Imagine getting a call from a friend: “Google says your site may harm my computer!” As an administrator of a content management system, whether you use Drupal, WordPress, or another CMS, keeping your website secure requires vigilance and a little common sense. If you start by following these simple practices, you will be well on your way to better security.
Principle of least privilege: don’t let your users do more than they need
When configuring user roles on your CMS, give your users only enough privileges to do what they need to do, and no more. This way, if a user’s account is compromised by an attacker, there is less chance the attacker can do something harmful. Don’t give every user the password to the root administrator account: instead, make sure each user has their own login, with roles and permissions appropriately assigned for what each user needs to do.
There should be only a handful of users with full administrative privileges: one or two users for small sites/organizations, or maybe a couple more if the organization is larger. For those whose primary purpose is to create and manage content, create a Content Editor role that only has permissions for creation, moderation, and management of content, and absolutely no site configuration or user management permissions.
Keep up with security exploits and updates
It seems daunting, but with a little discipline, you can keep up with the latest exploits for your CMS and patch them before an attacker can take advantage. Just as your computer or smartphone receives periodic security updates, CMS software also has them, and it is important to apply them as soon as they are announced.
The major open source CMS communities have several avenues to keep up with security exploits and patches.
Drupal
- Drupal.org has regular security announcements for the active versions of Drupal core (currently 7.x and 8.3.x) and contributed modules/themes. RSS feeds are available, and you can also subscribe via email.
- If you’re still on Drupal 6, long term support providers such as MyDropWizard publish security announcements for that platform.
WordPress
- The WordPress Vulnerability Database lists vulnerabilities in WordPress core, plugins, and themes. You can also subscribe to receive real-time emails when a vulnerability is added to the database.
- The wordpress.org blog has a Security tag that you can follow for security announcements.
Security Helper Modules/Plugins
The major open source CMSs have modules or plugins that you can install to scan your site and identify potential security issues, including whether updates are needed.
Drupal
- The core Update module: enable this to find out when Drupal core and contributed modules have available updates, including security updates. This module is part of Drupal core, so you have no excuse. Enable it!
- The Security Review module
- The Paranoia module
WordPress
- Sucuri Scanner plugin
- Wordfence Security plugin
Create frequent, automatic backups
If your site does become compromised, backups let you restore from an uncompromised copy. Each backup should include a snapshot of your code, database, and uploaded files. Because a site can be infected for weeks or months before a problem is noticed, be sure to keep backups from at least the past 2 years, if not more. The strategy I use lets you keep a long backup history without your backup files numbering into the hundreds or thousands:
- Keep daily backups for 14 days
- Keep weekly backups for 12 weeks
- Keep monthly backups indefinitely.
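As an added example, not taken from this article, the following Python script turns that three-tier retention schedule into a pruning plan for a directory of dated backup archives. It assumes the Sunday snapshot is the weekly one, the first-of-month snapshot is the monthly one, and file names carry their date as YYYY-MM-DD (e.g. `site-2017-06-30.tar.gz`); undated files are never deleted.

```python
import re
from datetime import date, timedelta

# Retention policy from the article: daily for 14 days, weekly for 12 weeks,
# monthly indefinitely.
DAILY_DAYS = 14
WEEKLY_WEEKS = 12

# Assumptions (not from the article): weekly = Sunday snapshot, monthly =
# first-of-month snapshot, and each file name contains its date as YYYY-MM-DD.
DATE_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")

def backup_date(filename):
    """Extract the backup date from a file name, or None if it has no date."""
    m = DATE_RE.search(filename)
    if not m:
        return None
    return date(*(int(g) for g in m.groups()))

def should_keep(taken, today):
    """Apply the three retention tiers to a backup taken on `taken`."""
    age = (today - taken).days
    if age < 0:
        return True  # dated in the future (clock skew): never delete on a guess
    if age <= DAILY_DAYS:
        return True  # daily tier
    if age <= WEEKLY_WEEKS * 7 and taken.weekday() == 6:
        return True  # weekly tier: Sunday snapshots only
    return taken.day == 1  # monthly tier: first-of-month snapshots, forever

def prune_plan(filenames, today):
    """Split file names into (keep, delete); files without a date are kept."""
    keep, delete = [], []
    for name in filenames:
        taken = backup_date(name)
        if taken is None or should_keep(taken, today):
            keep.append(name)
        else:
            delete.append(name)
    return keep, delete

if __name__ == "__main__":
    # Constructed sample: one backup per day for the 730 days ending 2017-06-30.
    today = date(2017, 6, 30)
    names = [f"site-{today - timedelta(days=n):%Y-%m-%d}.tar.gz" for n in range(730)]
    keep, delete = prune_plan(names, today)
    print(f"keep {len(keep)} of {len(names)}, delete {len(delete)}")
```

Run it as a dry run first and review the delete list before wiring it to any `rm`; the plan is only as good as the dates in your file names.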
More resources
This article only scratches the surface of good security practices for your CMS. The open source CMS communities publish detailed security guidelines, which you should read. You can also keep up with general security news. The resources below should get you started.