
CMS Security: Not All Plugins Are Created Equal


Whether you know it or not, if you’ve been online in the past several years you’ll be intimately acquainted with CMSs. Short for Content Management System, CMSs are platforms used for building and maintaining an ever-increasing number of websites and digital content. Offering easy drag-and-drop editing, multi-user collaborative environments, and most importantly, no complex coding, CMS tools like WordPress, Wix, Tumblr, and others are transforming the online creation process when it comes to web content.

CMSs commonly feature both a content management application (CMA) for front-end user interface and a content delivery application (CDA) for compiling content behind the scenes to update websites. While the exact feature set varies depending on the platform, the resulting websites promise to handle large amounts of traffic, offer impressive features (often as the result of plugins) and boast shiny, high-end designs that would once have required a professional web developer to create. Because of the ease of operation and the quality of the results, CMSs are today used by everything from online stores to top news sites to government agencies.


But they’re not perfect. They can have vulnerabilities. Worse: like building a row of individual houses on the same stretch of dangerous ground, vulnerabilities within CMSs are inherited by those sites that are built on top of them. Given that CMSs are reportedly used by upward of 40 percent of websites on the internet, that’s a lot of sites.

The trouble with plugins

Undoubtedly the biggest issue facing CMSs, for those without tools like a Web Application Firewall, is plugins. Plugins are, as their name suggests, applications that simply plug into an existing CMS like WordPress. Like plugging a store-bought device in your home into a power socket, you get instant added functionality without having to worry about precisely how the new gadget works. WordPress plugins take the form of additional code files that can add anything from Search Engine Optimization (SEO) to commenting features to automated social media posting to website analytics tools. With tens of thousands of plugins available for WordPress alone, they are undoubtedly useful when it comes to easily expanding what your website can offer, both to its visitors and to its creators.

However, plugins can carry vulnerabilities, many of which have publicly available exploits and no official patch to close the hole. For example, recent analysis by security professionals discovered 89 zero-day vulnerabilities in platforms including Joomla, WordPress, Opencart and Drupal, along with their associated plugins. That number sounds bad enough in isolation, but extrapolated to the number of websites those vulnerabilities could compromise, it translates to a massive 100,000 sites.

A bit like leaving the front door of your home open and trying to guess what kind of damage could result, there’s no one answer to the question of what exactly CMS vulnerabilities can lead to. In some instances, attackers could upload shell scripts and remotely execute code, using this to vandalize websites. In other cases, the results can be even nastier — whether it’s distributing malware, encrypting site data in so-called ransomware attacks, redirecting to phishing pages, extracting sensitive user data, or any one (or more) of a number of other activities.

Fighting back against the cyber attackers

The typical user of a CMS has at least three to four plugins running on their platform. The answer’s not to stop using plugins altogether since, as noted, they can add genuinely useful functionality to websites — although it’s not a bad idea to do your due diligence and vet a plugin’s security record before you decide to use it. Instead, ensure that you regularly install security updates for plugins and themes. As vulnerabilities are discovered, any respectable developer will update their plugin to close the hole before it is exploited. (Thankfully, the top CMSs will alert you when a plugin update is available.)

You can also ensure that two-factor security (2FA) is employed wherever available to give you additional protection, along with using strong passwords and non-standard usernames. (So forget about username “admin” and password “password123!”)

The smartest decision you can make, however, is to employ a professional, enterprise-level security system for your CMS. A Web Application Firewall (WAF) sits on your network edge and carries out routine inspections of all incoming and outbound HTTP/S traffic to a web application. It also identifies attack patterns and filters out malicious traffic. This is especially useful when it comes to plugins because it can protect against possible zero-day attacks (meaning those that have not yet been brought to the attention of cybersecurity professionals who would then patch them) and vulnerabilities that have yet to be patched — or in cases where those patches have not been installed or updated.
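To make the description of a WAF concrete, here is a toy request filter, written as an added example for this article rather than taken from any WAF product. It decodes each part of an HTTP request until the encoding is stable (so double-encoded payloads cannot slip past), then matches the result against a small set of constructed pattern rules covering the attack classes mentioned above (SQL injection, path traversal, cross-site scripting, and execution of PHP dropped into the uploads folder). The `Request` and `Verdict` types, the rule names, the `example-plugin` path and the sample requests are all constructed for the example.

```python
import re
from typing import List, NamedTuple, Optional, Tuple
from urllib.parse import unquote_plus


class Request(NamedTuple):
    method: str
    path: str    # URL path as received (still percent-encoded)
    query: str   # raw query string as received
    body: str    # raw request body as received (empty for GET)


class Verdict(NamedTuple):
    action: str            # "allow" or "block"
    rule: Optional[str]    # name of the rule that fired, if any
    field: Optional[str]   # which part of the request matched


# Constructed, illustrative rule set (a real WAF ships thousands of rules).
# Each rule matches a class of payload, not a specific plugin or CVE, which is
# why such a rule can block an exploit for a plugin flaw nobody has patched yet.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("sqli-tautology", re.compile(r"(?i)\b(or|and)\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+")),
    ("sqli-union-select", re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b")),
    ("path-traversal", re.compile(r"\.\.[/\\]")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
    ("php-in-uploads", re.compile(r"(?i)/wp-content/uploads/.*\.php\d?$")),
]


def normalize(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly until the text stops changing, so that a payload
    encoded twice (e.g. %252e%252e%2f) is seen as the attacker intends it."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(req: Request) -> Verdict:
    """Inspect path, query and body in turn; the first rule that fires blocks."""
    for field_name, raw in (("path", req.path), ("query", req.query), ("body", req.body)):
        value = normalize(raw)
        for rule_name, pattern in RULES:
            if pattern.search(value):
                return Verdict("block", rule_name, field_name)
    return Verdict("allow", None, None)


def filter_traffic(requests: List[Request]) -> List[str]:
    """Return one log line per request, in the style a WAF would emit."""
    lines = []
    for req in requests:
        v = inspect(req)
        detail = f" rule={v.rule} field={v.field}" if v.action == "block" else ""
        lines.append(f"{v.action.upper():5} {req.method} {req.path}{detail}")
    return lines


# Constructed sample traffic: ordinary visitors mixed with attack attempts.
SAMPLE_REQUESTS = [
    Request("GET", "/blog/hello-world", "", ""),
    Request("POST", "/wp-login.php", "", "log=editor&pwd=correct+horse+battery"),
    Request("GET", "/", "s=%27+OR+1%3D1+--", ""),
    Request("GET", "/wp-content/plugins/example-plugin/download.php",
            "file=%252e%252e%2f%252e%252e%2fwp-config.php", ""),
    Request("POST", "/wp-comments-post.php", "",
            "comment=Great+post%2C+the+union+of+ideas+here+is+select+and+rare"),
    Request("POST", "/wp-comments-post.php", "",
            "comment=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"),
    Request("GET", "/wp-content/uploads/2020/05/image.php", "", ""),
]


if __name__ == "__main__":
    for line in filter_traffic(SAMPLE_REQUESTS):
        print(line)
```

Two details are worth noticing. The traversal request is blocked only because `normalize` keeps decoding until the text stops changing; a filter that decodes once would see `%2e%2e/` and let it through. And the comment containing the ordinary English words "union" and "select" is allowed, because the rules anchor on payload shape (`union ... select`, `or 1=1`) rather than on individual keywords, which is the difference between a usable rule and one that blocks real visitors.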

CMSs make setting up a website easier. But running a website is still a full-time job, even before you start adding cybersecurity challenges on top of things like keeping your content updated. Fortunately, here in 2020, the tools exist to help you fight back against the possible cyber attackers, so you can focus less on security and more on the other aspects involved with running a successful business.
