One of the easiest ways to get content onto the Internet is to use a third-party content management system (CMS). These systems vary, but most are fairly simple to set up: little technical knowledge is required, and in some cases you can have content up and available within minutes, with no HTML coding or web site management to worry about. One of the most common CMS platforms is WordPress (https://wordpress.com). There are of course many other systems available, but WordPress is the one you hear about most when it comes to security, highlighted recently in the Threatpost article titled “More Than 1 Million WordPress Sites Open to SQL Injection Attacks“. As I was writing this post I did a quick search for WordPress in the news and this article titled “Bug in WordPress plugin can be exploited to take full control of website” from SC Magazine popped up from today.
To listen to the podcast on this topic you can go to http://developsec.libsyn.com/ep-23-3rd-party-cms-security-thoughts
The previous examples are just a few of the vulnerabilities that have been published for WordPress. You may be wondering if WordPress is safe to use, and I believe that it is. When we dig a little deeper into many of the news headlines about WordPress security, they often are not vulnerabilities in core WordPress functionality but in the plugins that are available for it. Plugins are third-party code added to WordPress to extend its functionality; the second headline above is an example of exactly that. A typical plugin might add a custom signature or bio box below each article. There are also plugins for statistics, multi-factor authentication and controlling comment spam.
As mentioned, vulnerabilities have been found in the core components too, but it is far more common for them to be found in these additional plugins. In most cases the developers release a patch quickly once a vulnerability has been identified. The bad news: many of those patches are not applied automatically. Here are some things to think about if you are implementing a WordPress solution for your systems.
More recent versions of WordPress support an automatic update feature. If you use the hosted version of WordPress, updates are handled for you; if you host WordPress on your own servers, they are not. Check with your hosting provider to see whether they have a mechanism for updating your WordPress installation automatically. Also make sure that you are running the latest version of WordPress and that the auto-update feature is enabled. Note that on a self-hosted install the background updater applies only minor and security releases by default; major releases have to be opted into explicitly, in the configuration file or, on newer versions, from the Updates screen in the dashboard, so check that the setting actually covers the releases you expect. Keeping core current in this way ensures you have the latest patches for the core system and limits the exposure of your site.
Know Your Plugins
Plugins have vulnerabilities and need security patches of their own. The first piece of advice regarding plugins is to run only the ones you absolutely need: every installed plugin is code an attacker can reach, so the fewer you have, the smaller the attack surface. Remember that deactivating a plugin leaves its files on the server, where a flaw in a directly reachable PHP file can still be exploited, so remove what you are not using rather than merely disabling it. Once you have limited the plugins that are installed, keep an inventory of them, including their versions, so that advisories can be matched to what you actually run. Once you know which ones are installed you can watch the news and social media feeds to see whether any of them are reported as vulnerable. I am not aware of a way for the plugins to auto-update; it is a manual process. If a plugin is identified as vulnerable, make sure the update (when released) is applied as soon as possible. It is recommended to test the patch beforehand to ensure it will not break anything. If the patch does break something, you will have to decide whether the plugin has to be uninstalled instead.
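As an added example (not code from the original post, and not WordPress or WPScan code), the following Python script builds that inventory the way WordPress itself discovers plugins: it reads the “Plugin Name” and “Version” headers from the first 8 KB of each plugin's main PHP file under wp-content/plugins, then diffs the result against a pinned list of approved slugs and versions. The sample plugin tree it writes to a temporary directory is constructed for the demo (header comments only, no real plugin code), and the approved list is an assumed example of what you would record after patching.

```python
"""Inventory the plugins installed on a WordPress site by reading their headers
from disk, then diff the result against an approved list. Added example, not
WordPress or WPScan code."""
import os
import re
import tempfile

# Header fields WordPress reads from a plugin's main file; it only looks at the
# first 8 KB of the file, so this does the same.
HEADER_KEYS = ("Plugin Name", "Version", "Plugin URI")
HEADER_BYTES = 8192


def read_plugin_headers(path):
    """Parse 'Key: value' lines from the leading comment of a PHP file.
    Mirrors the matching WordPress itself uses: the key may follow any mix of
    comment punctuation, and a trailing '*/' or '?>' is trimmed from the value."""
    with open(path, "rb") as fh:
        head = fh.read(HEADER_BYTES).decode("utf-8", errors="replace")
    headers = {}
    for key in HEADER_KEYS:
        m = re.search(r"^(?:[ \t]*<\?php)?[ \t/*#@]*" + re.escape(key) + r":(.*)$",
                      head, re.M | re.I)
        if m:
            headers[key] = re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()
    return headers


def inventory_plugins(plugins_dir):
    """Map slug -> {name, version, file} for everything WordPress would list as a
    plugin: a top-level .php file, or a directory holding a .php file that carries
    a 'Plugin Name' header."""
    found = {}
    for entry in sorted(os.listdir(plugins_dir)):
        full = os.path.join(plugins_dir, entry)
        if os.path.isfile(full) and entry.endswith(".php"):
            slug, candidates = entry[:-4], [full]
        elif os.path.isdir(full):
            slug = entry
            candidates = [os.path.join(full, f) for f in sorted(os.listdir(full))
                          if f.endswith(".php")]
        else:
            continue
        for php in candidates:
            headers = read_plugin_headers(php)
            if "Plugin Name" in headers:
                found[slug] = {"name": headers["Plugin Name"],
                               "version": headers.get("Version", ""),
                               "file": os.path.relpath(php, plugins_dir)}
                break
    return found


def diff_against_approved(found, approved):
    """Compare the on-disk inventory with the approved {slug: version} list.
    unexpected: installed but never approved (a dropped fake plugin shows up here)
    drifted:    approved, but the installed version is not the pinned one
    missing:    approved but no longer on disk"""
    unexpected = sorted(slug for slug in found if slug not in approved)
    drifted = sorted(slug for slug in found
                     if slug in approved and found[slug]["version"] != approved[slug])
    missing = sorted(slug for slug in approved if slug not in found)
    return unexpected, drifted, missing


def build_sample_plugins_dir():
    """Write a constructed wp-content/plugins tree (header comments only, no real
    plugin code) to a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    samples = {
        "akismet/akismet.php": "<?php\n/**\n * Plugin Name: Akismet Anti-Spam\n"
                               " * Plugin URI: https://akismet.com/\n * Version: 5.2\n */\n",
        "hello.php": "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.7.2\n*/\n",
        # Nobody approved this one; a header is all it takes for WordPress to list and load it.
        "seo-booster/seo-booster.php": "<?php /* Plugin Name: SEO Booster\nVersion: 1.0 */\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    """Run the inventory against the sample tree with an assumed approved list."""
    approved = {"akismet": "5.3", "hello": "1.7.2"}  # what you recorded when you last patched
    found = inventory_plugins(build_sample_plugins_dir())
    return found, diff_against_approved(found, approved)


if __name__ == "__main__":
    found, (unexpected, drifted, missing) = demo()
    for slug, info in found.items():
        print(f"{slug:12} {info['version']:8} {info['name']} ({info['file']})")
    print("unexpected:", unexpected, "drifted:", drifted, "missing:", missing)
```

Point `inventory_plugins` at a real wp-content/plugins directory to get the slug and version list you need when matching advisories. Anything reported as unexpected deserves a look: a PHP file with a plugin header is all it takes for WordPress to list and load code that somebody dropped into that directory.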
Use Security Controls
Get to know your CMS and what controls it offers to increase your security. If multi-factor authentication is available, enable it. If you don't need some features, disable them. Maybe your site doesn't use comments on articles; if that is the case, turn that feature off. WordPress, for example, also ships a theme and plugin file editor inside the admin area that lets anyone with an administrator session write PHP to the server; few sites need it, and it can be switched off in the configuration.
Remove Default Configurations
Once the site is installed, remove default files that were used during installation but are not needed for day-to-day operation. It is common for installers to leave behind files that are no longer needed; WordPress, for example, ships a readme.html at the web root that announces the installed version to anyone who asks for it, and a copy of wp-config.php saved as .bak or similar is typically served as plain text, database password included. Scan your system with a tool like WPScan (for WordPress) to see whether there are any gaping security holes. Make sure you have set the administrator username and password yourself: many of these platforms have removed their “default” credentials, but it is your responsibility to make sure that no default or guessable credentials exist.
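The following Python script, an added example rather than anything from the original post or from WordPress, turns the advice in this section and the earlier notes on automatic updates and unneeded features into a repeatable post-install check: it looks for leftover install files, editor and backup copies of wp-config.php and a debug log, and parses wp-config.php for three constants (WP_DEBUG, DISALLOW_FILE_EDIT and WP_AUTO_UPDATE_CORE), comparing each against the value a hardened install should define and against what WordPress assumes when the constant is absent. The two document roots it writes are constructed for the demo, one mimicking a fresh install and one hardened; the list of backup file names is an assumption about common naming, not a WordPress convention.

```python
"""Audit a self-hosted WordPress document root for leftover install files,
config backups and weak wp-config.php settings. Added example, not WordPress code."""
import os
import re
import tempfile

# Files WordPress ships that a running site does not need. readme.html is the first
# thing scanners such as WPScan read, because it states the installed version.
LEFTOVER_FILES = ("readme.html", "license.txt", "wp-config-sample.php")
# Names editors and admins commonly leave behind (assumed list); any of these hands
# out the database password as text because the web server no longer treats it as PHP.
CONFIG_BACKUP_NAMES = ("wp-config.php.bak", "wp-config.php~", "wp-config.php.orig",
                       "wp-config.php.save", "wp-config.old", "wp-config.txt")
# wp-config.php constants: what WordPress assumes when they are absent, and the value
# a hardened install should define.
CONSTANT_DEFAULTS = {"WP_DEBUG": "false", "DISALLOW_FILE_EDIT": "false",
                     "WP_AUTO_UPDATE_CORE": "minor"}
CONSTANT_WANTED = {
    "WP_DEBUG": "false",            # true prints PHP notices, paths and queries to visitors
    "DISALLOW_FILE_EDIT": "true",   # removes the in-browser theme/plugin editor from wp-admin
    "WP_AUTO_UPDATE_CORE": "true",  # the default only applies minor/security releases
}
# Caveat: a site may instead have opted in to major updates from the dashboard
# (WordPress 5.6 and later); a file-only check like this cannot see that.


def parse_defines(php_source):
    """Return {NAME: value} for each define('NAME', value); in a wp-config.php.
    Values are lower-cased with quotes stripped so 'minor' and true compare cleanly."""
    pattern = re.compile(r"define\(\s*['\"]([A-Z0-9_]+)['\"]\s*,\s*(.+?)\s*\)\s*;")
    return {m.group(1): m.group(2).strip("'\"").lower() for m in pattern.finditer(php_source)}


def audit_docroot(docroot):
    """Return a sorted list of (check, detail) findings; an empty list means clean."""
    findings = []
    for name in LEFTOVER_FILES:
        if os.path.exists(os.path.join(docroot, name)):
            findings.append(("leftover-file", name))
    for name in CONFIG_BACKUP_NAMES:
        if os.path.exists(os.path.join(docroot, name)):
            findings.append(("config-backup", name))
    if os.path.exists(os.path.join(docroot, "wp-content", "debug.log")):
        findings.append(("debug-log", "wp-content/debug.log"))
    config_path = os.path.join(docroot, "wp-config.php")
    if os.path.exists(config_path):
        with open(config_path, encoding="utf-8", errors="replace") as fh:
            defined = parse_defines(fh.read())
        for const, wanted in CONSTANT_WANTED.items():
            actual = defined.get(const)
            shown = actual if actual is not None else CONSTANT_DEFAULTS[const] + " (default)"
            if (actual or CONSTANT_DEFAULTS[const]) != wanted:
                findings.append(("config", f"{const} = {shown}, want {wanted}"))
    return sorted(findings)


def build_sample_docroot(hardened):
    """Write a constructed, minimal docroot (not a real WordPress tree) to a temporary
    directory and return its path. The password value is a placeholder."""
    root = tempfile.mkdtemp(prefix="wp-docroot-")
    os.makedirs(os.path.join(root, "wp-content"))
    if hardened:
        config = ("<?php\ndefine( 'DB_PASSWORD', 'example' );\ndefine( 'WP_DEBUG', false );\n"
                  "define( 'DISALLOW_FILE_EDIT', true );\ndefine( 'WP_AUTO_UPDATE_CORE', true );\n")
        files = {"wp-config.php": config}
    else:  # what a fresh install plus one careless edit looks like
        config = "<?php\ndefine( 'DB_PASSWORD', 'example' );\ndefine( 'WP_DEBUG', true );\n"
        files = {"wp-config.php": config, "wp-config.php.bak": config,
                 "readme.html": "<html>readme</html>", "license.txt": "GPL",
                 "wp-content/debug.log": "PHP Notice: ..."}
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for hardened in (False, True):
        label = "hardened" if hardened else "fresh install"
        print(label, audit_docroot(build_sample_docroot(hardened)))
```

Run `audit_docroot` against the real document root after every install or upgrade; core upgrades restore readme.html and license.txt, so a check you ran once is not a check you have passed. The constant comparison is deliberately file-based so it can run from a cron job or a deployment pipeline without a database connection.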
Many CMS platforms are similar and support many of the same features, and the recommendations above apply to all of them. The point is that you have to know your platform, which components it uses, and how to update those components in a timely manner. The benefits of a CMS are huge when it is used properly, but it can be devastating when an unpatched one is attacked.