
The Worrying Security State of CMS Platforms

Mar 17, 2014 By Sharon Solomon

The use of Content Management Systems (CMS) is on the rise. Over 20% of the top 10,000 websites today rely on CMS platforms, namely WordPress, Drupal and Joomla. But the quick setup and customizable functionality come at a price. Security issues are being exposed and exploited by cybercriminals.

Checkmarx’s Research Lab studied the vulnerabilities in WordPress plugins, and the findings were not encouraging: 20% of the 50 most popular WordPress plugins in use today were found to be vulnerable to web attacks.

The Security State of WordPress Top 50 Plugins study also revealed that 7 out of the 10 most popular e-commerce plugins contain loopholes. Around 80% of the vulnerabilities in third-party code are located in plugins and extensions.

Plugin and website developers have only one real way to release secure products: building the software within a secure Software Development Life Cycle (SDLC). Examining source code early allows vulnerabilities to be fixed early, which saves resources and reduces production costs and time.

Besides the commonly exploited SQL injection (SQLi) and Cross-Site Scripting (XSS) vulnerabilities, Distributed Denial of Service (DDoS) attacks are gaining steam. A favorite amongst hacktivists and commercial criminals, this technique floods the server with requests from compromised computers (bots) until it crashes and takes the website down.

CMS and plugin users and consumers also have their part to play in securing cyberspace.

CISOs and information security executives must perform the basic security tasks religiously. The first step is a strong password (at least 8 characters) for the CMS. The CMS should also be updated to its newest secure version, and third-party plugins should be inspected closely. Stagnant plugins should simply be removed.

The following steps should also be implemented to secure websites:

  • Web Server Software – Routine updates should be made and security patches should be applied.
  • SSL and TLS – Easy-to-implement protocols that encrypt data in transit between the browser and the server.
  • Limit Number of Failed Logins – This limits the hackers' ability to guess usernames and passwords by brute force.
  • Run System Scans – Periodic scans should be performed to locate malware and identify irregularities.
  • Create Backups – Database backups should be created periodically for quick restoration of compromised data.
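As an added example (not code from the original post or from Checkmarx), the following Python sketch shows one way to implement the "limit number of failed logins" control from the list above: a sliding-window limiter keyed by client IP, plus a replay of a constructed login log through it so an operator can see which attempts would have been rejected and which clients would be locked out. The log format, the thresholds and the function names are assumptions chosen for the illustration.

```python
"""Sliding-window failed-login limiter (added example, not Checkmarx code).

Assumptions: login events arrive as "<ISO timestamp> <client ip> <username> <OK|FAIL>"
lines, and the client IP is the key we rate-limit on.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # failures tolerated inside one window (assumed policy)
WINDOW = timedelta(minutes=10)   # how long a failure counts against the client
LOCKOUT = timedelta(minutes=30)  # how long a client stays blocked once it trips


class LoginLimiter:
    """Tracks failed logins per key and enforces a temporary lockout."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> datetime at which the lockout ends

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:                      # lockout expired: forget it
            del self._locked_until[key]
            return False
        return True

    def record_attempt(self, key, success, now):
        """Return True if the attempt was allowed to reach the password check,
        False if it was rejected because the key is currently locked out."""
        if self.is_locked(key, now):
            return False
        if success:
            self._failures.pop(key, None)     # a good login clears the slate
            return True
        recent = self._failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                  # drop failures older than the window
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            recent.clear()
        return True

    def locked_keys(self, now):
        """Keys whose lockout is still in force at time `now`."""
        return sorted(k for k in list(self._locked_until) if self.is_locked(k, now))


# Constructed sample log (not real traffic): one client hammering the login form
# with several usernames, and one legitimate user who mistypes once.
SAMPLE_LOG = """\
2014-03-17T10:00:00 203.0.113.7 admin FAIL
2014-03-17T10:00:05 203.0.113.7 admin FAIL
2014-03-17T10:00:09 203.0.113.7 administrator FAIL
2014-03-17T10:00:14 203.0.113.7 admin FAIL
2014-03-17T10:00:20 203.0.113.7 root FAIL
2014-03-17T10:00:25 203.0.113.7 admin FAIL
2014-03-17T10:00:31 203.0.113.7 editor FAIL
2014-03-17T10:01:00 198.51.100.4 sharon FAIL
2014-03-17T10:01:30 198.51.100.4 sharon OK
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def replay(log_text, limiter=None):
    """Feed each logged attempt through the limiter, keyed by client IP.
    Returns (rejected_attempts, locked_ips) so the caller can alert on both."""
    limiter = limiter or LoginLimiter()
    rejected = []
    last = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        now, ip, user, ok = parse_line(line)
        last = now
        if not limiter.record_attempt(ip, ok, now):
            rejected.append((now.isoformat(), ip, user))
    locked = limiter.locked_keys(last) if last else []
    return rejected, locked


if __name__ == "__main__":
    rejected, locked = replay(SAMPLE_LOG)
    for when, ip, user in rejected:
        print(f"rejected {when} {ip} user={user}")
    print("locked out:", locked)
```

In the sample log the fifth failure from 203.0.113.7 trips the lockout, so the sixth and seventh attempts are rejected before any password check runs, while the one mistake from 198.51.100.4 is forgiven by the subsequent successful login. A successful login clears the failure history, and failures older than the window are discarded, so a legitimate user who mistypes a few times over a long period is never locked out.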

The current security status of CMS platforms is far from impressive. Online content and data sharing needs to be made as safe as possible to prevent identity theft, commercial manipulation and other cybercrimes. This can be achieved by creating a secure SDLC and implementing the safety precautions mentioned above. Stay safe.
