Don't be naive or hide in fear, but be proactive about web CMS security. PHOTO: Rene Asmussen

Unless you’ve been under a rock for the past six months, you’ve seen unending media coverage related to cybersecurity.

It seems like there is a constant stream of revelations about outside actors infiltrating political organizations, private corporations and individuals.

Just last month it was reported that former New York City Mayor Rudy Giuliani — the man Donald Trump has appointed as his cybersecurity advisor — had security issues of his own. His consulting firm's website was based on a four-year-old version of Joomla and vulnerable in more than forty different ways.

This got me thinking about just how bad the issue of web CMS security is. So, as an experiment, we did some research on a list of 500 cybersecurity companies.

The results were shocking. Of 500 companies, 298 had some level of security concerns with their own corporate websites — from an out-of-date CMS or lack of a proper software firewall to something as severe as malware attacks.

About half of the companies were incapable of securing their own website despite being in the cybersecurity business.

Of the 298 sites that we found, about 95 percent were running the WordPress platform, which has garnered a reputation as one of the most difficult platforms to secure.

Just searching for “WordPress Vulnerability” yields over one million results. And, according to the WPScan Vulnerability Database, there are almost 6,000 known vulnerabilities with WordPress, whether in the core software itself, the publicly available plug-ins or the themes so many companies utilize for their corporate websites.

Headless Is Exciting But Security Is Essential

Every year there are new hot topics that circulate around the CMS industry. The debates over headless (or decoupled) architecture versus integrated systems, and over the choice between open- and closed-source solutions, are past examples.

This year, there is still much talk about headless architecture with the focus being on the emerging Content-as-a-Service model.

However, despite all the excitement about this new concept, we must focus on more pressing areas of concern. As an industry, we must dedicate ourselves to focusing more closely on cybersecurity.

Risk vs. Reward

We can begin by rearranging our priorities, and properly evaluating risk versus reward.

If the considerations when choosing a new CMS platform are flexibility, scalability, ease of use and then security, we must make security the primary factor and not an afterthought.

If we cannot be convinced that a system under consideration is safe and secure, then it shouldn’t make it through the first cut during vendor selection.

Evaluate Risks

To get a sense of just how low security is on our list of concerns, think back to the example I presented earlier.

WordPress powers somewhere in the area of 27 percent of the internet. It is 58 percent of known CMS installations.

Yet, despite all the known vulnerabilities and a reputation for being difficult to secure, it is still gaining popularity.

How can it be that our entire industry is dominated by what is notorious as one of the least secure platforms available?

The answer is simple. Security isn’t a priority.

How to Tighten Security

There simply isn’t any other explanation. This is the attitude that we have to collectively work to reprogram, and we had better do it fast. So, what steps can we take in the short term to enhance our security footprint?

  • First, secure what you have today. If you are one of those almost 300 insecure companies I mentioned above, or if you have a CMS installation that doesn’t pass muster with the variety of scanners available today, secure your platform. Some simple things can be done relatively easily, with the help of a qualified system administrator or developer.
  • Secondly, determine your future needs. The CMS landscape is changing constantly. Existing web CMS systems are architected to be integrated systems, with the front-end and back-end existing in the same framework. Consider a move to a headless or decoupled system, for example. These systems can publish content to third-party systems such as Amazon S3, which can serve up websites in a secure and scalable manner.
  • Finally, evaluate if you can benefit from floating under the radar. There has been an uptick in enterprises choosing custom CMS solutions, which can be hyper-secured. If your business has complex logic, conducts complicated transactions or if you have highly proprietary content management workflows, custom CMS solutions may enable you to develop an asset for your organization that can last many years to come, yet remain under the radar of most security threats.

Remember — security is important for everyone — even if they don’t know it.

A hacked website becomes a public relations nightmare. It becomes ammunition for your competitors to use against you.

Consider securing your web presence as important as any insurance policy you buy — it’s an essential ingredient to protecting your livelihood and reputation.