Recently, Finnish security researcher Jouko Pynnönen revealed a security flaw in Yoast’s WordPress SEO plugin which allowed hackers to take over the administrator account of any CMS on which the plugin was installed. One of the most popular SEO tools on the web, Yoast’s plugin has been downloaded nearly seven million times – meaning there’s a staggering number of WordPress sites impacted by the vulnerability. Unfortunately, this story is nothing new.
It seems like every week, there’s some new crisis that content management systems have to deal with. There always seems to be some new vulnerability, new attack vector, or exploit that allows hackers to seize control of a site (or simply access a ton of sensitive information). More often than not, these security flaws are plugin-based: the result of poor coding or an oversight on the part of the developer.
If you think these vulnerabilities are popping up more and more frequently, you’re not imagining things. They are, and you shouldn’t be surprised. Content management systems run nearly 40% of the world’s websites, so it’s only natural that they’d become frequent targets – and that’s without even accounting for the fact that, thanks to their relatively open architecture, they have more points of attack than any other platform on the web.
That isn’t to say they’re inherently insecure, mind you. WordPress core, for example, is one of the most secure website creation tools in the world – provided, of course, you take the necessary precautions. That’s what we’re here to talk about today – what are those precautions?
In light of the fact that content management systems are being targeted with increasing – and alarming – frequency, how can you keep yourself safe?
- Only Download Plugins From Reputable Developers: This one is huge – and probably one of the most valuable pieces of advice you’ll ever hear. Remember CryptoPHP? That was one of the worst pieces of malware to hit WordPress in years… but in order to become infected with it, you had to have downloaded a compromised plugin. I’d wager most of the sites that suffered from the vulnerability were using pirated add-ons or themes.
- Pay Attention To The News: Preparedness is incredibly important – which is why you need to keep an ear to the ground as far as security is concerned. My advice is to set up a few Google alerts related to your CMS, and check them every day. That way, you’ll know ASAP when one of your plugins is vulnerable – and you can take whatever steps necessary to protect your site.
- Patch Regularly: This should be obvious, but it needs to be said all the same – keep your site up to date. Whenever there’s a new security patch or hotfix released, install it.
- Create Regular Backups: Sometimes, your site’s going to end up getting hit no matter what you do. Having some sort of scheduled backup system means that you can restore any data lost as a result of a compromise.
- Make Sure Your Account Security Is Up To Snuff: One of the biggest vulnerabilities in your WordPress installation could well be your account. Having a username like ‘admin’ or a password like ‘default’ is basically asking for your site to get hacked – especially with brute force attacks on the rise. In addition to strengthening your passwords, you might consider using two-factor authentication along with some form of encryption.
There’s a reason we seem to hear about a new CMS vulnerability or attack vector every single week. Content management systems are on the fast track to becoming one of the most frequently targeted mediums for cyber-criminals. It’s never been more important that you keep your stuff secure – no matter what platform you happen to be running.
If you aren’t regularly patching out vulnerabilities, taking proactive steps to manage your security, and keeping your passwords and accounts strong, then you’ve only yourself to blame if your installation ends up getting compromised.