Welcome to Overthrow Digital's blog where we share our thoughts and ramblings on anything and everything to do with the world of digital communications.
05 May 2015
Written by: Joshua Blavins

Open Source CMS Security

As with any widely used technology, security is key. In this week's blog we'll take you through open source Content Management Systems and the need to keep up with the latest security updates.

An open source Content Management System (CMS) is a CMS whose code is openly available to the public and is usually worked on by a large number of people; WordPress and Joomla are examples. Using an open source CMS like WordPress or Joomla can save you development time compared with a bespoke CMS built by a developer, but you have to keep on top of security and updates. Open source CMSs are great in that much of the functionality you need is already included or can be added simply by installing a plugin.

A question we get asked a lot is why, once a site has been built, the client needs to keep updating the CMS and its plugins. Considering how many sites run an open source CMS such as WordPress, it is easy to see why these become a target for hackers. If one vulnerability is discovered it can be exploited on many sites, whereas with a fully bespoke site only yours is susceptible, so the law of diminishing returns says look at the one with a large number of users.

The good news is that these open source platforms are maintained by a community of developers, so when a vulnerability is discovered, fixes are available quickly. For example, there was a recent vulnerability in the way the add_query_arg() and remove_query_arg() functions were being used across multiple WordPress plugins. The plugin developers and the WordPress security team, along with Sucuri Security, coordinated the public disclosure, and updates for the affected plugins quickly became available.

Like antivirus updates on a computer, these fixes are reactive, so they need to be applied as they are released; the key is to keep updating the CMS as updates become available. However, custom templates, or changes to the default templates that ship with open source CMSs, can cause issues when updating. Best practice is to apply any security updates on a development URL first, or to take a backup before applying them. We always recommend you have a backup regime in place, and any hosting we offer has this built in as standard, as well as uptime monitoring.

There are a number of things that can be done to reduce vulnerability, all of which are easy to set up in the CMS. These are listed below:

  • Limit login attempts to your site.

  • Move the login URL. For example, if a WordPress website is at www.somesitename.com then its default login will be www.somesitename.com/wp-admin. Why not move it to something completely different, such as www.somesitename.com/something, so people do not know where it is?

  • Rename the main admin user so it is not admin.

  • Have strong passwords and change them on a 90-day cycle. We always recommend using passwords that include upper case letters, lower case letters, numbers and special characters such as _, * or $.

  • Rename the wp folders.

  • Employ CAPTCHAs – these don't need to be the unreadable text that everyone hates; they can be simple maths questions or drag-and-drop puzzles.

  • Employ a honeypot on all forms (this is a field that sits outside the visible display of your website; if a robot fills in any data on it, the attempt is blocked).
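Two of the items above, limiting login attempts and adding a honeypot, are easy to describe but easy to get subtly wrong, so here is a minimal WordPress plugin implementing both on the wp-login.php form. It is an added example, not code from this post or from any particular plugin; the field name, the `lhe_` prefix, the attempt limit and the lockout window are assumptions.

```php
<?php
/* Plugin Name: Login Hardening Example (constructed example, not Overthrow Digital's code) */

// Hypothetical names: field name, lhe_ prefix, limit and lockout window are assumptions.
define('LHE_HONEYPOT_FIELD', 'website_url');
define('LHE_MAX_ATTEMPTS', 5);
define('LHE_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS);
// Output the honeypot inside the wp-login.php form. Humans never see it; bots that
// fill every input they find will populate it.
function lhe_render_honeypot() {
    echo '<div style="position:absolute;left:-9999px" aria-hidden="true">';
    echo '<label>Leave this empty <input type="text" name="' . esc_attr(LHE_HONEYPOT_FIELD)
        . '" value="" tabindex="-1" autocomplete="off"></label></div>';
}
add_action('login_form', 'lhe_render_honeypot');

// Key the failure counter on the client address. REMOTE_ADDR is only reliable when no
// proxy sits in front of the site; behind a trusted proxy use the header it sets.
function lhe_client_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lhe_fail_' . md5($ip);
}

// Priority 30 runs after core's password check (priority 20), so this verdict is final:
// a filled honeypot or a locked-out client is rejected even with a correct password.
function lhe_gate_login($user, $username, $password) {
    if (!empty($_POST[LHE_HONEYPOT_FIELD])) {
        return new WP_Error('lhe_honeypot', 'Login blocked.');
    }
    if ((int) get_transient(lhe_client_key()) >= LHE_MAX_ATTEMPTS) {
        return new WP_Error('lhe_locked', 'Too many failed logins. Try again later.');
    }
    return $user;
}
add_filter('authenticate', 'lhe_gate_login', 30, 3);

// Count every failed login (core fires this for our errors too); the transient
// expires after the lockout window, so the counter resets on its own.
function lhe_record_failure($username) {
    $key = lhe_client_key();
    set_transient($key, (int) get_transient($key) + 1, LHE_LOCKOUT_SECONDS);
}
add_action('wp_login_failed', 'lhe_record_failure');

// A successful login clears the counter for that client.
function lhe_clear_failures($user_login, $user) {
    delete_transient(lhe_client_key());
}
add_action('wp_login', 'lhe_clear_failures', 10, 2);
```

Because the counter is keyed on the client address, a site behind a shared proxy or NAT will lock out everyone behind that address together, so tune the limit and window to your traffic.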

As with any form of technology, especially one used by a large number of people, there will always be security risks; however, these simple procedures will reduce the risk to your website considerably.

If you have any questions or concerns about open source CMS security, get in touch with us here.

Overthrow Digital 7 Albert Mews Albert Road London N4 3RD