Why Safety is King

Sandra Kathe's picture
Blogpost by: Sandra Kathe

Every software you work with – including your content management system – regularly receives updates. What many users forget: apart from new features concerning looks and technology they mostly make the system’s security stronger.

New features, modern looks, easier handling: with each update content management systems – especially the ones based on open source technology – receive countless new elements based on the ideas of a creative community. A community consisting of people who generally also use their system of choice in their daily life and are thus even more motivated to make their tool stronger and more versatile with every new version. For this reason, it is mostly feature-related news that gets emphasized when a new release is being announced. At the same time though, another important factor remains in the shadows.

In fact, apart from all new design ideas and features there is hardly any release that does not also include security improvements or even fix security-related issues that often do not get noticed by the persons running system-based websites until the issue actually concerns their own project. At this point many problems would not have even shown if the update from last month had been installed.  

How risks arise

No matter how large or important the amount of data stored on a website might be, any site may get into the focus of a hacker attack that for many different reasons aims to extract personal customer data or infect the site with malware. In order to do so there are various ways, since the reality of everyday hacker attacks has changed massively over the years. Attackers do not anymore correspond to the image of single persons planning attacks on a single particularly promising website. Instead today’s hacker attacks are mostly based on automatisms that may harm more or less any site, whether it is attractive for hackers or not.

A factor that supports this strategy is the fact that most websites in nearly all existing business sectors are nowadays based on content management systems instead of own individual web development. On the one hand, these systems have improved in terms of security and thus grown into a strong alternative for developers, companies and even most security-sensitive public institutions, such as hospitals or local authorities. On the other hand, it is this development that has made CMS even more attractive for hacker attacks. The reason: a system that is the basis of thousands of sites gives a hacker not only the possibility to inflict harm on one single project but on many at the same time.  With this development, the value of security and updates has grown for all CMS development teams.

General rule that can also be applied to proprietary software: systems that are run by many millions of live sites are more likely to be attacked than systems that only attract smaller and more specific target groups. At the same time it is important to know that this is also considered by the CMS development communities who work full time in order to locate and fix security issues and make updates available as soon as possible. This way, countless zero day exploits have been prevented. Whether or not the webmasters use this development, however, is still in their own hands.

Intensiv farbige Blüte mit löchrigen Blütenblättern, teilweise abgestorbenem Gewebe
Damage often reveals too late. Photo: MiraculixHB/Wikimedia, CC 0

Damage? What damage?

If you are not willing to invest time and money for updates you stake the risk of an attack which may later result in an even higher expenditure for you and your company. Additionally, there is the possibility of legal consequences if your site spreads so-called “drive-by viruses” without your knowledge. These can affect users just because they have visited your website. While the actual damage will affect somebody else’s computer, there’s a strong chance you will be held responsible. And of course you will be forced to secure your system right away and whatever it takes.

Without any doubt, the most important danger for you in case of an exploit will be the loss of reputation. After an attack there is a strong possibility that your name will be connected from then on with the consequences of an exploit. Otherwise your website might be provided with a malware-warning in search engines or even removed from their indices - or your provider might take the site offline after conspicuities have been found.

Since of course you are serious about what is written in your privacy policy, namely that the security of personal data is important to you, you should better double-check if you have done everything that is technically possible in order to do so. A current modification in European law will make sure that there will be even stricter rules in the future.

For the sake of completeness: A long time ago hackers spent their time doing “defacement”, meaning that they modified the content that they found on their target websites. Back then everyone quickly realized if his website had been hacked. But the times of skull and crossbone pictures are practically over. Attacks today are much less evident, the consequences at the same time much more serious.

Updates: expenditure vs. profit

Depending on the system you use, updates may afford more or less time and work. This is often the main reason why webmasters might hesitate whether an update is really “worth the trouble”. What makes this thought even more common when open source software is concerned is the fact that many programs can be adapted individually. This means that updates might lead to the time consuming necessity to make individual adjustments before or after the installation.

