The security risks of Content Management Systems

Even if you’re not familiar with the term CMS, you’re certainly familiar with what they make possible. An abbreviation for Content Management System, CMSs represent an increasingly large part of the internet. 

According to some estimates, 43.6 percent of all websites today use a CMS. By far the most popular of these is WordPress, which holds 61.9 percent of the CMS market. Other popular and fast-growing CMSs include the likes of Joomla and Wix — to name just a few.

Whether or not you’ve used these tools yourself, if you’ve visited a website this year there’s a high likelihood that a Content Management System played a big part in its creation and operation. Securing them with the right tool, such as a Web Application Firewall, is therefore of the utmost importance.

CMSs solve a big problem

In the early days of the internet, websites had to be hand-coded by website builders. Today, CMSs represent easy, far more accessible tools for allowing users to create and manage digital content. In the case of websites, a tool like WordPress lets users select templates and then create, manage, publish and modify content with just a few clicks — no coding required. 

CMSs can support multiple users working together, admin panels that support multiple languages, and even allow extra functionality (ranging from comments sections to e-commerce features) through additional plugins. While the exact feature set will likely vary depending on the CMS you choose, CMSs typically have two chief components: a front-end user interface that lets the user make changes to their website, and a content delivery application that compiles this content and then updates the website.

CMSs have made it easier for millions of people to set up and operate websites. But they’re not without their potential problems. Wherever there are tools relied on by large numbers of people, there are bad actors and cyber criminals who will try and find ways to exploit the situation for their own advantage. CMSs can have security risks, and websites built on those CMSs inherit their vulnerabilities.

Magento’s digital skimming attack

A recent example of a CMS vulnerability involved Magento, an open source eCommerce platform that lets users who want to sell products online control the look and functionality of online stores, along with incorporating a shopping cart system, search engine optimization tools, and more. 

In September 2020, thousands of eCommerce stores created using Magento 1 — the first version of the Magento tool — were subject to a “digital skimming” attack. This attack sought to steal the bank card information of customers as they paid online. It was based on a zero-day exploit (a vulnerability that had not previously been disclosed by security researchers) discovered by a Russian hacker using the online handle z3r0day. For a fee of $5,000, z3r0day provided a video online showing would-be attackers how they could inject skimming code into an eCommerce website so that it would automatically run whenever customers visited the hijacked payment page.

Magento owner Adobe said that it could not easily patch the vulnerability because it no longer supported Magento 1. Adobe released Magento 2 in November 2015, signalling the beginning of the end for Magento 1, although it continued to support the older version for several more years. However, while Adobe may have now moved on from Magento 1, many users continue to rely on the outdated platform. Customers using these eCommerce stores do not necessarily know that they are using a tool that is no longer supported — and, as this story illustrates, may contain dangerous vulnerabilities.
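The attack described above works by adding script to a payment page that the shop never deployed. One defensive control a store operator can run is an integrity check: capture the scripts on the checkout page when it is known to be good, then periodically fetch the page and flag any external script host or inline script body that is not in that baseline. The following is an added example written for this article, not code from Magento, Adobe or the original post; the page contents, host names (cdn.shop.example, static.unknown-host.invalid) and the placeholder "injected" script are all constructed for the demonstration, and the check uses only the Python standard library.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and inline <script> bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # src URLs of external scripts
        self.inline = []        # text of inline scripts
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(html):
    """Record the known-good script hosts and inline-script hashes of a page."""
    p = _ScriptCollector()
    p.feed(html)
    hosts = {urlparse(s).netloc.lower() for s in p.external if urlparse(s).netloc}
    hashes = {sha256_hex(body) for body in p.inline}
    return hosts, hashes


def find_unexpected_scripts(html, allowed_hosts, allowed_inline_hashes):
    """Return (kind, detail) findings for scripts that are not in the baseline."""
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        host = urlparse(src).netloc.lower()
        # A relative src (empty netloc) is same-origin; only foreign hosts are checked.
        if host and host not in allowed_hosts:
            findings.append(("external", src))
    for body in p.inline:
        digest = sha256_hex(body)
        if digest not in allowed_inline_hashes:
            findings.append(("inline", digest))
    return findings


# Constructed baseline: the checkout page as deployed, captured when known-good.
BASELINE_PAGE = """<html><head>
<script src="https://cdn.shop.example/js/checkout.js"></script>
<script>window.checkoutConfig = {currency: "EUR"};</script>
</head><body><form id="payment"></form></body></html>"""

# Constructed sample of the same page after an unauthorised change: one extra
# external script from a host the shop never used and one extra inline script.
MODIFIED_PAGE = """<html><head>
<script src="https://cdn.shop.example/js/checkout.js"></script>
<script>window.checkoutConfig = {currency: "EUR"};</script>
<script src="https://static.unknown-host.invalid/loader.js"></script>
<script>/* placeholder standing in for an unexpected inline script */ void 0;</script>
</head><body><form id="payment"></form></body></html>"""


def check_page(html):
    """Compare a freshly fetched page against the recorded baseline."""
    hosts, hashes = build_baseline(BASELINE_PAGE)
    return find_unexpected_scripts(html, hosts, hashes)


if __name__ == "__main__":
    for kind, detail in check_page(MODIFIED_PAGE):
        print(f"ALERT: unexpected {kind} script: {detail}")
```

In practice the baseline would be stored outside the web root and refreshed only as part of a deployment, so that a change appearing between deployments is treated as an alert rather than silently absorbed. The same comparison can be strengthened by serving a Content-Security-Policy header that restricts script sources to the allowed hosts, which blocks unexpected external loads in the browser as well as reporting them.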

Protecting against vulnerabilities

Protecting against these kinds of vulnerabilities is something anyone who relies on a CMS should be cognizant of. Security breaches can be devastating for companies.

With more websites than ever using CMSs to publish and manage their online content, this is not a problem that’s going away. Hackers know that discovering a vulnerability in a widely used CMS gives them the ability to immediately compromise thousands (or even millions) of sites that use it. Think of it like cloning not just an individual door key, but, rather, a master key that unlocks every door in an entire building.

There are proactive steps users can take themselves. Using add-ons and plugins from reputable sources is one good idea. So too is making sure that you are updated to the latest version of a particular CMS tool, ensuring that you are protected by the latest bug-fixes and fully supported by developers.

Going above and beyond

However, sometimes — and increasingly often — it’s important to go one step further. Fortunately, the tools exist to help more comprehensively protect websites from exploitation. A Web Application Firewall (WAF) can detect and block attempted infections and malicious content. Such tools may help secure both active and legacy applications, along with third-party apps, APIs and micro-services, and more. With a WAF in place you’ll be better protected against vulnerabilities, even when zero-day exploits arise that the developers have not yet discovered and patched.

The risk of CMS vulnerabilities cannot be overstated. Whether it’s for your own ease of mind, the safety and security of your customers or, likely, a combination of both, investing in the right protective measures is among the smartest and most responsible cybersecurity moves you can make.
