Most Secure CMS?

09/14/2013


Tonight I was looking around online and decided to search up the “most secure CMS”.

I happened across many forum threads at various sites, which will remain nameless, where the most popular responses are “WordPress” and “Joomla”.

For the most part, these are simply "popular choices", which is far from "most secure".
A base install of either CMS can be reasonably secure, provided you apply proper file permissions and ownership, but who wants to deploy a CMS and forgo all the wonderful features and plugins it boasts about?
The plugins and features, in addition to ease of use, are what attract users to install a CMS. Many of these users are small business owners or hobbyists who don't have the time to code their own websites, or don't know how.

If a CMS application is deployed with vulnerable plugins or themes, it’s only a matter of time before an attacker discovers and exploits it.

If you are going to go with WordPress, please ensure you read the following:
http://codex.wordpress.org/Hardening_WordPress

If you are going to go with Joomla, please ensure you read the following:
http://docs.joomla.org/Security_Checklist/Joomla!_Setup

Following the steps in these guides can give you a little peace of mind. However, it will not ease your anxiety and frustration if you are deploying vulnerable plugins or themes.

I put together a few things to consider before downloading a new plugin or theme:

  • Are you obtaining it from a reputable source?
  • Run a virus scanner against it if you aren't sure of its integrity.
  • Do not implement nulled themes or plugins.
    These are often filled with black-hat SEO, shell scripts, pharma redirects, etc.
    (Nulled is the same as pirated: a premium theme or script obtained and used without paying for it,
    from a source that is not the developer, and that may have been modified so the developer cannot detect it.)

  • Prefer a plugin that has been published for more than 6 months over one that was released yesterday.
  • Update your themes and plugins OFTEN! Check at minimum once a month for updates.
  • Ensure any form-based pages provide defense against bots and spammers. Employ reCAPTCHA.
  • Try to avoid plugins that contain obfuscated code.
    Many developers obfuscate their code in an effort to prevent others from stealing it.
    It only means stealing the code takes a little longer, while attackers deploy
    obfuscated code in incredibly creative ways, including hiding it inside pages of legitimate obfuscated code.
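As an added illustration of the last bullet (this is an example written for this page, not code from the original post or from WordPress or Joomla), here is a small Python audit that walks a plugin or theme directory and flags the PHP constructs most often found in obfuscated or backdoored code: eval() wrapped around a decoder, the preg_replace /e modifier, create_function(), long hex-escaped strings, long base64 literals and chr() concatenation chains. The indicator names, regexes and the two embedded PHP samples are constructed for the demo. A hit means "read this file before installing it", not proof of malware, since some legitimate code (minifiers, license checks) trips these patterns too.

```python
import base64
import os
import re
import sys
from typing import Dict, List, Tuple

# Constructs that legitimate plugins rarely need but obfuscated or backdoored
# code uses constantly. Each hit is an indicator for manual review.
INDICATORS = {
    "eval-of-decoded-string": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13|strrev)\s*\("),
    "create_function": re.compile(r"\bcreate_function\s*\("),
    "hex-escaped-string": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "long-base64-literal": re.compile(r"""['"][A-Za-z0-9+/]{200,}={0,2}['"]"""),
    "chr-concatenation": re.compile(r"\bchr\s*\(\s*\d+\s*\)\s*\.\s*chr\s*\("),
}
# preg_replace needs its own check: only the /e modifier is dangerous.
PREG_CALL = re.compile(r"""\bpreg_replace\s*\(\s*(["'])(.*?)\1""")


def _has_eval_modifier(pattern: str) -> bool:
    """True when a PCRE pattern string carries the /e modifier (evaluates the replacement as PHP)."""
    if len(pattern) < 2:
        return False
    delim = pattern[0]
    end = pattern.rfind(delim)
    return end > 0 and "e" in pattern[end + 1:]


def scan_source(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, indicator) pairs for every suspicious construct in PHP source."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.append((lineno, name))
        for m in PREG_CALL.finditer(line):
            if _has_eval_modifier(m.group(2)):
                hits.append((lineno, "preg_replace-e-modifier"))
    return hits


def scan_tree(root: str) -> Dict[str, List[Tuple[int, str]]]:
    """Walk a plugin/theme directory and report every PHP file with at least one indicator."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".php", ".inc", ".phtml")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_source(fh.read())
            if hits:
                report[path] = hits
    return report


# Constructed samples (not real plugin code). The "suspicious" one wraps a harmless
# statement in the eval(base64_decode(...)) pattern and uses the /e modifier.
_ENCODED = base64.b64encode(b"echo 'hello';").decode()
CLEAN_PHP = (
    "<?php\n"
    "function myplugin_shortcode($atts) {\n"
    "    return esc_html(get_option('myplugin_text', 'hello'));\n"
    "}\n"
)
SUSPICIOUS_PHP = (
    "<?php\n"
    '$s = "\\x68\\x65\\x6c\\x6c\\x6f\\x20\\x77\\x6f\\x72\\x6c\\x64";\n'  # "hello world" as hex escapes
    "eval(base64_decode('" + _ENCODED + "'));\n"
    "$r = preg_replace('/(\\w+)/e', 'strtoupper(\"\\\\1\")', $s);\n"
)

if __name__ == "__main__":
    # Usage: python scan_plugin.py /path/to/wp-content/plugins/some-plugin
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in sorted(scan_tree(target).items()):
        for lineno, name in hits:
            print(f"{path}:{lineno}: {name}")
```

Run it against the unpacked plugin before it ever reaches the site; the same scan is worth repeating after each update, because a compromised developer account can ship a clean plugin one month and an obfuscated one the next.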

WordPress Specific:

  • Consider using Sucuri.net's WordPress plugin, or similar plugins. [Sucuri.Net]
  • Update vulnerable timthumb.php scripts. [Current Timthumb Script]
    These can be hidden in themes and other plugins.
  • Use Akismet with BWP Recaptcha for better spam protection. [Akismet] & [BWP-Recaptcha]
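Finding every TimThumb copy is the hard part of the timthumb.php bullet, because theme and plugin authors bundle it under other filenames and in nested library folders. The following Python audit is an added example (not code from the original post or from the TimThumb project): it identifies copies by the "TimThumb" banner and the VERSION define the script carries near its top, rather than by filename, and flags anything older than a minimum version you pass in. The minimum version used in the demo is a placeholder; set it from whatever the current script linked above reports. The three sample files it writes into a temporary tree are constructed for the demo.

```python
import os
import re
import tempfile
from typing import List, Optional, Tuple

# TimThumb copies carry a "TimThumb" banner comment and a define('VERSION', 'x.y.z')
# near the top of the file; both regexes are written against that format.
TIMTHUMB_BANNER = re.compile(r"timthumb", re.IGNORECASE)
VERSION_DEFINE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([\d.]+)['"]\s*\)""")

# Placeholder: replace with the version number of the current TimThumb release.
EXAMPLE_MIN_VERSION = "2.8.14"


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.8.14' -> (2, 8, 14) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def identify_timthumb(source: str) -> Optional[str]:
    """Return the VERSION string if the source looks like a TimThumb copy, else None.
    A banner without a parsable define yields 'unknown'."""
    if not TIMTHUMB_BANNER.search(source[:4096]):
        return None
    m = VERSION_DEFINE.search(source)
    return m.group(1) if m else "unknown"


def is_outdated(version: str, min_version: str) -> bool:
    """Unknown versions cannot be shown current, so they are treated as needing review."""
    if version == "unknown":
        return True
    return parse_version(version) < parse_version(min_version)


def audit_tree(root: str, min_version: str) -> List[Tuple[str, str, bool]]:
    """Find every TimThumb copy under root, whatever its filename.
    Returns (path, version, outdated) for each copy."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = identify_timthumb(fh.read())
            if version is None:
                continue
            findings.append((path, version, is_outdated(version, min_version)))
    return findings


# Constructed sample files: an old copy hidden under a library folder, a current
# copy under the conventional name, and an ordinary plugin file that defines its
# own VERSION but is not TimThumb.
OLD_COPY = "<?php\n/* TimThumb script, bundled copy */\ndefine ('VERSION', '1.33');\n"
CURRENT_COPY = "<?php\n/* TimThumb */\ndefine ('VERSION', '2.8.14');\n"
PLAIN_PLUGIN = "<?php\n// an ordinary plugin file\ndefine('VERSION', '1.0');\n"


def demo() -> List[Tuple[str, str, bool]]:
    """Write the constructed samples into a temporary tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            os.path.join(root, "theme", "timthumb.php"): CURRENT_COPY,
            os.path.join(root, "plugin", "lib", "nested-copy.php"): OLD_COPY,
            os.path.join(root, "plugin", "plugin.php"): PLAIN_PLUGIN,
        }
        for path, src in samples.items():
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(src)
        return sorted((os.path.basename(p), v, o)
                      for p, v, o in audit_tree(root, EXAMPLE_MIN_VERSION))


if __name__ == "__main__":
    # Usage: python find_timthumb.py /path/to/wp-content
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, version, outdated in audit_tree(root, EXAMPLE_MIN_VERSION):
        print(f"{'OUTDATED' if outdated else 'ok      '} {version:>8}  {path}")
```

Point it at the whole wp-content directory rather than a single theme, since the renamed copies live in plugins as often as in themes.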


Joomla Specific:

  • Consider using security plugins created for Joomla! [Joomla Security Plugins]
  • jHackGuard has been around for a while and is free! [jHackGuard]


Suggestions for CMS Communities:

WordPress really should make an appeal to its plugin developer community and get some type of plugin approval process put in place.
Plugin developers should meet some basic requirements, which might include something like:

      1. Deploy the plugin to a CMS-specific honeypot for a period of time (call it a beta-testing period).
      2. Run web application vulnerability scans, using several scanners, against a staging site that has a known-good, non-vulnerable copy of WordPress with the plugin installed.
      3. Ask community members who are proficient in secure coding to review the code.


Essentially, no CMS is 100% secure.


If you are a reseller or developer and you find your content hacked more often than you update it, then you probably should be investing a bit more time in securing your business.

      • Constant exploitation can cause you to lose customers and generate bad publicity.
      • Decent hosting companies that can deal with hacked sites will eventually begin to charge you for the admin hours, or ask you to leave their network if it keeps being a problem.


Scalability:

Gone are the days of large sites made from completely custom code – it simply doesn't scale or grow with you unless you have the people and cycles to put into it.
It's best to deploy something in a way that's repeatable and easily maintained, once you've gotten the security aspects down.
Templates, themes, and plugins are wonderful! Just make sure you perform your due diligence and keep your product updated!

Thank you for reading, and please don’t hesitate to comment if you have questions or need assistance!