Many websites today are built using a content management system (CMS). A CMS allows the person responsible for the content of a website the ability to manage and change that content without having to know HTML code. Ntiva generally recommends one of three different open sources systems depending on the requirements and purpose of the website being created: Joomla, Drupal, and WordPress. There are hundreds of benefits to these systems, and if you don’t have one, I would highly recommend getting one. Despite my recommendation, I have seen over and over again how a CMS can cause problems.
Think of your CMS like a piece software. Just like the software on your computer, phone, or tablet, the creators are constantly making improvements and the system needs to be updated. One of the more frequent reasons for these updates is security. Every time a security hole is found in a CMS, someone rewrites portions of the code in order to fix the hole and prevent hackers from attacking your website. In addition, the developers of the CMS will publish the patch and the reason for the patch on the internet so that everyone knows that the patch is there and why it is there. Though this is helpful to those maintaining a CMS it is also an announcement to malicious individuals on how to attack websites that are not patched properly. In other words, if you have a CMS that doesn’t receive regular maintenance, it is likely to have a number of security holes and there is a list of instructions on how to hack into your website and edit it however they see fit.
This weekend I assisted with cleaning up a website that had some script injected into it. The script would cause search engines to be redirected to a different website. The website they were being redirected to was a site for purchasing Viagra online. Now, it was not redirecting users; just search engines. The effect was that when someone searched for this website in Google, the results displayed a description and a cached version of a Viagra website completely ruining their search engine optimization (SEO), and advertising for a company and product that had nothing to do with the services they provided.
This company was using Joomla 1.5.23. Remember earlier, we recommend Joomla as a CMS to our clients. This attack was the not the fault of Joomla. Joomla’s current version is 2.5.8. The 1.5 branch is no longer supported at all and the final version of 1.5 was 1.5.26. So not only was the website outdated in regards to the CMS of choice, but it was also outdated in regards to the version it was in. The attacker didn’t have to work very hard to get their script in place. A Google search would have provided all the access information the attacker would have needed.
I should also mention that this is not the only type of attack that your CMS could be susceptible to. I have seen attacks that include popup windows on websites to advertise for products, redirect users to download viruses and malware, and even attacks that completely deface the website.
If you use a CMS to maintain your website, it is very important to also maintain the core of the CMS to prevent an attack like these. Updating the core is relatively painless and takes less than 30 minutes to do.
In addition to the CMS core, any extension used in conjunction with the CMS needs to be updated regularly as well. Just like the CMS core, any vulnerability found in the extensions can often be exploited in the same way. The vulnerability is published and widely accessible.
A CMS is a great way to lower the cost of developing, modifying, and enhance your website, and I always recommend that if you have a website it should be using a CMS. It is equally important to maintain it properly with regular updates. I often recommend to my clients that they have my team at Ntiva scheduled to go through the update process for the CMS core and all extensions once a month. Though this does not guarantee that your website cannot be hacked, it greatly reduces the chances.