Drupal, Joomla and WordPress (DJW) are among the most
popular content management systems used for website
building — and each can easily be the means through which
criminals can endanger a business owner’s livelihood.
While CMS platforms appear to be closed environments,
their infrastructures include databases, which create opportunities
for hacking. Most enterprises choose a CMS
for speed of development and ease of maintenance, but
this often occurs at the cost of security.
According to a report by The Hartford, 85 percent
of small business owners believe a data breach is unlikely.
In reality, they are its most common victims.
Many times we don't hear of hacks within DJW systems,
because the only way to trace the hack is to look
at the database activity report, which many website
owners don't do.
There are various options, based on time and
budget, that website owners can implement to protect
themselves and their users — before they both become
Ensure all activities on the site are visible. Web workers
must regularly check the database activity report to ensure
only authorized users are accessing the database
and site admin tools. To enhance security, they should
give users different privileges, allowing them to access
only the sections relevant to their responsibilities.
Be aware of any overall security issues. Even a simple
Google alert for “Drupal” and “security” may help the
Keep an eye on technical changes. Although most DJW
websites appear composed of a dizzying array of formats
such as blogs, calendars, product lists and more,
they are ultimately a content management system,
which stores and manages all content in specific database
tables. Thus, installation of new modules can
cause new security breaches, while changing, removing
or renaming essential tables can also cause problems.
Install a database security system. A database security
system worth its weight should provide full separation of duties, an advanced audit trail with a secure “before
and after” log of database changes, SQL injection detection
and prevention, real-time alerting and extensive
Keep in mind, SMBs aren’t the only organizations
vulnerable to attacks. They, and much larger organizations,
as seen from the Sony and Zappos hacks, are all
susceptible to the following:
Compromised Sites: Hackers may have injected a constant
link within a site’s database that hosts malware
— and site owners generally have no idea this has occurred.
And, any user who accesses this website is exposed
SQL Injection: This uses the form on a website as a
gateway to the backend database. For example, the
hacker may include code that says to the database ‘send
the contents to firstname.lastname@example.org.’ These type of
attacks occur more than 70 times per hour.
Hacking: The PHP pages (the basis of DJW) may not
have been programmed correctly and contain their
Internal Data Theft: Not all employees have the company’s
best interests in mind. An easily guessed password
can provide them entry into the whole system —
or they could even be using their own password to access
databases, due to lack of separation of duties
within the system.
The Web Server: Many times common users don’t upgrade
the Web server being used to run the content
management system, which exposes it to known vulnerabilities
and makes it easier for the hacker to penetrate
Many small businesses are vulnerable to hackers,
because they generally don't have a dedicated IT team.
Easy-to-use, easy-to-install, affordable systems are out
there to help; website owners need to get one before
the hackers get them — the first time, the second time,
the third time.
About the Author: David Maman is CTO of GreenSQL, the database security
company for SMBs.