In the last 6 months, I have noticed that there is an exponential increase in hacking activities specially targeted to CMS based websites i.e. Wordpress and Joomla. Both these platforms offer business owners a comfortable base to built application within no time. Additionally, CMS offers some really cool plug-ins that can be easily integrated to your website. Because of its usability, popularity and known weaknesses hackers make it as an easy target.
Here’s some statistics on attack motivation and distribution as on August 2012 (source: Hackmageddon)
Here’s some statistics on attack motivation and distribution as on August 2012 (source: Hackmageddon)
Where is the problem?
CMS vendors (Wordpress and Joomla) regularly release new versions when it finds that there is a need to upgrade or new feature to offer or any security vulnerability is detected. This is really good and it shows reactive nature of vendors. This introduces a problem too. Business owners do not generally prefer to upgrade their platform version as it introduces a lot of risk to their business. When a website is hacked, it loses user base, trust and sometimes even they are out of business.
Wordpress and Joomla have lot many version specific exploitable vulnerabilities that can be easily exploited by script-kiddie by a simple google search. This really highlights the need to upgrade your CMS platform as new release comes out in the market.
Attackers have an easy way to detect what platform you are using. Below is the technique to detect:
Wordpress:
- Browse to http://www.site.com/readme.html - This will return wordpress installation page revealing wordpress version number.
Joomla:
- Browse to http://www.site.com/administrator - This will return Joomla Administrator page.
What next?
Every business is critical and everyone wants their business to be profitable and secure. To achieve the level of satisfaction, I recommend at least follow below basic best practices for your website.
Based on my CMS security assessment experience, I will list out the best practice that you must follow to strengthen security of your website:
- Try to have up-to-date CMS version
- Disable Directory Listing on your website – This is the first thing hackers look for to map your application directory structure
- Set 644 (rw-r--r--) Permission on all your .htaccess, index.php and config files
- Change your administrator Default Username from “admin” to “anything”
- Maintain an inventory of Trusted Users for remote access and ensure to revoke their right once the work is completed
- Apply Access Restriction on your admin module (as this is only used for administration purposes by limited people) or change your admin path from /administrator to /siteadm/adm.php. The idea is to remove /administrator directory from CMS installation
- Delete all Default Configurations and redirect users to application customized error page
- Audit and remove HTTP Response Header that discloses your CMS version, web server version and operating system details
- Remove all Unused or Unreferenced files from your CMS installation directory
- Apply strict Password Policy for FTP, Admin module and any other remote access to your server. Your policy must include:
- Must be 8 characters in length
- Must be alpha-numeric
- Must change every month
- For Joomla Based Websites, ensure:
- .htaccess file is not accessible via http://www.site.com/htaccess.txt
- Admin password page is not directly accessible i.e. http://www.site.com/administrator/index.php
- Ensure you have up-to-date Antivirus and Malware tool installed on your server and it scans your application files on a weekly basis. I recommend to use ClamAV.
- Deploy a Web Application Firewall and configure it to prevent at least some of the common web application attacks. For linux environments, mod_security is the recommended one.
- Install a Wordpress and Joomla security scanner to quickly detect and fix the security issues. Below are the recommended one:
- Wordpress:
- Joomla:
- Ensure all your application files are linked completely and do not disclose any internal server path
