Most Secure CMS?

09/14/2013

[image: cms-cloud.png]

Tonight I was looking around online and decided to search up the “most secure CMS”.

I happened across many forum threads at various sites, which will remain nameless, where the most popular responses are “WordPress” and “Joomla”.

For the most part, these are only “popular choices” and far from “most secure”.
If you performed a base install of either CMS, you could well be secure, provided you applied proper permissions and ownership attributes, but who wants to deploy a CMS and forgo all the wonderful features and plugins they boast about?
The plugins and features, in addition to ease of use, are what attract users to install a CMS. Many of these people are small business owners or hobbyists who don't have the time to code their own websites, or don't know how.

If a CMS application is deployed with vulnerable plugins or themes, it’s only a matter of time before an attacker discovers and exploits it.

If you are going to go with WordPress, please ensure you read the following:
http://codex.wordpress.org/Hardening_WordPress

If you are going to go with Joomla, please ensure you read the following:
http://docs.joomla.org/Security_Checklist/Joomla!_Setup

Following the steps in these guides can give you a little peace of mind. However, it will not allay your anxiety and frustration if you are deploying vulnerable plugins or themes.

I put together a couple of things to consider before downloading a new plugin or theme:

  • Are you obtaining it from a reputable source?
  • Launch a virus scanner against it if you aren't sure of its purity.
  • Do not implement nulled themes or plugins.
    These can often be filled with black-hat SEO, shell scripts, pharma redirects, etc.

    (Nulled means pirated: obtaining and using a premium theme or script without paying for it, from a source that is not the developer,
    where the copy may have been modified so that the developer cannot detect it.)
  • Prefer a plugin that has been published for longer than 6 months and has many subscribers over one that was published yesterday and has 2 subscribers.
  • Update your themes and plugins OFTEN! Check at least once every 6 months if you can’t do it monthly.
  • Ensure any form-based pages defend against bots and spammers. Employ reCAPTCHA.
  • Try to avoid plugins that contain obfuscated code. While many developers think this will prevent other developers from stealing their code, it doesn't.
    It just means it will take them a little longer; meanwhile, hackers are deploying obfuscated code in incredibly creative ways.
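The last two points (nulled packages seeded with shells or black-hat SEO, and plugins that ship obfuscated code) can both be caught with a first-pass triage before a package ever reaches a live site. The following scanner is an added example written for this post, not code from the original post or from any plugin vendor; the pattern list and weights are my own heuristic choices, and the two plugin files it scans are constructed samples written to a temporary directory (the "nulled" one decodes to an inert `echo 1;`). It flags the usual decode-then-eval chains, shell-execution calls, the `preg_replace` `/e` modifier, and long hex-escaped strings, and gives each file a score so that the noisiest candidates float to the top.

```python
import os
import re
import tempfile

# Heuristic indicators of obfuscation or planted code in PHP. Constructed for this
# example: (compiled pattern, weight, human label). Tune the list to your codebase.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\beval\s*\("), 3, "eval()"),
    (re.compile(r"\bbase64_decode\s*\("), 2, "base64_decode()"),
    (re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\("), 2, "decode/inflate call"),
    (re.compile(r"\bpreg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]"), 3, "preg_replace /e modifier"),
    (re.compile(r"\b(system|exec|shell_exec|passthru)\s*\("), 3, "shell execution"),
    (re.compile(r"\\x[0-9a-fA-F]{2}(?:\\x[0-9a-fA-F]{2}){7,}"), 2, "long hex-escaped string"),
    (re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), 2, "large base64-looking blob"),
]


def scan_file(path):
    """Return [(line_no, weight, label, snippet)] for every pattern hit in one PHP file."""
    findings = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, 1):
            for pattern, weight, label in SUSPICIOUS_PATTERNS:
                if pattern.search(line):
                    findings.append((line_no, weight, label, line.strip()[:80]))
    return findings


def scan_plugin_dir(root):
    """Walk a plugin/theme tree; return {relative_path: (score, findings)} for files with hits."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            findings = scan_file(path)
            if findings:
                score = sum(weight for _, weight, _, _ in findings)
                report[os.path.relpath(path, root)] = (score, findings)
    return report


# Constructed sample plugins. The "nulled" one imitates the shape of a planted
# footer without doing anything: the base64 text decodes to "echo 1;".
CLEAN_PLUGIN = r"""<?php
/* Plugin Name: Example Clean (constructed sample) */
add_action('init', 'example_clean_init');
function example_clean_init() {
    register_post_type('example', array('public' => true));
}
"""

NULLED_PLUGIN = r"""<?php
/* Plugin Name: Example Nulled (constructed sample, inert) */
$k = 'ZWNobyAxOw==';
eval(base64_decode($k));
echo "\x3c\x61\x20\x68\x72\x65\x66\x3d";
"""


def build_sample_tree():
    """Write the two constructed samples into a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="plugin-scan-")
    for folder, body in (("clean-plugin", CLEAN_PLUGIN), ("nulled-plugin", NULLED_PLUGIN)):
        os.makedirs(os.path.join(root, folder))
        with open(os.path.join(root, folder, folder + ".php"), "w") as fh:
            fh.write(body)
    return root


def run_demo():
    """Scan the constructed tree and return the report (the clean plugin yields no entry)."""
    return scan_plugin_dir(build_sample_tree())


if __name__ == "__main__":
    for rel, (score, findings) in sorted(run_demo().items(), key=lambda kv: -kv[1][0]):
        print(f"{rel}: score {score}")
        for line_no, weight, label, snippet in findings:
            print(f"  line {line_no} [{label}, +{weight}] {snippet}")
```

Point `scan_plugin_dir()` at an unpacked download rather than at a live `wp-content` directory, and treat a non-zero score as a reason to read the flagged lines, not as proof of malice: legitimate plugins occasionally use `base64_decode()` for embedded images, which is exactly why the weights are per pattern rather than a single yes/no.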


WordPress Specific:

  • Consider obtaining Sucuri.net's WordPress plugin, or at least another WordPress security plugin.
  • Scan for vulnerable timthumb.php versions.
    You could be deploying themes or plugins that contain an outdated copy of this script without even knowing it.
  • There are multiple TimThumb and vulnerability scanner plugins that can help with this.
    When you find older versions, replace them with the latest, found here:

    http://timthumb.googlecode.com/svn/trunk/timthumb.php
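If you would rather not rely on a scanner plugin, the check is simple enough to script: TimThumb declares its release near the top of the file as `define ('VERSION', '2.8.14');`, so every PHP file under `wp-content` that mentions TimThumb can be located and its version compared against the copy you just downloaded from the link above. The following is an added example written for this post, not the original post's code and not part of TimThumb itself; the regex, the minimum version passed in, and the four stub files it writes to a temporary directory are constructed for the example. It also flags copies that mention TimThumb but carry no version define at all (forks with the header stripped), since those cannot be vouched for either.

```python
import os
import re
import tempfile

# TimThumb's version line looks like:  define ('VERSION', '2.8.14');
# The regex is constructed for this example and tolerates spacing and quote style.
VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([0-9][0-9.]*)['\"]\s*\)")
TIMTHUMB_MARKER = re.compile(r"TimThumb", re.IGNORECASE)


def parse_version(text):
    """Return the VERSION define as a tuple of ints, or None when the file has none."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).strip(".").split("."))


def scan_tree(root, minimum):
    """List TimThumb copies under root (whatever they are named) that are older than
    `minimum` or carry no version at all, as sorted [(relative_path, version_or_None)]."""
    outdated = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                head = fh.read(8192)  # header and VERSION define sit at the top of the file
            if not TIMTHUMB_MARKER.search(head):
                continue  # a VERSION define in some unrelated plugin is not a TimThumb hit
            version = parse_version(head)
            if version is None or version < minimum:
                outdated.append((os.path.relpath(path, root), version))
    return sorted(outdated)


# Constructed stubs standing in for a wp-content tree: an old copy, a renamed
# current copy, a fork with the version define removed, and an unrelated file.
SAMPLES = {
    "themes/old-theme/timthumb.php": "<?php\n/* TimThumb (constructed stub) */\ndefine ('VERSION', '1.33');\n",
    "plugins/gallery/thumb.php": "<?php\n/* TimThumb (constructed stub, renamed copy) */\ndefine ('VERSION', '2.8.14');\n",
    "themes/other-theme/inc/image.php": "<?php\n/* forked from TimThumb, version define removed (constructed stub) */\n",
    "plugins/gallery/gallery.php": "<?php\n/* unrelated plugin file (constructed stub) */\ndefine ('VERSION', '1.0');\n",
}


def build_sample_tree():
    """Write the constructed stubs into a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="timthumb-scan-")
    for rel, body in SAMPLES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # Assumption: (2, 8, 14) is the version of the copy you just fetched from the
    # trunk URL above; set it to whatever that file's VERSION define says today.
    for rel, version in scan_tree(build_sample_tree(), (2, 8, 14)):
        shown = ".".join(map(str, version)) if version else "no VERSION define"
        print(f"REPLACE  {rel}  ({shown})")
```

Run it against a real site as `scan_tree("/var/www/example/wp-content", current_version)` after reading `current_version` out of the freshly downloaded script with `parse_version()`; that way the threshold tracks the upstream file rather than a number hard-coded months ago.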


Joomla Specific:


WordPress really should appeal to its plugin developer community and put some type of plugin approval process in place.
Plugin developers should have to meet some basic requirements, which might include something like:

  1. Deploy to a CMS-specific honeypot for a period of time (call it a beta-testing period).
  2. Run web application vulnerability scans, using various scanners, against a staging site that has a known-good, non-vulnerable copy of WordPress plus the installed plugin.
  3. Ask community members who are proficient in secure coding to review the code.


Essentially, no CMS is 100% secure.

If you are a reseller or developer and you find your content hacked more often than you update it, then you probably should be investing a bit more time into securing your business.

  • Constant exploitation can cause you to lose customers and promote bad publicity.
  • Decent hosting companies that can deal with hacked sites will eventually begin to charge you for the admin hours, or ask you to leave their network if it becomes a problem too often.


Gone are the days of large sites made from completely custom code – it’s simply not scalable and doesn’t grow with you unless you’ve ensured you have the cycles to put into it.
It’s best to deploy something in a way that’s repeatable and easily maintained, once you’ve gotten the security aspects down.
Templates, Themes, and Plugins are wonderful! Just make sure you perform your due diligence and keep your product updated!

Thank you for reading, and please don’t hesitate to comment if you have questions or need assistance!
