Keeping Up with CMS Security

CMSs Like WordPress Require Constant Attention to Security

CMS-based systems are simply not build-and-forget platforms; they require regular attention, especially from a security perspective.

I can’t tell you how many times I have had clients and potential clients state that they do not need a regular maintenance plan. The justification is that they can update all content themselves, which is why they paid for a content management system (CMS).

It is true that a properly set up CMS allows an administrator to maintain the content of a website without hiring a developer. However, this ease of use is made possible by relatively complex systems. And though your site might not be a direct target, these systems are constantly under attack, so your site is always under threat.

Security is Only as Good As the Last Known Threat

Security is only as good as what we know to protect against; as new ‘holes’ and exploits are found, CMS software must be patched.

The Two Easiest Things to Do For Website Security

1. Keep your CMS updated

Systems like WordPress make updates incredibly easy. In fact, much of the time it is as easy as clicking a button within the site administration area. Before any update is applied:

  1. Make sure you have a current back up of the site.
  2. Do your research to ensure that the update won't affect the function of any other portion of your site.
  3. Ensure that your server meets the requirements of the software change.

It is advisable to have a developer help with updates in case incompatibilities surface before or after the update.

It is also advisable to keep your system up to date on a regular basis. Waiting and applying multiple updates and patches at once greatly increases the risk of incompatibilities and the effort needed to bring the system up to date.
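The pre-update checklist above, scripted for a self-hosted WordPress site, as an added example that is not from the original post. It assumes wp-cli (`wp`) and `php` are on PATH, that it runs from the site root, and that `REQUIRED_PHP` is a placeholder you fill in from the release notes of the version being applied.

```shell
#!/bin/sh
# Added example: pre-update routine for a WordPress site using wp-cli (assumed installed).
# REQUIRED_PHP is a placeholder; take the real value from the target release's notes.
REQUIRED_PHP="${REQUIRED_PHP:-7.4}"
BACKUP_DIR="${BACKUP_DIR:-../backups}"

# version_ge A B: exit 0 when dotted numeric version A >= B (e.g. 8.1.2 >= 8.1).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0; yi = (i in y) ? y[i] + 0 : 0
            if (xi > yi) exit 0; if (xi < yi) exit 1
        }
        exit 0 }'
}

# Step 1: a current backup of database and files, timestamped so nothing is overwritten.
backup_site() {
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$BACKUP_DIR" &&
    wp db export "$BACKUP_DIR/db-$stamp.sql" &&
    tar -czf "$BACKUP_DIR/files-$stamp.tgz" wp-config.php wp-content
}

# Step 2: list what is pending so it can be researched before anything is applied.
list_pending() {
    wp core check-update
    wp plugin list --update=available
    wp theme list --update=available
}

# Step 3: the server must meet the requirements of the release being applied.
check_requirements() {
    php_ver=$(php -r 'echo PHP_VERSION;')
    version_ge "$php_ver" "$REQUIRED_PHP" ||
        { echo "PHP $php_ver is below the required $REQUIRED_PHP; aborting" >&2; return 1; }
}

# Updates are applied only when invoked as: sh update.sh apply
case "${1:-}" in
    apply) backup_site && check_requirements && list_pending &&
           wp core update && wp plugin update --all && wp theme update --all ;;
esac
```

Run without arguments the script does nothing; `apply` runs the update only after the backup and the requirement check succeed, and the pending list is printed so it can be reviewed against the site's plugins and themes.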

2. Get a Web Application Firewall (WAF)

When this post was originally written, firewall services were almost non-existent, and you often had to pay thousands of dollars a year for an actual hardware-based firewall to sit in front of a web server. Today there are many services that offer a real-time firewall for as low as $20/month. The services I like and have experience working with are:

All Websites We Host Utilize a Firewall (no exceptions)

FatLab will not take responsibility for a site without one of these services protecting it; the risk is simply too great! All of our hosting clients utilize a real-time firewall. I also like these services because they are not software-based (like a WordPress plugin). Software-based firewalls often block malicious requests only after they have already reached the server. Even when the threat itself is blocked, the server still has to process each request, so a flood of them can still overwhelm it (a DDoS).

Website security has gotten easier since I originally wrote this post, but it is no less important; in fact, just the opposite.