Securing the Open Source CMS Doesn’t Take a Dissertation

Chris Wiegman, Web Developer, St. Edward’s University

We are talking about protecting the brand not just the data.

Open source does not mean amateur. Open source CMS systems are not, however, designed to keep critical data secure, but there are numerous add-ons and other tools to help meet those needs.

Not staying up to date on the software can cause problems, but this is true in proprietary systems too. Secure configuration examples are also often easy to find.

3 rules to make your site secure:

  1. Just because you can, doesn’t mean you should. The CMS is a solution for data presentation, not necessarily data processing. What is a site and what is an application? Know the difference as you look at open source CMS.
  2. Trust vendors to do what they do well: hosting, streaming, etc.
  3. Have the word “no” built into your project guidelines (i.e., payroll information should not be content in a public CMS).


5 Rules for security:

  1. Don’t use add ons you don’t need.
  2. Don’t use server tools you don’t need.
  3. Eliminate unused or underused features.
  4. Don’t change the core code.
  5. Be persistent in understanding the ecosystem at large and your own system as well.

Tools to get the security job done:

SSH/SFTP replaces FTP for file transfer operations; credentials and data are encrypted in transit.

SSL – if your page takes data in, protect your users by encrypting the transmissions.

Navicat replaces phpMyAdmin: it keeps database management off the web servers and makes backups easy to perform.

WordPress Plugins (see image…)

Manage is a great tool for creating a dashboard for multiple deployments of WP. $$$

BuiltWith Technology Lookup

Online Link Checker with Blacklist Lookup | Dr. Link Check

Pingdom Tools

Qualys SSL Labs – Projects / SSL Server Test

Sucuri SiteCheck – Free Website Malware Scanner

Security checklist:

Check to make sure your content is not sensitive

Remove extra server packages if self hosting

Update core, modules, themes, etc…

Monitor comments, traffic, etc…

Protect your customers and brand, not just a site.

Use the open source community.

Call in experts when need be.

Keep up with trends.