Jetpack, a popular plug-in for self-hosted WordPress.org sites, provides users with many of the capabilities of a cloud-hosted WordPress.com site. Instead of downloading multiple plug-ins and widgets for social media posting, e-mail subscriptions, site stats, secure contact forms and other features, Jetpack gives WordPress.org developers an all-in-one package of features. It’s one of the most universally used WordPress plug-ins, which also means a Jetpack vulnerability could place many websites at risk.
Jetpack’s problem doesn’t mean that WordPress isn’t a good and relatively secure content management system (CMS). However, the weakness was two years old before security experts uncovered the flaw. Whether you’re earning a graduate degree in cyber security or simply trying to choose the best CMS for your business website, you should understand the security postures of today’s most popular CMSs.
Like Windows XP operating system of 10 years ago, WordPress is vulnerable because it’s incredibly popular. WordPressdoes a good job of developing and pushing patches to users. It displays a dashboard banner anytime it issues a patch, alerting users to immediately download the latest updates. Another advantage of WordPress is that, unlike Joomla and Drupal, it was created with everyday users in mind. Installing security patches doesn’t require any technical know-how.
However,Wordpress is most vulnerable to a brute force attack. Because typing yourdomain.com/wp-admin takes anyone directly to the admin page, attackers can focus on using brute force to crack the password. Thanksfully, one WordPress plug-in called Limit Login Attempts can ban an IP address for a few hours after a certain number of login attempts. Also, adding another admin user and then deleting the “admin” username and password can make logging in more difficult for hackers.
Joomla is an open-source CMS that’s geared more toward programmers than to everyday users. Maintenance activities, like installing patches, require the assistance of a programmer at least part of the time. However, the Joomla community does a good job of issuing patches quickly and staying on top of security issues.
Unused extensions can provide a gateway for attacks, so users should delete any unused extensions. They should also conduct a search engine query before downloading new extensions to make sure that other users haven’t discovered vulnerabilities. Also, Joomla websites shouldn’t be set up to upload without any restrictions. If a Joomla website gets hacked, it’s best to let a professional fix damaged files and remove any files that the attacker might have added.
Drupal has come a long way from its start in Dries Buytaert’s dorm room. It’s now one of the largest open source projects in the world. Drupal’s internal security team, along with its community of project maintainers, works to remedy security problems. Also, all new contributors undergo a security review.
Like fixing Joomla problems, fixing Drupal vulnerabilities requires knowledge of programming. Drupal relies on its 700,000-plus users to report vulnerabilities in Drupal modules and code. Most vulnerabilities aren’t in the user community-vetted, publicly posted code. They’re in the custom modules or custom themes, which don’t undergo as much initial scrutiny. For non-developers, the best course is to download updates as soon as possible and to stay educated on Drupal developments in community forums.
Universal Security Precautions
On any CMS, these steps can eliminate many security problems:
• Frequent backup. If a hacker vandalizes a site, the user needs a recent, uncompromised backup copy on-hand.
• Good passwords. When possible, use a two-factor authentication tool, such as Google Authenticator.
• Safe hosting. Any CMS-based website is only as safe as the server upon which it’s hosted. Find out if the server is shared, and make sure it’s encrypted.
• Safe networks. Typing in a CMS password on a non-secure network is the same as writing the password on a placard and showing it to everyone on the network.
• Good third-party relationships. Only outsource payment functions or e-commerce functions to a vendor with a proven reputation for security.
• Occasional help. Considering the potential costs of a security breach and considering that many breaches start weeks or months before they’re detected, get occasional help from a third-party security professional or Web developer.
The right CMS for any job depends greatly on the user’s programming sophistication. The top CMSs do a good job of pushing security patches, but it’s up to the user to keep the website up-to-date.