never need to be at an administrator level.
  • Always use strong passwords.
  • Protect the .htaccess file. Refer to the IBM paper and see the “Securing .htaccess” link in the References section.
  • Use a cloud-based security service.
  • Back up your CMS installations at regular intervals and design a robust disaster recovery plan.

After applying these recommendations, you will have a greater peace of mind regarding the security of your CMS.

More from Software Vulnerabilities

Dissecting and Exploiting TCP/IP RCE Vulnerability “EvilESP”

September’s Patch Tuesday unveiled a critical remote vulnerability in tcpip.sys, CVE-2022-34718. The advisory from Microsoft reads: “An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPsec is enabled, which could enable a remote code execution exploitation on that machine.” Pure remote vulnerabilities usually yield a lot of interest, but even over a month after the patch, no additional information outside of Microsoft’s advisory had been publicly published. From my side, it had been a…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…

Critical Remote Code Execution Vulnerability in SPNEGO Extended Negotiation Security Mechanism

In September 2022, Microsoft patched an information disclosure vulnerability in SPNEGO NEGOEX (CVE-2022-37958). On December 13, Microsoft reclassified the vulnerability as “Critical” severity after IBM Security X-Force Red Security Researcher Valentina Palmiotti discovered the vulnerability could allow attackers to remotely execute code. The vulnerability is in the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism, which allows a client and server to negotiate the choice of security mechanism to use. This vulnerability is a pre-authentication remote code execution vulnerability impacting a wide…

Containers, Security, and Risks within Containerized Environments

Applications have historically been deployed and created in a manner reminiscent of classic shopping malls. First, a developer builds the mall, then creates the various stores inside. The stores conform to the dimensions of the mall and operate within its floor plan. In older approaches to application development, a developer would have a targeted system or set of systems for which they intend to create an application. This targeted system would be the mall. Then, when building the application, they would…