Content management systems are becoming popular and necessary as a way to organize, manage, and secure organizational web and enterprise content. The CMS offers multiple attack opportunities for targeting commercial or public sector data. How can IT, administrators, creative personnel, and developers ensure CMS security?
Between January and September 2019, over 7.9 billion data records were breached, a 33% increase over the same period a year earlier. Although hackers are the obvious culprits, oftentimes it is a minor human error or a lack of basic security hygiene that results in a data breach.
Types of Content Management Systems
There are three types of CMS software: open source, proprietary, and Software-as-a-Service (SaaS) CMS.
Open source CMS software can be installed and managed on your own web server. Numerous customizations are available to address different business needs, such as plugins for websites, search engine optimization of content, and custom design themes and layouts.
Proprietary CMS software is built and managed by a company. Using such CMS generally involves:
● a license to use the software, paid as monthly or annual charges
● additional costs for customization and upgrades, as well as for training and technical/user support.
SaaS CMS solutions usually bundle web content management software, web hosting, and technical support from a single supplier. These are virtual solutions hosted in the cloud and based on a subscription model, usually priced per user or per site. The pricing usually includes:
● amount of data transfer
● storage for your content and data
Threats to Content Management Systems
● Data manipulation: SQL injection and tampering with parameters or settings are popular attacks.
● Accessing data: Using SQL injections or Cross-Site Scripting (XSS) attacks to compromise user data. A hacker uses a web application to send malicious code, usually a browser-side script or malicious SQL statements.
● Code Injection: Code Injections can result in loss of data or corrupted data, lack of accountability, or denial of access.
● Spam: Web crawlers scan the Internet for legitimate email addresses and send spam accordingly. Attackers also send spam through the application's server, turning it into a spam relay.
● Broken Authentication is the incorrect implementation of authentication and of related functions such as logging off, session expiry, secret questions, password reset, etc. If these mechanisms have not been properly implemented, an attacker can take advantage of the weakness to gain more rights over the application.
Some examples of a poorly implemented authentication process are: different error responses for a failed authentication, an improper process for recovering a forgotten password, no protection against an excessive number of attempts, and password reminders sent along with the authentication questions.
● Sensitive Data Exposure compromises the integrity and confidentiality of data. Many web applications fail to protect sensitive data properly with appropriate encryption. For transferring data securely, web applications can use the secure version of the HTTP protocol, HTTPS (Hypertext Transfer Protocol Secure), which uses SSL (Secure Sockets Layer) to protect messages transmitted over the network.
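The "data manipulation", "accessing data" and "code injection" threats above all come down to untrusted input being interpreted as code. The following is an added example (not code from the original article or from any CMS product) showing the two classic cases side by side in Python: a post search built by string concatenation next to its parameterised form, and a comment renderer that splices raw input into HTML next to one that escapes it. The `posts` table and the sample rows are constructed for the demo and stand in for a CMS database.

```python
import html
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a CMS's post storage."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO posts (title, body, published) VALUES (?, ?, ?)",
        [("Welcome", "Hello world", 1), ("Draft", "Unpublished plans", 0)],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # The search term is concatenated into the statement, so quote characters
    # and SQL operators in it are parsed as part of the query grammar.
    sql = (
        "SELECT title FROM posts WHERE published = 1 AND title LIKE '%"
        + term
        + "%' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    # Parameterised query: the driver binds the term as a value, so it can
    # never change the structure of the statement.
    sql = "SELECT title FROM posts WHERE published = 1 AND title LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def render_comment_vulnerable(author: str, text: str) -> str:
    # Untrusted strings are placed directly into the page markup.
    return f"<p><b>{author}</b>: {text}</p>"


def render_comment_safe(author: str, text: str) -> str:
    # html.escape converts < > & " ' to entities, so browsers render the
    # input as text instead of executing it as markup or script.
    return f"<p><b>{html.escape(author)}</b>: {html.escape(text)}</p>"


if __name__ == "__main__":
    db = make_demo_db()
    # A quote-and-comment search term shows why concatenation is unsafe:
    # the vulnerable query leaks the unpublished draft, the safe one does not.
    probe = "' OR 1=1 --"
    print("vulnerable:", search_vulnerable(db, probe))
    print("safe:      ", search_safe(db, probe))
    print(render_comment_safe("reader", "<script>alert(1)</script>"))
```

The same two rules apply whatever language the CMS is written in: send data to the database through bound parameters, and encode output for the context (HTML body, attribute, JavaScript, URL) it is inserted into.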
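The broken-authentication examples listed above (distinguishable error responses, no limit on attempts, weak password handling) can be addressed in a single login routine. Below is an added example, not code from the article or from any particular CMS, of a minimal login service in Python that stores PBKDF2 password hashes, returns one generic failure message whether the username exists or not, hashes a dummy value for unknown users so response timing does not reveal which usernames are valid, and locks an account after a fixed number of failures. The class name `LoginService`, the constants and the `now` parameter (which lets the lockout be exercised without waiting) are assumptions for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

# One message for every failure: a wrong username and a wrong password
# must be indistinguishable to the caller.
GENERIC_FAILURE = "Invalid username or password."
MAX_ATTEMPTS = 5          # failures allowed before lockout (assumed policy)
LOCKOUT_SECONDS = 900     # how long the lockout lasts (assumed policy)
PBKDF2_ITERATIONS = 100_000

# Dummy salt/hash used for unknown users so the hash work is always done.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = b"\x00" * 32


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for a password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class LoginService:
    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}      # name -> (salt, digest)
        self._failures: Dict[str, Tuple[int, float]] = {}     # name -> (count, last failure)

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def is_locked(self, username: str, now: float) -> bool:
        count, last = self._failures.get(username, (0, 0.0))
        return count >= MAX_ATTEMPTS and now - last < LOCKOUT_SECONDS

    def login(self, username: str, password: str, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        if self.is_locked(username, now):
            # Locked accounts get the same generic answer, even for the right password.
            return False, GENERIC_FAILURE

        record = self._users.get(username)
        salt, expected = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
        _, actual = hash_password(password, salt)   # always computed, uniform timing
        ok = record is not None and hmac.compare_digest(actual, expected)

        if ok:
            self._failures.pop(username, None)
            return True, "OK"

        count, last = self._failures.get(username, (0, 0.0))
        if now - last >= LOCKOUT_SECONDS:
            count = 0                                  # stale failures expire
        self._failures[username] = (count + 1, now)
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")
    print(svc.login("alice", "correct horse battery staple"))
    print(svc.login("alice", "wrong"))
    print(svc.login("nobody", "wrong"))   # same message as a wrong password
```

In a real deployment the failure counters would live in shared storage rather than in memory, and successful logins would also be logged so that lockouts and password-reset requests can be correlated during an investigation.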
Breach Prevention in Content Management System
● Strong Passwords: The passwords used by both users and administrators of the CMS need to follow best practices. As with all passwords, they should be hard to guess but easy to remember, so relatively lengthy passphrases based on a random collection of words work best. Alternatively, use passwords randomly generated by a good password manager.
● Multi-Factor Authentication: Multi-factor authentication, when available, provides much better protection for accounts than passwords/phrases.
● Assign Access Roles: You should also take advantage of the ability to assign roles and/or permissions. WordPress allows you to set different roles for different users, such as Contributor (can draft posts but not publish), Author (can publish his/her own posts), Editor (can publish or edit their own and others’ posts), and administrator (can change settings and has complete control of the site). Limit the number of persons who have administrative access.
● Layered Security: Opt for a Web Application Firewall (WAF), which adds an extra layer of security to your CMS website to stay protected from attacks.
● Check your plug-ins: Although these are often premium, there are quality free themes and plugins as well. Quality in this case means they have a good track record which you can assess by studying their reviews and number of downloads. The more reviews available, the more accurate your assessment. Never use pirated plugins or themes.
● SSL Certificate: Install an SSL certificate on your web server, which establishes an encrypted connection between your server and the client.
● Have Backups: A backup allows you to reset your compromised website to its previous state. Do this after you have identified and corrected the security weakness that allowed your site to be hacked.
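The "Multi-Factor Authentication" item above says little about what the second factor is. Most CMS MFA plugins implement time-based one-time passwords (TOTP, RFC 6238), where the server and the user's authenticator app share a secret and both derive a short code from the current 30-second time step. The block below is an added example in Python (not the article's code and not any plugin's implementation) that computes and verifies such codes from the standard library alone; the `window` tolerance and the `provisioning_secret` helper are assumptions of the demo. The embedded secret is the RFC 6238 test-vector key, so the values in the comments can be checked against the RFC's own table.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, timestamp: float, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(key, int(timestamp) // STEP_SECONDS, digits)


def verify_totp(key: bytes, code: str, timestamp: float, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side (clock drift)."""
    counter = int(timestamp) // STEP_SECONDS
    for c in range(counter - window, counter + window + 1):
        # compare_digest keeps the comparison time independent of how many digits match
        if hmac.compare_digest(hotp(key, c), code):
            return True
    return False


def provisioning_secret(key: bytes) -> str:
    """Base32 form of the key, which is what authenticator apps expect when enrolling."""
    return base64.b32encode(key).decode("ascii").rstrip("=")


if __name__ == "__main__":
    rfc_key = b"12345678901234567890"          # RFC 6238 SHA-1 test-vector secret
    print(totp(rfc_key, 59, digits=8))          # RFC table: 94287082
    print(totp(rfc_key, 1111111109, digits=8))  # RFC table: 07081804
    fresh_key = os.urandom(20)                  # a real enrolment would generate this per user
    print(provisioning_secret(fresh_key), totp(fresh_key, time.time()))
```

Two operational points follow from the code: the shared secret must be stored server-side with the same care as a password hash (it is a credential, not a hash), and a used code should be remembered for the length of the window so that it cannot be replayed within the same step.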
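The "Assign Access Roles" item describes the WordPress role ladder (Contributor, Author, Editor, Administrator) and advises limiting administrators. The following added example, written for this page and not taken from WordPress or the article, shows how such roles reduce to capability sets and how an authorization check consults them before a post is edited or published. The capability names, the `User`/`Post` records and the `admin_report` helper are simplifications assumed for the demo.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Capability sets per role, modeled on the description in the text:
# contributors draft but cannot publish, authors publish their own posts,
# editors also handle other people's posts, administrators do everything.
ROLE_CAPS: Dict[str, Set[str]] = {
    "contributor": {"edit_own_posts"},
    "author": {"edit_own_posts", "publish_own_posts"},
    "editor": {"edit_own_posts", "publish_own_posts",
               "edit_others_posts", "publish_others_posts"},
    "administrator": {"edit_own_posts", "publish_own_posts",
                      "edit_others_posts", "publish_others_posts", "manage_options"},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str


@dataclass(frozen=True)
class Post:
    author: str
    published: bool


def has_cap(user: User, cap: str) -> bool:
    # Unknown roles get an empty set, so the default answer is "no".
    return cap in ROLE_CAPS.get(user.role, set())


def can_edit(user: User, post: Post) -> bool:
    if has_cap(user, "edit_others_posts"):
        return True
    if post.author != user.name:
        return False
    # Own post: a role without publish rights may only touch it while it is still a draft.
    if post.published and not has_cap(user, "publish_own_posts"):
        return False
    return has_cap(user, "edit_own_posts")


def can_publish(user: User, post: Post) -> bool:
    if post.author == user.name:
        return has_cap(user, "publish_own_posts")
    return has_cap(user, "publish_others_posts")


def admin_report(users: List[User], max_admins: int = 2) -> Dict[str, object]:
    """Constructed audit helper: list administrators and flag when there are too many."""
    admins = sorted(u.name for u in users if u.role == "administrator")
    return {"admins": admins, "over_limit": len(admins) > max_admins}


if __name__ == "__main__":
    staff = [User("ann", "contributor"), User("bob", "author"),
             User("cat", "editor"), User("dan", "administrator")]
    draft = Post(author="ann", published=False)
    for u in staff:
        print(u.name, u.role, "edit:", can_edit(u, draft), "publish:", can_publish(u, draft))
    print(admin_report(staff))
```

The point of the separation is that the check lives in one place: every editing and publishing handler calls `can_edit` or `can_publish` rather than testing role names inline, so tightening a role means changing one table. The audit helper is the kind of routine check that keeps the administrator list short, as the text recommends.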
Content management can be a challenge in today’s information-intensive working environments, and CMS can help you to get a handle on the creation, publication, and organization of all that content – but don’t forget the need for security to protect your information, and (if you’re self-hosting) your servers and network, as well.