Open source security doesn’t have to be rocket science. That said, cleaning up the mess after a breach or a hack or another vulnerability is exploited can be more expensive than sending someone to the moon. Ok, that might be a stretch, but the costs can be astronomical no matter which way you look at it.
Since it’s officially National Cyber Security Awareness Month (NCSAM), now is a good time to discuss the steps companies can take to secure and protect their open source initiatives and projects.
Open source systems are used globally across a number of projects. This popularity also earns open source systems extra attention from hackers, which in turn, causes developers to jack up the security of these systems. That doesn’t make them perfect. In fact, the extensions and add-ons that supplement core code to allow for additional features can make for a sticky security situation.
The silver lining is that many open source organizations (Joomla!, WordPress, Drupal, etc.) are constantly releasing updates to patch, fix, and guard against security vulnerabilities. The rub? Developers must stay on top of these updates or risk a breach.
So how do you stay on top of open source security? Let’s look at the three most popular open source CMSs and explore general security for each.
Understanding Open Source CMS
Joomla, accounting for 6.9% of all websites whose CMS we know, provides greater content and structure flexibility than WordPress while remaining just as intuitive. Its sweet spot as a CMS is as a community platform: strong built-in social networking features make it a good fit for ecommerce and social networking sites.
Joomla’s core is well maintained and generally secure, but as with any CMS, the weak points are the components around the core: extensions that haven’t been properly configured or kept up to date.
WordPress is the most popular open source CMS, powering about 28% of the internet. It’s a top choice for blogs since it’s flexible and friendly for non-developers, yet it can be used to build fairly complex sites. That same popularity also draws it into the sights of hackers: the larger the installed base, the more attractive the target.
WordPress VIP is a paid service offering enhanced security: a dedicated group performs in-depth code reviews to find vulnerabilities and publishes best practices that help developers avoid undue maintenance costs and other major issues.
Where things get risky is with plug-ins and extensions, which account for 56% of known WordPress vulnerabilities. Each one is a separate entry point maintained by a separate author; they are hard to monitor and require frequent updates to keep bad actors out.
Drupal is a developer-friendly CMS that tends to require more expertise to manage. It offers a powerful taxonomy system, making it ideal for organizations that need to organize complex content with tags and categories. That scalability makes it a preferred choice for government sites, which also says something about its security track record. That said, it can be overkill for developers or users who don’t need complex data organization.
Securing Open Source CMS
The single most effective step any business owner or developer can take to keep a site secure is to apply the latest updates and security patches promptly. This includes updating any plug-ins, extensions or other components that have released newer versions, since those are where most known vulnerabilities live.
There are some preliminary considerations that go into effectively updating your open source CMS.
You should have a regular backup schedule. Regularly scheduled backups ensure that you won’t lose data if an update goes wrong. Some CMSs (or the hosts and service providers around them) offer memberships that streamline this entire process - from running backups and audits to updating - by automating it. This paid maintenance option is highly desirable, especially for agencies managing multiple sites. Most updates are then applied automatically within 24 hours of a new release.
Also back up your site regularly to a secure off-site location. If your site goes offline, is compromised, or you need to switch hosting providers on the fly, you need to be able to recover quickly, and a backup that lives only on the affected server may be gone or tampered with too. This is a general best practice, especially for businesses like e-commerce sites that rely on the website as a core function of the business.
If you aren’t paying for maintenance updates, you’ll have to keep up with them yourself. It helps to set up Google Alerts or follow extension and plug-in developers on Twitter for news of new releases and updates.
The major projects also publish security notices you can subscribe to. Each CMS posts security advisories on its website for new releases and other security-related information; subscribing keeps you informed of anything relevant to your site’s security.
Restrict Access to Admin Portal
Another step is to check whether your administrator portal is reachable by the public. For Joomla, browse to www.mysite.com/administrator; for WordPress, go to www.mysite.com/wp-login.php. If the login form loads for an anonymous visitor, anyone on the internet can start guessing passwords against it.
Most systems offer a way to restrict access to this page. For Joomla, one option is a secret word: users must append it to the admin URL to even reach the admin login screen. Hiding the login page is an extra barrier against opportunists fishing for an easy target, though it is obscurity rather than authentication, so it should supplement, not replace, strong passwords and a restriction enforced by the web server itself. Another option is to install Admin Tools Core (or Pro), which automates maintenance, protection, and optimization of your Joomla! site.
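As an added example (not code from the original post, nor from the Joomla or WordPress projects), here is an Apache 2.4 configuration that restricts both login paths named above at the web-server layer, so an attacker never reaches the CMS login form at all. It assumes the Joomla site lives under /var/www/joomla and the WordPress site under /var/www/wordpress, that your staff connect from 203.0.113.0/24 (a documentation range standing in for your own office or VPN address), and that an htpasswd file exists at /etc/apache2/admin.htpasswd; every one of those is an assumption to replace with your own values.

```apache
# Added example: lock down CMS login paths in Apache 2.4.
# Assumed paths, network range and credential file; substitute your own.

# Joomla: the whole /administrator directory is the admin portal.
<Directory "/var/www/joomla/administrator">
    # Weak setting (what an unrestricted install effectively has):
    #     Require all granted
    # Hardened: only the allowed range may reach the login page, and even
    # then the browser must pass HTTP basic auth before Joomla sees the
    # request. A leaked CMS password alone is then not enough to log in.
    AuthType Basic
    AuthName "Joomla administrator"
    AuthUserFile "/etc/apache2/admin.htpasswd"
    <RequireAll>
        Require ip 203.0.113.0/24
        Require valid-user
    </RequireAll>
</Directory>

# WordPress: the login page is a single script, wp-login.php.
<Directory "/var/www/wordpress">
    <Files "wp-login.php">
        AuthType Basic
        AuthName "WordPress login"
        AuthUserFile "/etc/apache2/admin.htpasswd"
        <RequireAll>
            Require ip 203.0.113.0/24
            Require valid-user
        </RequireAll>
    </Files>
</Directory>
```

Create the credential file with `htpasswd -c /etc/apache2/admin.htpasswd <username>`, reload Apache, then repeat the check from the previous paragraph from an address outside the allowed range: you should now get a 401 or 403 response instead of the login form. Two caveats a practitioner will want: if the site sits behind a CDN or reverse proxy, Apache sees the proxy's address, so `Require ip` needs mod_remoteip configured (or you drop the IP rule and keep only basic auth); and if staff log in from changing locations, allow your VPN's egress address rather than a home range that changes.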
A holistic approach to security is the best approach. The bright spot in open source projects is that you essentially have a global team reporting issues and security risks, which can then be addressed quickly and efficiently. This level of transparency that is often cast as a downside actually facilitates a proactive and effective approach to security for the entire open source community.
I have a friend who is the founding partner of a law firm. Business is booming and he decides it’s time to invest in a new website. He’s had a partnership with a marketing group that caters to legal professionals, and they pitched him some ideas for a new site. He took the bait and proceeded down the rabbit hole up until they sent over a preview of the site. Having employed the help of an SEO agency for years, he sent the preview to them for a quick review.
The response he received was, well, not what he expected.
“Not even sure where to start. For one, the site-wide footer link to their site with spam anchor text is bleeding SEO value from every page and sending it to them. A little surprised an organization of this caliber would even try that.”
The rest of that email continued to pick apart every piece of sloppy code and injection of new issues into the “nicely packaged” site.
The final point was stark: “Was there even a strategy phase as a part of this rebuild?”
The drama continued to unfold from there. As the conversation between the SEO team and the web agency continued, it became apparent that what the latter had offered was a pre-packaged, one-size-fits-all solution that didn’t really have any room for true customization, lacked the ability to scale, paralyzed growth, and came with more issues than solutions. From a dollars and cents perspective, it’s ingenious: set up a closed source, bundled-up website with a bow on top, and nickel and dime clients for every single little change that needs to be made. From an ethical and dollars and sense perspective, it’s a nightmare.
From any small-to-medium business owner’s perspective, it’s a warning to be heeded.
Proprietary, closed source solutions and the epidemic of “one size fits all”
The illustration above is not uncommon. In fact, the rate at which these proprietary, closed solutions are multiplying is astounding. You can’t swing a cat cable without hitting a new closed source solution catering to businesses looking for an easy fix. Wix, Weebly, SquareSpace and the like all offer “easy” solutions to build a website using “advanced technology.”
What they don’t advertise is the truth: this type of proprietary “solution” will cripple your ability to build a custom, robust website. What is really offered is permanent paralysis: an inability to manage your content outside of their closed systems, needless dependence on commodity hosting at premium prices, hindrance of flexibility and scalability, and more. All for the low, low price of $5-$25/month. Forever. Or at least until you get hit over the head with some common sense and opt-out of the limiting, dystopian world of closed source web hosting.
Let’s dissect these realities one at a time to get the true sense of what it all means.
Infrastructure & Hosting - With proprietary solutions, you have zero control over infrastructure. Many of the solutions claim to use backup servers and employ disaster recovery systems, but you’ll never know for sure. Also, if you add content on your end that doesn’t get successfully saved to their servers, it can’t be restored. Oops.
Content - You don’t own it, pure and simple. The content is hosted exclusively on their servers. Want to transfer your site content elsewhere? Too bad. The content created using their proprietary editors cannot be exported, embedded or transferred anywhere else. Once you opt-in to the closed source world, it appears you’re there to stay or you’re leaving with nothing.
Flexibility - In many cases, unlimited bandwidth or file storage is non-existent. So some SMBs may get sized out from the start. For those that don’t, there is an easy drag-and-drop functionality to help you build the site you want - fast! Except it’s never easy or fast to build a quality website, and while pre-built templates may offer some guidance, you’re really on your own when it comes to making your site presentable. My dog can probably create a drag and drop website; that doesn’t mean it’s going to look awesome when it’s done.
“But the apps!” you say. What apps? Most of the apps offered through these sites are glorified iframes. Sure, it’s easy, but it also skews your website analytics and presents a whole slew of accessibility issues.
Then there’s the technical SEO. Sure, many of these pre-packaged solutions offer bare basics for SEO, but for businesses that really want to get competitive, the options are limited. Dig enough into what you can and can’t do with closed source platforms, and it becomes clear that any businesses where SEO is integral to the long-term marketing strategy should steer clear.
Pricing - Pricing for some of these closed solutions starts as low as $4/month. Sounds awesome until you realize that you’ll be hosting random ads on your website with the lower price tiers. The total cost over the long term of using a closed solution adds up to much more than you would spend on building and hosting a site elsewhere.
Open Source is the New Freedom of Speech
It’s clear there is a trade-off here. Businesses trade ease and convenience for control. Is the real cost worth it? Is opting-in to a closed platform limiting your website’s freedom of speech?
Open source offers a refreshing alternative to proprietary, closed solutions. It enables the creation of both dynamic and static sites without breaking the bank on software licensing and without relinquishing control of your infrastructure, content, and flexibility to a third party.
Unlike proprietary providers, open source increases agility and flexibility, allowing businesses to create custom websites and implement fixes and changes on their schedule and on their budget.
You might be wondering what happened to my lawyer friend. The good news is, he got out before it was too late. The bad news? He had to start from scratch. His initial investment with the legal marketing agency disappeared into thin air. At least he was spared the pain of finding out after it was too late and the site was etched in internet stone.
Cold, hard, closed source internet stone.
*In retrospect, this is not funny at all. No lawyers were harmed in the making of this story.
Open source hosting continues to rise quickly as one of the most popular hosting solutions available. Why? It enables the creation of both dynamic and static sites without breaking the bank on software licensing. There’s an angle for every business type - whether personal, small, medium, or large.
It also goes hand-in-hand with open source content management systems, which are quickly becoming the backbone of digital transformation and an essential tool for the enterprise.
Customer Lifecycle Amidst a Digital Revolution
We’re at a stage where companies and enterprises are reevaluating customer lifecycle marketing through the lens of digital transformation. That envelops every aspect of marketing, from content management to the technology behind it - including hosting. Your brand’s digital experience is tethered like a web across various media and channels - from your website and blogs to apps, social media, and more.
As consumer behavior continues to evolve, a brand’s digital experience must match each step. According to the Adobe 2016 Digital Trends Report, 76% of those surveyed thought “that Marketing had changed more in the past 2 years than in the previous 50.” That’s an eye-opening statistic.
It’s one that smart businesses will look to as a nod toward digital transformation as a competitive opportunity.
Why Open Source is Key to Remaining Competitive
A recent Future of Open Source survey by North Bridge and Black Duck highlights the fact that 90% of respondents say open source improves efficiency, interoperability, and innovation.
Also noted in the study: more than 65% said they leverage open source software (OSS) to speed application development and over 55% said they leverage OSS for product infrastructure.
Among the advantages of open source, the ability to customize and fix ranks highly. Again, OSS comes out as a leader in remaining strategic and competitive.
Open Source Hosting
Open source hosting is a key component to keeping pace with the digital transformation age as well as effectively managing open source projects. Major hosting providers like Bluehost and SiteGround offer open source web solutions to support businesses actively engaged in open source projects.
Developers dedicated to open source (whether it’s Joomla!, WordPress, or Drupal) value open source hosting for the agility, speed and scalability that helps open source projects soar. The number of developers actively engaged in open source projects is on the rise. Looking back to the Future of Open Source survey, 67% of companies surveyed reported actively encouraging developers to engage in and contribute to open source projects.
Open Source - The Next Frontier
It’s clear that open source isn’t going anywhere...except up. Among the top key insights from the survey, the most prominent is the fact that open source is the architecture of today. It is the foundation for almost all applications, operating systems, cloud computing, databases, big data, and more.
But open source isn’t perfect - and enterprises aren’t, either.
There is plenty of room for improvement, which is where the focus will need to be for businesses to continue to reap the benefits of open source. The survey notes only 1 in 3 companies have a full-time resource dedicated to open source projects. We will need to see more dedicated resources in the open source realm for it to really sustain growth and efficacy.
Companies also need improved ways to handle known open source vulnerabilities. Almost a third of companies from the survey reported having no process in place to identify, track, or remediate known open source vulnerabilities. Given the recent rash of breaches (looking at you, Equifax), we know how that story ends.
We need to serve
My name is Robert Jacobi; over the past 11 years you may have met me attending or presenting at a JoomlaDay, Joomla! World Conference, or J and Beyond. You may have met me advocating for Joomla! at Sunshine PHP, Web Summit, a local meetup, or other industry event. I may have had the honor of serving with you as a teammate on the former Production Leadership and Finance teams. Joomla is part of my personal and professional heart and I am thankful that a project so important to the internet has a community that is equally vital.
One of the questions I am often asked is "what is Open Source Matters (OSM)?" It is a legal and dry description, bureaucratic in nature. OSM on paper is meant to protect the legal interests of the Joomla! project, and manage the financial aspects of the project. But OSM is much less: OSM is a servant, a servant to legal requirements, and a servant to the departments that create, educate, and evangelize the project known as Joomla.
The role of president is to lead in serving. The president must be able to fulfill all legal requirements, be accountable, be transparent, and serve the community. I believe that the president must be able to communicate with the community, advocate for Joomla globally, and serve departments towards specific goals.
We need goals
Without end users, we have no community; without a community, we have no support for Joomla; without Joomla!, we have no need for contributors; without contributors, we do not exist. The overall organization and leadership structure have been overhauled for greater transparency and accountability, and now the OSM board must work together to take the next steps towards furthering these goals:
- Improve financial reporting and budgeting
- Set Departmental and OSM metrics (e.g. increase number of contributors by 5%)
- Identify and plan for intellectual property
- Increase transparency and collaboration
- Aim for Joomla growth in sites, JUGs, etc.
We must set goals to succeed and be accountable for their success. I believe that planning, setting defined goals, and a great team will improve Joomla for all stakeholders.
We need to build
We need to recognize the immense contributions of Joomla community members from the past, but our legacy is not our future. We must encourage, grow, and advocate for new contributors. Technology, users, requirements, and people change. Understanding and managing tomorrow is the challenge and opportunity the OSM board has today.
I believe that we will not always agree, I believe that we come from different points of view, I believe that we have different needs: I believe that at the end of the day we must listen, be patient, acknowledge each other and strive for technology that solves problems today and tomorrow, as well as a community that supports listening, different points of view, addressing a variety of needs, and welcomes each other.
I am honored to be a part of Joomla and through service I believe Joomla has a bright and growing future.