10 Oct 2015

CMS, a prime target for hackers

This year was a banner year for content management system (CMS) hacking. CMS are powerful, easy to customize and let you build a website in less than an hour for a low price. However, CMS are vulnerable by nature because they are built on open source frameworks. They are a huge market for cybercriminals: since almost every bit of code needed to break down CMS walls is publicly available, it’s no surprise that they are popular targets.

Where do the CMS vulnerabilities come from?

The popularity of CMS such as WordPress, Joomla and Drupal might suggest that they are secure. Yet the fact that they are open source (and thus have freely accessible code) makes vulnerability detection easier for hackers, so it’s no surprise to observe some security issues. Hackers are actively searching for vulnerabilities, which can turn into a virtual gold mine for them and give them a much more efficient way to execute automated mass-scale attacks.

By choosing weak passwords, site administrators expose themselves to further attacks. Hackers can easily inject malware, turning sites into DDoS zombies. With admin access, they can also deface a site or use it for malware distribution. As a result, the targeted website could be blacklisted by Google and other search engines. A website’s vulnerabilities can therefore have a negative impact on search engine optimization (SEO).

Plugins and themes are another source of vulnerabilities for CMS. Often developed by third parties, they add an additional layer of vulnerabilities. 20% of the fifty most popular WordPress plugins were vulnerable to hacking, and you are certainly using some of these.

How to effectively protect your CMS?

Here are some tips to help you deal with security issues in your favorite CMS:

  • Delete your default admin account to avoid targeted attacks (brute-force attacks, for example) and replace it with an account that has a different name,
  • Increase the complexity of your usernames and passwords (combining lowercase, uppercase, numbers and special characters), and use a unique password for each platform,
  • Use a plugin for advanced authentication, or two-factor authentication,
  • Change the prefix of your database: by default it is wp_ for WordPress, which is kept by 99% of users and often targeted by hackers,
  • Regularly back up your CMS; you can easily find a solution that does this automatically, with a function to export and import data,
  • Apply security patches and regularly update your CMS, plugins or add-ons, and themes.
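
As an added example (not part of the original article and not OZON code), the short Python audit below checks three of the tips above on a WordPress site: the wp_ table prefix, a default-style admin account name, and the four password character classes. The sample wp-config.php text and user names are constructed, and the set of names treated as "default" is an assumption.

```python
import re

# Matches an active "$table_prefix = '...';" line in wp-config.php.
# Lines commented out with // or # do not match because of the ^\s*\$ anchor.
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*(['"])(.*?)\1\s*;""", re.M)

# Assumption: account names treated as "default"; adjust to your own policy.
DEFAULT_ADMIN_NAMES = {"admin", "administrator"}

# Character classes named in the password tip.
CHAR_CLASSES = {"lowercase": r"[a-z]", "uppercase": r"[A-Z]",
                "number": r"[0-9]", "special": r"[^A-Za-z0-9]"}

# Constructed sample input, not taken from any real site.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'example_db');
// $table_prefix = 'x9k_';
$table_prefix  = 'wp_';
"""
SAMPLE_USERS = ["admin", "editor_jane"]


def table_prefix(wp_config_text):
    """Return the active table prefix, or None if no assignment is found."""
    match = PREFIX_RE.search(wp_config_text)
    return match.group(2) if match else None


def missing_char_classes(password):
    """List the character classes a candidate password does not contain."""
    return [n for n, pat in CHAR_CLASSES.items() if not re.search(pat, password)]


def audit(wp_config_text, usernames):
    """Return human-readable findings for the prefix and account-name tips."""
    findings = []
    prefix = table_prefix(wp_config_text)
    if prefix is None:
        findings.append("table_prefix: no assignment found")
    elif prefix == "wp_":
        findings.append("table_prefix: still the default 'wp_'")
    for name in usernames:
        if name.lower() in DEFAULT_ADMIN_NAMES:
            findings.append(f"user: default-style account name '{name}'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WP_CONFIG, SAMPLE_USERS):
        print(finding)
```

The regular expression skips `//` and `#` line comments but not `/* ... */` blocks, so review the file by hand if it uses them.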

Advanced security solution to protect your CMS

On this last point, OZON offers an operational response to all companies that are searching for vulnerability assessment. OZON is a cloud platform that integrates several innovative security technologies working in synergy. OZON detects vulnerabilities and malware, protects against cyber-attacks and identifies fraudulent transactions. All these functions are performed in real time. OZON secures your website against the top 5 CMS attacks:

  1. SQL injection to access unauthorized data, such as customer data housed directly in your CMS,
  2. Cross-site scripting (XSS) attacks, which run malicious scripts in the browser, including through the forms present in many CMS (registration forms and search bars),
  3. DDoS attacks that aim to make a website / CMS unavailable, and that will hurt your business, brand awareness and online visibility,
  4. Use of components with known vulnerabilities, such as plugins and themes,
  5. Poor security configuration giving way to numerous vulnerabilities, which will delight hackers.

To convince you, OZON lets you assess your site’s risk level for free.