Why Are CMS Platforms Common Hacking Targets?
Popular website content management systems (CMS) such as WordPress, Joomla, Magento and Drupal power close to 50% of the websites on the internet today. This statistic reflects the dependency of both internet users and web developers on such CMS platforms, largely due to the ease with which these CMS allow users to manage their website content.
However, there is also a common negative trait shared among these website CMS – they are common hacking targets. As of 2017, data gathered from Sucuri shows that WordPress retained the unwanted title of the most hacked CMS platform (74% of the hacked websites), followed by Joomla (17%) and Magento (6%).
But what are the factors that make these CMS vulnerable to hacking attacks?
Open source framework – The open source nature of the CMS is a double-edged sword. Because the source code is publicly accessible, multiple users can freely work on it together in a collaborative environment. Yet the benefits in terms of shared development are often overshadowed by the vulnerability that arises from a lack of accountability. The popularity of the stated CMS means that their ‘weaknesses’ are very much common knowledge, thus making them easy targets for the hacker community.
Weak passwords – Many web administrators still use weak or predictable passwords. This is especially true when they fail to change the CMS login password after taking over the website from third-party website developers. These developers build various websites for different clients and, for convenience’s sake, they may reuse passwords that are general and easy to remember; this in turn makes the websites vulnerable to hacking activities and automated brute force attacks.
Outdated plugins and CMS installations – Another major source of problems is outdated installations. Plugins developed by different developers may each introduce their own set of vulnerabilities that adds to the total. In certain cases, site administrators are also guilty of not running up-to-date CMS versions, which eventually presents opportunities for attackers to exploit.
Cleaning up a hacked website can be a chore and, in many cases, it is extremely hard to remove the entire infection. Attackers may leave behind a backdoor, giving them the opportunity to regain access if infected sites and servers are not properly cleaned.
What can users do to protect against hacking activities?
- Regularly back up your CMS website and its underlying database.
- Change your password frequently. Ensure your password is strong (at least 8 characters long, consisting of both numerical and alphabetical characters with upper and lower cases).
- Enable 2-factor authentication for an additional layer of protection.
- Update your CMS and all installed plugins. If you are worried about the compatibility of the updated versions, test them in a staging environment or do a backup beforehand.
- Use a Web Application Firewall (WAF). This is probably one of the most effective solutions to protect against cyber attacks, and it is especially useful to companies providing products/services over the internet. Generally speaking, a WAF can help to monitor, filter or block potentially harmful traffic from your website (you may email us to explore more on the capabilities and benefits of WAF).
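The automated brute force attacks mentioned under weak passwords leave a recognisable trace in web server logs, and a check like the one below can run alongside the measures above. It is an added example, not part of the original article. It assumes a WordPress site, the combined access-log format, and WordPress's default behaviour of answering a failed login with status 200 and a successful one with a 302 redirect; the 5-minute window, the threshold of 5 and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip - user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATH = "/wp-login.php"  # WordPress login endpoint

def find_bruteforce(lines, window=timedelta(minutes=5), threshold=5):
    """Flag IPs with >= threshold failed login POSTs inside any window."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failed logins
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?", 1)[0] != LOGIN_PATH:
            continue  # only login submissions are of interest
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip = m["ip"]
        if m["status"] == "302":
            # Assumed: 302 = successful login. Only alarming after a burst.
            if ip in flagged:
                flagged[ip]["success_after_burst"] = True
            continue
        q = recent[ip]  # any other status is counted as a failed attempt
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= threshold:
            entry = flagged.setdefault(ip, {"max_burst": 0, "success_after_burst": False})
            entry["max_burst"] = max(entry["max_burst"], len(q))
    return flagged

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE = [
    f'203.0.113.7 - - [10/Mar/2024:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "-"'
    for s in range(0, 36, 6)  # six failed attempts in 30 seconds
] + [
    '203.0.113.7 - - [10/Mar/2024:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.4 - - [10/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "-"',
    '198.51.100.4 - - [10/Mar/2024:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.4 - - [10/Mar/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "-"',
]

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE))
```

An address flagged with `success_after_burst` set is the case to act on first: the password was probably guessed, so that account's password should be changed and the site checked for a backdoor.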
The vulnerabilities of website CMS towards hacking activities do not mean that these platforms are insecure. With smart management and the right solutions, both you and your website visitors can enjoy a better web experience.