Content management systems run a meaningful share of the public web. WordPress alone powers something close to forty percent of all websites, and the picture is similar across other platforms with their own large installed bases. That ubiquity is the reason CMS platforms are favourite targets for threat actors. The technology is well understood, the misconfigurations are well documented and the supply of vulnerable installations is essentially endless.

Plugins Are Where Most Compromises Begin

The core platforms are reasonably well maintained. Third-party plugins, frequently written by hobbyists in their spare time, are usually where the trouble starts. A single vulnerable plugin can hand an attacker arbitrary file upload, remote code execution or full admin access. Because the same plugin ecosystem also produces the contact forms, gallery widgets and SEO tools that most sites rely on, avoiding plugins entirely is not a realistic option. A capable penetration testing firm will inventory your plugin estate, with versions and activation status, before testing anything else.

Admin Accounts Are An Underrated Risk

Every CMS comes with a powerful administrative interface, often accessible at a predictable URL. Brute force attacks against those interfaces never stop. Many organisations have inherited installations where the original admin account is still called admin, the password has not changed since the site was built and the login page sits at the default path. None of this is exotic. All of it appears in compromised sites every week.
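The pattern described above, credential guessing against a login page at a predictable path, leaves a recognisable trace in ordinary access logs. The script below is an added example for this article, not code from the article or from any CMS vendor. It assumes the Apache/Nginx combined log format, the WordPress paths /wp-login.php and /xmlrpc.php, and a heuristic that a failed WordPress form login re-renders the page with HTTP 200 while a success redirects with 302; the log lines are constructed for the example.

```python
"""Spot password guessing against a CMS login page in web server access logs.

Added example for this article, not code from the article or any vendor.
Assumptions: Apache/Nginx "combined" log format, and the WordPress login
endpoints /wp-login.php and /xmlrpc.php. The status-code rule (failed form
login -> 200, successful form login -> 302) is a heuristic for WordPress and
needs adapting for other platforms.
"""
import re
from collections import defaultdict

# Constructed sample lines, not real traffic. One IP hammers the form and then
# gets in, one ordinary user logs in once, one IP pounds xmlrpc.php.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.20 - - [12/May/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
198.51.100.20 - - [12/May/2024:10:01:09 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.99 - - [12/May/2024:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.0"
192.0.2.99 - - [12/May/2024:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.0"
192.0.2.99 - - [12/May/2024:10:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
FORM_LOGIN = "/wp-login.php"
XMLRPC = "/xmlrpc.php"


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0]   # drop the query string before matching
    return ev


def login_activity(log_text):
    """Per-IP counts of login traffic. Only POSTs to the login endpoints count."""
    stats = defaultdict(lambda: {"form_failed": 0, "form_succeeded": 0, "xmlrpc_posts": 0})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST":
            continue
        s = stats[ev["ip"]]
        if ev["path"] == FORM_LOGIN:
            if ev["status"] == 302:
                s["form_succeeded"] += 1
            elif ev["status"] == 200:
                s["form_failed"] += 1
        elif ev["path"] == XMLRPC:
            # xmlrpc.php answers 200 whether or not the credentials were right,
            # so request volume is the only signal the access log offers.
            s["xmlrpc_posts"] += 1
    return dict(stats)


def flag_brute_force(stats, threshold=3):
    """Return findings for IPs at or above the threshold, worst first."""
    findings = []
    for ip, s in stats.items():
        if s["form_failed"] >= threshold and s["form_succeeded"]:
            findings.append({"ip": ip, "severity": "critical",
                             "reason": f"{s['form_failed']} failed form logins, then a success"})
        elif s["form_failed"] >= threshold:
            findings.append({"ip": ip, "severity": "high",
                             "reason": f"{s['form_failed']} failed form logins"})
        elif s["xmlrpc_posts"] >= threshold:
            findings.append({"ip": ip, "severity": "medium",
                             "reason": f"{s['xmlrpc_posts']} POSTs to xmlrpc.php"})
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["ip"]))


if __name__ == "__main__":
    for f in flag_brute_force(login_activity(SAMPLE_LOG)):
        print(f"{f['severity']:8} {f['ip']:15} {f['reason']}")
```

The "critical" case is the one worth paging on: a run of failures followed by a redirect from the same address is the signature of a guess that landed. Usernames are not in the access log, so confirming that the target was the default admin account needs the application's own auth log or the database's user table.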

Expert Commentary

William Fieldhouse, Director of Aardwolf Security Ltd

The CMS compromises that make the press tend to start with something boring. A plugin that was never updated. An admin password that was reused on a forgotten forum that got breached three years ago. A staging site at a guessable subdomain with weaker credentials than production. The interesting work is in finding these before someone else does.

Plugin Updates Deserve The Same Care As Installs

Plugin updates carry the same risks as plugin installs. A well-behaved plugin can turn hostile after an ownership change, a vulnerable release or a compromised maintainer account. Treat plugin updates as code changes: apply them in staging first, then monitor production for unusual behaviour after the update. Keep a clear list of which plugins you have installed, who maintains them and how you would respond to a confirmed compromise in any of them. Plugin estate management is unglamorous and easy to neglect. The teams that do it well treat the plugin list as a security asset, review it quarterly and remove anything that no longer has a business owner who can describe what it does and why it is needed.
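The inventory that the plugins section says a tester takes first, and the quarterly ownership review described above, can be the same script. What follows is an added example for this article, not code from the article or from WordPress. It assumes input shaped like the JSON that `wp plugin list --format=json` produces (name, status, update, version); both the inventory and the ownership register below are constructed for the example.

```python
"""Review a CMS plugin estate against an ownership register.

Added example for this article, not code from the article or from WordPress.
The inventory shape (name, status, update, version) is modelled on
`wp plugin list --format=json` and is an assumption; the register is the
list the article recommends keeping, modelled here as a dict.
"""
import json

# Constructed sample inventory, not taken from a real site.
PLUGIN_LIST_JSON = json.dumps([
    {"name": "contact-form-7", "status": "active",   "update": "none",      "version": "5.9.3"},
    {"name": "seo-helper",     "status": "active",   "update": "available", "version": "2.1.0"},
    {"name": "old-gallery",    "status": "inactive", "update": "available", "version": "1.3.2"},
    {"name": "mystery-widget", "status": "active",   "update": "none",      "version": "0.4.0"},
])

# Constructed ownership register: who owns each plugin and why it exists.
OWNER_REGISTER = {
    "contact-form-7": {"owner": "marketing", "purpose": "site contact form"},
    "seo-helper":     {"owner": "marketing", "purpose": "meta tags and sitemaps"},
    "old-gallery":    {"owner": None,        "purpose": "unknown"},
    "legacy-slider":  {"owner": "web team",  "purpose": "homepage carousel"},
}


def review_plugins(plugin_json, register):
    """Classify each installed plugin into a review action.

    Returns {"remove": [...], "update_in_staging": [...], "findings": [...]}.
    A plugin is a removal candidate when it is inactive, has no business
    owner, or is missing from the register. Inactive plugins still sit on
    disk and their files can still be requested directly, so "inactive" is
    not the same as "safe". Anything slated for removal is not queued for
    an update; removing it is the fix.
    """
    plugins = json.loads(plugin_json)
    findings, remove, update = [], [], []
    for p in plugins:
        name = p["name"]
        entry = register.get(name)
        reasons = []
        if entry is None:
            reasons.append("not in ownership register")
        elif not entry.get("owner"):
            reasons.append("no business owner recorded")
        if p["status"] == "inactive":
            reasons.append("installed but inactive")
        if reasons:
            remove.append(name)
            for r in reasons:
                findings.append({"plugin": name, "action": "remove", "reason": r})
        elif p["update"] == "available":
            update.append(name)
            findings.append({"plugin": name, "action": "update_in_staging",
                             "reason": f"update available (installed {p['version']})"})
    # Register entries with no matching install are stale paperwork and hide
    # the real gaps; flag them so the register stays trustworthy.
    installed = {p["name"] for p in plugins}
    for name in register:
        if name not in installed:
            findings.append({"plugin": name, "action": "clean_register",
                             "reason": "in register but not installed"})
    return {"remove": remove, "update_in_staging": update, "findings": findings}


if __name__ == "__main__":
    for f in review_plugins(PLUGIN_LIST_JSON, OWNER_REGISTER)["findings"]:
        print(f"{f['action']:18} {f['plugin']:16} {f['reason']}")
```

Running it against live output from WP-CLI is a matter of piping `wp plugin list --format=json` into the script; the register is the part that has to be maintained by hand, which is exactly the discipline the paragraph above is asking for.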

Themes And File Uploads

Themes carry the same risks as plugins, with the added complication that they often handle file uploads, media galleries and user-generated content. Each of these is a potential foothold: an upload handler that trusts the file extension or the client-supplied content type can be turned into a web shell drop. Treat themes as code, review them like code and run regular vulnerability scans across the public-facing surface to catch the symptoms of compromise quickly. Monitoring rarely substitutes for testing, but it is far better than waiting for a customer to phone in.
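The checks a reviewer looks for in a theme's upload handler are concrete enough to show. The validator below is an added example for this article, not code from the article, from WordPress or from any theme. The accepted types, the list of extensions treated as executable and the magic-byte signatures are illustrative choices for a typical PHP host, and the test inputs are constructed.

```python
"""Validate a user upload before it touches the filesystem.

Added example for this article, not code from the article or any CMS. The
accepted-type table and the executable-extension list are illustrative
assumptions for a PHP host, not an exhaustive policy. Stored files should
still live outside the web root, or in a directory with script execution
disabled; this validator is the first layer, not the only one.
"""
import hashlib
import os

# Extensions the site accepts, each with the magic bytes the content must start with.
ALLOWED_TYPES = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
    "pdf":  (b"%PDF-",),
}

# Extensions a PHP host may execute or read as configuration. Rejected anywhere
# in the name, because "shell.php.jpg" can still run on misconfigured servers.
DANGEROUS_EXTS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar",
    "htaccess", "htpasswd", "cgi", "pl", "shtml",
}


def validate_upload(filename, data):
    """Return (accepted, reason, stored_name).

    stored_name is derived from the content hash, so the caller never writes
    a user-chosen name to disk and two uploads of the same bytes collide
    harmlessly.
    """
    if "\x00" in filename:
        return (False, "null byte in name", None)
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", "..") or base != filename:
        return (False, "path component in name", None)
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        return (False, "no usable extension", None)   # also rejects ".htaccess"
    exts = parts[1:]
    if any(e in DANGEROUS_EXTS for e in exts):
        return (False, "executable extension", None)
    if len(exts) != 1 or exts[0] not in ALLOWED_TYPES:
        return (False, "extension not allowed", None)
    ext = exts[0]
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return (False, "content does not match extension", None)
    # Heuristic: a polyglot image with PHP in its metadata is still an image
    # by magic bytes; refuse anything carrying a script opener.
    if b"<?php" in data or b"<script" in data.lower():
        return (False, "script content inside file", None)
    stored = hashlib.sha256(data).hexdigest() + "." + ext
    return (True, "ok", stored)


if __name__ == "__main__":
    # Constructed inputs covering the classic bypass attempts.
    samples = [
        ("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
        ("image.jpg", b"<?php echo 1; ?>"),
        ("../../wp-config.php", b"x"),
        (".htaccess", b"AddType application/x-httpd-php .jpg"),
        ("photo.JPG", b"\xff\xd8\xff\xdb"),
    ]
    for name, content in samples:
        ok, reason, stored = validate_upload(name, content)
        print(f"{'ACCEPT' if ok else 'REJECT':6} {name:22} {reason}{' -> ' + stored if stored else ''}")
```

The order of the checks matters: the name is sanitised before the extension chain is inspected, and the extension is settled before the content is compared against it, so a file cannot pass on the strength of its bytes alone while carrying a name the web server would execute.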

If your CMS has been running for more than two years without a serious review, the case for a fresh look writes itself. CMS security is more about housekeeping than heroics. The teams that keep their houses in order rarely feature in the post-incident reports that follow major compromises. Web application security is a discipline that rewards patient investment. The teams that treat it as ongoing work consistently outperform the ones that treat it as a project with an end date.
