The Cheeky Monkey Media Blog
A few words from the apes, monkeys, and various primates that make up the Cheeky Monkey Super Squad.
CMS Security Recommendations for Drupal and WordPress
November 29, 2013 / Treena Bjarnason

Did you have a great Thanksgiving, monkeys? I know I ate way too much turkey banana casserole! What about you?
Anyway, I am here to talk to you about content management security. Great topic, huh?
Recently Germany’s Federal Office for Information Security published a security analysis of the main web content management systems, including Joomla, Drupal, and of course, WordPress. They concluded that a CMS should not be run in its default configuration. What, specifically, does this mean?
As you know, all kinds of businesses use CMS products to organize and update website content. The point is to let the average person with no IT degree control their website. However, many websites are compromised through vulnerabilities in the CMS they run.
This study found that the CMSes they reviewed (Drupal, Joomla, Plone, TYPO3, and WordPress) had a decent security level, but that these products should not be used without modifying their default settings. Why? Because websites running one of these CMSes with default settings are bait for hackers.
The study said that a CMS should not be installed in its “standard” way, but should be “securely configured and continuously monitored and maintained.” The CMS should also be upgraded whenever possible.
In addition, the study showed that more issues occurred in CMS plug-ins than in the core CMS code. According to the report: “About 76% of all identified vulnerabilities were located in extensions or add-on modules that can be installed on top of the core package. In Drupal, for example, only 5% of all bugs were found in the actual CMS, while 95% were in the plug-ins. Most plug-ins are not written by developers with a security background, so common coding errors are often repeated.”
What’s the bottom line, you ask? IT managers should set aside some time each day, let’s say 15 minutes, to check for available patches and make backups. If they do this, then they will be proactive in preventing hackers and tak
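Here is what that daily 15-minute routine can look like when scripted. This is an added example, not code from the original post or from the Drupal or WordPress projects. It assumes the WP-CLI (`wp`) and Drush (`drush`) command-line tools are installed, that the site paths and backup directory are supplied through the `WP_PATH`, `DRUPAL_PATH` and `BACKUP_DIR` variables (the defaults below are placeholders), and that database credentials are read by those tools from the site configuration rather than stored in the script. The Drush command name is the Drush 6-8 form (`pm-updatestatus`); newer Drush releases spell it `pm:updatestatus` and add `pm:security` for security-only reports.

```shell
#!/bin/sh
# Added example (not from the original post): a daily CMS maintenance routine that
# lists available updates for a WordPress and a Drupal site, then archives the site
# files and dumps the database before any patching happens.
set -eu

# Assumed operator-supplied locations; the defaults are placeholders.
WP_PATH="${WP_PATH:-/var/www/wordpress}"
DRUPAL_PATH="${DRUPAL_PATH:-/var/www/drupal}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/cms}"

# Print pending core, plugin and theme updates for a WordPress install (WP-CLI).
check_wordpress_updates() {
    wp --path="$1" core check-update
    wp --path="$1" plugin list --update=available
    wp --path="$1" theme list --update=available
}

# Print pending core and module updates for a Drupal install (Drush 6-8 syntax).
check_drupal_updates() {
    drush --root="$1" pm-updatestatus
}

# Archive a site's files into a timestamped backup directory and print that
# directory's path. Arguments: site name, path to the site root.
backup_files() {
    name=$1
    path=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    dest="$BACKUP_DIR/$name-$stamp"
    mkdir -p "$dest"
    # Archive relative to the parent directory so the tarball restores cleanly.
    tar -czf "$dest/files.tar.gz" -C "$(dirname "$path")" "$(basename "$path")"
    # Record a checksum so the backup can be verified before it is relied on.
    cksum "$dest/files.tar.gz" > "$dest/files.tar.gz.cksum"
    printf '%s\n' "$dest"
}

# Dump the site database into an existing backup directory using the CMS tool.
# Arguments: cms ("wordpress" or "drupal"), site root, destination directory.
backup_database() {
    case $1 in
        wordpress) wp --path="$2" db export "$3/database.sql" ;;
        drupal)    drush --root="$2" sql-dump --result-file="$3/database.sql" ;;
        *) echo "unknown cms: $1" >&2; return 1 ;;
    esac
}

# The routine itself: report updates, then back up each site.
daily_maintenance() {
    echo "== WordPress updates =="
    check_wordpress_updates "$WP_PATH"
    echo "== Drupal updates =="
    check_drupal_updates "$DRUPAL_PATH"

    dest=$(backup_files wordpress "$WP_PATH")
    backup_database wordpress "$WP_PATH" "$dest"
    dest=$(backup_files drupal "$DRUPAL_PATH")
    backup_database drupal "$DRUPAL_PATH" "$dest"
    echo "backups written under $BACKUP_DIR"
}

# Only run the full routine when invoked as: sh cms-daily.sh run
case "${1:-}" in
    run) daily_maintenance ;;
esac
```

Run it from cron each morning with `run` as the argument, and read the update listings before applying anything; taking the backup first means a plug-in update that breaks the site can be rolled back from the same day's archive.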