Any developer would probably agree Content Management Systems (CMS) make it easier for web development teams and marketing to work together. However CMS assets like blog.company.com are also web application based and could be targets of hacker attacks. Why’s that? Simply because they are based on commonly used technologies, communicate with end users, bring in organic or paid reader traffic and build brand awareness.
Many companies spend resources on securing their main applications and neglect to also audit the security of the CMS platform because who would want to hack a blog? More often than not it is more about the technology than content itself that’s interesting to hack, which is why CMS security needs attention as well. Here is our overview including expert advice from our security team:
Deciding between closed- vs open-source CMS platforms:
Once you’ve decided to go with a CMS you’ll have to decide which vendor to go with and part of that is if it will be closed- or open-sourced. Cost and usability are key factors in the decision, but it’s also important to keep in mind the security maintenance expected to keep it up and running. Using an open-source program means that anyone can access the source code and there is freedom to make changes to the source code and customize it for your website needs. A lot of eyes on the code also means there are people out there interested in testing and breaking the code, especially in widely used platforms.
There are people out there testing the security of closed-source CMSes but it’s not at the same rate since they are only available with purchase; however, such platforms have internal security teams doing the testing and making fixes to keep up security. We receive vulnerability submissions for both closed- and open-sourced platforms from our Detectify Crowdsource community of 150+ handpicked white hat hackers.
Crowdsource module developer Kristian Bremberg reviews many of these submissions, and contrasts the two:
“Open source lets anyone look at the code, and therefore increases the chances of finding vulnerabilities. However, there’s no guarantee that the code will be reviewed by independent security researchers. Closed-source software is often owned by a company which spends money on internal code review and security testing.”
How to secure your CMS or blog site:
There’s a lot you can do to make sure security risks are alleviated when it comes to maintaining a CMS tool. We previously shared best practices on securing the Magento CMS application, and these same practices can be applied to any other CMS option too. Exploitation can be done through the hosting service, blog themes, plugins or extensions or user management, and it seems like a no-brainer to use the mentioned best practices:
Clean up your plugins In addition to the mentioned measures, it’s also imperative to ensure the plugins added to your CMS application are also secure to use. If you don’t use it, then uninstall it so it doesn’t become a security risk. Many plugins are hobby projects that are only updated once in while which means they can become vulnerable without the owners notice, and for that reason we recommend running automated scans that cover plugins. We often receive submissions for CMS plugins and it is something we are continuously open to receive from our Detectify Crowdsource white hat hackers.
Scan your CMS platforms for common vulnerabilities It’s common for Content Management Systems to be hosted on a platform that’s different from the main web application. For example, blog.company.com may be hosted on a CMS like WordPress which is not regularly monitored by a web development team and the code may not always be reviewed after updates or adding features. By using a tool like WPScan or Detectify to check a CMS for vulnerabilities, a findings report will show any vulnerabilities that may exist in the web application and with remediation tips. A code-savvy marketer could try to then fix the issue on their own or share it with a web developer or agency for the issue to be resolved.
Additional best practices:
- 2FA and requirements for complicated passwords
- Always use the latest version of the software
- Subscribe to product and security updates from the vendor via social media or mailing lists
Expert point of view: how secure are CMSes and plugins?
We asked our co-founder and top-ranked security researcher, Fredrik Nordberg Almroth, about CMS security and here is what he had to say:
“If I were to approach this [an open-source CMS], I would not start with the main application since this where most security resources are spent and where most people are looking. I would look for other points of entry where few people are monitoring yet highly used like blog themes and plugins. In fact, plugins are the biggest concern, and small but chainable vulnerabilities are mostly here.”
Image: Detectify co-founder and top-ranked ethical hacker, Fredrik Nordberg Almroth, has legally hacked many tech giants including Google and Dropbox.
Fredrik Nordberg Almroth says:
“exploiting such chained vulnerabilities can usually impact other assets and infrastructure not directly related to the affected CMS. An example could be a simple reflected XSS that can be used to steal login credentials, which may be used elsewhere on other systems to a cookie XSS that affects sibling subdomains. An other example could be a server-side request forgery (SSRF) attack, that could be leveraged to access internal databases, CI systems and other internal assets.”
Although there is this risk whenever downloading a plugin or theme for open-source CMSes like WordPress and Joomla, Fredrik assures that in general open-source options are quite secure as long as you work proactively with security. There can be rare cases like Drupalgeddon 2.0 (CVE-2018-7600), and since they have high severity impact, they are often short-lived as patches are made as soon as possible to save the masses. CMSes that are SaaS-based are automatically updated making it even easier for users.
However not everyone checks the compatibility and security of a plugin or bundled application, and popular ones are downloaded at least 50,000 times so you can imagine the damage one web vulnerability could have. Some infamous examples include the bundling of ImageMagick and CK Editor applications, where a hacker was able to execute a RCE and XSS respectively. When it comes to closed-source CMSes, there are fewer people looking at these systems outside of the product security teams since one would need paid license access to get to the source code. However vulnerabilities could be found by the vendor’s own security testing activities or bug bounty hunters before a malicious actor gets to it.
Overall CMSes are secure to use, and from a security standpoint, open-source platforms have an edge because they have more eyes examining the code and updates including security patches are automatic if they are web-based. If you have a CMS it’s most important to keep good user access security, use updated versions of the software and do research on plugins before using them.
CMSes are easy to use but can also be an easy way into your main application if its security is not monitored. Adding these pages like blog.company.com to the security scanning routine is a simple step to take to eliminate the risks.
Detectify is a SaaS-based web application scanner powered by ethical hackers. Our tool tests for 1500+ commonly found vulnerabilities including tests for WordPress, Joomla, Drupal, Liferay, Serendipity and other CMS and plugins/extensions. Have you checked the security of your CMS web applications? Try our tool for free and start securing your CMS today.