
Opt out of plugging in for a more secure CMS

Davey Winder explains why CMS plug-ins are not worth the security risk

The web, as we know it today, relies heavily on content management systems (CMS) to operate.

It's a CMS that allows a blog, news publication or shopping site to be managed centrally, collaboratively and consistently, which is why it's such a shame that CMS systems suck elephants through a straw when it comes to security. Actually, let me qualify that statement: CMS plugins suck.

So much so, I know web developers at the larger end of the business who visibly shudder when a client asks for a plugin to be installed.

It's not just the home-brew business sites participating in the perilous 'free plugin' adventure that I am talking about here. Commercial plugins, which you might expect to be a different container of aquatic creature, are also vulnerable.

I was talking to someone the other day who had been using a 'premium' plugin, in this case one called 'Revolution Slider'. Now here's the thing: the plugin vulnerability was quickly patched by the developers for anyone who was buying it through them. However, older versions were still out there, rolled into theme packages, and those are less likely to have been patched.

As a result, one business found itself on the wrong end of an exploit. The attacker used the flaw, a Local File Inclusion (LFI) style arbitrary file read, to download wp-config.php and so obtain the site's database credentials. The outcome was a hijacked mail server pumping out hundreds of thousands of malicious emails, and a reputation in urgent need of rebuilding.
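As an added illustration of the incident just described (example code, not from the article or the plugin's vendor), the following Python flags access-log requests that try to reach wp-config.php by path traversal, including percent-encoded variants, and separates reads the server answered with 200 from ones it refused. The log lines, IP addresses, plugin path and `img` parameter are constructed for the example and are not the real plugin's endpoint.

```python
"""Flag access-log requests that try to reach wp-config.php, the target in the
incident described above. Added example; every log line below is constructed."""
import re
from urllib.parse import unquote

# Constructed combined-format log lines (RFC 5737 test addresses). The plugin
# path and the `img` parameter are hypothetical, not a real plugin's endpoint.
SAMPLE_LOG = """
203.0.113.7 - - [01/Oct/2020:10:01:02 +0000] "GET /wp-content/plugins/example-slider/admin/image.php?img=../../../../wp-config.php HTTP/1.1" 200 3122 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Oct/2020:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=show_image&img=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3122 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Oct/2020:10:02:00 +0000] "GET /2020/10/hello-world/ HTTP/1.1" 200 18244 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Oct/2020:10:02:30 +0000] "GET /wp-content/uploads/2020/10/photo.jpg HTTP/1.1" 200 55213 "-" "Mozilla/5.0"
192.0.2.33 - - [01/Oct/2020:10:03:00 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Files whose contents an attacker wants; wp-config.php holds the DB credentials.
SENSITIVE_FILES = ("wp-config.php", ".htaccess", "/etc/passwd")

def normalise_target(target: str) -> str:
    """Percent-decode up to three times so ..%2F and double-encoded ..%252F both
    collapse to ../, then lower-case for matching."""
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.lower()

def classify(line: str):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = normalise_target(m["target"])
    wanted = next((f for f in SENSITIVE_FILES if f in target), None)
    if wanted is None:
        return None
    traversal = "../" in target or "..\\" in target
    return {
        "ip": m["ip"],
        "target": m["target"],
        "file": wanted,
        "traversal": traversal,
        "status": int(m["status"]),
        # A 200 on a traversal to a sensitive file means the read most likely worked;
        # a 403 on a direct hit means the web server rule blocking it did its job.
        "likely_success": traversal and m["status"] == "200",
    }

def scan(log_text: str):
    """Classify every line and keep only the findings."""
    return [f for f in (classify(l) for l in log_text.strip().splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against a real log by replacing SAMPLE_LOG with the file contents; the two 200 responses on traversal requests are the ones that warrant rotating the database credentials in wp-config.php, while the 403 shows a deny rule for the file doing its job.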

It comes as no surprise that the CMS at the heart of that example, insecurity and all, was WordPress.

WordPress is popular for a reason, well many reasons, and they all revolve around it being very functional indeed.

Security outfit Imperva reckons that 74,652,825 sites depend on WordPress, including the likes of CNN, eBay and The New York Times. Half of those are using the free hosting supplied by WordPress.com, just to add a little more fear to the pot.

Of the top 100 blogs listed by Technorati, 48 per cent use WordPress. Unfortunately, as revealed in the annual 'Web Application Attack Report' from the same security vendor, sites running WordPress turn out to have been attacked 24.1 per cent more often than sites running on all the other CMS platforms combined, and they get hit by Cross-Site Scripting (XSS) attacks 60 per cent more frequently.

Here's the thing, and the message I'm trying to get across: the CMS itself is not a liability, and WordPress is not a liability. Plugins, on the other hand, really can be, more often than not.

Saying 'be careful' is a bit twee, but I'll say it anyway. When it comes to choosing plugins, my rule of thumb would be to apply the same level of security due diligence as you did when choosing which CMS platform to use in the first place.
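One concrete form of that due diligence, tied to the theme-bundled copies described earlier, as an added example that is not the author's code: walk wp-content, read the comment header WordPress itself uses to identify a plugin, and report any copy vendored inside a theme that lags the version installed under wp-content/plugins. The directory tree, plugin names and version numbers are constructed in a temporary directory so the script runs offline; point `inventory()` at a real wp-content to use it for real.

```python
"""Inventory every copy of each WordPress plugin under wp-content, including
copies vendored inside themes, and flag bundled copies that lag the version
installed as a plugin. Added example; the tree is constructed in a temp dir."""
import os
import re
import tempfile
from collections import defaultdict

# WordPress identifies a plugin by a comment header in its main PHP file, with
# one "Field: value" pair per line, e.g. "Plugin Name: ..." and "Version: ...".
HEADER_RE = re.compile(r"^[\s*#/]*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

def read_plugin_header(path):
    """Return (name, version) if the file carries a plugin header, else None.
    Only the first 8 KiB are read, mirroring WordPress's own loader."""
    with open(path, encoding="utf-8", errors="replace") as f:
        head = f.read(8192)
    fields = dict(HEADER_RE.findall(head))
    if "Plugin Name" not in fields:
        return None
    return fields["Plugin Name"], fields.get("Version", "0")

def version_key(version):
    """Numeric-aware sort key: '4.10.1' > '4.6.0'; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))

def inventory(wp_content):
    """Map plugin name -> list of (version, relative path, bundled_in_theme)."""
    copies = defaultdict(list)
    for root, _dirs, files in os.walk(wp_content):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            header = read_plugin_header(path)
            if header is None:
                continue
            rel = os.path.relpath(path, wp_content)
            bundled = rel.split(os.sep)[0] == "themes"
            copies[header[0]].append((header[1], rel, bundled))
    return dict(copies)

def stale_bundled_copies(copies):
    """Theme-bundled copies older than the newest copy of the same plugin."""
    findings = []
    for plugin, entries in copies.items():
        newest = max(version_key(v) for v, _, _ in entries)
        for version, rel, bundled in entries:
            if bundled and version_key(version) < newest:
                findings.append((plugin, version, rel))
    return findings

def build_fixture():
    """Constructed wp-content: a patched plugin install, an older copy vendored
    into a theme, an unrelated plugin, and a theme file with no header."""
    base = tempfile.mkdtemp()
    headers = {
        "plugins/example-slider/example-slider.php": ("Example Slider", "4.6.0"),
        "themes/shiny-theme/vendor/example-slider/example-slider.php": ("Example Slider", "4.1.4"),
        "plugins/contact-thing/contact-thing.php": ("Contact Thing", "2.0"),
    }
    for rel, (name, version) in headers.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")
    with open(os.path.join(base, "themes", "shiny-theme", "functions.php"), "w") as f:
        f.write("<?php\n// theme code, no plugin header\n")
    return base

if __name__ == "__main__":
    for plugin, version, rel in stale_bundled_copies(inventory(build_fixture())):
        print(f"{plugin} {version} bundled at {rel} is older than the installed copy")
```

The point of comparing against the newest copy rather than a fixed list is that the theme author, not the site owner, decides when a vendored plugin gets refreshed; any copy this reports is one the vendor's own patch never reached.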
