We live in a world where “script kiddies” is both a pejorative term, and the name of an actual threat. People of all hacking skill levels are trying to break in to other people’s sites for fun and profit. And they pull it off sometimes.
Hacked sites are a nightmare. I mean, if you’re lucky, they might just post on your blog and call you ugly. If you’re unlucky, they could steal enough information about your users to access their money and steal their identities. In either case, it looks bad for you. In the worst cases, a lot of people could be hurt by flaws in your system. The best solution is obviously to prevent incursions so you don’t have to clean them up. Unfortunately, that’s not always the easiest thing to do. There’s no such thing as a perfectly secure system, especially when that system is in any way connected to the Internet. Nevertheless, we must try.
What’s more, we have to try and secure sites that are, in large part, built by other people. I’m talking about every site that uses a CMS. I took a look at security advice for the four most popular CMS options out there, and rounded up the best guides I could find that have been published within the last year or so.
Note: Different CMSs are targeted towards different kinds of users, and have varying levels of community support. Thus, the security advice presented ranges from specific code examples, to some very basic stuff.
Some thirty percent of websites out there in the wild run on WordPress. Now the WordPress team is no slouch when it comes to patching out bugs, but the codebase is just so big, it helps to take extra steps. We’re lucky that the WordPress community is just so utterly huge. There’s advice out there for users of every skill level.
Bonus: 13 Security Tips For WooCommerce Stores—WooCommerce matters because its market share is starting to rival even industry giants like Magento. Now, there’s not a lot you can do to secure it beyond making sure that the parent WordPress installation is secure, but these tips will help.
Joomla is pretty much my constant reminder that my experience as a designer and my potential customers’ experiences as users will lead us each to different perspectives. For example: I think Joomla is a pain in the neck, and yet it remains the second most popular CMS out there. If our customers use it, it’s our job to secure it. There’s quite a bit of (read: mostly) general advice out there on the subject, but I did find a useful guide on dealing with Brute force attacks.
In the third spot on the list, Drupal is definitely the developer’s CMS. Most of the articles listed here will assume that you have at least some programming knowledge, as you need some programming knowledge to really make Drupal do much of anything. The CMS itself has a heavy focus on security, and a some of the info here comes from Drupal’s own documentation.
It’s no surprise that the fourth most popular CMS in the world is an eCommerce solution. The Internet is just that useful for selling things. It’s also no surprise that eCommerce sites are a big, juicy target for people who want lots of information about lots of people. As with Joomla, Magento customers usually aren’t developers themselves, so a lot of the information is pretty basic. If nothing else, you could share it with the people you make Magento sites for.
This is, as usual, just that start of what there is to learn about securing a site with any of these CMS options. Plus, there are so many others out there. I only focused on the top four because there are perhaps as many CMSs out there as there are web developers with too little to do.
That said, at least some of the more basic advice you’ll find here can apply to almost any CMS. Take what works, and Google what doesn’t. And…good luck.