Open source security doesn’t have to be rocket science. That said, cleaning up the mess after a breach or a hack or another vulnerability is exploited can be more expensive than sending someone to the moon. Ok, that might be a stretch, but the costs can be astronomical no matter which way you look at it.
Since it’s officially National Cyber Security Awareness Month (NCSAM), now is a good time to discuss the steps companies can take to secure and protect their open source initiatives and projects.
Open source systems are used globally across a number of projects. This popularity also earns open source systems extra attention from hackers, which in turn, causes developers to jack up the security of these systems. That doesn’t make them perfect. In fact, the extensions and add-ons that supplement core code to allow for additional features can make for a sticky security situation.
The silver lining is that many open source organizations (Joomla!, WordPress, Drupal, etc.) are constantly releasing updates to patch, fix, and guard against security vulnerabilities. The rub? Developers must stay on top of these updates or risk a breach.
So how do you stay on top of open source security? Let’s look at the three most popular open source CMSs and explore general security for each.
Understanding Open Source CMS
Joomla, accounting for 6.9% of all websites whose CMS we know, provides greater content and structure flexibility than WordPress, but remains just as intuitive. It’s sweet spot as a CMS is as a community platform, offering strong social networking features that make it ideal for ecommerce and social networking sites.
Joomla’s core is highly secure, but as with any CMS, the weakness lies in system components that haven’t been properly configured.
WordPress is the most popular open source CMS, accounting for about 28% of the internet. It’s a top choice for blog websites since it’s flexible and friendly for non-developers and can be used to create fairly complex sites. This popularity also draws it into the sites of hackers.
The CMS offers WordPress VIP - a paid services offering enhanced security by a dedicated group that executes in-depth code reviews to find vulnerabilities. This group also provides best practices to help developers avoid undue maintenance costs or other major issues.
Where things get shady is with plug-ins and extensions, which account for 56% of known vulnerabilities in WordPress. These entry points are hard to monitor and require frequent updates to protect against bad actors.
Drupal is a developer-friendly CMS that tends to require more expertise to manage. It offers powerful taxonomy, making it ideal for companies that need to be able to organize complex content with tags and categories. This scalability makes it preferential for government sites, which is also a nod to its level of security. That said, it can often be overkill for developers or users who may not need complex data organization.
Securing Open Source CMS
The core step any business owner or developer can make to ensure their site is most secure is to remain up-to-date with the latest updates and security patches. This includes updating any plug-ins, extensions or other components that have released newer versions.
There are some preliminary considerations that go into effectively updating your open source CMS.
You should be sure to have a regular backup schedule. Having regularly scheduled backups ensures that you won’t lose any data during an update. Some CMSs offer memberships that streamline this entire process - from running backups and audits to updating - by automating the process. This paid maintenance option is highly desirable, especially for agencies who may be managing multiple sites. Most updates automatically happen without 24 hours of the newest release.
Also consider backing up your site to a secure off-site location regularly. If your site goes offline or you need to switch hosting providers on the fly, you need to be able to quickly recover your website. It’s a general best practice, especially for businesses like e-commerce sites that rely on the website as a core function of the business.
If you aren’t paying for maintenance updates, you’ll have to keep up with them on your own. It can be helpful to set google alerts or use social sites like Twitter to follow extension and plug-in developers for news on new releases and updates.
Some sites offer the ability to subscribe to safety notices. These CMSs publish safety instructions to their website for new releases or other security-related information. Subscribing keeps you informed of new information relevant to you site’s security.
Restrict Access to Admin Portal
Another step you can take is to see if your administrator portal is accessible to the public. For Joomla, browse to www.mysite.com/administrator to see if it’s accessible. For WordPress, go to www.mysite.com/wp-login.php to check.
Most systems offer a way to restrict access to this page. For Joomla, you can use a secret word. Users must append the secret word to the admin URL to even access the admin login screen. Blocking the login page is an extra barrier to nefarious characters fishing for an easy target to compromise. An additional option is to download Admin Tools Core (or Pro), which automates maintenance, protection, and optimization of your Joomla! site.
A holistic approach to security is the best approach. The bright spot in open source projects is that you essentially have a global team reporting issues and security risks, which can then be addressed quickly and efficiently. This level of transparency that is often cast as a downside actually facilitates a proactive and effective approach to security for the entire open source community.