The number of open source content management systems (CMS) available today is quite impressive. Each one of them offers a unique way of handling data, but the bottom line is these frameworks provide the developer and administrator a solid foundation to work with.
With any open source project, there are always villains seeking to exploit vulnerabilities. Luckily, most of these projects have large communities of both developers and users that contribute to its success and security. With that said, the responsibility of security lies ultimately with you, the administrator.
First and foremost, let's start off by accepting that nothing on the web is 100% secure. If Target and Anthem can be hacked (and your Corvette too?!), no one is safe. So the first thing to do is to acknowledge that at some point a hacker will attempt to exploit your online website/application. Now that we've swallowed that dose of reality, we can exercise some precautions and plan for the worst. Let's get to the basics.
Save daily backups
Whether you are building your own website or working with a developer, daily backups are a must. With today's technologies it is so simple to do, and just foolish not to. Remember that both your database and your web root (aka website files) should be included in this backup. Once you have both, date them and archive them somewhere safe; you never know when you will need to revert. A developer can automate this process for you, and any good web development company should include it if they are hosting your website/application.
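As an added example (not from the original post), here is a small POSIX shell script that does what the paragraph describes: dumps the database, bundles it with the web root into a date-stamped archive, verifies the archive actually contains both parts, and prunes old copies. The database engine (MySQL/MariaDB via mysqldump), the paths and the database name are assumptions.

```shell
#!/bin/sh
# Added example: nightly CMS backup of database dump + web root.
# Assumptions: mysqldump is installed, paths in the comments are placeholders.
set -eu

# dump_database DBNAME OUTFILE: write a consistent SQL dump of the CMS database.
dump_database() {
  mysqldump --single-transaction "$1" > "$2"
}

# make_backup WEBROOT DUMPFILE DESTDIR: bundle the web root directory and the
# SQL dump into one date-stamped tarball; prints the archive path on success.
make_backup() {
  webroot=$1; dump=$2; dest=$3
  stamp=$(date +%Y-%m-%d)
  archive="$dest/site-backup-$stamp.tar.gz"
  mkdir -p "$dest"
  tar -czf "$archive" \
    -C "$(dirname "$webroot")" "$(basename "$webroot")" \
    -C "$(dirname "$dump")" "$(basename "$dump")"
  printf '%s\n' "$archive"
}

# verify_backup ARCHIVE WEBROOTNAME DUMPNAME: a backup you never checked is not
# a backup. Returns 0 only if the archive is readable and lists both the web
# root directory and the dump file.
verify_backup() {
  archive=$1; root=$2; dump=$3
  listing=$(tar -tzf "$archive") || return 1
  printf '%s\n' "$listing" | grep -q "^$root/" || return 1
  printf '%s\n' "$listing" | grep -qxF "$dump" || return 1
}

# prune_old_backups DESTDIR DAYS: keep a rolling window so the disk never fills.
prune_old_backups() {
  find "$1" -name 'site-backup-*.tar.gz' -mtime +"$2" -delete
}

# Nightly run from cron (assumed paths and database name):
#   dump_database cms_db /var/backups/cms/db.sql
#   archive=$(make_backup /var/www/html /var/backups/cms/db.sql /var/backups/cms)
#   verify_backup "$archive" html db.sql && prune_old_backups /var/backups/cms 30
```

Copy the verified archive off the web server (object storage, another host) so a compromise of the site cannot also destroy its backups.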
Create passwords you’ll never remember
It is likely that if you are using a CMS, you have an admin area you need to log into. The days of using a password like "password1234" are long gone, and strong passwords are your friend. Ensure you enforce long passwords which include numbers and special characters. Although password management systems aren't hackproof either, tools like LastPass or 1Password beef up your online security by generating and storing complex passwords. Your developer can also introduce extra security features like Google's two-step authentication to enhance security further.
Kill the admin
Every CMS has a default super user which holds all the power. If this account is compromised, so is everything else. The default username for an administrator should not be "admin". It's bad practice because it's the first lesson in elementary hacking school. As we monitor login attempts here at ByteJam, more often than not "admin" is the username a hacker tries first. Another popular one is the website name itself. So be unique when selecting a username. If you are using a developer, make sure you tell them this in advance.
Don’t slack on updates
CMS updates are your friend. They are created either to give you shiny new features, to address changes in the browser landscape, or to fix security holes. So this is a simple one: stay up to date.
Be careful what you plug in
A content management system is essentially just a shell that offers basic functionality to store content in a manageable way. Some are more elaborate than others, but none are going to offer you all the bells and whistles out of the box. This is where plugins, packages and modules step in. These are usually built by community developers to easily expand the feature set. The lesson here is to do your research before installing them. Yes, looking at how users rate these tools is useful, but when we are sizing up a plugin here at ByteJam, we need to be thorough. We want to ensure that the developer is reputable and has a strong grasp of the system they are extending. We look at how often the code has been updated, how well documented their change log is, and find specific documentation to ensure they support the most current version of the platform. A simple step non-developers can take is to Google the plugin name along with words like "bugs" or "vulnerability." If a known issue exists, that will usually expose it. If you are working in WordPress, this website is a good place to start.
Then, once you've installed that plugin, let's repeat: keep it up to date. Outdated plugins are one of the most common things hackers exploit. Plugins are not always updated when your CMS is, or vice versa, and updating one that is not compatible with the other will ultimately leave you with some broken functionality. A well written plugin will have documentation stating what version it is on and which version of the CMS it is compatible with.
Choose your servers and hosting wisely
Who knows the actual number, but it seems that cloud hosting companies pop up overnight. Picking a hosting company is a topic we could go on and on about. Long story short, just like with plugins, you should do your research. See what others are saying about their services and pay special attention to customer service.
Every framework has a set of server requirements it needs to run, and every website/application will most likely have its own specific hosting needs. These all need to be addressed and will determine what type of hosting/server you use. Discuss these requirements with your IT team, your developer and a trustworthy hosting company.
So these are the basics for maintaining a secure CMS. It is possible to follow these steps to a T and still have to deal with a website that's been hacked. But at least you have locked your doors and windows, keeping your site safer than most, so you can rest a little easier.