Each week there’s a new hacking story in the news. It’s become commonplace to hear of the latest high-profile hack that has resulted in accounts of a big website being compromised, data being stolen and services being shut down due to a security flaw. If you run a content management system (CMS) with security that is not up to scratch, you are leaving your website and business wide open!
It’s easy to imagine attackers will go after the large, multi national companies, but in reality, they go after websites and businesses of all sizes. This can be for quite a range of reasons, not simply financial gain, for instance some hacks are designed to obtain more links back to to improve their search engine presence with spam. So in our post today, we will look at the types of security threats facing modern CMS and what you can do to combat them.
If, like many, you run WordPress, Drupal, Umbraco or other content management systems then in most cases you’ll be using some kind of standard login address such as www.mysite.com/wp-admin (WordPress login) or www.mysite.com/umbraco (Umbraco login).
Having a default login address means your website is more vulnerable to attacks because, using more sophisticated attack methods, hackers are able to target specific content management systems using the default login address to attempt brute force attacks, dictionary attack and other forms of hacking.
Despite being very inefficient, brute force attacks are still very popular because people typically still use very weak passwords and usernames to log into their website.Brute force attacks simply involve ‘guessing’ the username and password, usually by feeding lists of thousands, millions or in even more extreme cases, billions of combinations in very short spaces of time.
Dictionary attacks are another popular method of hacking that are slightly more directed. While brute force attacks use random methods to generate usernames and password combination, dictionary attacks use specific sets of words chosen by the hacker or derived from a downloaded database. A complex password containing ten or more characters that use combinations of alphabet characters, numbers and symbols is considered to be a secure password today.
For a website with many users, it can become difficult to monitor and ensure that all users have followed these best practice password guidelines and all use a secure password to ensure optimum security. One simple way you can improve security is by simply using rewrite rules to change the default login Url address - making it more difficult for an attacker.
A URL rewrite can be allow us to change the standard login URL to something more secure. However, it’s not always easy or possible to change the login path for a CMS.
Umbraco for example uses the mysite.com/umbraco path for other functions required by the user dashboard itself. Changing the Umbraco login path can be tricky and will require professional knowhow to ensure Umbraco continues to function after this change.
WordPress on the other hand welcomes this process, with a few plugins available that will not only change the login path, but also minify script and perform other tasks that will enable you to hide the fact that you’re using WordPress, making your site more secure.
Hide My WP is a plugin used to hide much of the WordPress identifiable script, this means that hackers won’t be able to tell if you’re using WordPress or not. The plugin can also be used to disguise your login page, meaning that attackers looking for the default WordPress login paths such as /wp-admin or /wp-login won’t be able to locate your login page and may not be able to attempt other attacks such as the brute force login attacks mentioned earlier.
Similarly Drupal users can download the Login Disable module. This module will prevent users from logging in to your Drupal sites unless they know a secret key to add to the end of the login pages URL.
There are a number of other steps you might take, most CMS allow plugins, extensions or packages. These are typically written by other people than the core development team of the CMS itself, and typically won't be as secure. We always recommend a security audit of any plugins you run to ensure nothing is included which may compremise the security of your website. Most good CMS systems, including both WordPress and Umbraco include a 'lock out' mechanism after a specified number of failed login attempts.
IP restrictions are a safe and reliable way to secure your website. By allowing access to the login address for Umbraco (/umbraco) and WordPress (wp-admin.php / wp-login.php) from only specific IP addresses, you can completely limit access to the CMS. This has good and bad points though: while it is a good way to restrict access, it means the valid user of the site must be on a static IP address. Most internet connections will typically give you a dynamic IP address and while a static IP is usually provided by your network provider, it will likely require a monthly fee. Typically, this can cause issues when employees work from home (for example) or from other locations - which may not allow easy access to the website.
For WordPress and Apache/Nginx servers, this can be easily achieved through the use of .htaccess files. Alternatively, using IIS you can achieve the same updating the web.config (or using the IIS Server configuration interface)
SSL certificates protect users by preventing man in the middle attacks when users visit your website. In short, a valid SSL guarantees you (the end user) are communicating directly with the server, and that nobody is snooping, intercepting or modifying the communications. The risk here, is someone may ‘sit’ between you and the server, ‘logging’ the login details you use to access the site so they might login later.
SSL certificates need to be purchased from your domain provider, registrar or hosting company. Some sites such as Umbraco sites will require additional server configuration changes to ensure the site uses the SSL and HTTPs once available.