The real cost of that "free" CMS

We are constantly reminded of the importance of cyber-security. With the growth of the internet and the tools now freely available to anyone, it has become easier than ever for attackers to gain access to business websites.

What is a CMS?

A CMS, or Content Management System, is software which runs on a web server and helps manage and serve content. In the early days of the internet, every single page had to be generated by hand.

With the rise of internet usage and the introduction of blogging, programmers stepped in to make the process of adding content to websites quick and easy. CMS systems automatically link new entries and pages on your website, and make it really easy to go in and make modifications to web content. The invention of the first web-based CMS made adding content a breeze!

Security and the Free CMS

Your website content is important to your company. It helps sell your company to potential customers, and may actually help you make online sales to your community and beyond. We have seen, time and time again, how a hacked website can affect even the most reputable businesses.

So how do hackers gain access to your website?

They may have broken into an email account and discovered that the user's password is reused on other websites, including the login for your site.

Pro Tip

Use a password manager like LastPass, and use a different password for every site you have an account on.

Sometimes, hackers use SQL injection to gain access to your website: the attacker puts database commands into a value the site passes straight to its database, such as a parameter in the address bar or a field in a login form, and the database runs them as part of the site's own query. Vulnerabilities like this are discovered all the time in free content management systems and in the third-party plugins and themes that run on them.
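To make the mechanism concrete, here is an added example (not code from the original post or from any particular CMS) that builds a throwaway SQLite database with a constructed users table and posts table, then shows a post lookup driven by an address-bar parameter and a login check, each in a vulnerable form that pastes the input into the SQL text and a hardened form that validates the input and binds it as a parameter. The table layout, the usernames and the "editor" password are all invented for the demo; the password is stored in clear text only to keep the demo short, a real CMS stores a salted hash.

```python
import sqlite3


def make_db():
    """Constructed demo database (not the article's): one CMS user, two posts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO users (username, password)
            VALUES ('editor', 'correct horse battery staple');
        INSERT INTO posts (title) VALUES ('Welcome'), ('Opening hours');
        """
    )
    return conn


def get_post_vulnerable(conn, id_param):
    """Looks up a post by the raw ?id= value from the address bar.
    The value is pasted into the SQL text, so it can rewrite the query."""
    sql = "SELECT id, title FROM posts WHERE id = %s" % id_param
    return conn.execute(sql).fetchall()


def get_post_safe(conn, id_param):
    """Same lookup, hardened: check the type, then bind the value as a
    parameter so the database never treats it as SQL syntax."""
    try:
        post_id = int(id_param)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT id, title FROM posts WHERE id = ?", (post_id,)
    ).fetchall()


def login_vulnerable(conn, username, password):
    """Login check with the form fields spliced into the query string."""
    sql = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Same check with bound parameters: quotes in the input stay data."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    # Attacker-controlled URL parameter: turns a post lookup into a credential dump.
    leak = "0 UNION SELECT id, username || ':' || password FROM users"
    print(get_post_vulnerable(conn, leak))  # [(1, 'editor:correct horse battery staple')]
    print(get_post_safe(conn, leak))        # []
    # Attacker-controlled password field: closes the string and appends OR '1'='1'.
    print(login_vulnerable(conn, "nobody", "' OR '1'='1"))  # True
    print(login_safe(conn, "nobody", "' OR '1'='1"))        # False
```

The vulnerable lookup builds the text `SELECT id, title FROM posts WHERE id = 0 UNION SELECT ...`, so the attacker's `UNION` rides along and the page that was meant to show a post shows the users table instead; the vulnerable login becomes `... AND password = '' OR '1'='1'`, which is true for every row. Neither attack needs a known username, and neither works against the parameterized versions, because the query text is fixed before the user's value is supplied.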

Sometimes a client asks why we don't use a particular free content management system, as many other web design houses do. We often leave it at "It's a security risk," which is fine for most clients. On occasion, we are asked to elaborate.

But, my website is on a free CMS!

I would like to preface this by saying that it is possible to lock down your [free generic CMS]. If you are proactive about security updates and keep frequent backups of your site, you may never have a problem at all. But it takes only one widely known vulnerability in a widely used system, and suddenly your website is selling male enhancement drugs or greeting visitors with a cheeky "this website has been hackZ0red by FluffyMittenz" message.

The issue with freely available CMS platforms is that once a vulnerability becomes known, it is exploited quickly and at scale. Why are these sites so attractive to hackers? Because the free nature of these CMSs makes them ubiquitous on the web: the same code runs on an enormous number of sites, so one exploit works against all of them, and attackers scan for vulnerable copies automatically.

In these free systems you are also bound to the way they function, and security often takes a back seat. The organisations behind these CMSs do have people who patch security holes, but there is a gap between a fix being released and a site owner installing it, and attackers work that gap; for some websites the patch arrives too late.

Hackers look for tell-tale signs that your website is running a specific CMS, such as its meta data, the way its links and file paths are formatted, or the response to a generic "/admin" address on your site, and then try the known vulnerabilities for that version or brute-force the login.

There are security plugins that help you further lock down your [free generic CMS] website by changing the way the CMS handles logins and address requests. They can lock out users after too many failed login attempts, permanently ban the IP addresses of visitors who try a wrong username, and use blacklists to keep known bad IP addresses from reaching your site at all.

But there are issues with this.

While IP blacklists provide some peace of mind, most internet users are assigned a dynamic IP address by their internet service provider, and many share a single public address with other customers. A blacklisted address therefore bans a hacker only until their address changes, while also banning everyone else who is assigned or shares that address from even reaching your website.

Many of these attempts also come from computers whose owners have no idea they are involved: machines infected by malware that uses them to attack other computers and websites and reports what it finds back to the attacker. Banning such an address punishes the infected victim, and the attacker simply moves on to the next infected machine.

Just because your site hasn't been hacked, doesn't mean that hackers aren't trying.

Entoo currently hosts only two websites running free CMS platforms. We acquired these sites from other providers who used free CMS systems; we secured them, put each on its own virtual private server, and relaunched them. (Each Entoo client is set up on their own virtual private server for performance, deployment and security reasons.)

While checking the log of one of these websites, we were alarmed by what we found:

In the span of 20 days, the website had 1783 failed login attempts and over 600 permanent IP bans from repeated login failures. Most were trying to access an account called 'Admin', which we permanently disable when we secure a [generic free CMS] website anyway. But several had learned the actual admin login name, and others had learned the client's own user login. The other website had the same issue.
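The kind of log review described here, and the lockout and IP-ban trade-offs discussed above, can be reproduced on a small scale. The following is an added example, not code from the original post or from any CMS plugin: it parses a constructed login log (the line format, addresses, usernames and timestamps are all invented for the demo, not the article's data), produces the same summary figures a review like the one above yields, and then replays the log under two ban policies, a permanent IP ban and a time-limited one, counting how many attack attempts each refuses and how many legitimate logins from a shared or reassigned address each refuses along with them.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of a CMS login log (not the article's data). Assumed line
# format: "<UTC timestamp> <client ip> <OK|FAIL> user=<username>".
# 192.0.2.77 stands for a shared ISP address: a bot uses it at 03:02, the real
# editor logs in from it at 09:15.
SAMPLE_LOG = """\
2017-03-01T02:14:07Z 203.0.113.8 FAIL user=admin
2017-03-01T02:14:09Z 203.0.113.8 FAIL user=admin
2017-03-01T02:14:11Z 203.0.113.8 FAIL user=admin
2017-03-01T02:14:13Z 203.0.113.8 FAIL user=admin
2017-03-01T02:14:15Z 203.0.113.8 FAIL user=admin
2017-03-01T02:14:17Z 203.0.113.8 FAIL user=admin
2017-03-01T02:14:19Z 203.0.113.8 FAIL user=administrator
2017-03-01T02:14:21Z 203.0.113.8 FAIL user=administrator
2017-03-01T03:02:40Z 192.0.2.77 FAIL user=jsmith
2017-03-01T03:02:42Z 192.0.2.77 FAIL user=jsmith
2017-03-01T03:02:44Z 192.0.2.77 FAIL user=jsmith
2017-03-01T03:02:46Z 192.0.2.77 FAIL user=jsmith
2017-03-01T03:02:48Z 192.0.2.77 FAIL user=jsmith
2017-03-01T05:41:03Z 198.51.100.23 FAIL user=admin
2017-03-01T05:41:05Z 198.51.100.23 FAIL user=jsmith
2017-03-01T05:41:07Z 198.51.100.23 FAIL user=jsmith
2017-03-01T05:41:09Z 198.51.100.23 FAIL user=jsmith
2017-03-01T05:41:11Z 198.51.100.23 FAIL user=jsmith
2017-03-01T09:15:30Z 192.0.2.77 OK user=jsmith
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (OK|FAIL) user=(\S+)$")


def parse_log(text):
    """Turn log lines into dicts with a parsed UTC timestamp, oldest first.
    Lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, result, user = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "ok": result == "OK",
            "user": user,
        })
    return sorted(events, key=lambda e: e["ts"])


def summarize(events):
    """The figures a log review produces: failures, source addresses, and
    which usernames were targeted (most attacked first)."""
    failed = [e for e in events if not e["ok"]]
    return {
        "failed_attempts": len(failed),
        "attacking_ips": len({e["ip"] for e in failed}),
        "targets": Counter(e["user"] for e in failed).most_common(),
    }


def simulate_ip_bans(events, threshold=5, ban_minutes=None):
    """Replay the log under an IP ban policy: an address is banned once it
    reaches `threshold` failures, for `ban_minutes` or forever when None.
    Returns (attack attempts refused, legitimate logins refused)."""
    fails = Counter()
    banned_until = {}   # ip -> expiry datetime, or None for a permanent ban
    refused_attacks = refused_legit = 0
    for e in events:
        ip, ts = e["ip"], e["ts"]
        if ip in banned_until and (banned_until[ip] is None or ts < banned_until[ip]):
            if e["ok"]:
                refused_legit += 1   # real user behind a banned shared/dynamic address
            else:
                refused_attacks += 1
            continue
        if not e["ok"]:
            fails[ip] += 1
            if fails[ip] >= threshold:
                banned_until[ip] = None if ban_minutes is None else ts + timedelta(minutes=ban_minutes)
                fails[ip] = 0
    return refused_attacks, refused_legit


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(summarize(events))
    print("permanent ban:", simulate_ip_bans(events))                 # (3, 1)
    print("30-minute ban:", simulate_ip_bans(events, ban_minutes=30))  # (3, 0)
```

On this sample both policies refuse the same three attack attempts, because a ban only starts after the threshold is reached and the bots stop anyway, but the permanent ban also refuses the editor's genuine login from the shared address six hours later, while the 30-minute ban has expired by then. That is the trade-off the previous paragraphs describe: a time-limited ban costs almost nothing in protection against a bot that has already moved on and avoids locking out whoever inherits the address. Note also that the summary shows the real username "jsmith" attacked more often than "admin", which is why disabling the default account is not a substitute for a strong password and two-factor authentication.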

A look at the locked IP addresses revealed login attempts from places like Taiwan, Russia, Tunisia, Brazil, Thailand, Romania, Italy, China, Chechnya, Argentina and Bulgaria, and from places much closer to home, like Michigan, Texas, New York and Ohio. These were obviously people with no reason to be accessing these systems other than a nefarious one.

We arrived at an alarming conclusion: free CMS platforms are a magnet for hackers and brute-force attacks. (We knew this before, but we were surprised by how much effort was being spent trying to break into low-profile local websites with fewer than 1000 visits per month.)

Our security precautions had held, but the statistics made us modify the way we handle our security.

Here’s the takeaway:

Entoo uses premium content management systems, which let us design and host website data however we like, while free CMSs are limited to the way they handle data. With the premium CMS we include with our website design services, we can hide the login location, mask usernames, keep the CMS program and configuration files outside the publicly accessible folder, and lock down the CMS far more tightly than any free CMS on the market.

While no system can be guaranteed 100% safe from hackers, these systems are built to resist common SQL injection attacks.

In addition, our primary content management system has built-in protection against cross-site request forgery (CSRF), enforces SSL for control panel requests, and more.

Entoo now also ensures that all hosted websites are served over HTTPS, with security monitoring and automatic daily audits, daily backups, weekly server updates (and immediate security patches) on our servers, and security best practices throughout, all for the safety of our clients' web content.

Commerce is handled through our system, while payments are made through secure third-party vendors such as Stripe or PayPal. Customers' personal payment information is never stored on your website and is reachable only through transaction IDs on the payment gateway's site. This adds a layer of protection for our clients and their customers in the event of a data breach. Websites that handle HIPAA-sensitive data also process and store it through third-party solutions, with all protections in place as required by federal law.

In the coming weeks, Entoo will roll out new features to all our existing clients to further strengthen the security of every site we host. We are also working on new security features such as two-factor authentication (2FA), and much more.

Is your website on one of those free content management systems? Give us a call to see what we can do for you!