More than half of all websites are built on some sort of open-source content management system, according to data from W3Techs. It makes sense. CMS sites are highly accessible to businesses of all sizes — from multinational enterprises to small mom-and-pop shops. They also offer multiple advantages. For one thing, you don’t have to be a website developer to build, maintain, and cultivate a powerful web presence. The tools are right there for you, with thousands of design and feature-rich plug-ins available to users at all times.
The drawback, however, is that open source means security threats like malware can more easily compromise your site because hackers can see your code. SiteLock conducted proprietary research to gain a better understanding of the three largest open-source platforms: WordPress, Joomla, and Drupal. As a result, we were able to draw clear conclusions about CMS vulnerabilities.
Drupal vs. Joomla vs. WordPress Security
For companies that don’t specialize in building websites by hand in HTML, using a CMS just makes sense. CMS platforms like WordPress, Drupal, and Joomla are designed to make building and managing a website quick and easy, especially for users who aren’t tech-savvy, with ready-to-use core files, themes, and plug-ins. Plus, they save companies from having to hire an in-house developer.
Unfortunately, these CMS platforms also present serious security concerns.
In our proprietary study of CMS-based websites, we found that WordPress was 1.6 times more likely to be infected with malware than sites that weren’t open source. So is Drupal more secure than WordPress? In short, no. Our research discovered that Drupal is just as likely to be infected by malware as WordPress. And Joomla fared even worse: Joomla-powered sites were 2.2 times more likely to be infected.
This is alarming, especially considering that WordPress accounts for 32% of the top 1 million sites, according to data compiled by BuiltWith. To put this in perspective, Drupal comes in second at around 3%, and Joomla comes in at just below 2%. While these sites do come with a few built-in security measures, an added layer of security is needed to fully protect your WordPress website from cyberattacks.
CMS Vulnerabilities: Addressing a Growing Concern
Whether your website is built on a CMS platform or not, it’s vital to keep up with regular website security and maintenance. You must ensure that your website and its visitors are safe from cybercriminals, malware, ransomware, and other bad actors, and that takes more than building your website, adding some plug-ins, and forgetting about it.
CMS platforms offer multiple customizable features through open-source applications and plug-ins, all of which have to be routinely updated to keep a website up to date. Even built-in security plug-ins need updating, and failure to do so can leave a site increasingly vulnerable to attack.
As clients work on their sites from various locations and leave their admin tabs open on their browsers, they become prime targets for brute-force attacks and password sniffers. If those tabs are left open on public Wi-Fi networks, the risk of attack is exponentially higher. Once a hacker gains control of your website, the results could be detrimental, including damage to the site’s design, code, and user experience — ultimately hurting your company’s bottom line.
Because many CMS users aren’t website technicians, they don’t always recognize their exposure until their sites have become compromised. For example, when freelance photographer Amanda Naor built her custom WordPress website, it performed exactly as expected for the first three years. When her site was attacked, it was more than a surprise.
Amanda was locked out of her website during the first attack, and after resetting her access, she didn’t know how to remove the leftover malware files. The second attack completely distorted the site — and her work. Fortunately, Amanda contacted SiteLock, and we were able to scan and automatically remove most of the malware. A follow-up manual cleaning removed a few more sophisticated files, and her site was restored with custom SiteLock security to keep it safe from future attacks.
Best Practices for CMS Security
You shouldn’t wait until your CMS-powered site is attacked to learn about security best practices. In fact, that’s one of the worst things you can do. Here’s how to protect your WordPress site from hackers:
1. Use a CMS vulnerability scanner. You’re unlikely to spot vulnerabilities on your website by manually reading through its code. Instead, use a CMS vulnerability scanner that checks every line in your CMS site’s files for potential vulnerabilities and malware. For optimal results, choose a solution that also offers automatic patching and security updates. You can keep the plug-ins and features on your site safe and up-to-date with minimal manual effort.
2. Regularly review your site’s plug-ins. Plug-ins on a CMS platform span a wide range of uses — from improving functionality to enhancing the site’s overall aesthetic. Every month, spend time reviewing each plug-in your site uses to check for pending updates and deactivate the ones you no longer use. If you deactivate a plug-in, be sure to remove it entirely, including the plug-in files, so that outdated files don’t become an avenue of attack.
3. Be more active in the CMS community. Fellow users and system experts in the open-source community can offer you a wealth of information on website security — so why not engage? Join a forum and soak in advice about troubleshooting and optimizing plug-ins. Learn how to make website maintenance a routine part of your workflow. As you learn more, you’ll become more adept at checking for other risks.
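The monthly plug-in review in step 2 can be scripted on a WordPress site. The following is an added example, not code from this article or from SiteLock: it assumes WP-CLI is installed and reads the CSV printed by `wp plugin list --fields=name,status,update,version --format=csv`. The plug-in names and versions in the sample are constructed.

```shell
#!/usr/bin/env bash
# Monthly plug-in review helper (added example; assumes WP-CLI on the server).
# Input on stdin: CSV from
#   wp plugin list --fields=name,status,update,version --format=csv
# Output: one finding per line:
#   REMOVE <name>            deactivated plug-in whose files are still on disk
#   UPDATE <name> <version>  plug-in in use with a pending update

plugin_review() {
  awk -F',' '
    NR == 1 { next }                  # skip the CSV header row
    $2 == "inactive" {                # deactivated: files should be deleted,
      printf "REMOVE %s\n", $1        # so an update for it is irrelevant
      next
    }
    $3 == "available" {               # still in use and behind on updates
      printf "UPDATE %s %s\n", $1, $4
    }
  '
}

# Constructed sample data (hypothetical plug-in names and versions).
SAMPLE_CSV='name,status,update,version
contact-form-example,active,available,5.1.0
old-gallery-example,inactive,available,2.3.1
seo-example,active,none,19.4
slider-example,inactive,none,1.0.7'

# Runs the review over the constructed sample so the block works offline.
plugin_review_sample() {
  printf '%s\n' "$SAMPLE_CSV" | plugin_review
}

plugin_review_sample
```

On a live site, pipe the real `wp plugin list` output into `plugin_review`, then act on each finding with `wp plugin delete <name>` or `wp plugin update <name>`.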
CMS platforms have given companies of all sizes a way to stay on equal online footing. Yet they’ve also made website security a much more pressing concern. For more information on how to keep your CMS site properly protected, speak with one of our experts today and learn about SiteLock’s suite of business website security solutions.
Monique Becenti is a product and channel marketing specialist at SiteLock, a cloud-based website security provider currently protecting more than 12 million websites globally. Monique is passionate about improving the customer experience for all. SiteLock’s combination of dedicated research and developmental efforts, aggressive product road maps, and access to a massive global data set make the company a leading innovator in web security.