3 tips to ensure your CMS isn't hacked

Has your site been hacked? A lot of sites have been, and it's not a pretty sight when it happens.

One organisation I worked with told me they were avoiding Drupal, the content management system (CMS) used by their parent organisation; someone had decided they would only use Wordpress. I thought this odd, as Wordpress was the one I'd heard about getting hacked most recently. So I did a Google search for each of the three most common open source content management systems together with the word "hacked" to see what came up. The article counts Google gave me were:

  • Drupal: 1.15 million articles
  • Joomla: 2.33 million articles
  • Wordpress: 9.55 million articles

Of course, if your site is hacked, it is your reputation and image that are on the line. When someone wrecks your site, working to repair it quickly is stressful, and you don't always see at first how deep the damage goes. Don't assume your site is too small to be noticed. As a communicator, you never want your site to be that small anyway, do you? Social media accounts aren't immune to being hacked either. Being prepared helps reduce the stress. So, here are three simple tips to help prevent being hacked and to recover quickly if you are.

Keep your CMS software patched

Programmers are human. They make mistakes, and hard as they try, they can't foresee every way someone might exploit the software they write. So, just as for your computer, patches are regularly released for most content management systems and for their modules, plugins, and themes. Depending on how things are set up, you may be able to apply them yourself or, once again, you may need help from your IT staff. One caveat: if you are using open source software, you might want to keep a copy of the previous version. I've seen cases where a patch for a vulnerability actually broke the site or made it work suboptimally. With the previous version and a backup of your content database on hand, you can likely revert and skip the broken update.

Use strong passwords and keep them safe

Strong passwords make it harder for someone to guess your password, come in as a legitimate user, and destroy your site. This applies to all of your social media accounts as well. If a password is on the list of the "top 30 dumb passwords people still use" revealed when LinkedIn had a data leak (or on any other such list, for that matter), don't use it.

You can also keep your passwords safe by setting your login page to use an SSL connection. Just saying a form is "secure" doesn't make it so. I once saw a car dealership with a "secure" contact form, but all they had done was state in the text of the form that it was secure. I contacted the manager and complained. Some content management systems have a setting that forces logins to use SSL, but this should only be turned on if your server supports SSL connections. If you are the only one who logs into your site, a self-signed certificate may be sufficient; however, if you have visitors who are authorised to comment (without being screened and such), you should use a certificate from a recognised certificate authority. Again, your IT people can help you make sure SSL is turned on, and they will likely have to be the ones to install any SSL certificates for you.

Choosing a service that looks after updates and does backups for you can be helpful, but choosing a strong password is something you have to maintain for yourself. And as the hacking of social media sites has shown, nobody is immune. If you think someone who shouldn't have your password may have it (or shouldn't have it anymore), or you hear that a social media site has been hacked, be proactive and change it.
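Two small checks for the advice in this section, added here as an example and not part of the original post: one rejects a password that is too short or appears on a known-bad list, the other confirms that a plain-HTTP request to the login page is redirected to https:// (so a password is never sent in the clear). The known-bad list is a constructed stand-in for a real leaked-password list, the 14-character minimum is a policy choice the post does not state, and the login URL is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions: KNOWN_BAD_PASSWORDS is a constructed stand-in for a real
# leaked-password list; MIN_PASSWORD_LENGTH is a policy choice; the login
# URL passed on the command line is a placeholder for your own site.

# Constructed stand-in for a leaked-password list, one entry per line.
KNOWN_BAD_PASSWORDS='password
123456
qwerty
letmein
linkedin
welcome1'

MIN_PASSWORD_LENGTH=14   # policy choice, not from the post

# password_is_acceptable PASSWORD
# Returns 0 if the password is long enough and not on the known-bad list.
password_is_acceptable() {
  pw="$1"
  # Case-insensitive exact match against the list: "Password" is as bad as "password".
  lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
  if printf '%s\n' "$KNOWN_BAD_PASSWORDS" | grep -qxF -- "$lower"; then
    return 1
  fi
  [ "${#pw}" -ge "$MIN_PASSWORD_LENGTH" ]
}

# login_redirects_to_https HEADERS
# HEADERS is the response-header text of a plain-HTTP request to the login
# page (what `curl -sI` prints). Returns 0 only if the server answers with a
# redirect whose Location is an https:// URL.
login_redirects_to_https() {
  headers=$(printf '%s\n' "$1" | tr -d '\r')
  status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
  case "$status" in
    301|302|307|308) ;;
    *) return 1 ;;
  esac
  printf '%s\n' "$headers" | grep -qi '^location: https://'
}

# Usage: sh login_check.sh http://example.com/wp-login.php   (placeholder URL)
if [ "$#" -eq 1 ]; then
  if login_redirects_to_https "$(curl -sI -- "$1")"; then
    echo "ok: $1 redirects to https"
  else
    echo "warning: $1 is served over plain http; passwords would travel in the clear" >&2
    exit 1
  fi
fi
```

The redirect check only looks at the first hop; if the site redirects http to https and then https to a login page somewhere else, run it again against the URL in the Location header.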

Like any other system, do regular backups

Most database servers provide a means of backing them up. Both Postgres and MySQL (the two major databases used by open source CMSs) have command line utilities for making backups, which means backups can be scripted to run regularly, though you should still check them to make sure the backup is actually working. If you are using SQLite, the database is just a file you can copy. Your IT people can help make sure you are getting your backups if they aren't already doing this. Also, creating a backup right before you update the software means you can go back to the previous version by restoring the old software and database if something goes horribly wrong.
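A scriptable backup of the kind this section describes, added here as an example and not code from the original post. It dumps the CMS database with the engine's own tool (mysqldump, pg_dump, or sqlite3), verifies the dump rather than trusting that it was written, and prunes old copies; run from cron nightly, and by hand right before applying an update, it also covers the pre-update copy the patching tip above asks for. It assumes the client tools are installed and can authenticate without a prompt (for example via ~/.my.cnf or ~/.pgpass), and BACKUP_DIR and KEEP_DAYS are placeholders to adjust for your site.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions: mysqldump / pg_dump / sqlite3 are installed and authenticate
# without prompting; BACKUP_DIR and KEEP_DAYS are placeholders.

BACKUP_DIR="${BACKUP_DIR:-/var/backups/cms}"
KEEP_DAYS="${KEEP_DAYS:-14}"   # keep enough history to cover a bad update

# dump_db ENGINE NAME OUT
# ENGINE is mysql, postgres or sqlite; NAME is the database name (or, for
# sqlite, the path of the database file). Writes a gzip-compressed dump to OUT.
dump_db() {
  engine="$1"; name="$2"; out="$3"
  tmp="$out.tmp"
  # Dump uncompressed first: in "mysqldump | gzip" a failing mysqldump would be
  # hidden behind gzip's exit status and leave a tiny, useless backup.
  case "$engine" in
    mysql)    mysqldump --single-transaction "$name" > "$tmp" ;;  # consistent InnoDB snapshot
    postgres) pg_dump "$name" > "$tmp" ;;
    sqlite)   sqlite3 "$name" ".backup '$tmp'" ;;  # safer than cp on a live file
    *)        echo "unknown engine: $engine" >&2; return 2 ;;
  esac || { rm -f "$tmp"; return 1; }
  gzip -c "$tmp" > "$out" && rm -f "$tmp"
}

# verify_backup FILE
# A backup you have not checked is not a backup. The file must exist, be
# non-empty, decompress cleanly, and contain at least one table definition
# (SQL dumps and SQLite files both carry the CREATE TABLE text).
verify_backup() {
  f="$1"
  [ -s "$f" ] || return 1
  gzip -t "$f" 2>/dev/null || return 1
  gzip -dc "$f" | grep -qai 'CREATE TABLE'
}

# prune_old_backups
# Deletes dumps older than KEEP_DAYS so the disk does not fill up silently.
prune_old_backups() {
  find "$BACKUP_DIR" -name '*.sql.gz' -type f -mtime +"$KEEP_DAYS" -exec rm -f {} +
}

# Usage: sh cms_backup.sh ENGINE NAME      e.g.  sh cms_backup.sh mysql mysite
if [ "$#" -eq 2 ]; then
  mkdir -p "$BACKUP_DIR"
  out="$BACKUP_DIR/$(basename "$2")-$(date +%Y%m%d-%H%M%S).sql.gz"
  if dump_db "$1" "$2" "$out" && verify_backup "$out"; then
    prune_old_backups
    echo "backup ok: $out"
  else
    echo "backup FAILED: $out" >&2
    exit 1
  fi
fi
```

A database dump covers your content; the CMS code, uploaded files and configuration live on disk and need their own copy (a tarball of the site directory taken at the same time is enough), or a restore will give you a database with nothing to run it.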

Hopefully you will never need to worry about dealing with being hacked, but being prepared can help you recover before too many people see the damage.