If you run a website, ecommerce site, or marketing department, you likely know what a Content Management System (CMS) is. CMSs are applications that help manage content by allowing multiple users to create, edit and publish web content. Love them, hate them or feel indifferent about them, they are the operating systems for your website, and just like the operating system on your laptop or phone, they need constant care: patching, security updates, and upgrades. I want to talk specifically about the security part today.
In 2018, more than 18 million CMS users suffered security breaches. 73.2% of the sites managed with the most commonly used CMS, WordPress, contain easily exploitable vulnerabilities. 98% of those vulnerabilities are due to third party plugins.
Just like everything else in life, there are tradeoffs. In this case the tradeoff is between what a CMS allows you, the user, to do and the security holes that those privileges leave open. Holes in CMS security can come from a number of places: poor implementation, code executed in the browser, and plugins.
Threats to security can come in the form of data manipulation, unauthorized access to that data, or code injection that permanently changes or deletes data and takes down an entire site. Remember, security for websites is not just about keeping personal information secure. Your reputation is also on the line. Often, attackers will use your site to host malware or viruses, slowing your site. Hackers may also deface your site for political reasons, or simply for kicks. Here are some common attacks against websites.
Message displayed during defacement of a UK National Health Services website in 2018. Source: BBC.
Choosing a new CMS (or assessing your existing site)
In order to keep your CMS secure, start by making sure you are choosing the correct CMS for your company and the types of content that your site will contain. Not every CMS works for every type of site.
By planning your site and taking time with the implementation of the CMS, you are saving time down the road by avoiding problems that would need to be fixed later on. If your site is already up and running and you feel like you may be behind on security, start with our risk assessment for websites.
When choosing a CMS, you’ll also want to consider a managed platform to support it. The leaders we typically consider are Pantheon or WP Engine for WordPress or Pantheon or Acquia for Drupal. On the Sitecore side, Sitecore Managed Cloud is a robust option. Take a few minutes and read our Security Conscious CMS Buyer’s Guide.
Your CMS is more than just the core code that comes with the system, especially if it is an open source CMS (WordPress, Drupal). When choosing plugins or modules to add to a site, make sure they are properly maintained and updated by the developer. Also make sure to keep your CMS version up to date, as more security holes are fixed with each new version.
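As an added example (not code from the original post or from any vendor it mentions), here is a small Python audit of a WordPress plugin inventory against the rules above: the input mirrors the shape of `wp plugin list --format=json`, while the `last_updated` field and the one-year staleness threshold are assumptions, and all sample data is constructed.

```python
"""Audit a WordPress plugin inventory for the hygiene rules in the text:
patch what has an update, remove what is inactive, and treat plugins
with no recent release as unmaintained. Also check that core is current."""
import json
from datetime import date

# Constructed sample in the shape of `wp plugin list --format=json`
# (fields name, status, update, version), plus an assumed `last_updated`
# field joined in from the plugin directory listing.
SAMPLE_INVENTORY = json.dumps([
    {"name": "akismet", "status": "active", "update": "none",
     "version": "5.3", "last_updated": "2024-01-15"},
    {"name": "contact-form", "status": "active", "update": "available",
     "version": "1.2", "last_updated": "2023-11-02"},
    {"name": "old-gallery", "status": "inactive", "update": "none",
     "version": "0.9", "last_updated": "2019-06-30"},
])

STALE_AFTER_DAYS = 365  # assumption: a year without a release means unmaintained


def audit_plugins(inventory_json, today_iso, stale_after_days=STALE_AFTER_DAYS):
    """Return {plugin name: [findings]}; an empty list means the plugin is clean."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for plugin in json.loads(inventory_json):
        issues = []
        if plugin["status"] != "active":
            issues.append("inactive: remove it, inactive code is still attack surface")
        if plugin["update"] == "available":
            issues.append("update available: patch it")
        last_release = date.fromisoformat(plugin["last_updated"])
        if (today - last_release).days > stale_after_days:
            issues.append("unmaintained: no release in over %d days" % stale_after_days)
        findings[plugin["name"]] = issues
    return findings


def core_is_current(installed, latest):
    """Compare dotted version strings numerically, so '6.4.10' beats '6.4.9'."""
    as_parts = lambda v: [int(p) for p in v.split(".")]
    return as_parts(installed) >= as_parts(latest)


if __name__ == "__main__":
    for name, issues in audit_plugins(SAMPLE_INVENTORY, "2024-03-01").items():
        print(name, "OK" if not issues else "; ".join(issues))
    print("core current:", core_is_current("6.4.2", "6.4.3"))
```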
Lastly, build for the future: create a culture on your team or within your organization that takes security seriously. If you have developers on your team or if you use an outside company, make sure they have an SSDLC (Secure Software Development Lifecycle). More about creating an SSDLC here.
Learn How to Create a CMS Security Program
If you’d like a quick crash course on how to put all of this into action, attend our upcoming webinar on CMS Security. From both a business and a technical perspective, the Engine Room team will cover:
- The risks of a Content Management System
- Security packages - examples of plugins and modules to keep your CMS secure
- Managed platforms to the rescue - Pantheon, WP Engine, Acquia, Sitecore Cloud
- Continuous Improvement - how to ensure you stay secure through training, education and culture