How to Keep Your CMS Safe and Secure

Targeted cyber-attacks. Old, unpatched software. A lack of remote working policies. Lack of data protection when offboarding employees. No multi-factor authentication. There’s a growing list of reasons why the threat of serious cybersecurity breaches for businesses is on the rise.

One point of entry for bad actors could be a weak content management system (CMS). Most businesses have a CMS either for the backend of their corporate website, online store or perhaps an internal CMS for documents and other (often sensitive) files shared by employees, partners and suppliers.

Whether your business is using a CMS for external or internal use, securing it is essential. The UK Government’s Cyber Security Breaches Survey 2022 revealed that 39% of UK businesses identified a cyber-attack in the last twelve months, while our own survey has revealed that 32% of some of the world’s largest businesses specifically encounter a CMS security breach every single week. Our findings have also revealed that 46% had a CMS security issue affect their content.

Yet, many businesses continue to operate aged, legacy architecture that is hard to maintain and exposes them to cyber-threats. While most CMS platforms, whether traditional or newer “headless,” have some level of built-in security that authenticates the users who are allowed to view, add, remove or change content. That basic security is not always enough to prevent your website from being breached, especially when cyber-attacks are becoming increasingly sophisticated.

So, what can businesses do to ensure their CMS is as safe and secure as possible? To begin with, there are five essential steps that every business should follow:

  1. Make sure that the CMS platform’s access control and encryption features are turned on and configured correctly. This is true for CMS systems and almost all internet-connected services. Broken access control and identification and authentication failures are among the OWASP top ten web application security risks.
  2. Provide employees and content contributors with only as much ability to access or change the content as they actually require. In most organizations, very few people need the ability to add, delete or change content or to modify other users’ access privileges.
  3. When employees leave, turn off their CMS access immediately and have procedures in place to handle offboarding properly.
  4. Design the system so that the servers containing the content cannot be accessed except via the CMS platforms to separate your assets and limit the damage that can be caused.
  5. If your business is hosting the CMS on its own, you must promptly apply fixes and patches provided by your technology vendor. (If you use a cloud-based headless CMS, the vendor handles this automatically.)

While the above are critical steps, they are straightforward procedures to follow. There are a few more advanced processes that will help boost your system’s security.

Firstly, if you choose a cloud-based CMS, the provider must adhere to the strongest computer security and privacy levels. An easy way to check that the platform is up-to-date is to look for a certification such as ISO 27001.

Secondly, if your developers design the architecture so that the CMS backend is not directly linked to the front end of the website, keeping the site safe becomes a lot easier. By separating your assets, you make sure that in case of a breach, not both are compromised and recovery is hopefully faster.

Thirdly, ensure that the CMS is protected by best practice measures, whether self-hosted or as a service. This includes a web application firewall that can dynamically react to threats. Regular automated and manual penetration tests are a good way to find otherwise undetected vulnerabilities. Since all traffic on the internet goes through easily to monitor connections, all in and outgoing traffic must be encrypted. Today the encryption should at least be TLS v1.2 as older versions are depreciated and pose security risks.

Cybersecurity is not a tick-box exercise. Instead, it is an investment that needs to be reviewed and updated on an ongoing basis. One of the starting points should be your CMS, as it can open the door to bad operators if not appropriately secured.

What’s Hot on Infosecurity Magazine?