The Security Conscious CMS Buyer's Guide

Your new house is complete. You’ve spent painstaking hours with an architect and builder to create your dream house. The cost was high, but it was worth it. However, you find that the kitchen doesn’t quite feel right once you stand in it. You want to change a few things. Unfortunately, that’ll require another project and another payout to the architect and builder.

Content management systems (CMS) offer an easier way to manage your website. Imagine if your kitchen was a separate component and could easily be replaced with another. A CMS gives you control of your website and easily allows you to build and change content on your site at will.

However, many exist and it could be difficult to know what to look for when purchasing one, especially for those who are security conscious.

We decided to build this CMS buyer’s guide just for you security conscious buyers out there. We’ll take a look at why CMS security is important, what key features you should look for when shopping around, and some key questions you should ask before beginning your search.

CMS Security is Important

Having a CMS introduces a new layer to traditional web application security. You’re now introducing a piece of code outside of your control into your environment. When there’s a security bug in that software, there’s now a security bug in your website.

WordPress has a long list of security vulnerabilities. Drupal has had two “Drupalgeddons,” and that’s only two of the many CMSs you can choose from. Is having a CMS a bad idea fraught with online dangers?

No. Having a CMS doesn’t automatically mean you’re vulnerable to the bad guys. It is possible to run a secure CMS installation. You just need to know what to look for when shopping for a CMS and what you need to do to prepare.

What CMS Security Looks Like

 Every CMS differs in architecture and security features. Let’s boil all of these features down and cover the features you should look for when shopping for a secure CMS.

Protect the admin page

A key component of any CMS is an administrator panel where you can control the various aspects of your website. Administrators can create user accounts for those who write and edit content, upload images, and other basic functions.

Administrator accounts are extremely powerful and can be misused if compromised by an attacker. Make sure your CMS has the ability to protect your administrator account, and be on the lookout for default settings that may leave you vulnerable. Defaults can be dangerous because they are widely known by attackers.

For example, Umbraco uses the /Umbraco path as the default URL to access the administrator dashboard. An exposed /Umbraco path could leave your admin page vulnerable to brute force attacks. Umbraco allows you to rename the Umbraco folder to help prevent this.

When looking for a CMS, try to find one with configurable password policies, giving you the ability to enforce strong passwords for users. Look for the ability to add two-factor authentication to administrator accounts for extra protection.

Protect the Data

A content management system’s data is the lifeblood of your website. The database holds content, images, files, as well as user accounts of your employees. Any CMS must have robust tools available to protect your data.

Data can be protected from intruders by encrypting it within the database. If the data is encrypted, then an attacker will get nothing but gibberish if they somehow breach the database. On top of encryption at rest, encrypting the data in transit using HTTPS is also essential. Redirect any HTTP requests to use HTTPS instead.

The security of data is not always about it being stolen. Your databases may become corrupted and unusable. WIthout your database intact, your website simply will not work. Ensure the CMS you choose has options for secure database backups. If the worst happens, regular backups will allow you to minimize downtime.

The database isn’t the only place data is stored. Files stored on your servers store sensitive and important information. For example, an attacker could try to change a configuration file or the main code file of a plugin. If an attacker changes a file and uses it to run malicious code, it could open a backdoor into your site and allow the attacker to bypass the administrator login. Look for a CMS capable of file change detection, so you can be notified if any files are changed. This can be native functionality, or could be provided by installing a plugin for the CMS.

Secure Architecture Options

The security of your site has much to do with the architecture as the software using it. Your site architecture refers to the physical and network configuration of the different pieces of the site. This allows you keep some pieces out of the reach of attackers.

If a secure architecture is important, look for a CMS that features flexibility and scalability as a core component. An example is Sitecore CMS, which gives you the ability to install the administrative pieces on a separate server from the content presentation software. By placing the content creation and administration server behind a firewall and only exposing the content presentation server to the Internet, you create a barrier between attackers and your CMS.

Flexible architecture options give you the control you need to protect your CMS without complicated code being added to it.

How Difficult Is the CMS to Secure?

Resources are often constrained, and only so much money is available to spend on your CMS. This reality should factor into your decision to buy a CMS. The more effort required to secure the CMS, the more resources you need and the more money it’ll cost to get things up and running.

