Basic Steps to Protect Against Common CMS Vulnerabilities

“With great power comes responsibility” – With free content management systems, you can control and maintain your own website. However, you are also responsible for keeping it safe.

Free open CMS platforms like WordPress, Joomla, and Drupal give businesses freedom and flexibility to cultivate and update their own websites for free, but the doors are also open to hacking and malware. In a single year, over 170,000 WordPress sites were hacked. A recent study carried out by WordPress showed that free software could detect vulnerabilities in 73 percent of its downloads.

Here are some ways to protect your websites on these platforms safe:

  1. Keep website plugins, extensions, and core files updated. Your CMS will offer updates which should not be ignored, even if you are happy with your current site. Aside from introducing new features, updates often include protection from known bugs.  The bugs prevented by updates can have serious implications from blocking users to accessing plug ins to opening your website to hackers.
  2. Use unique user names and passwords and two-step authentication to prevent hackers from easily taking control of your site or accessing your data. Ensure that your employees also take these steps.
  3. Install a web application firewall (WAF). Don’t let security be an afterthought when you are starting your own site. WAFs are available as plug-ins or are cloud-based. WAFs monitor all users of your site using a library of security rules and checks.
  4. Protect against brute force attacks. Malicious actors may try to breach your website with repeated login attempts. Make sure that every user account for your website has a unique name and strong password. We commonly observe attackers attempting to log in with the username “admin” or “administrator.” Using unique usernames is an easy way to make life more difficult for hackers. And for advanced brute force protection, including blacklists for repeat offenders, install a security tool like the one mentioned below.
  5. Add RECAPTCHA to your contact forms. Google’s reCAPTCHA requires users to prove they are, in fact, real human beings in order to submit contact form information on your website. This reduces the amount of spam you would otherwise receive and offers another layer of protection to your site.
  6. Secure your website using SSL. An SSL certificate will use encryption to make data sent to and from your website private. Chrome browser users will notice a green padlock on websites (like this one) that are using encryption; conversely, Chrome indicates that websites without SSL certificates are not secure. So having SSL not only protects your website users, it also gives them peace of mind: this is especially critical if you’re selling products or collecting sensitive information online. Website hosting platforms like DreamHost and 1and1 make it easy for website administrators to acquire these certificates.
  7. Use a comprehensive security plugin. Lastly, you can implement all of the above mentioned protections in one step by using a security plugin, like iThemes Security. This plugin combines 30 different protective features in one, and our company uses it on all of our clients’ WordPress installations..

Make site security a priority when you start using a CMS platform. Sites developed on CMS are particularly vulnerable, but there are many ways to prevent hacks and bugs if you stay proactive.


Need help building a website or protecting your existing one? MyMobileLyfe can help! Contact us today.