
Basic Security Practices for CMSs

Popular content management platforms such as WordPress, Joomla and Drupal are often targeted by attackers because of their widespread use. You can avoid most attacks by following a few simple rules.

CMS updates

First and foremost, keep your CMS up to date. Knowledge of security vulnerabilities spreads quickly among attackers, and automated scripts that exploit them appear soon after. WordPress, Joomla and Drupal can all be updated automatically; however, weigh the risks carefully, as an update gone wrong can take down your whole website.

Pay the same attention to installed plugins and themes: always keep them updated and install only widely used, trustworthy ones. If a plugin is no longer developed, look for an alternative.

File permissions

Another important point is permissions on files and directories. For all three CMSs, directories should have 755 permissions and files 644. In addition, set wp-config.php to 600 if you use WordPress and configuration.php to 444 if you use Joomla. With Drupal, deny access to authorize.php, cron.php, install.php and upgrade.php. Never set permissions to 777!
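The baseline above (directories 755, files 644, wp-config.php 600, configuration.php 444, nothing world-writable) can be audited and applied with a short POSIX shell script. This is an added example and not part of the original article; the document-root argument is an assumption, and the Drupal "deny access" rule is left to the web server configuration rather than file modes.

```shell
#!/bin/sh
# Added example (not from the original article): audit a CMS document root
# against the permission baseline and, if wanted, apply it.
# DOCROOT (e.g. /var/www/html) is an assumption; pass your own path.

# Usage: list_perm_violations DOCROOT
# Prints one "rule path" line per deviation; prints nothing when clean.
list_perm_violations() {
    root="$1"
    find "$root" -type d ! -perm 755 -exec printf 'dir-not-755 %s\n' {} \;
    # Config files are excluded here and checked against their own modes below
    find "$root" -type f ! -perm 644 \
        ! -name wp-config.php ! -name configuration.php \
        -exec printf 'file-not-644 %s\n' {} \;
    # The rule the article stresses most: nothing may be writable by "other"
    find "$root" -perm -002 -exec printf 'world-writable %s\n' {} \;
    if [ -f "$root/wp-config.php" ]; then
        find "$root/wp-config.php" ! -perm 600 -exec printf 'wp-config-not-600 %s\n' {} \;
    fi
    if [ -f "$root/configuration.php" ]; then
        find "$root/configuration.php" ! -perm 444 -exec printf 'configuration-not-444 %s\n' {} \;
    fi
}

# Usage: count_perm_violations DOCROOT  -> number of deviations (0 = clean)
count_perm_violations() {
    list_perm_violations "$1" | wc -l | tr -d ' '
}

# Usage: apply_cms_baseline DOCROOT
# Sets the baseline modes; run it as the file owner or as root.
apply_cms_baseline() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then chmod 600 "$root/wp-config.php"; fi
    if [ -f "$root/configuration.php" ]; then chmod 444 "$root/configuration.php"; fi
}
```

Run `list_perm_violations /path/to/docroot` first to see what would change; `apply_cms_baseline` only touches modes, never ownership, so files owned by the wrong user still need a separate `chown`.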

General advice

Do not use common usernames such as 'Admin' or 'Administrator'. These are the first ones tried during a brute-force attack. Use a secure password: it should not include a common word and should contain lowercase and uppercase letters, numerals and special characters.

Securing your site with .htaccess

You can allow access to sensitive parts of your CMS only from specific IP addresses.

WordPress

Add the following block to the .htaccess file at the root of your application:

# Apache 2.2 access-control syntax; on Apache 2.4 it needs mod_access_compat,
# otherwise replace the three lines with: Require ip 12.34.56.78 98.76.54.32
<Files wp-login.php>
Order deny,allow
Deny from all
Allow from 12.34.56.78
Allow from 98.76.54.32
</Files>

Joomla

You need to create an .htaccess file in the /administrator directory with the following contents.

Order deny,allow
Deny from all
Allow from 12.34.56.78
Allow from 98.76.54.32

Drupal

Create an .htaccess with the following contents at the root of your website:

# <Location> is not permitted in .htaccess (Apache rejects the file with a 500 error),
# so the same restriction is expressed with mod_rewrite. Drupal already ships an
# .htaccess in its root; place these lines before Drupal's own RewriteRule entries.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/user/login
RewriteCond %{REMOTE_ADDR} !^12\.34\.56\.78$
RewriteCond %{REMOTE_ADDR} !^98\.76\.54\.32$
RewriteRule ^ - [F]
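The allow-lists above stop brute-force attempts against the three login endpoints; it is also worth seeing them in the access log. The following POSIX shell function, an added example that is not part of the original article, counts POST requests per client IP to wp-login.php, /administrator/ and /user/login in an Apache combined-format log and reports the IPs over a threshold. The log lines are constructed sample data using documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the original article): spot login brute-forcing
# against WordPress, Joomla and Drupal in an Apache combined-format access log.

# Usage: report_login_attempts THRESHOLD < access.log
# Prints "ip count" for every client IP with more than THRESHOLD POST requests
# to a CMS login endpoint. Only POSTs count: viewing the login page is normal.
report_login_attempts() {
    threshold="$1"
    awk -v limit="$threshold" '
        # Combined log format: $1 = client IP, $6 = "\"METHOD", $7 = request path
        $6 == "\"POST" && $7 ~ /^\/(wp-login\.php|administrator\/|user\/login)/ {
            hits[$1]++
        }
        END {
            for (ip in hits) if (hits[ip] > limit) print ip, hits[ip]
        }
    '
}

# Constructed sample log (TEST-NET addresses, not real traffic):
# 203.0.113.10 posts to wp-login.php six times, 192.0.2.5 posts to the Joomla
# administrator login four times, 198.51.100.7 logs in once and browses normally.
sample_log() {
    cat <<'EOF'
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 200 3380 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:55:42 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "curl/8.0"
203.0.113.10 - - [10/Oct/2023:13:55:43 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:44 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:55:45 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "curl/8.0"
203.0.113.10 - - [10/Oct/2023:13:55:46 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:55:47 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "curl/8.0"
203.0.113.10 - - [10/Oct/2023:13:55:48 +0000] "GET /wp-login.php HTTP/1.1" 200 3380 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:49 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:55:50 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-content/uploads/2023/photo.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
EOF
}

# Demonstration run on the sample log with a threshold of 3 attempts
sample_log | report_login_attempts 3
```

Against a real server, pipe the live log in (`report_login_attempts 20 < /var/log/apache2/access.log`, path assumed) and feed the reported addresses into your blocking or alerting of choice; a WordPress login POST that returns 200 is a failed attempt, while a successful one redirects with 302, so the status code in field 9 can refine the rule further.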

Turn off PHP in certain directories

Directories for uploaded files, usually images, are not meant to hold PHP scripts, so if you find one there, it has most likely been uploaded by an attacker. From a security standpoint, it is better to turn off PHP execution in these directories altogether. Create an .htaccess file with the following contents in each upload directory.

# php_flag is only recognised under mod_php; with PHP-FPM or CGI an unknown
# directive in .htaccess causes a 500 error, so drop this line in that setup.
php_flag engine off

# Works under any PHP setup: refuse direct requests for .php files here
<Files *.php>
Order allow,deny
Deny from all
</Files>

WordPress

In the case of WordPress, create it in the following directories.

/wp-includes
/wp-content/uploads

Joomla

For Joomla, in:

/images
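Blocking execution is the fix; finding the files that should never have been there is the check. The following POSIX shell function, an added example that is not part of the original article, scans the upload directories named above for PHP code, both by extension and by looking for a PHP open tag in files with innocent-looking names. The document-root argument and the default directory list are assumptions taken from the article's own paths.

```shell
#!/bin/sh
# Added example (not from the original article): find PHP code sitting in
# upload directories, where the article says it almost certainly was not
# put by the site owner. Defaults follow the article: WordPress uses
# wp-content/uploads, Joomla uses images. DOCROOT is an assumption.

# Usage: find_php_in_uploads DOCROOT [RELATIVE_UPLOAD_DIR ...]
# Prints one path per line for each file that carries a PHP-style extension
# or begins with "<?php" despite a harmless-looking name.
find_php_in_uploads() {
    docroot="$1"
    shift
    if [ "$#" -eq 0 ]; then
        set -- wp-content/uploads images
    fi
    for rel in "$@"; do
        dir="$docroot/$rel"
        [ -d "$dir" ] || continue
        # Extension check: .php, numbered variants, phtml/phar and double
        # extensions such as name.php.jpg that some handler setups still run
        find "$dir" -type f \( -name '*.php' -o -name '*.php[0-9]' \
            -o -name '*.phtml' -o -name '*.phar' -o -name '*.php.*' \) -print
        # Content check for everything else: an image must not start with <?php
        find "$dir" -type f ! -name '*.php*' ! -name '*.phtml' ! -name '*.phar' -print |
        while IFS= read -r f; do
            if head -c 5 "$f" | grep -q '^<?php'; then
                printf '%s\n' "$f"
            fi
        done
    done
    return 0
}

# Usage: count_php_in_uploads DOCROOT [RELATIVE_UPLOAD_DIR ...]  -> number of hits
count_php_in_uploads() {
    find_php_in_uploads "$@" | wc -l | tr -d ' '
}
```

A hit does not prove compromise on its own (a plugin may legitimately ship PHP into a custom upload path), but on a stock install every reported file deserves a look at its upload time, the access-log requests that touched it, and the user session that created it before it is removed.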