Kleiner Junge gießt Setzlinge
A little care on a regular basis is little expenditure. Photo: ermell/Wikimedia CC BY-SA 4.0

This time, however, must in any case be invested if you want to be secure at all times! Even if new functions and other useful features may not seem relevant to you at first, the security breaches that might have been found and fixed in the meantime definitely are. Specifically after security updates have shown openly where the software had breaches in the first place, there is not much time until hacker communities also find out about problems in earlier versions. From this moment on, it often takes less than 12 hours until the first attacks arise.

This often causes problems for small and medium-sized companies who cannot afford an IT department where many experts work every day on the security of websites and eCommerce platforms. A reason that makes it even more important to trust security experts in the community before any breaches can cause damage.

In order to be informed about recent updates, users of most open source systems must only log into the system as an administrator. Many systems automatically show if there is a new software version available and describe new features and security updates. The installation can often be started with only a few clicks. However, it might be important to back up the system or make adjustments in order to make sure that the website as well as templates and plug-ins still work as smoothly as prior to the update. If you use a system that does not have this feature it is important to regularly check blogs and newsletters to be up-to-date.  

Conclusion: The key to security is in your hand

Over the last few years various security studies have shown that hackers and bots have gained profit from technological developments that simplified the identification and usage of exploits in order to cause damage: a tendency that affects proprietary as well as open software. This can only be prevented if webmasters take all measures to secure their website and take dangers seriously.

Dangers that are even more visible in the open source sector where thousands of developers work on the software code each day, and thus may cause errors and create security breaches. However, at the same time those errors can be detected by many hundreds of people and thus solved as quickly as they were created. This means that it is the webmaster’s job, to keep his CMS up-to-date and avert exploits. The bigger the role of security gets, the less interesting it becomes for hackers to aim for certain content management systems and their possible exploits.

3 Golden Rules for Your Secure Open Source CMS

One thing is for sure: The security of your website has to be taken care of. If you as an IT operator are not sure whether you can effectively secure your website you should get help by a security expert. Ask for a service or maintenance agreement.

No matter if you are working with a service provider or take care of your website yourself - make sure that you follow these three rules in order to make your CMS as safe as possible.

Rule 1: Always be up-to-date

When your system indicates that there is an update available, make sure that you install and use the new version as soon as possible.

Also try to be up-to-date. Follow the everyday news on your CMS, regularly read security tests published by IT related media, and thus make sure that you still feel safe and well-informed about your system, years after you have made the decision to use it.

Rule 2: Become an active part of the community

Active participation does not automatically mean that you constantly have to work on new system improvements and plugins. You can also participate by reporting bugs and ideas for improvement to the community and thereby make your system more successful. Even if you are not able to develop new features yourself.

Another way you can gain profit from joining the active community life, probably during meet-ups or festivals that are organized by all communities, is by building your own network of people who can help you out if you are ever confronted with problems that you cannot solve by yourself. Open source community members are generally open about helping and supporting one another and their conferences offer great opportunities for gaining more and more knowledge.

Rule 3: Secure your environment

What your website always needs is a matching and secure environment. Do only use plug-ins and themes that you can trust, so that you cannot cause security issues by adding wrong modules to an otherwise safe system.

What is also important is following security guidelines concerning your server, firewall, access control as well as encryption. Which brings us back to rule 1. The most important factor is to make sure that you are up-to-date on modern standards and their development. Also when it does not even seem to apply to your own CMS your knowledge might be extremely useful one day.

Currently unsafe program versions

As of September 2017, these CMS versions will not get any more security updates!

  • Contao: ≤ 4.3 (as well as < 3.5 LTS)
  • Drupal: ≤ 6.x (except D6 LTS)
  • Joomla!: ≤ 2.5
  • Plone: ≤ 3.x
  • TYPO3: ≤ 6.2 (as well as ≤ 4.5 ELTS)
  • Umbraco: ≤ 6.2.6
  • WordPress: ≤ 3.6

Please check right away, if your content management system affected. If so, please hire a professional service provider.


Blog relation: