Most modern content management systems are easily installed through an installer or script. Many web hosts also provide systems like Fantastico so you can click a couple of buttons to automatically install a CMS.
That’s good, right? Well, yes…and no.
As a way to quickly get a basic website online and publish content, installers are a great help. After reading a few web pages of text, clicking a few buttons, and typing some basic information into a dozen or so text boxes, your new website will become accessible to the world. There is no easier way to create and deliver web-based content using a leading content management system than by using an installer to get going.
One CMS I use for some websites is Joomla!. Out of the box, Joomla is powerful and pretty secure. Some significant security researchers and major corporations use Joomla to manage and display their web-based content. They wouldn’t do this if they couldn’t keep their web content safe from unauthorized alterations.
We’re not picking on Joomla. The same factors apply to most other content management systems.
Does that mean all Joomla websites are secure? No. Just read some of the current posts on the Joomla security forum to see that not all Joomla websites are secure.
Attack vectors constantly change
First, we know attack vectors change constantly. I read log files, and while most of the attacks against servers I manage are well-known, every week some new styles are logged. Usually, these are just variations on a known vector. Occasionally, I get to see a new attack, one targeted toward a vulnerability just discovered or not well known.
Your CMS codebase changes
Second, the codebase of your CMS changes as vulnerabilities are found and patched. That doesn’t mean your particular implementation of a CMS automatically changes. Patches must be applied to your installed codebase in order to keep your core system secure.
So what’s my point? The folks trying to break into your site are constantly banging away on the front and back doors to your website. If you simply create a CMS-based site and then turn a blind eye to the underlying system, your system will likely eventually be compromised. When you leave your codebase static, you create opportunities for bad folks to exploit newly found vulnerabilities.
How do you avoid this kind of situation without investing lots of money? There are options, but all take a bit of care.
Don’t use a CMS
A CMS is ideal when you have content that grows or changes frequently. If your content is relatively unchanging, consider not using a CMS. You can post HTML-coded pages and avoid some of the exposure created by a misconfigured or poorly maintained CMS.
It’s not hard to create simple HTML-coded pages. For most folks, however, using a WYSIWYG editor makes it much easier. Microsoft’s Expression suite of products can create powerful web pages on your desktop computer, and then you upload the finished pages to your public website. Similarly, Adobe’s Contribute software allows you to make changes to your web pages from your desktop.
Properly configure and maintain your CMS
Directory and file ownership, access controls, permissions, and similar settings can keep the bad folks from compromising your website. If you are unfamiliar with the things listed in the previous sentence, we recommend hiring a professional to review your website settings. On Linux and Unix-like systems, .htaccess files can be constructed to block many attacks.
We also recommend managing your CMS over SSL-encrypted sessions. To confirm you are surfing over an encrypted session, look for the HTTPS in the web address and for the padlock in your browser’s task bar, just like you would when purchasing things online.
You should also subscribe to whatever security forum is provided for your particular content management system. When vulnerabilities are announced that apply to your CMS configuration, back up your site and data, then patch your system.
A properly configured and maintained CMS can be just as safe as posting plain HTML pages.
Use a hosted CMS
A previous article titled “Five minutes to create your online presence” would seem to be in conflict with the theme of today’s article. Actually, that article is a solution to the difficulty of installing and managing your own CMS. Vendors who host a single codebase for many independent websites tend to keep up with patching their code. That means a hosted blog or wiki may give you a way to have your website without worrying about maintaining the underlying code.
However, if you install and use themes, modules, extensions, or other add-ons not created by the CMS developers, you may need to keep up with patches for those non-core products.
Be wary of contributed modules
Joomla has a very active community of folks creating a wide variety of small programs that extend the functionality of the core Joomla system. Drupal, WordPress, and other systems have similar communities. When you install and use one of these third-party extensions or modules, you may also be creating vulnerabilities. Not all programmers are as security aware or capable as the developers of the major content management systems. For folks using these third-party add-ons, we recommend frequent monitoring of each add-on’s home page, forum, or notices so you can stay on top of new code releases.
One of our services is monitoring the system and configuration you are using, and optionally installing patches when new code becomes available. To do this, we create a profile of your installed code and third-party add-ons, then add those vendor and developer sites to our list of regular visits. When code changes are published, we check them against your profile. This change monitoring and management service can give you great peace of mind, preserve your reputation, and help assure uninterrupted information flow to your customers and members.