Nearly a year back, VerticalScope, a Canadian forum hosting company that runs over a thousand forums and websites like Boat.com, AutoGuide.com, Mothering.com and Motorcycle.com reported a security breach on their service. This enabled the attackers to steal the records of more than 45 million users. A post-mortem of the breach revealed that the attackers had made use of two outdated pieces of third party software that the VerticalScope websites were built upon. This included a software vulnerability in vBulletin message board software that has been around since 2007 and another unpatched bug in WordPress.
Cloud security has continued to be a hot topic of debate over the years. While the growth and adoption of cloud based products and services has been steady, attacks as these are the reason why users continue to be skeptical about cloud security. This is not the first time hackers penetrated the security wall through vulnerabilities in the CMS though. Back in 2013, Drupal, another popular CMS service experienced a data breach that was made possible through a known vulnerability inside third party software installed on the Drupal.org server. This begets the question – are content management systems among the most vulnerable elements when it comes to cloud security?
Wide userbase
CMS platforms are mostly the underlying technology over which businesses build websites that cater to their business needs. WordPress, for instance, was first introduced as a blogging platform. But over time, this CMS has become so agile and sophisticated that businesses have built numerous complex and dynamic websites over this platform. Not surprisingly then, these CMS services enjoy a wide userbase. WordPress alone is known to power more than 28% of all websites in the world today. Others like Drupal and Joomla constitute 5% of all websites.
From a hackers’ perspective, this presents a terrific opportunity. Investing in finding a vulnerability on WordPress or Drupal is likely to be more profitable than targeting native websites and source codes. Also, given that many of these tools are open sourced, looking into the source code for vulnerabilities is relatively easy.
Third party plugins
The popularity of a CMS tool depends on the kind of tweaks and customization it offers to users. This is made possible with the help of third party plugins and extensions that users can integrate to their websites in just a matter of clicks. According to one estimate, there are more than 50,000 plugins available on WordPress today. While this gives the CMS a great competitive advantage over alternatives like Joomla or Drupa, it is also true that this puts the security of a website in the hands of thousands of amateur developers who may have not secured their plugins as well as they ought to. This gives hackers a multitude of entry-points to penetrate a system. Always, be sure of the kind of extensions you install and how secure they are. Joomla, for instance, publishes its own list of vulnerable extensions that you must avoid in order to ensure better security.
Version updates
A significant number of CMS attacks happen on outdated versions. With open source tools, it is possible for hackers to literally compare the source code of the newer version with the older version to identify the security issue that has been patched, and then target websites that still run on the older version. This presents a grave threat to website security. Not surprisingly, CMS providers including those like WordPress today automatically update websites running their software to the newest version. However, if you have disabled CRON or other scripts on your server that could prevent WordPress from auto-updating your scripts, then you could be putting the security of your own website at risk.