Let's talk about protecting CMS systems. The CMS may be written by you or another group of developers, or it may be well-known
and widely used, like WordPress or Bitrix.
CMS developers are constantly working on fixing vulnerabilities, so choosing a popular system with frequent
updates is a reasonable bet. But keep in mind that an update can not only close
vulnerabilities, but also introduce new security holes.
Web applications built on a CMS are a popular target for attackers. They hack sites to send spam, plant
articles that redirect to their own web applications, use the server as storage or a file-sharing site, and steal
personal data. So let's talk about ways to protect the CMS.
Update your CMS
Updates include fixes for vulnerabilities. Therefore, the main rule of protection is to keep the CMS constantly
updated, automatically or manually.
Other ways to improve security are also important, but with an outdated version of the system, they will not be as effective.
Update themes and plugins
The advice about updates also applies to CMS plugins and themes: they are installed in the server's file system
and can therefore inject their own JavaScript code into the site, and that is exactly the danger.
Be sure to keep plugins and themes up to date. Disable those that have not been used for a long time, or
update them: they may contain vulnerabilities known to attackers. Before upgrading, always back up
your site and database, and after upgrading, check that everything still works.
Fewer plugins
Each plugin can become a threat if it is poorly written or contains vulnerabilities. So limit the number of
active plugins and remove the ones you don't use. This will not only increase the level of protection, but also speed up the site.
Hide CMS data
A good way to protect yourself is to change the default admin login address. For example, in WordPress the address looks like example.com/wp-admin. It can be changed to anything else: example.com/narnia, example.com/door,
example.com/platform34. The point is to make the URL unique to you. The standard example.com/admin or example.com/administrator should not be used: such addresses are easy to enumerate and are found quickly.
It is also worth hiding the CMS version: it tells an attacker which already-known vulnerabilities apply to your installation.
Use a reliable hosting company
Many successful attacks on CMS sites are due to insufficient security on the server side. So use
a reliable hosting provider that keeps its security up to date. When choosing a hosting provider, read their blog, ask the support team questions, look at ratings and reviews, and search for news about incidents involving that provider.
Improve your login details
Do not use the usernames admin or administrator: they are the standard names for the main administrator account, and attackers try them first, often quite successfully.
If you already have an account named admin or administrator, create a new user with full administrator rights and a less predictable username. Then log in as this user and delete the old
account.
Create a secure password
All previous security measures are meaningless if some user has the password 123456, password or qawsedrf. If this is your case, change the password to a stronger one; you can use the Strong Password Generator service for this. And do not forget to change the password from time to time.
There are also CMS plugins to motivate website users to create a secure login password.
Create regular backups
When a site gets hacked, you will be in a much better position if you have a backup. It can be created using
various services and plugins. Also, you can look into the backup methods your
hosting provider uses. For example, many offer daily backups.
Limit the number of login attempts
Limit the number of login attempts: this protects you from automated password guessing. There are also various
plugins that track unsuccessful login attempts by IP address and, if necessary, block further password guessing from that address.
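As an added example (not from the original article), this POSIX shell function does at log level what such plugins do: it counts failed login POSTs per client IP in a combined-format access log and prints the addresses that reach a threshold. The sample log is constructed, and the script assumes WordPress behaviour in which a failed login re-renders /wp-login.php with HTTP 200 while a successful one answers with a 302 redirect.

```shell
#!/bin/sh
# Added example: find client IPs with repeated failed admin logins in a
# combined-format access log. Assumption: a failed login is a POST to
# /wp-login.php answered with HTTP 200 (form re-rendered); a successful
# one is answered with a 302 redirect and is therefore not counted.

# Constructed sample log, not captured from a real server.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.20 - - [10/Oct/2023:13:57:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
EOF

# failed_login_offenders LOGFILE [THRESHOLD]
# Prints "IP count" for each IP with at least THRESHOLD (default 5)
# failed logins, sorted by IP. Feed the output to your firewall or to
# the block list of your login-protection plugin.
failed_login_offenders() {
    log="$1"; threshold="${2:-5}"
    awk -v max="$threshold" '
        # Fields: $1 client IP, $6 quoted method, $7 request path, $9 status code.
        $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' "$log" | sort
}

failed_login_offenders "$SAMPLE_LOG" 5   # prints: 203.0.113.5 5
```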
Choose your own table prefix
Each CMS uses its own table prefix. For example, WordPress defaults to the wp_ prefix. If you are just
about to install a CMS, change the prefix to something that is hard to guess.
If the CMS is already installed, do not change the prefix, otherwise you will lose access to the database.
Set the correct file permissions
Set the correct file permissions on the server to prevent unauthorized downloading or modification of
files. Permissions can be changed using an FTP client such as FileZilla or a plugin with similar
functionality, such as All In One WP Security & Firewall for WordPress. The permission values should be:
— for files: 644 or 640,
— for the configuration file: 440 or 400.
Block access to the configuration file
The configuration file should not be reachable from the web at all. In WordPress, for example, this is the wp-config.php file.
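As an added example covering both the permission values above and the blocking of the configuration file (this is not the article's own code), the shell script below applies the scheme from the text to a document root and writes an Apache 2.4 deny rule for the configuration file. It assumes WordPress (wp-config.php) unless another file name is passed, an Apache server with .htaccess overrides enabled, and a web server process that belongs to the files' group so that 440 still lets it read the configuration.

```shell
#!/bin/sh
# Added example: apply the permission scheme from the text (regular
# files 644, configuration file 440) to a CMS document root and deny
# web access to the configuration file with an Apache 2.4 .htaccess
# rule. Assumptions: the web server process belongs to the files'
# group, .htaccess overrides are enabled, and the config file is
# wp-config.php unless another name is passed.

# harden_cms_perms DOCROOT [CONFIG_FILE]
harden_cms_perms() {
    docroot="$1"; config="${2:-wp-config.php}"
    # Apache 2.4 syntax: the file is never served, even if PHP handling breaks.
    printf '<Files "%s">\n    Require all denied\n</Files>\n' "$config" >"$docroot/.htaccess"
    # Directories need the execute bit to be traversable; 755 is the usual value.
    find "$docroot" -type d -exec chmod 755 {} +
    # Ordinary files: world-readable, writable only by the owner.
    find "$docroot" -type f -exec chmod 644 {} +
    # The configuration file holds database credentials: owner/group read only.
    chmod 440 "$docroot/$config"
}

# check_cms_perms DOCROOT [CONFIG_FILE]
# Returns 0 only if every regular file is 644 or 640 and the
# configuration file is 440 or 400, as the text prescribes.
check_cms_perms() {
    docroot="$1"; config="${2:-wp-config.php}"
    bad=$(find "$docroot" -type f ! -name "$config" ! -perm 644 ! -perm 640 | wc -l | tr -d ' ')
    [ "$bad" -eq 0 ] || return 1
    find "$docroot" -type f -name "$config" \( -perm 440 -o -perm 400 \) | grep -q .
}

# Demo on a constructed throw-away tree (not a real site).
DEMO="$(mktemp -d)"
mkdir -p "$DEMO/wp-content/plugins"
printf '<?php\n' >"$DEMO/index.php"
chmod 777 "$DEMO/index.php"
printf '<?php\n' >"$DEMO/wp-content/plugins/a.php"
chmod 666 "$DEMO/wp-content/plugins/a.php"
printf '<?php\n' >"$DEMO/wp-config.php"
chmod 644 "$DEMO/wp-config.php"
harden_cms_perms "$DEMO"
check_cms_perms "$DEMO" && echo "permissions OK" || echo "permissions WRONG"
rm -rf "$DEMO"
```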
Outcome
There are many ways to secure a site. We recommend that you start by updating your CMS, plugins and themes to the latest versions,
as well as reviewing the plugins you have installed.