The Australian Cyber Security Centre (ACSC) has released new guidelines to assist organizations in securing Content Management Systems (CMS). The guidelines include good mitigation advice in areas of patching, account management, hardening and monitoring to name a few.
External-facing CMS systems installed on web servers are frequently targeted by bad actors. Once CMS server vulnerabilities are exploited, the actors can then compromise the server and launch targeted attacks on other internal systems.
CMS system attacks can also result in a bad actor:
- Gaining access to authenticated and privileged areas of a web application.
- Uploading malware to the web server to facilitate remote access (e.g., RATs or web shells).
- Injecting malicious content into legitimate webpages.
To that end, the ACSC developed these new guidelines ‘Securing Content Management Systems’ to help administrators and developers in securing websites or apps using CMS.
The ACSC outlined several effective mitigations to reduce the risk of CMS system compromises as outlined below.
Managed CMS servics
Instead of hosting CMS systems yourself, organizations can use a managed CMS hosting service.
Managed services can take on the extra burden of keeping CMS systems fully patched and software up to date.
Patch your systems
If you choose not to use a managed service, you have to make sure your CMS systems are fully patched.
In addition to the server operating system, don’t forget about the full “CMS stack” as well. For example, you will also need to update all your third party applications, custom site-specific code.
Organizations should also run vulnerability assessments or scans to detect vulnerabilities on their CMS systems.
Tool examples include WPScan for WordPress and the Security Review module for Drupal.
Account and password management
Administrators of CMS systems should change default usernames and passwords used for privileged access. Also use strong passwords or phrases. In addition, make sure passwords/phrases stored in CMS system are hashed with salt using strong cryptographic algorithms (such as SHA-256).
In addition, organizations should always restrict access to the CMS administrator console to only approved internal IP addresses (also known as “whitelisting” IPs).
CMS system hardening
Administrators should only install trusted and fully supported third-party plugins. In addition, they should also disable or remove unneeded plugins. Detailed debug messages or pages should also be removed.
Also, remove any version information that could be displayed by default.
Monitoring and change management
Organizations should implement good change management and monitoring controls for CMS installations.
For example, use change management process to approve new versions of webpage content or system changes. In addition, organizations should leverage source code control to manage custom code.
Finally, file integrity monitoring can also be used to help detect unauthorized changes to webpages or critical system files.