Content Management System Security.
How to secure your CMS?
Common rules:
+ Choose your CMS with both functionality and security in mind
+ Update with urgency
+ Use a strong password (admin dashboard access, database users, etc.)
+ Have a firewall in place (detect or prevent suspicious requests)
+ Keep track of the changes to your site and their source code
+ Give the user permissions (and their levels of access) a lot of thought
+ Limit the type of files to non-executables and monitor them closely
+ Backup your CMS (daily backups of your files and databases)
+ Uninstall plugins you do not use or trust.
2. WEBSITE ATTACK STATISTICS
WWW.CYBERGATES.ORG
Attacks worldwide
Nearly 2 Billion active websites (NetCraft reports)
Nearly 1 Million hacked websites / year (Zone-H reports)
Over 4K hacked websites since 2011
Top attacks
Jan 2011 (379)
Jul 2012 (364)
Feb 2013 (275)
Feb 2014 (359)
Apr 2015 (129)
Dec 2016 (188)
Attacks in Armenia
3. CMS MARKET SHARES
WordPress: 60.0%
Joomla: 5.8%
Drupal: 3.8%
Squarespace: 2.5%
Shopify: 2.4%
Magento: 2.0%
Wix: 1.7%
Blogger: 1.7%
Other: 20.1%
Source: https://w3techs.com/technologies/overview/content_management/all
Nearly 30% of all websites run on WordPress (WebsiteSetup reports)
WordPress controls nearly 60% of the CMS market (w3techs reports)
Over 40K WordPress websites in Alexa Top 1 Million are vulnerable (WPwhitesecurity reports)
CMS vulnerability statistics
4. TARGET WEBSITES OF MASS ATTACKS
Top 5 categories
Websites that use the same CMS (WordPress, Joomla, etc.)
Websites built by the same developer(s)
Websites that use the same technology, library or certain component
Websites served by the same Hosting Provider
Websites of agencies/companies working in the same industry
5. TARGET WEBSITES OF TARGETED ATTACKS
Top 5 categories
Online banks and financial institutions
Cloud services (Dropbox, Gmail, iCloud, etc.)
Government agencies, hospitals
Hosting and Internet Service Providers (ISP)
Popular CMS solutions or small outdated websites that are easy to hack
7. IS MY CMS SECURE?
Frequently asked questions
Is your CMS team taking cyber security seriously?
Avg. time to resolve vulnerabilities?
Who has developed the CMS component(s) you use?
Why CMS security matters?
New vulnerabilities and issues emerge all the time
Popular CMS solutions are an attractive target for hackers
CMS updates often reveal vulnerabilities in previous versions in the changelog, exposing websites that are not automatically updated
The more you add to your CMS installation, the higher the risk of your site becoming vulnerable.
9. INCIDENT AND VULNERABILITY FACTS
The average number of serious vulnerabilities per website is 56
Serious vulnerabilities are resolved in an average of 193 days from first notification
43% of cyber attacks target small businesses
30% of SMEs lack an incident response plan
68% of funds lost as a result of a cyber attack were declared unrecoverable
60% of small businesses close their doors within 6 months after a serious cyber attack.
10. DRUPAL VULNERABILITIES
“Ukrainian Energy Ministry site downed in Drupal ransomware attack at the end of April 2018.”
“Drupalgeddon2 is a highly critical remote code execution bug affecting most Drupal sites which was disclosed at the end of March 2018.”
“Two months later, over 115,000 Drupal sites still vulnerable to Drupalgeddon 2.”
11. JOOMLA! VULNERABILITIES
“Attackers can leverage the Joomla security hole to compromise servers and use them for hosting malware and other malicious activities. They can also sell access to the targeted servers on the underground market, allowing others to abuse them for distributed denial-of-service (DDoS) attacks.”
“On January, 2016, Symantec has detected up to 20,000 daily attempts to exploit a recently patched Joomla vulnerability that can be leveraged for remote code execution.”
15. HOW TO SECURE YOUR CMS?
Common rules
Choose your CMS with both functionality and security in mind
Update with urgency
Use a strong password (admin dashboard access, database users, etc.)
Have a firewall in place (detect or prevent suspicious requests)
Keep track of the changes to your site and their source code
Give the user permissions (and their levels of access) a lot of thought
Limit the type of files to non-executables and monitor them closely
Backup your CMS (daily backups of your files and databases)
Uninstall plugins you do not use or trust.
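An added example, not part of the original slides: one way to act on the rules "Keep track of the changes to your site" and "Limit the type of files to non-executables and monitor them closely" is to hash the site tree, compare it with a stored baseline, and flag uploads that carry an executable extension. The `uploads` directory name, the extension list and the sample files are assumptions constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: extensions your web server could execute; adjust to your stack.
EXECUTABLE_EXTS = {".php", ".phtml", ".phar", ".cgi", ".pl", ".py", ".sh"}


def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(baseline, current):
    """Report files added, removed or modified since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def executable_uploads(current, upload_dir="uploads"):
    """Flag uploads with an executable extension anywhere in the name,
    so a double extension such as avatar.php.jpg is caught too."""
    flagged = []
    for path in sorted(current):
        name = path.rsplit("/", 1)[-1].lower()
        exts = {"." + part for part in name.split(".")[1:]}
        if path.startswith(upload_dir + "/") and exts & EXECUTABLE_EXTS:
            flagged.append(path)
    return flagged


def demo():
    """Constructed sample site: take a baseline, then edit one file and add one upload."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "index.php").write_bytes(b"<?php echo 'home';")
        (root / "uploads" / "logo.png").write_bytes(b"constructed image bytes")
        baseline = snapshot(root)
        (root / "index.php").write_bytes(b"<?php echo 'home'; // modified")
        (root / "uploads" / "avatar.php.jpg").write_bytes(b"constructed upload")
        current = snapshot(root)
    return diff_snapshots(baseline, current), executable_uploads(current)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off the web server and refreshed only after a reviewed deployment, so that a change made on the server cannot also rewrite the record it is compared against.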
16. IS YOUR BUSINESS IN COMPLIANCE?
PROJECT URL
https://websecurity.pro
https://onlineservices.cybergates.org/en/websecurity