Figure out what it will take to secure your CMS. Will you require a special set of plugins to lock things down? Are you required to change configuration files and many defaults to secure the CMS? Are your servers full of holes and open to attack regardless of which CMS you choose?

You’ll have to decide what you’re comfortable with. With guidance on exactly what to change, such as in our article on Sitecore CMS security features or how to secure Drupal, it could take only a couple hours or a day or two at most. Figuring it out on your own may take much longer.

10 Questions You Need to Ask Before You Buy a CMS

Sometimes all you need is a simple checklist of the biggest concerns when looking into a new technology. Here’s 10 questions you should ask about your environment and any prospective content management systems you may be looking into for your site.

1. How mature are your security policies?
   Security policies are usually not a fun topic to discuss, but it is important. Policies lay the foundation for all of your security decisions. Pay attention to the lessons you’ve learned when purchasing other products, distill them into the policies you want to follow, and then make sure any new CMS measures up.
   
   
2. Do you have security standards in place your CMS will have to follow?
   What standards have you defined for your environment. For example, if you only run Linux servers, then choosing a CMS that requires Windows doesn’t make much sense. Before you can make any decisions on which CMS to try out, you can eliminate many possibilities by seeing which systems match your standards.
   
   
3. How much is CMS security worth to you?
   Another decision you need to make is how much you’re willing to pay for CMS security. You may need to pay a consultant for help. You may need premium plugins or other add-ons for extra security. What are your willing to pay for?
   
   
4. Are any parts of your CMS going to be exposed to the public Internet?
   What is the purpose of your CMS? Will it host your blog or become an intranet site for your employees? The answers to these questions will drive your CMS security plan. A CMS exposed to the Internet would need more careful consideration and more stringent protections from day one than one only accessible via your corporate network.
   
   
5. How much automation is required by your CMS?
   Resources can be scarce, so you may require the security of your CMS to be more automatic. For example, some WordPress plugins add software firewalls to your site so attacks are detected and stopped. Others offer regular backup services so you always have a backup ready and waiting for you. These plugin architectures can be powerful tools to give you some piece of mind without a large expense of personnel or extra software.
   
   
6. Do you have any other applications that will interact with your CMS?
   How does your CMS interact with the rest of your systems? Many offer APIs you can use to publish content or perform other actions. This opens up many possibilities, but also increases the attack surface. Make sure any applications that interact with your CMS are also following security best practices.
   
   
7. How mature is your patch management process?
   Patch management is extremely important in an environment using vendor products. When a CMS vendor issues security updates, how quickly can you apply them? Make sure you have a clear patch management process in place before placing a CMS into your environment.
   
   
8. Where are your site’s users located?
   Understand where your users are to understand what security features are absolutely necessary. You may have administrators logging in from home, which means the admin login page will need to be accessible from the Internet or VPN. Features like strong password policies and two-factor authentication are must haves if employees are logging into the system from home.
   
   
9. Do you have incident response plans in place?
   An incident response plan outlines what actions are taken by whom in the even of a security incident. Take the time to analyze what could go wrong, perhaps by threat modeling your CMS environment. Create a plan and know what will happen if someone does compromise your CMS. Then run simulated attacks and test the plan’s effectiveness.
   
   
10. Is your environment hardened?
    A large part of CMS security is the environment it uses. Ensure that all servers have some malware protection installed on the servers. Patch your servers regularly. Use HTTPS for all connections. Restrict access to sensitive folders.

Security Is Always Part of the Equation

Many factors should be weighed when choosing a CMS, and security is an important one. Every company has different standards, policies, and existing infrastructure, and these should affect what security features are most important to you.

A CMS allows you to switch out your “kitchen” for another pretty easily. But switching an entire CMS is difficult once you use one for a while. Take the time to carefully analyze your needs first before jumping into a decision you may regret.

Review your current security standards and policies. Look for the features we laid out to make things easier, and ask the tough questions about the CMS and your own systems to get a better picture of which CMS will fit into your environment. Then your CMS will feel like your new home’s relaxing hot tub, not a cold shower.

Never forget you don’t have to make this big decision alone. Please get in touch with us if you need any help evaluating your environment so you can choose the right CMS for your needs.