In practice, more than half of today's sites are built with a CMS (content management system). As explained in Part 3 of this series, these are platforms that let users build and manage a website without writing any code.
There are many CMS providers. By far the largest in terms of market share, with over 60%, is WordPress; Joomla, Drupal, Shopify and Squarespace each hold under 5%, and many smaller platforms share the rest.
Combined, these applications handle essentially all of the code, database queries and infrastructure in the backend so you can focus on the frontend of your site. Most sites also add plug-ins: pieces of add-on software that extend the native features of the chosen CMS. A large number of third-party plug-ins, of very uneven quality and maintenance, are available for every major CMS.
Every CMS and every plug-in is, after all, code packaged as a system, and any code can contain bugs. Attackers look for those bugs, and because one CMS runs a huge number of sites, a single flaw can be exploited at scale. Thus they regularly attack the CMS, the data it holds, and in turn your business.
New vulnerabilities can surface at any time. When a CMS or plug-in vendor publishes a security update, the change log and the accompanying advisory generally describe the flaw that was fixed. That description also tells attackers exactly what to look for on sites that have not yet installed the update, so any site that does not update promptly (or automatically) is exposed. Every additional third-party plug-in adds another code base, another maintainer and another update cycle to keep track of, increasing the exposure further.
Not all vulnerability scanners can detect the underlying CMS, so you need a scanning tool that recognises your specific CMS. Such a tool should enumerate the installed plug-ins and themes together with their versions, check for unprotected administration panels, and test password robustness against brute forcing, since every CMS has its own login mechanism. It should also check for Full Path Disclosure (FPD), where an error message reveals the server's internal directory structure, and locate the CMS in every directory of your web application, because a second, forgotten install is just as attackable as the main one.
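As an added example (not code from the original article), here is a small passive fingerprinting script in Python that performs, on a saved HTML response, the first steps such a scanner takes: identify the CMS from the generator tag or from path conventions, enumerate WordPress plug-in and theme slugs with the versions leaked in asset URLs, flag components that are behind a reference version table, and spot Full Path Disclosure in error text. The sample page, the plug-in slugs and the "latest version" table are constructed for the illustration; a real scanner would fetch pages live and take current versions from the vendors' release feeds.

```python
"""Passive CMS fingerprinting of a saved HTML response (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample page: a WordPress front page that also leaks a PHP error.
# Not captured from any real site.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 6.3.1" />
<link rel="stylesheet" href="https://example.test/wp-content/themes/twentytwentythree/style.css?ver=1.2" />
<script src="https://example.test/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.7.7"></script>
<script src="https://example.test/wp-content/plugins/woocommerce/assets/js/frontend/cart.min.js?ver=8.1.0"></script>
<script src="https://example.test/wp-includes/js/jquery/jquery.min.js?ver=3.7.0"></script>
</head><body>
<p>Warning: include(): failed to open stream in /var/www/html/wp-content/plugins/some-plugin/init.php on line 12</p>
</body></html>"""

# Hypothetical "latest release" table; a real scanner would fetch this from the
# vendors' release feeds rather than hard-code it.
LATEST_VERSIONS = {
    "wordpress": "6.4.2",
    "contact-form-7": "5.8.4",
    "woocommerce": "8.4.0",
    "twentytwentythree": "1.3",
}

# <meta name="generator"> is the easiest fingerprint: WordPress, Joomla and
# Drupal all emit it unless the site owner strips it.
GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="([A-Za-z!]+)(?:\s+(\d[\d.]*))?', re.I)
# Path conventions that still identify the CMS when the generator tag is gone.
PATH_HINTS = {
    "wordpress": ("/wp-content/", "/wp-includes/"),
    "joomla": ("/media/jui/", "/components/com_"),
    "drupal": ("/sites/default/files/", "/core/misc/drupal.js"),
}
# WordPress plugin/theme assets: /wp-content/<kind>/<slug>/...?ver=<version>
ASSET_RE = re.compile(
    r'''/wp-content/(plugins|themes)/([\w-]+)/[^"'\s]*?(?:\?ver=([\d.]+))?["'\s]''')
# Full Path Disclosure: absolute server paths leaking into the response body.
FPD_RE = re.compile(r'(?:/(?:var|home|usr|srv|opt)/[\w./-]+|[A-Z]:\\[\w\\.-]+)')


@dataclass
class Fingerprint:
    cms: Optional[str] = None
    cms_version: Optional[str] = None
    components: Dict[str, Optional[str]] = field(default_factory=dict)  # slug -> version
    fpd_paths: List[str] = field(default_factory=list)


def fingerprint(html: str) -> Fingerprint:
    """Extract CMS, version, plug-in/theme slugs and leaked paths from one page."""
    fp = Fingerprint()
    m = GENERATOR_RE.search(html)
    if m:
        fp.cms = m.group(1).rstrip("!").lower()   # "Joomla!" -> "joomla"
        fp.cms_version = m.group(2)
    if fp.cms is None:
        for name, hints in PATH_HINTS.items():
            if any(h in html for h in hints):
                fp.cms = name
                break
    for _kind, slug, ver in ASSET_RE.findall(html):
        # Record every slug; a versioned hit overrides an unversioned one.
        if ver or slug not in fp.components:
            fp.components[slug] = ver or None
    fp.fpd_paths = sorted(set(FPD_RE.findall(html)))
    return fp


def version_tuple(version: str) -> Tuple[int, ...]:
    """'6.3.1' -> (6, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def outdated(fp: Fingerprint, latest=LATEST_VERSIONS) -> List[Tuple[str, str, str]]:
    """Return (slug, installed, latest) for every component behind the reference table."""
    found = []
    checks = [(fp.cms, fp.cms_version)] + list(fp.components.items())
    for slug, ver in checks:
        if slug in latest and ver and version_tuple(ver) < version_tuple(latest[slug]):
            found.append((slug, ver, latest[slug]))
    return found


if __name__ == "__main__":
    result = fingerprint(SAMPLE_HTML)
    print(f"CMS: {result.cms} {result.cms_version or '(version hidden)'}")
    for slug, ver in result.components.items():
        print(f"  component {slug}: {ver or 'version unknown'}")
    for slug, ver, new in outdated(result):
        print(f"  OUTDATED {slug}: {ver} installed, {new} available")
    for path in result.fpd_paths:
        print(f"  FPD: server path leaked: {path}")
```

Two things worth noticing when you run it against your own saved pages: the error message in the sample leaks a plug-in slug (`some-plugin`) that no asset URL mentioned, which is exactly why FPD and verbose errors matter; and removing the generator tag does not hide the CMS, because the `/wp-content/` and `/wp-includes/` paths still give it away. Hiding is not the fix; updating is.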
Next week, we conclude our info-series on website & email security and bring you Part 5: How to spot Websites that are ‘not secure’ and ‘dangerous’.
We hope you enjoy reading our research, designed for professionals who are not IT experts but thirsty for knowledge about the everyday tools to operate a business – your email and website.