Has your website been developed using a CMS? WordPress, Drupal, SPIP and many others are a great help for building user-friendly, high-performing websites. But are these websites exposed to cyber attacks? What are the risks? Here are some pointers on this topic.

Are CMS more secure than “from scratch” developments?

At first sight, they tend to be more secure. If you are using one of the most popular CMS in the world, you are using a robust and technically up-to-date solution. This will not necessarily be the case with websites that have been developed “from scratch” by freelance developers or web agencies: it all depends on the security skills of the development team.

However, the most popular CMS are also attacked more frequently. Hackers who want to try out new exploits can attack them on a massive scale. For instance, WordPress is the most attacked CMS. New flaws are frequently discovered and then fixed, which is why it is absolutely necessary to install updates as soon as possible once they have been released.

The risks related to CMS updates

One of the major risks concerning CMS relates to updates. They must be installed often and promptly, because CMS evolve on a regular basis.

Updates are released for new versions of the CMS itself, but also for new versions of each of your plug-ins. Considering the number of plug-ins available for the major open-source CMS, you must keep a close eye on changes to all the plug-ins that you are using.

Moreover, you should be careful when choosing your plug-ins: if you choose to use a plug-in that is not up to date, you will expose your website to cyber risks. The most popular plug-ins are updated often. This is why it is generally recommended to use well-known plug-ins rather than “homemade” plug-ins that were developed for specific needs that can be quite different from yours.
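To make the two checks above concrete (a component with an update pending, and a plug-in that is no longer maintained upstream), here is an added example that is not part of the original article. The inventory, the component names and the one-year staleness threshold are constructed assumptions; in practice the data would come from your CMS admin panel or its command-line tool.

```python
import re
from datetime import date

# Constructed inventory (assumption, not data from the article): one entry per
# installed component with its installed version, the latest published version
# and the date of the last upstream release.
INVENTORY = [
    {"name": "cms-core", "installed": "6.4.2", "latest": "6.4.3", "last_release": "2024-01-30"},
    {"name": "contact-form", "installed": "5.8", "latest": "5.8.0", "last_release": "2023-12-19"},
    {"name": "old-slider", "installed": "1.2.10", "latest": "1.2.10", "last_release": "2019-03-02"},
    {"name": "seo-helper", "installed": "21.9", "latest": "21.10", "last_release": "2024-01-23"},
]

def parse_version(text):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not as strings."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)  # keep leading digits only ('8-beta1' -> 8)
        parts.append(int(match.group()) if match else 0)
    while len(parts) > 1 and parts[-1] == 0:  # treat 5.8 and 5.8.0 as the same version
        parts.pop()
    return tuple(parts)

def audit(inventory, today, stale_after_days=365):
    """Return (name, issues) for every component that needs attention."""
    findings = []
    for item in inventory:
        issues = []
        if parse_version(item["installed"]) < parse_version(item["latest"]):
            issues.append("update available")
        age = (today - date.fromisoformat(item["last_release"])).days
        if age > stale_after_days:
            # Up to date on paper, but upstream has stopped shipping fixes.
            issues.append("no upstream release in %d days" % age)
        if issues:
            findings.append((item["name"], issues))
    return findings

if __name__ == "__main__":
    for name, issues in audit(INVENTORY, today=date(2024, 2, 15)):
        print("%-14s %s" % (name, "; ".join(issues)))
```

Note that the abandoned plug-in is reported even though its installed version equals the latest one: "no update pending" does not mean "maintained".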

The risks related to custom developments on a CMS

The other major risk concerning CMS relates to custom developments.

Many websites that have been developed with a CMS rely not only on configuration but also on tailor-made developments, which can be carried out either by an in-house development team or by an external provider.

If your website does contain custom developments, then it is exposed to risks similar to those of websites developed “from scratch”. The questions you need to ask are also similar:

  • What level of security skills does my development team have?
  • Have we performed penetration tests?
  • How can we fix the flaws that might be in our code and then prevent any incident?

The risks that your website is facing depend on its size and functionalities: data theft (especially for websites allowing the creation of user accounts) but also service interruptions or illegal content hosting (for less complex corporate websites).

The best solution is to detect security flaws in order to fix them, with the help of a skilled pentester.

To conclude, websites developed with a CMS also require vigilance with some specific areas of focus in order to ensure their security.
It is important to implement a strategy for the update, backup and monitoring of your website. Preparing yourself will allow you to respond to incidents with more confidence and efficiency.