Measures to secure content management systems (CMS)

The number of websites has truly exploded over the past few years, not least because easy-to-use website creation tools are available that do not require any technical know-how and are increasingly affordable. Content management systems (CMS) can be used to design and launch a website with just a few clicks. There are now dozens of such CMS used by private individuals, authorities and companies alike.

The proliferation of these websites has also attracted the attention of cybercriminals. The more widely used the software, the higher the number of possible targets, and hence the greater the energy and expense invested by the criminals in their search for vulnerabilities. It is not just CMS that have potential vulnerabilities. No software is absolutely secure. Moreover, software developers release new functionalities all the time. With each additional line of code, the software gains more than just additional functions: as its complexity grows, so too does the risk that it contains a vulnerability somewhere.

Attacks on CMS can be reduced massively by prompt installation of security patches. In addition, several other measures can contribute to the security of CMS.

Prompt patch management

Software updates must be installed as soon as they are released. Many manufacturers now offer automatic updates. Where possible, you should activate this function, so that you do not need to think about installing available updates.

Two-factor authentication

In addition to normal authentication (username and password) for accessing the administration area, the NCSC recommends the use of two-factor authentication.
For example, you can use Google Authenticator to generate an additional one-time password (OTP) of this kind.

This involves installing a smartphone app which generates a new OTP every 60 seconds. For instance, Google Authenticator can be run on the web server (CMS) with a corresponding plug-in. This plug-in is already available for numerous content management system such as WordPress and Typo3.

Restricting administrator access to certain IP addresses

Such a restriction can be based on IP addresses, IP address ranges or the geolocation of an IP address. Corresponding extensions (plug-ins) already exist for a wide range of different content management systems.

Restricting administrator access using a .htaccess file under the Apache web server

This has the advantage of not only restricting IP addresses, but also allowing additional authentication (username and password) to be implemented (basic authentication).

Securing the webmaster's computer

Websites and CMS are often compromised by means of stolen FTP credentials. These are usually obtained by installing a Trojan on the webmaster's computer. The webmaster should therefore ensure that the computer being used is free of malware and protected by up-to-date virus protection. In addition, the FTP connection should be encrypted where possible (use of sFTP).

Web application firewall

Using a web application firewall (WAF), web-based attacks on websites can be blocked even before they reach the application. A number of different WAF solutions are available. The most well-known open source solution is ModSecurity.

Early detection of vulnerabilities

The aim is to identify potential vulnerabilities on the user's website before the criminals do. Here too, various solutions are available both free of charge and as paid services on the Internet.

Further Information

Last modification 03.12.2021

Top of page