Minimising risks and improving CMS security
Most CMS compromises are the result of security oversights. Some of the most effective mitigations are listed below.
As an alternative to hosting and maintaining a CMS on your own infrastructure, consider using a managed CMS hosting service. Managed CMS hosting providers maintain the web infrastructure and the content management application, offer support and facilitate timely patching.
Government customers can use GovCMS, which is a hosting service for Drupal-based websites.
For data that is not considered publicly releasable, use an outsourced service that has been assessed against the Australian Government Information Security Manual (ISM). For more information, refer to the Certified Cloud Services List.
A common cause of cyber intrusions is running an outdated web server or CMS; in some instances this makes exploitation of the CMS trivial. This risk can be minimised by having an established process to test and deploy patches for the CMS, as well as patching the host operating system and third-party applications, including the themes, frameworks and libraries used by the CMS.
A CMS runs on a package of software known as a web stack, typically the operating system, web server, database and language runtime. Additionally, organisations may employ third-party applications such as plugins and themes, or custom site-specific code. All of these components need to be patched, as one vulnerable component can compromise the security of the other layers.
Vulnerability assessment of CMS installations
Security controls that aid in assessing CMS installations for security vulnerabilities include:
- using tools to scan CMS installations for security vulnerabilities, for example, CMS-specific tools such as WPScan for WordPress and the Security Review module for Drupal
- conducting vulnerability assessments of any custom code or modules used in the CMS deployment.
Poor management of legitimate access can lead to the compromise of a CMS. This risk can be minimised by:
- changing default usernames and passwords, including for all related services
- using strong passphrases
- ensuring passphrases are stored by the CMS as salted hashes rather than cleartext
- restricting access to the CMS administrator interface to approved or internal IP addresses.
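As an added example (not part of the original guidance), the following Python contrasts an unsalted fast hash with per-user salted PBKDF2 storage and constant-time verification, and shows the logic behind an administrator IP allow-list. The iteration count, the allow-listed ranges and the sample passphrases are assumptions made for this example.

```python
import hashlib
import hmac
import ipaddress
import os
from typing import Optional

# --- Weak storage (contrast only): unsalted, fast hash -----------------
# Equal passphrases give equal digests, so one cracked digest reveals every
# account using that passphrase, and precomputed tables apply directly.
def weak_hash(passphrase: str) -> str:
    return hashlib.md5(passphrase.encode("utf-8")).hexdigest()

# --- Hardened storage: per-user random salt + slow KDF -----------------
# Assumption for this example: 600 000 PBKDF2-HMAC-SHA256 iterations.
# Tune to the host; re-hash on login when a stored record has fewer.
PBKDF2_ITERATIONS = 600_000

def hash_passphrase(passphrase: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per passphrase
    digest = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_passphrase(passphrase: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", passphrase.encode("utf-8"),
            bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:                 # malformed record: never a match
        return False

# --- Administrator interface allow-list ---------------------------------
# Assumption: one internal range plus one approved office range (RFC 5737
# documentation space used here). Enforce the same rule at the web server
# or firewall; only trust a proxy-supplied client address if the proxy is
# yours and it strips inbound X-Forwarded-For headers.
ADMIN_ALLOWLIST = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]

def admin_access_allowed(client_ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:                 # garbage input is denied, not ignored
        return False
    return any(addr in net for net in ADMIN_ALLOWLIST)

if __name__ == "__main__":
    record = hash_passphrase("correct horse battery staple")
    print(record)
    print(verify_passphrase("correct horse battery staple", record))  # True
    print(verify_passphrase("Password1", record))                     # False
    print(admin_access_allowed("10.20.30.40"), admin_access_allowed("198.51.100.7"))
```

Two calls to hash_passphrase for the same passphrase produce different records because each gets its own salt; that is the property the "salted hashes rather than cleartext" bullet is asking for. Changing default credentials matters for the same reason in reverse: a default account name plus a default passphrase needs no cracking at all.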
Hardening CMS installations
Security controls that aid in hardening CMS installations include:
- using trusted and supported third-party plugins for the CMS
- disabling unnecessary functionality and plugins
- disabling or removing detailed debug or error messages in CMS webpages; webpages that may disclose sensitive debug information, for example phpinfo() pages, should also be removed
- removing version information that may be displayed by default on CMS webpages, for example, in the page footer or in the meta tags of each webpage; note that it is still possible to fingerprint the type and version of a CMS using automated tools such as BlindElephant
- following vendor advice on best practices for securing CMS installations.
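As an added check (example code, not from the original page), the Python below scans a page body for the disclosures this list describes: a generator meta tag, version numbers in asset query strings, a "Powered by" footer, PHP error messages that reveal filesystem paths, and a phpinfo() page. Both HTML inputs are constructed for the example, not captured from a real site. An empty result does not mean the version is hidden; tools such as BlindElephant fingerprint from the contents of static files rather than from these strings.

```python
import re
from typing import List, Tuple

# Constructed sample: a default theme that leaks version details and a PHP
# warning. Not captured from a real site.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 6.1" />
<link rel="stylesheet" href="/wp-content/themes/example/style.css?ver=6.1" />
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.1"></script>
</head><body>
<p>Powered by <a href="https://wordpress.org/">WordPress</a> 6.1</p>
<pre>Warning: include(): failed opening 'inc.php' in /var/www/html/wp-settings.php on line 402</pre>
</body></html>"""

# Constructed sample: a forgotten phpinfo() page.
SAMPLE_PHPINFO = ("<html><head><title>PHP 8.1.2 - phpinfo()</title></head>"
                  "<body><h1 class=\"p\">PHP Version 8.1.2</h1></body></html>")

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)
# Version-bearing query strings on scripts and stylesheets (?ver=6.1).
ASSET_VER_RE = re.compile(
    r'(?:href|src)=["\'][^"\']*\?[^"\']*\bver=([^"\'&]+)', re.I)
# "Powered by <a ...>Name</a> 1.2.3" footers.
FOOTER_RE = re.compile(
    r'Powered by\s+(?:<a[^>]*>)?([A-Za-z]+)(?:</a>)?\s*(\d+(?:\.\d+)*)?', re.I)
# PHP runtime messages that expose the document root layout.
PHP_ERROR_RE = re.compile(
    r'\b(?:Warning|Notice|Deprecated|Fatal error|Parse error):.*?'
    r'\bin\s+(/[^\s<]+)\s+on\s+line\s+\d+', re.I)
PHPINFO_RE = re.compile(r'phpinfo\(\)|PHP Version\s+[\d.]+', re.I)

def find_disclosures(html: str) -> List[Tuple[str, str]]:
    """Return (kind, detail) pairs for every disclosure found in html."""
    findings: List[Tuple[str, str]] = []
    m = GENERATOR_RE.search(html)
    if m:
        findings.append(("generator_meta", m.group(1)))
    for m in ASSET_VER_RE.finditer(html):
        findings.append(("asset_version", m.group(1)))
    m = FOOTER_RE.search(html)
    if m:
        detail = m.group(1) + (" " + m.group(2) if m.group(2) else "")
        findings.append(("footer_version", detail))
    for m in PHP_ERROR_RE.finditer(html):
        findings.append(("php_error_path", m.group(1)))
    m = PHPINFO_RE.search(html)
    if m:
        findings.append(("phpinfo_page", m.group(0)))
    return findings

if __name__ == "__main__":
    for kind, detail in find_disclosures(SAMPLE_HTML) + find_disclosures(SAMPLE_PHPINFO):
        print(f"{kind}: {detail}")
```

Run it against the rendered HTML of each public page type (home page, article, search results, a deliberately broken URL) after a hardening change, since error pages and search templates are where debug output most often survives.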
Monitoring CMS installations
Security controls that aid in the detection of unauthorised modification of content hosted on the CMS include:
- using change management to manage deployment of new versions of webpage content
- using source control to manage development of custom code
- using file integrity monitoring to detect unauthorised changes to webpages.
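As an added example (not from the original page), the Python below implements the file integrity monitoring bullet: it takes a SHA-256 baseline of a webroot, compares a later snapshot, and triages the result so that legitimate uploads are not alerts while a script dropped into an upload directory is. The webroot layout, the excluded cache directory and the writable "uploads/" prefix are assumptions; the demo builds a throwaway directory tree so that it runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

SCRIPT_SUFFIXES = (".php", ".phtml", ".phar")

def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(webroot: Path, exclude_dirs=("cache",)) -> Dict[str, str]:
    """Map webroot-relative path -> SHA-256 for every file, skipping
    directories the CMS rewrites constantly (assumption: 'cache')."""
    baseline: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(webroot):
        dirnames[:] = [d for d in dirnames if d not in exclude_dirs]
        for name in filenames:
            p = Path(dirpath) / name
            baseline[p.relative_to(webroot).as_posix()] = hash_file(p)
    return baseline

def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Added, removed and modified paths between two snapshots."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }

def triage(diff: Dict[str, List[str]],
           writable_prefixes=("uploads/",)) -> Dict[str, List[str]]:
    """Keep every change outside the writable directories, plus any
    script file inside them. Images and documents that editors upload
    are expected; a .php file appearing under uploads/ is not."""
    def interesting(path: str) -> bool:
        if not path.startswith(writable_prefixes):
            return True
        return path.lower().endswith(SCRIPT_SUFFIXES)
    return {kind: [p for p in paths if interesting(p)] for kind, paths in diff.items()}

def demo() -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Constructed scenario in a temporary directory: baseline a small
    webroot, then simulate a defaced index page, a deleted config file,
    a legitimate image upload and a script dropped into uploads/."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "plugins" / "example").mkdir(parents=True)
        (root / "uploads").mkdir()
        (root / "cache").mkdir()
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        (root / "wp-content" / "plugins" / "example" / "example.php").write_text("<?php // plugin\n")
        (root / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")
        (root / "cache" / "page.html").write_text("<p>cached</p>\n")
        baseline = build_baseline(root)

        (root / "index.php").write_text("<h1>Defaced</h1>\n")                    # unauthorised edit
        (root / "wp-config.php").unlink()                                          # file removed
        (root / "uploads" / "photo2.jpg").write_bytes(b"\xff\xd8\xff\xe0")         # legitimate upload
        (root / "uploads" / "shell.php").write_text("<?php /* simulated dropped file */\n")  # script in uploads
        (root / "cache" / "page.html").write_text("<p>regenerated</p>\n")          # excluded, ignored

        diff = compare(baseline, build_baseline(root))
        return diff, triage(diff)

if __name__ == "__main__":
    raw, alerts = demo()
    print("all changes:", raw)
    print("needs attention:", alerts)
```

Keep the baseline off the host or on read-only media and refresh it only as part of a change-managed deployment; an attacker who can edit webpages can otherwise edit the baseline too. Reconciling each alert against the change record and the source control history from the previous two bullets is what turns a list of changed files into a decision about whether the site has been tampered with.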
Monitoring services that track compromised websites, such as https://www.zone-h.org and http://www.xssed.com, can be used to check whether a website has been defaced. These services are limited, however, in that they rely on user reporting and hence generally list only public website defacements. A CMS that is compromised and used as command and control infrastructure is highly unlikely to be listed on such websites.