Maintaining Your CMS

Back in the bad old days when the World Wide Web was just getting started, everyone built web sites by writing HTML code directly. This was fine back before having a web site was basically required for anyone to take you seriously, but it does require that you have a certain level of skill before you can manage a web site. In the intervening time, we have seen the advent of “user friendly” web site editors which have steadily acquired more and more features until we have the complex content management systems (CMS) of today. Odds are pretty good that your web site is running one of these CMS packages, such as WordPress, Joomla, or Drupal.

To be fair, a CMS does make operating your web site a lot simpler, at least in most cases. However, it comes with a major drawback. Back in the day when everything was a static HTML page which may or may not have a smattering of JavaScript or the like, you could put up a web page and be sure that the page itself was not a security vulnerability. Sure, you still had to worry about the underlying server hosting it (presumably maintained by the server operator) and whatever credentials you used to upload the files, but you knew that nobody could use your web page to gain access to the server. With a CMS, however, you have an additional piece of software that is accessible through your web site that can have security problems. That is, the software itself is exposed to anyone who cares to poke at it. What’s worse is that if some nefarious individual manages to break that CMS software, they now have full access to do whatever they want with your web site.

The practical upshot of this is that while static HTML pages can be put online and basically forgotten without any additional risk, a CMS operated web site cannot. New and updated versions of popular CMS software packages are released regularly. New releases almost always have security fixes in them. The same goes for any add-ons or plugins you add to your CMS. Every one of those updates serves to improve the overall safety of your CMS. Assuming you install them, that is. If you fail to install them, those same updates serve as flashing neon signs drawing the attention of the unsavoury types to the specific problem that was fixed, even if they didn’t know about the problem previously.

Basically, if you are not keeping your CMS up to date, you are inviting the bad guys in to do whatever they want with your site. You do not want that. Here are some of the things the bad guys do:

  • Deface your site. That is, they put up their own content, or put up something that is either embarrassing or otherwise unhelpful in place of your site. This can do lasting damage to your brand or reputation.
  • Install back doors. A back door is anything that allows access to your CMS or the files on the server without having to go through the usual authentication processes and without having to exploit a security vulnerability. Unless these are found, they will usually persist long after the original security problem is fixed. These can be anything from an extra administrative login to special code left somewhere on the server.
  • Attack others. Often, the bad guys will use your newly compromised site as a platform for attacking additional sites. This is definitely something you do not want.
  • Add malware to your site. That is, they modify your site such that it looks okay at a quick glance but attempts to deliver some sort of malware to site visitors. You really do not want that to happen.
  • Upload phishing pages. This is a very common activity these days. You know all those spam emails you get claiming to be your bank, credit card company, and the like, which have links to click on? Those links often go back to a web site that has been compromised to host the necessary pages to collect your login details. You don’t want your web site to be hosting those pages.
  • Random other things. Basically, once the bad guys have access, they can do anything they want.

Usually, you can clean up from a compromise by restoring a clean backup of your site (you do have one, don’t you?). Otherwise, your best option is to rebuild your site from scratch. Yes. That’s right. I said “from scratch”. That’s the only way you can be sure you don’t have any back doors left behind. If you have to, however, you can try patching your CMS and having someone attempt to remove any back doors and improper content left behind. This can be very expensive, however, and it is not possible to be completely certain everything is cleaned up.
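
One way to see what has changed on a site since its last clean backup, as an added example that is not part of the original post: the script below hashes every file in the backup and in the live site directory and lists what was added, changed or removed. The function names, directory layout and file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile

def manifest(root):
    """Map each file path (relative to root, '/'-separated) to a SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):  # does not follow directory symlinks
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                # Record where a link points instead of reading through it.
                digests[rel] = "symlink:" + os.readlink(full)
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests

def compare(clean_root, live_root):
    """Return (added, changed, missing) for the live site relative to the clean backup."""
    clean, live = manifest(clean_root), manifest(live_root)
    added = sorted(set(live) - set(clean))
    missing = sorted(set(clean) - set(live))
    changed = sorted(p for p in set(clean) & set(live) if clean[p] != live[p])
    return added, changed, missing

def write_file(root, rel, text):
    """Create a file (and any parent directories) under root."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Compare a constructed clean backup with a constructed, altered live copy."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root in (clean, live):
            write_file(root, "index.php", "<?php // front page\n")
            write_file(root, "inc/config.php", "<?php // settings\n")
        write_file(clean, "readme.html", "<p>shipped with the CMS</p>\n")
        write_file(live, "inc/config.php", "<?php // settings, edited after the backup\n")
        write_file(live, "uploads/extra.php", "<?php // not present in the backup\n")
        return compare(clean, live)

if __name__ == "__main__":
    for label, paths in zip(("added", "changed", "missing"), demo()):
        print(label, paths)
```

A file comparison like this only covers what is on disk. An extra administrative login lives in the CMS database and will not show up here.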

I should mention that you are ultimately responsible for your own web site. In particular, your hosting company is not responsible for keeping your CMS patched and up to date. Neither are they responsible for having a suitable backup of your site in case you get compromised. Even if your host has a suitable backup, you will likely be charged a premium for the privilege of restoring it. More likely, your web site will simply be disabled if your host notices it has been compromised. Ultimately, you need to take responsibility for running your own web site. That means actively maintaining it.

Of course, you’re probably thinking that this should be the hosting company’s responsibility. After all, hosting sites is what they do. But think about it carefully. A hosting company will have potentially thousands or millions of sites hosted on their servers. Every one of these sites is operated by a third party who can upload whatever software they want to their web site. How is the web hosting company even going to know there is a CMS there that might need patching? How many man hours would be required to do all that patching? Do you really want to pay $500/month for hosting a simple WordPress blog site?

Leaving aside responsibility for updating, you should also be aware that having your web site compromised can impact more than just the web site itself. If you are using the same domain for your email, which is quite common, you may find that people stop receiving your emails or they get marked as scams or spam. This is especially likely if your site is used as a phishing or malware delivery platform. Basically, it can cause your domain to pick up a poor reputation. Because of the volume of scam email out there that links back to web pages to complete the scam, there is a large movement to track domain reputation. Email messages mentioning a domain with a poor reputation will often be filtered and never delivered to their intended recipients. Having your web site compromised can lead to exactly that situation and you may find that you can no longer communicate effectively over email!

In short, you need to keep your web site clean even if you just use it as a sort of brochure. It doesn’t matter how infrequently information on it changes. If you are using a CMS, you need to make sure that is up to date. You do not want your domain to pick up a poor reputation and then find your email no longer works or find that search engines are flagging your site as a malware source or scam.