Keep Hackers Away From Your CMS

Developing website security is akin to a Yin-Yang relationship. The more hackers attempt to gain access, the stronger security becomes. The greater the security, the harder the criminal element tries to gain access. It’s an ongoing process where one entity constantly tries to surpass the other.
Why CMS Hacking?
While it’s tempting to dismiss CMS (Content Management System) platforms as “also-rans” in the world of security breaches, there is real risk when content management platforms are hacked. High-profile breaches such as Target and Home Depot garnered attention due to the Backoff malware, and rightly so: many retailers use point-of-sale systems that aren’t properly secured. As noted by Web Technology Surveys, however, 75 percent of websites using a CMS are powered by popular platforms such as WordPress, Joomla and Drupal, all of which are built on open-source code, are free to use and are largely maintained by a passionate community of users. In other words, this is a huge market for cybercriminals, and since almost every bit of code they need to break down CMS walls is publicly available, it’s no surprise that these platforms are popular targets.
In the midst of all this hacking, where does your site stand? It’s difficult to know for sure, but you can do your best to make your website as hack-proof as possible. Because of the nature of most popular content management systems, hackers often get the upper hand by analyzing the code for loopholes and weaknesses. However, organizations that develop open source systems such as WordPress, Joomla and Drupal are constantly working to plug those holes. Here are key ways to reduce threats to your CMS sites.
Front-End Login

Many attacks on CMS sites come through the front-end login. By default, most systems place this login form on the homepage. While it may be useful for your users, it’s also a target for hackers and bots. Think of it as a door to your house: if the door isn’t out in the open, or isn’t there at all, a hacker has no opportunity to burst through it.
Most CMS tools give you the ability to remove this login with a simple click of a check box. For example, both WordPress and Joomla provide that feature and you can remove the login screen from the system’s tools. Two clicks of the mouse later and your website no longer has a login section on the front page.
What if you have authors who need the login screen for your website? It’s much safer and easier to allow them to log into the system from the back-end admin screen than from the front page. Systems like WordPress are excellent at making sure that your users don’t have access to administrative tools if they don’t need them.
Locking the Admin Login Page
Some content management systems will have plugins available that help protect the admin login page. For example, you can install a plugin that will lock out the admin page if someone repeatedly tries the wrong password from a specific IP address. This blocks the hacker from the page while still giving you access, as you will be on a completely different Internet access point. It also makes it far more difficult for a hacker to launch a brute force attack, as he or she would have to change IP addresses after so many attempts. Search for plugins using “login lockdown” as your criteria for any CMS you use.
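The lockout behaviour described above, sketched as an added example; it is not code from any particular plugin. The threshold, window and lockout duration are assumed values, and the login events are constructed.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed threshold: failures allowed inside the window
WINDOW_SECONDS = 300    # assumed window in which failures are counted
LOCKOUT_SECONDS = 900   # assumed duration of the lockout


class LoginLockout:
    """Track failed admin logins per source IP and lock out repeat offenders."""

    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time at which the lock expires

    def is_locked(self, ip, now):
        if self.locked_until.get(ip, 0) > now:
            return True
        self.locked_until.pop(ip, None)      # lock expired or never set
        return False

    def record(self, ip, success, now):
        """Process one login attempt; return 'blocked', 'ok', 'failed' or 'locked'."""
        if self.is_locked(ip, now):
            return "blocked"                 # the password is not even checked
        if success:
            self.failures.pop(ip, None)      # a good login clears the counter
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            recent.clear()
            return "locked"
        return "failed"


def replay(events):
    """Run (time, ip, success) tuples through a fresh tracker."""
    tracker = LoginLockout()
    return [tracker.record(ip, ok, t) for t, ip, ok in events]


# Constructed events: one address guessing passwords, the site owner on another.
SAMPLE_EVENTS = [(t, "203.0.113.7", False) for t in range(0, 50, 10)] + [
    (60, "203.0.113.7", True),     # correct guess, but the address is locked
    (70, "198.51.100.4", True),    # owner on a different address is unaffected
    (1000, "203.0.113.7", False),  # lock has expired, counting starts again
]
```

`replay(SAMPLE_EVENTS)` shows the fifth failure triggering the lock, the locked address being refused even with the right password, and the owner logging in normally from elsewhere.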
Don’t Use Default Admin

The default username of “admin” is one of the most common in the world of electronics both online and off. When you install a new system, create a completely unique ID for administrative control. Some owners will go so far as to remove the default “admin” name entirely after creating a new username in order to eliminate the risks from an attack.
Hiding the WP-Includes Folder
Did you know that the “/wp-includes” folder is accessible to the public in many WordPress installations? This shows everything from plugins to the actual version of your WordPress CMS. It may also show loopholes that hackers can use to attack your site. An easy way to prevent this is to add a blank “index.html” file to your “/wp-includes” folder. This causes browsers to load the index automatically while hiding the files and folders within that directory. Simply create a new page in Notepad, save it as “index.html” and upload it into the “/wp-includes” folder.
Plugins, Themes and Other Add-ons
Plugins, modules and components are all part of the CMS experience. These are small additions to your site that can offer a variety of tools for both management and visitor appeal. Programmed themes and templates are used to change the overall appearance of a CMS site. However, these additions may also include malicious coding that can give a hacker a backdoor into your website.
While the organizations that govern the various management systems do their best to weed out these bad add-ons and promote website security, sometimes you’ll come across an add-on that is corrupt. It’s always best to research the developer of an add-on before installing. The last thing you want to do is help someone hack your site by adding a tool that looks safe.
Comment Spamming Protection
Systems that use comments for social engagement are often the target of spam bots and hack attempts. While you can remove the ability to leave a comment, it may be more feasible to find a legitimate plugin that exercises security. For example, using plugins such as “LiveFyre” or “Disqus” on WordPress creates an added layer of spam protection because those who leave comments need to make registered accounts. Even more advanced forms of captcha can be helpful in reducing bot access. This eliminates a large portion of the hits you’ll get by those looking to spam your website.
Routine Scan of Your File System

It’s always a good idea to run routine scans of your file system in any CMS application. Although your hosting provider may have their own security software, there’s nothing wrong with utilizing your own as an added layer of security. This could help eliminate backdoor threats left behind by malware, which reduces the risk of being hacked. Some content management systems will have plugins available that will keep your website safe from such attacks.
Keep Your Site Updated
Unless you’re using an older CMS that no longer has continued support, you should always keep your system updated. WordPress and Joomla have this option automatically built in and will advise you that an update is available for install. These updates are vital for website security and will contribute to preventing hacks. Developers will often release fixes and code repairs to eliminate discovered threat risks.
Even small websites that experience twenty visitors per month can be targeted by hackers and used for nefarious purposes. Don’t assume that your site isn’t important enough to protect. It could be used to send spam, conduct fraud and identity theft and much more. Take every measure you can to make sure your site is kept safe from the criminal element.