CMS or “Content Management Systems” became vey common for a few years. Popular CMS are WordPress, Drupal or Joomla. You can rent some space at a hosting provider for a few bucks or even find free hosting platforms. You can deploy them in a few minutes on your own server. Then, you just have to focus on the content: No need to learn CSS/HTML!
For me, modern CMS have a common point with cars: Their owners like to customize them. The “car tuning” is very popular and is the modification of the performance or appearance of a vehicle. Millions of people like to modify their cars, there is a huge business driven by the car tuning.
We can make a rough comparison between cars and CMS. Your CMS can also be tuned. Most CMS offer a way to extend the features or the look’n’feel via plugins (or add-ons or extensions – whatever you name them). Some examples of commons plugins:
- Link with social networks
- Forms & polls managements
- Reservation systems
- Statistics and reporting
I won’t discuss about the look-n-feel of a websites. Some plugins can completely revamp a website, taste and colours are not always the same. But let’s focus on security. Car engine performances can be modified by adding or reprogramming chips. It’s easy and cheap to gain some horsepower but this could have a huge security impact. Want an example? Brakes or suspensions are designed to stop and maintain on the road a car with a set of known specifications (weight, power) but if you change one parameter, this could have a big impact on you and your security passengers. A Ferrari and a Renault Megane don’t have the same brakes. It’s exactly the same with CMS plugins: they can alter your CMS security.
If most CMS source code is regularly audited and well maintained. It’s not the same for their plugins. By definition, a plugin is a piece of code that adds a specific feature to an existing application. Keep in mind: by using plugins, you change the way the original software will behave. And not all plugins are developed by skilled developers or with security in mind. Today, most vulnerabilities reported in CMS environment are due to … plugins! Here are some tips to increase your CMS security.
- Only install plugins that your really need.
- Some plugins can be configured. Always review the default settings and adapt them to your environment and security requirements
- If you decide to not use a plugin, disable and un-install it completely.
- Do NOT rely on a plugin popularity. It’s not because it is used by many webmasters that it is safe! By contrast, it will maybe be a nice target to compromize more sites.
- Like any pice of software, update them
- Take a deep breath and jump into the code to have a quick code review (any backdoor installed?)
Also, keep in mind that installed plugins can be listed by scanners and crawlers. WordPress has an hardening guide with good recommendations.