Why CMS Platforms Are Common Hacking Targets

What do WordPress, Joomla, and Drupal all have in common? First, they are the most popular Content Management Systems (CMS) in use today. According to statistics from Web Technology Surveys, these three platforms combine to support over 75% of all CMS-powered websites currently online.

They also share another less encouraging similarity: they are among the most common hacking targets on the Internet.

A WP White Security study found that a staggering 73% of all WordPress installations had known vulnerabilities that could easily be detected using automated tools.

Cyber criminals have long discovered these security holes, with over 170,000 WordPress sites being hacked last year.

Why are CMS platforms so vulnerable?

When you consider the different issues in play it becomes obvious why hackers deem CMSes to be appealing targets. It is easy for some to assume that since WordPress, Joomla, and Drupal are such recognizable names, they must be providing some form of protection.

However, the opposite is true. Fact is, CMSes are vulnerable by nature because they are built on open source frameworks. Such shared development environments offer several benefits but they also have their share of flaws, many of which arise form a lack of accountability.

With no price tag, and with no one to take direct responsibility for potential problems, it’s no surprise when the final product has some security issues. Since the top CMSes are so popular, these security vulnerabilities are actively sought after — both by security researchers and members of the hacker community.

Once identified, these flaws can turn into a virtual gold mine for hackers, creating a much more efficient way for them to execute automated mass-scale attacks.

Adding to the issue are website operators who use weak passwords, leaving their admin accounts vulnerable to automated brute force attacks.

In past we’ve showed how such weak passwords were used to inject the website with malware, turning them into DDoS zombies.

Obviously, with administrative access hackers can also deal other kinds of damage: anything from defacing the site (for fun) to using it for malware distribution, which eventually gets it blacklisted in Google and in other search engines.

Sites blacklisted by Google on a weekly basis. (Google’s Safe Browsing Initiative)

Finally, there is also the issue of various CMS plugins and themes, which are also exposed to attacks. Each of these is created by a different developer and may introduce an additional set of vulnerabilities.

A recent study found that over 20% of the fifty most popular WordPress plugins were vulnerable to hacking, while a staggering eight million susceptible plugins had been downloaded from WordPress alone.

Considering that most users have at least 3-4 plugins running on their CMS platform, it’s apparent how they can further expose their sites to new security risks.

What users can do to protect themselves from CMS vulnerabilities

There are a number of things users can do to protect themselves:

Create a regular schedule to update or patch their CMS, and all installed plugins and themes. This will ensure that all components are up-to-date. CMS platforms usually display a dashboard message whenever a new update is available; users should quickly install it even if it’s outside their update schedule.
Regularly backup the CMS and its underlying database. This should be performed weekly at a minimum.
Subscribe to a regularly-updated list of vulnerabilities for the specific CMS being used (e.g., WordPress).
Delete default admin usernames (e.g., ‘admin’) and use strong passwords (at least eight characters long, with a combination of upper and lower case, as well as both letters and numerical characters).
Use a plugin for strong authentication, or two-factor authentication (2FA) for an additional layer of protection.

Protection from a Web Application Firewall

Users can also opt for a Web Application Firewall (WAF), which automatically protects against all CMS vulnerabilities.

A WAF is an enterprise-grade website security product available as an appliance, server plugin or (as with Incapsula) in a cloud-based “security as a service” model. WAF’s job is to monitor user inputs, using a massive library of security rules to identify and block known attack methods.

The crowdsourcing aspect of the Incapsul cloud-based service is a unique twist on our proprietary WAF formula.

By scrutinizing massive amounts of attack data, collected from all websites on service, the Incapsula security team is able to gain additional insights into the overall traffic landscape. This information is then used to identify new security threats and generate rapid-response security rules, for the advantage of the entire client base.

The ‘strength in numbers’ approach taken by Incapsula enables it to instantly respond to zero-day threats and new variants of known vulnerabilities. Abundance invaluable security data also allows Incapsula to use non-signature based security policies, like the ones that identify abnormal behavior and suspicious IPs.

Moreover, to deal with weak and stolen passwords, Incapsula service also includes a 2FA option, ensuring that admin areas within protected websites remain secure.

Lastly, for website who onboard Incapsula while already breached, the service offers a shell detection and removal solution. With it you can remove the hacker-installed malware and start anew with a “clean slate”.

Prior to cloud-based WAFs, businesses looking to implement such a robust security system needed to as much as $20K – $30K for an entry-level solution. Today, Incapsula PCI-certified WAFs offer the same level of protection for as little as $60/month.

For more on CMS security register for our upcoming webinar: WordPress Security Simplified- Six Easy Steps for a More Secure Website.