Reducing Web Security Vulnerabilities in DJW

Drupal, Joomla and WordPress (DJW) are among the most popular content management systems used for website building — and each can easily be the means through which criminals can endanger a business owner’s livelihood.

While CMS platforms appear to be closed environments, their infrastructures include databases, which create opportunities for hacking. Most enterprises choose a CMS for speed of development and ease of maintenance, but this often occurs at the cost of security.

According to a report by The Hartford, 85 percent of small business owners believe a data breach is unlikely. In reality, they are its most common victims. Many times we don't hear of hacks within DJW systems, because the only way to trace the hack is to look at the database activity report, which many website owners don't do.

There are various options, based on time and budget, that website owners can implement to protect themselves and their users — before they both become victims.

Ensure all activities on the site are visible. Web workers must regularly check the database activity report to ensure only authorized users are accessing the database and site admin tools. To enhance security, they should give users different privileges, allowing them to access only the sections relevant to their responsibilities. Be aware of any overall security issues. Even a simple Google alert for “Drupal” and “security” may help the fight.

Keep an eye on technical changes. Although most DJW websites appear composed of a dizzying array of formats such as blogs, calendars, product lists and more, they are ultimately a content management system, which stores and manages all content in specific database tables. Thus, installation of new modules can cause new security breaches, while changing, removing or renaming essential tables can also cause problems.

Install a database security system. A database security system worth its weight should provide full separation of duties, an advanced audit trail with a secure “before and after” log of database changes, SQL injection detection and prevention, real-time alerting and extensive reporting.

Keep in mind, SMBs aren’t the only organizations vulnerable to attacks. They, and much larger organizations, as seen from the Sony and Zappos hacks, are all susceptible to the following:

Compromised Sites: Hackers may have injected a constant link within a site’s database that hosts malware — and site owners generally have no idea this has occurred. And, any user who accesses this website is exposed to malware.

SQL Injection: This uses the form on a website as a gateway to the backend database. For example, the hacker may include code that says to the database ‘send the contents to hacker@criminal.com.’ These type of attacks occur more than 70 times per hour.

Hacking: The PHP pages (the basis of DJW) may not have been programmed correctly and contain their own vulnerabilities.

Internal Data Theft: Not all employees have the company’s best interests in mind. An easily guessed password can provide them entry into the whole system — or they could even be using their own password to access databases, due to lack of separation of duties within the system.

The Web Server: Many times common users don’t upgrade the Web server being used to run the content management system, which exposes it to known vulnerabilities and makes it easier for the hacker to penetrate a system.

Many small businesses are vulnerable to hackers, because they generally don't have a dedicated IT team. Easy-to-use, easy-to-install, affordable systems are out there to help; website owners need to get one before the hackers get them — the first time, the second time, the third time.

About the Author: David Maman is CTO of GreenSQL, the database security company for SMBs.