Keeping your CMS Safe and secure

Website security is one of the most important aspects of running an online presence. A hacked website can lead to countless hours of debugging and repair, loss of income, to loss of credibility and lawsuits. With over 30,000 new small business website hacks a day and numerous corporation breaches, not a day goes by without a compromised site showing up in the news. Over the past decade, hackers have targeted the top three open-source Content Management Systems: WordPressJoomla, and Drupal, due to their popularity and open-source code. As these CMSs evolved, they have become more secure, and today most of the common vulnerabilities and loopholes have been patched. 

What are the most common security threats to CMSs?

The leading open-source CMSs WordPress and Joomla tend to be used by less technical DIY users, making excellent targets for hackers and their bots. The top threats facing these users are:

  • Data manipulation: SQL injections and changing parameters or settings is a popular hack. Hackers use malicious SQL statements inserted into an entry field for execution.
  • Accessing data: Utilizing SQL injections or Cross-Site Scripting (XSS) attacks to compromise user data. A hacker uses a web application to send malicious code, generally in the form of a browser side script or with malicious SQL statements.
  • Code Injection: This attack can affect the whole server running a website. Code Injections can result in lost or corrupted data, lack of accountability, or denial of access.

Security threats are ever-present to open-source website builders, and users must be ever vigilant in protecting their sites and assets. Here are some suggestions on keeping your CMS safe and secure.

Keep your CMS up to date:

The number one way to keep your CMS secure is to keep the source code version up to date. WordPress, Joomla, and Drupal are continually releasing updates. Many of these updates have included new security patches.  Hackers have historically targeted older and out-of-date versions of these CMS based on their newly updated security patches.

Version Usage Resources:

WordPress: https://wordpress.org/about/stats/

Joomla: https://developer.joomla.org/about/stats.html

Drupal: https://www.drupal.org/project/usage/drupal

As seen in the charts above, around 80% of WordPress and Joomla users are using an older version of the platform. WordPress has been the leader over the past decade with auto-updates and a fantastic backward compatibility record. 

Update Your CMS Admin Password:

Are you using a common password for your website? Have you updated your administrator password in the past month? If you answered “No” to either of those questions – before you read another word, please go and update your password! 

In the past decade, over 38 billion passwords were breached. Last year security researcher Troy Hunt discovered the most extensive collection of breached data in history, comprising more than 770 million email addresses and passwords posted to a popular hacking forum. The chance that a hacker has one or more of your logins is growing every day. Using a strong password and a password storage vault like 1Password is an easy way to keep track, update, and manage all your passwords with ease.  Here are a few resources for creating a strong password:

(Image Source: https://xkcd.com/936/)

Protect your website with an SSL Certificate:

An SSL Certificate provides encryption of information sent across the internet, protecting your users from hackers and identity theft. SSL certificates have become a PCI standard for e-commerce sites accepting sensitive credit card and personal data. In 2018 Google began ranking sites without an SSL lower in the search results. Today there is no reason not to have an SSL Certificate, as most hosting companies provide a free or low-cost SSL option. Wondering which SSL option is best for your website? We addressed this question in a previous blog post: Which SSL is right for me.

Install security plugins:

No matter how secure the CMS, you still need to add additional security measures to your site. Server configurations can provide excellent security, but not everyone has the access or ability to secure a server properly. Using a plugin/extension is the easiest way to make sure the server is configured correctly and adds an extra level of security to your CMS. Some of the methods of protection include:

  • .htaccess settings:  Having a properly secure .htaccess file is necessary to have a secure website.
  • Firewall Protection:  Adding a Firewall Plug/Extension can assist you in blocking brute force and DDoS attacks, restricting IP addresses, blocking countries by IP address, and more.
  • File Scanning & Protection:  File scanning checks core files for integrity and identifies and repairs modified files and possible malware added to the core of the CMS. 
  • File and folder permissions:  Making sure your files and folders have the right settings is an important security issue.  

Here is a shortlist of available plugin/extensions that can help to secure a website:

WordPress

Joomla

Drupal

Plugins Can Also Cause Security Issues:

Everyone loves features, but keeping your CMS install as simple as possible, except for security or backup focused plugins, gives fewer chances for security issues. According to an Imperva report, 98% of WordPress vulnerabilities are due to plugins, with the most popular being Cross-site Scripting and SQL Injections. During the writing of this blog, over a million WordPress sites were detected by Wordfence as vulnerable from the popular Elementor Pro and Ultimate Add-ons for Elementor. The vulnerability in Elementro Pro allowed registered users to upload files for Remote Code Execution.

It is crucial to keep all of your plugins updated and keep a watchful eye out for security risks. But what makes a plugin vulnerable? There are a few possible scenarios with third-party plugins:

  1. The plugin was poorly coded.
  2. The developer does not maintain the plugin.
  3. The plugin is a scam.

The first two scenarios can easily be checked by reading reviews, checking the publish date, and update logs. Most plugin directories and marketplaces have a verification system in place to check for scams, but best practice is to check for exploits before installing the plugin. 

The internet is full of pirated/nulled software and fake resource sites. It is vital to download your theme or plugin from the official website or developer. Downloading themes and plugins from torrents or other free resources can result in backdoor security threats, malware, and compromised user data that puts your site at risk from day one. 

Secure and Protect Your CMS Files with Backups: 

The best way to protect your website and data is daily / weekly / monthly backups. The ability to restore your site after a breach in minutes vs. hours or weeks is crucial to your business and security. 

There are several backup methods currently available, such as cPanels own backup system, and website/CMS backups. Simple single hosted websites can usually get by with a simple website backup plugin such as Akeeba Backup. Still, more massive multisite servers should rely on server backups such as Jetbackup for cPanel.

What should I backup?

  • Website Files (For the integrity of the code)
  • Database (For the data)

Where should I store my backups?

  • Server Side: You should always store a copy of backups outside of your root folder 
  • Download:  You should keep at least one to two backups on your computer

How often should I make backups?

A full backup contains all your files and your database. You should make a complete backup at least once a month. Depending on how often you add content, your userbase, and data storage, backups might be needed more frequently.  Here are a few example backup scenarios:

  • Bloggers (Database: Every week or two / Files: Monthly)
  • Small Business Website (Database: Every week or two / Files: Monthly)
  • Large E-Commerce Site (Database: Daily & Files: Bi-Weekly using a CRON Job)

Website Monitoring:

To understand security threats and issues, constant monitoring of your website is the best approach. Today, multiple online services are available to monitor your website 24/7 and can help with security. Google Search Console alerts and server error logs through cPanel are a great place to start.

Conclusion:

Security should be your number one priority, and thanks to Open Source Contributors and plugin developers, it is easier than ever to secure your CMS website. Keep in mind new threats will arise all the time, but keeping your CMS up to date, your passwords unique, and keeping current backups will make sure you are ready for what comes next. 

For more information on securing your server, please refer to our documentation: https://docs.cpanel.net/knowledge-base/security/tips-to-make-your-server-more-secure/.

For more information on hardening your WordPress security: https://wordpress.org/support/article/hardening-wordpress/

WP Toolkit for cPanel keeps your WordPress sites up to date and secure from the first installation. For more information on the features and benefits of WP Toolkit: https://cpanel.net/wp-toolkit/

For more information on Joomla Security:https://developer.joomla.org/security.html

For more information on Drupal Security: https://www.drupal.org/node/2823484

As always, if you have any feedback or comments, please let us know. We are here to help in the best ways we can. You’ll find us on Discord, the cPanel forums, and Reddit.