
The Worrying Security State of CMS Platforms

The use of Content Management Systems (CMS) is on the rise. Over 20% of the top 10,000 websites today run on a CMS, most commonly WordPress, Drupal or Joomla. But the quick setup and customizable functionality come at a price: security flaws in these platforms and their plugins are regularly exposed and exploited by cybercriminals.

Checkmarx’s Research Lab studied the vulnerabilities in WordPress plugins, and the findings were not encouraging: 20% of the 50 most popular WordPress plugins in use today were found to be vulnerable to web attacks.

The Security State of WordPress Top 50 Plugins study also revealed that 7 of the 10 most popular e-commerce plugins contain vulnerabilities. Around 80% of the vulnerabilities found in third-party code are located in plugins and extensions.

Plugin and website developers have only one reliable way to release secure products: build the software within a secure Software Development Life Cycle (SDLC). Examining source code early, while it is still being written, lets vulnerabilities be fixed early, which saves resources and reduces production costs and time to release.

Besides the commonly exploited SQL injection (SQLi) and Cross-Site Scripting (XSS) vulnerabilities, Distributed Denial of Service (DDoS) attacks are gaining steam. A favorite among hacktivists and commercial criminals, this technique floods the server with requests from compromised computers (bots) until it can no longer serve legitimate traffic and the website goes down.

CMS and plugin users and consumers also have their part to play in keeping their sites secure.

CISOs and information security executives must perform the basic security tasks religiously. The first step is a strong password for the CMS (at least 8 characters, and preferably much longer). The CMS should also be kept on its newest secure version, and third-party plugins should be inspected closely before they are installed. Plugins that are unused or no longer maintained should simply be removed.

The following steps should also be implemented to secure websites:

  • Web Server Software – Apply routine updates and security patches as they are released.
  • SSL and TLS – Easy-to-implement protocols that encrypt data in transit; use current TLS versions, since SSL itself is obsolete.
  • Limit Number of Failed Logins – Throttle or lock out repeated failed attempts, which limits an attacker's ability to guess usernames and passwords.
  • Run System Scans – Perform periodic scans to locate malware and identify irregularities.
  • Create Backups – Back up the database periodically so that compromised data can be restored quickly.
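
As an added example (not code from the article or from any CMS project), the Python sketch below shows the "Limit Number of Failed Logins" step together with sound password storage for the login step above it. Failures are counted per account and per source IP, so a brute force against one account and a password spray across many accounts from one host are both caught; a key is locked once five failures occur within fifteen minutes. The thresholds, the in-memory store, the PBKDF2 parameters and the sample user "alice" are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Added example, not the article's code. Thresholds, the in-memory store and
# the sample user below are assumptions; a real CMS would persist this state.
MAX_FAILURES = 5        # failures tolerated inside WINDOW before a lockout
WINDOW = 15 * 60        # seconds over which failures are counted
LOCKOUT = 15 * 60       # seconds a key stays locked once the limit is hit
PBKDF2_ROUNDS = 100_000 # assumed work factor for password hashing


class LoginLimiter:
    """Counts failures per key ("user:alice", "ip:203.0.113.7") and locks a
    key once MAX_FAILURES failures land inside WINDOW seconds."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(list)   # key -> failure timestamps
        self._locked_until = {}              # key -> unix time the lock expires

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:                     # lock expired: start fresh
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key, now):
        """Record one failure; return True if this failure triggered a lock."""
        self._failures[key].append(now)
        # Forget failures older than the window so stale mistakes do not count.
        self._failures[key] = [t for t in self._failures[key] if now - t < self.window]
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; never store the plaintext password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# Constructed credential store: one sample user with a fixed salt.
USERS = {"alice": hash_password("correct horse battery staple", b"constructed-salt")}
# Dummy record so unknown usernames cost the same time as real ones.
DUMMY_SALT, DUMMY_DIGEST = hash_password("not-a-real-password")


def attempt_login(limiter, users, username, ip, password, now):
    """Return "locked", "ok" or "invalid" for one login attempt at time `now`."""
    keys = (f"user:{username}", f"ip:{ip}")
    if any(limiter.is_locked(k, now) for k in keys):
        return "locked"
    record = users.get(username)
    salt, digest = record if record is not None else (DUMMY_SALT, DUMMY_DIGEST)
    # Always run the hash check so response time does not reveal valid usernames.
    ok = verify_password(password, salt, digest) and record is not None
    if ok:
        for k in keys:
            limiter.record_success(k)
        return "ok"
    for k in keys:
        limiter.record_failure(k, now)
    return "invalid"


if __name__ == "__main__":
    lim, t0, ip = LoginLimiter(), 1_000_000.0, "203.0.113.7"
    for i in range(5):
        print(attempt_login(lim, USERS, "alice", ip, "wrong", t0 + i))      # invalid x5
    print(attempt_login(lim, USERS, "alice", ip, "correct horse battery staple", t0 + 5))  # locked
    print(attempt_login(lim, USERS, "bob", ip, "x", t0 + 6))                 # locked (IP key)
```

Note that a correct password during the lockout is still refused: the limiter is checked before the credential, so an attacker who guesses right on the sixth try learns nothing until the window expires. Keying on both account and IP is the important design choice; throttling only the username leaves a spray from one host across many accounts untouched, and throttling only the IP is defeated by a botnet of the kind the DDoS paragraph describes.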

The current security status of CMS platforms is far from impressive. Online content and data sharing needs to be made as safe as possible to prevent identity theft, commercial manipulation and other cybercrimes. This can be achieved by adopting a secure SDLC and implementing the precautions listed above. Stay safe.
