The use of a content management system such as WordPress, Joomla or Drupal may make it easy for an organization to run its website, but the CMS itself continues to be a popular target for cybercriminals. Like other web applications, CMSs are prone to SQL injection (SQLi), Remote/Local File Inclusion (RFI/LFI) and Cross-Site Scripting (XSS) attacks. Because CMSs are not developed by the end user and usually come preinstalled on third-party hosted web servers, they are often out of date, and the end user is often unaware of what—if any—security controls are in place. This is unfortunate, because the open-source nature of CMSs and related plug-ins increases the risk of users downloading and installing community-developed plug-ins that have vulnerabilities.
The good news is that taking proactive steps such as the five outlined below, along with remaining vigilant, can significantly reduce the risk of your website being exploited through a CMS vulnerability.
Update immediately and often. Verify the version of the CMS you are running and make sure it is up to date. Do this regularly and join the mailing list for the CMS you are using to get automatic notifications when a new update is available.
Take inventory. Many hosting providers automatically enable plug-ins that are not commonly used, so make sure to inventory the ones on your CMS. Disable the plug-ins that are not needed. And make sure to regularly update all the plug-ins that you do use.
Do your homework. Check to see if the CMS or the plug-in you are using has a known unpatched vulnerability. The Open Sourced Vulnerability Database at osvdb.org/ and the NIST National Vulnerability Database at nvd.nist.gov/ are excellent resources. If you discover that an enabled plug-in has an unpatched vulnerability, consider disabling it until the patch becomes available.
Look everywhere. Perform regular vulnerability assessments on your website too. This will not only identify any security issues in the CMS and associated plug-ins, but also any vulnerabilities that may exist on the website itself. The frequency of the scans varies depending on how often the website is updated; a general rule of thumb is to conduct them on a quarterly basis.
Set up a firewall. Install a web application firewall (WAF), which will help identify malicious visitors and keep them out. Many open-source WAF solutions are available online for free and block most of the common SQLi, RFI/LFI and XSS attacks.
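As an added example (not from the original article), the following Python script carries out the "take inventory" and "do your homework" steps for a WordPress install: it parses each plug-in's header comment for its name and version, then flags any plug-in whose installed version is below the first fixed version in an advisory list. The plug-in files and the advisory list are constructed placeholders; in practice the fixed versions come from the NVD or the vendor's changelog.

```python
"""Inventory WordPress plug-ins from their header comments and flag those
below a known-fixed version (advisory data here is a constructed placeholder)."""
import re
import tempfile
from pathlib import Path

# Constructed sample plug-in main files. The header block follows the real
# WordPress plugin header format ("Plugin Name:" and "Version:" lines).
SAMPLE_PLUGINS = {
    "contact-widget/contact-widget.php": "<?php\n/*\nPlugin Name: Contact Widget\nVersion: 1.2.0\n*/\n",
    "gallery-lite/gallery-lite.php": "<?php\n/**\n * Plugin Name: Gallery Lite\n * Version: 3.0.1\n */\n",
    "seo-helper/seo-helper.php": "<?php\n/*\nPlugin Name: SEO Helper\nVersion: 0.9\n*/\n",
}

# Constructed placeholder advisories: plug-in slug -> first fixed version.
# In practice this is looked up per plug-in in the NVD (nvd.nist.gov).
FIXED_IN = {"contact-widget": "1.3.0", "seo-helper": "0.9"}

# Matches "Plugin Name: X" / "Version: X", with or without a leading " * ".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

def parse_version(v):
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def inventory(plugins_dir):
    """Return {slug: {'name': ..., 'version': ...}} for each plug-in found."""
    found = {}
    for php in Path(plugins_dir).glob("*/*.php"):
        fields = dict(HEADER_RE.findall(php.read_text(errors="ignore")))
        if "Plugin Name" in fields:  # only the main file carries the header
            found[php.parent.name] = {"name": fields["Plugin Name"],
                                      "version": fields.get("Version", "0")}
    return found

def flag_outdated(inv, fixed_in):
    """Slugs whose installed version is older than the first fixed version."""
    return sorted(s for s, m in inv.items()
                  if s in fixed_in and parse_version(m["version"]) < parse_version(fixed_in[s]))

def demo():
    """Write the constructed plug-ins to a temp dir, inventory them, flag outdated ones."""
    with tempfile.TemporaryDirectory() as d:
        for rel, body in SAMPLE_PLUGINS.items():
            p = Path(d, rel)
            p.parent.mkdir()
            p.write_text(body)
        inv = inventory(d)
        return inv, flag_outdated(inv, FIXED_IN)

if __name__ == "__main__":
    inv, outdated = demo()
    for slug, meta in sorted(inv.items()):
        print(f"{slug:16} {meta['version']:8} {'OUTDATED' if slug in outdated else 'ok'}")
```

Point `inventory()` at a real `wp-content/plugins` directory to list what is actually installed, then disable anything not needed and update the rest, as the steps above recommend.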