WordPress, Joomla, Drupal, Shopify and many more, offer real possibilities for creating sites that are both ergonomic and efficient. However, a negative image is still associated with CMS websites: they would be insecure and easy targets for malicious hackers.
What are the risks of cyberattacks on these sites? What specific elements of CMS are to be monitored?
If you are in charge of a CMS platform, this article will help you to identify the main risks and will provide you with points of vigilance to reinforce the level of security.
Are CMS More Secure than “From Scratch” Developments?
Contrary to what is generally believed, CMS sites are as secure as a site developed on demand. If you are using a CMS that is well known and widely used throughout the world, you are using a robust solution which evolves regularly. This will not necessarily be the case for a custom website developed by an agency or a freelancer, when maintenance is not foreseen.
However, CMS do present the risk of being more attacked. Indeed, they are the target of mass attacks by hackers seeking to exploit vulnerabilities linked to the CMS. The five main CMSs account for 46.8% of all websites: attackers are therefore more likely to come across vulnerable sites.
The typology of CMS platform users is also broader than for sites developed on demand, which means that there are users less familiar with good security practices, increasing the likelihood of successful attacks against CMS.
Risks of an Open Source CMS
From a security point of view, the main open source CMS have the advantage of having an open source code: security researchers have access to it and they test it, which makes it possible to identify security flaws. The flip side of the coin is that malicious hackers also have access to it, which might enable them to find vulnerabilities too and exploit them.
The large community around the main CMS has developed many plugins, which add functionalities, but also add risks related to the integration, configuration and maintenance of these plugins.
The security of the CMS and the plugins depends on the community, which for the main CMS is generally very active. However, it is necessary to be vigilant about the maintenance of the CMS. There is always the risk that the solution may be less popular, less maintained or even abandoned at some point.
Risks of a Proprietary CMS
As with any proprietary product, security will depend on the importance attached to it by the company and the security knowledge of the development team.
The advantage of proprietary CMS is that a team is directly responsible for its development and security. It is therefore likely that there will be a roadmap of planned updates, of features to be tested, of items to be corrected, etc.
However, there is one point of vigilance to be kept in mind: it is possible that the product may be abandoned to at some point by the editor and that there is no longer any maintenance carried out.
Whether it is an open source or proprietary CMS, your choice must be made according to the needs of your situation. The security of your site depends above all on how it is managed, configured and maintained, than whether it is based on an open source CMS or not.
Risks Related to CMS Updates
One of the main risks associated with CMS is updates. Updates must be made regularly, as CMS evolve rapidly.
In addition, new vulnerabilities are regularly found and then fixed, which is why it is necessary to install updates as soon as possible and to frequently check the available patches.
Updates apply not only to the versions of the CMS themselves, but also to the versions of the various plugins used. A large number of plugins are available for the main open source CMS.
There are two main principles to keep in mind when choosing your plugins:
- Favour plugins that are kept up to date (in order not to expose yourself to risks in case new vulnerabilities are discovered in a non-maintained plugin).
- Favour recognised and widely used plugins, rather than an “in-house” plugin designed for specific needs that are not yours.
It is recommended to keep a close eye on the evolution of each plugin used for your site.
Risks Related to Customised Developments on CMS
The other major risk concerning CMS is related to specific developments. Many CMS-based websites do not only relay on configuration, but also on tailor-made developments, either by an in-house development team or by a service provider.
If your site includes specific developments, then these present the same risks as for a site developed “from scratch”. The questions to be asked are similar:
- What are the skills of the developers on security issues?
- Have we carried out penetration tests?
- How can we fix potential flaws in our code in order to prevent incidents?
Risks that your website is facing vary according to its size and functionalities: data theft, particularly for sites allowing the creation of customer accounts, but also service interruptions or illegal content hosting…
The best solution then consists in identifying security flaws in order to correct them, by conducting a web pentest, which can focus only on the major risks at first.
In conclusion, sites developed from a CMS are secure, but require attention, with certain specificities to be taken into account to ensure their security.
It is essential to put in place an appropriate strategy for updating, hosting, backing up and monitoring its website. The configuration of the CMS and specific developments can then be reviewed by specialised CMS security consulting.