Table of Contents
A security overview of Content Management Systems
A security overview of Content Management Systems:. Any developer would probably agree Content Management Systems (CMS) make it easier for web development teams and marketing to work together. However CMS assets like blog.company.com are also web application based and could be targets of hacker attacks. Why’s that? Simply because they are based on commonly used technologies. It communicate with end users, bring in organic or paid reader traffic and build brand awareness.
A security overview of Content Management Systems:. Many companies spend resources on securing their main applications and neglect to also audit the security of the CMS platform because who would want to hack a blog? More often than not it is more about the technology than content itself. That’s interesting to hack, which is why CMS security needs attention as well.
Here is our overview including expert advice from our security team:
Deciding between closed- vs open-source CMS platforms:
Once you’ve decided to go with a CMS you’ll have to decide which vendor to go with and part of that is if it will be closed- or open-sourced. Cost and usability are key factors in the decision. But it’s also important to keep in mind the security maintenance expected to keep it up and running. Using an open-source program means that anyone can access the source code. There is freedom to make changes to the source code and customize it for your website needs. A lot of eyes on the code also means there are people out there interested in testing and breaking the code, especially in widely used platforms.
There are people out there testing the security of closed-source CMSes but it’s not at the same rate since they are only available with purchase. However, such platforms have internal security teams doing the testing and making fixes to keep up security. We receive vulnerability submissions for both closed- and open-sourced platforms from our Detectify Crowdsource community of 150+ handpicked white hat hackers.
Crowdsource module developer Kristian Bremberg reviews many of these submissions, and contrasts the two:
“Open source lets anyone look at the code, and therefore increases the chances of finding vulnerabilities. However, there’s no guarantee that the code will be reviewed by independent security researchers. Closed-source software is often owned by a company which spends money on internal code review and security testing.”
Open Source CMS
Anyone can view the source code and modify to their needs for you
Developers can contribute features in form of plugins and themes
Often low-cost or free
No one is owning the platform itself nor its security
Support avaliable from other users & in online forums
Self intiation of vulnerability checks in code
Target for malicious hackers to find vulnerabilites
Closed Source CMS
Source is not accessible by users but provider handles the backend for you
Unique solution for business needs and little options for plugin and themes
Vendor may have its own security testing of products
Central support from vendor
Security patch releases to fix vulnerabilites
Not as commonly hacked but still can exploite
How to secure your CMS or blog site:
There’s a lot you can do to make sure security risks are alleviated. When it comes to maintaining a CMS tool. We previously shared best practices on securing the Magento CMS application. These same practices can be applied to any other CMS option too. Exploitation can do through the hosting service, blog themes, plugins or extensions or user management. It seems like a no-brainer to use the mentioned best practices:
Clean up your plugins
Clean up your plugins In addition to the mentioned measures, it’s also imperative to ensure the plugins added to your CMS application are also secure to use. If you don’t use it, then uninstall it so it doesn’t become a security risk. Many plugins are hobby projects that are only update once in while which means they can become vulnerable without the owners notice, and for that reason we recommend running automated scans that cover plugins. We often receive submissions for CMS plugins and it is something we are continuously open to receive from our Detectify Crowdsource white hat hackers.
Scan your CMS platforms for common vulnerabilities
Scan your CMS platforms for common vulnerabilities It’s common for Content Management Systems to be host on a platform that’s different from the main web application. For example, blog.company.com may host on a CMS like WordPress which is not regularly monitor by a web development team and the code may not always review after updates or adding features. By using a tool like WPScan or Detectify to check a CMS for vulnerabilities, a findings report will show any vulnerabilities that may exist in the web application and with remediation tips. A code-savvy marketer could try to then fix the issue on their own or share it with a web developer or agency for the issue to be resolve.
Additional best practices:
- 2FA and requirements for complicated passwords
- Always use the latest version of the software
- Subscribe to product and security updates from the vendor via social media or mailing lists
Expert point of view: how secure are CMSes and plugins?
We asked our co-founder and top-ranked security researcher, Fredrik Nordberg Almroth, about CMS security and here is what he had to say:
Fredrik Nordberg Almroth, co-founder
“If I were to approach this [an open-source CMS], I would not start with the main application since this where most security resources are spent and where most people are looking. I would look for other points of entry where few people are monitoring yet highly used like blog themes and plugins. In fact, plugins are the biggest concern, and small but chainable vulnerabilities are mostly here.”
Fredrik Nordberg Almroth, co-founder
“exploiting such chained vulnerabilities can usually impact other assets and infrastructure not directly related to the affected CMS. An example could be a simple reflected XSS that can be used to steal login credentials, which may be used elsewhere on other systems to a cookie XSS that affects sibling subdomains. An other example could be a server-side request forgery (SSRF) attack, that could be leveraged to access internal databases, CI systems and other internal assets.”
Secure CMS and plugin
Although there is this risk whenever downloading a plugin or theme for open-source CMSes like WordPress and Joomla, Fredrik assures that in general open-source options are quite secure as long as you work proactively with security. There can rare cases like Drupalgeddon 2.0 (CVE-2018-7600), and since they have high severity impact. They are often short-live as patches are made as soon as possible to save the masses. CMSes that are SaaS-base are automatically update making it even easier for users.
However not everyone checks the compatibility and security of a plugin or bundled application. It popular ones downloaded at least 50,000 times. so you can imagine the damage one web vulnerability could have. Some infamous examples include the bundling of ImageMagick and CK Editor applications. Where a hacker was able to execute a RCE and XSS respectively. When it comes to closed-source CMSes, there are fewer people looking at these systems outside of the product security teams since one would need paid license access to get to the source code. However vulnerabilities could find by the vendor’s own security testing activities or bug bounty hunters before a malicious actor gets to it.
Overall CMSes secure to use, and from a security standpoint, open-source platforms have an edge. Because they have more eyes examining the code and updates including security patches are automatic. if they are web-base. If you have a CMS it’s most important to keep good user access security. Use updated versions of the software and do research on plugins before using them.
CMSes easy to use. But can also be an easy way into your main application if its security is not monitor. Adding these pages like blog.company.com to the security scanning routine is a simple step to take to eliminate the risks.