TR-26 Security Recommendations for Web Content Management Systems and Web Servers

Recommendations for Web Content Management System - CMS

Web content management systems (CMS) are regularly used to maintain website content. But as they offer a lot of flexibility to the authors, they also offer a huge opportunity to attackers like modifying content in order to host malicious content and infect users with malware who navigate to these websites.

Extensions and Plugins in CMS

A major source of vulnerabilities are the extensions and plugins of Web Content Management Systems. Even though the core CMS part can be vulnerable, the vulnerabilities in plugins are accounted for more than 80% of the CMS vulnerabilities.

We recommend to regularly review the plugins installed and check if software updates are available.

Not all the extensions and plugins are properly maintained or documented. You should not always rely on the update process to keep your extensions up-to-date. You are advised to check on CIRCL CVE search:

If you have customized extensions or plugins, you have to keep track manually of potential security vulnerabilities and merge the update from the upstream version of the extensions.

Administration of CMS

  • Add an additional layer of protection to access administrative panel of your CMS (e.g. like an .htaccess or packet filter access to your source IP address only)

  • Rename or disable default accounts (e.g. like admin or demo)

  • Enable SSL/TLS access to, at least, your CMS administration panel and disable clear-text HTTP access to the administration panel

  • Change the default path of your CMS administration panel as attacker tends to brute-force URL to find accessible CMS administration panels

  • Use strong passwords for the CMS administration panel or dual factor authentication if available,

  • enforce strong passwords for other users (like authors) as well

  • Install updates for the CMS (including core and extensions) when updates are available

Reduce CMS Risks by Generating Static Content

Operating a full fledged CMS, publicly accessible on Internet, to distribute your content might be an important security risk (e.g. Go Static or Go Home In the end, dynamic systems are simply less secure.). In order to limit the risk, operating a private CMS (not directly accessible to the whole Internet) which generate static content is usually a safer approach. Some CMSes propose extensions to automatically generate static HTML pages to be published on a minimal harden Web server (like staticpress which is a WordPress extension to generate static HTML pages).

If you want more information about a complete setup of WordPress generating static content, CIRCL published “TR-36 Example setup of WordPress with static export”.

Recommendations for Web Servers

Logging

  • Enable logging, using extended logging (e.g. Apache combined format) is recommended for each virtual host including a default log

  • Include the TCP source port in your Web server logging (as a lot of connections might come from NAT)

LogFormat "[%h]:%{remote}p %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "[%h]:%{remote}p %l %u %t \"%r\" %>s %b" common
  • Ensure that logs are retained for a period allowing incident response and retention times follow your local data retention policies.

  • Centralized logging is recommended to ensure the integrity of the logs in case of compromised servers

Backup

We highly recommend to have an adequate backup strategy for your CMS. In case of an intrusion, attackers often modify the data to include malicious elements in your content. If you have a regular and trusted backup policy, you can easily restore your content even after being compromised. Don’t forget to backup your content (from the database) including your CMS directories to a trusted location.

Secure Coding

This publication doesn’t include secure coding recommendation for web application. The OWASP Secure Coding Practices Quick Reference Guide is a good start.

References

Revision

  • Version 1.2 April 28, 2015 Include information about static pages generator for WordPress (TLP:WHITE)
  • Version 1.1 December 29, 2014 Updated with feedbacks from users (TLP:WHITE)
  • Version 1.0 September 23, 2014 First release (TLP:WHITE)

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.