7 CMS Security Tips to Protect Your Site

Posted on by Jason Bales | Updated:
Home > Blog > Security > 7 CMS Security Tips to Protect Your Site

Are you considering using a CMS (content management system) on your website and unsure about security implications?

Running a CMS on your website generally makes your team work better together. Instead of all the required changes being hard coded by your developers, anyone can update the website in real time through an intuitive user interface.

There are dozens of popular CMSs to choose from, including Drupal or Shopify, and knowing which to choose will depend on your goals and tech stack. But finding, installing, and making the right CMS work for your company is just the first step. You also have to ensure that you and your customers’ data are completely safe and shielded from any potential malware or hacker attacks.

Here are a few quick CMS security tips for you to start with.

Have you outgrown your current host? Liquid Web offers CMS Hosting perfect for those using Kentico, Sitefinity, or Sitecore that require a high-performance cloud environment.

1. Keep the CMS Updated

Whichever CMS you pick, whether it’s closed-source or open-source, one of the most important considerations should be the frequency of its updates. As security threats evolve with lightning speed today, it’s paramount for the creators of your CMS to constantly check and patch it for new vulnerabilities.

If there’s such an option, turn on CMS auto-updates. Otherwise, set a recurring reminder to yourself or your IT Team to check if a new version has become available.

Similarly, if your CMS setup uses any plugins, make sure they get timely updates since it’s often one of the easiest ways for a malicious player to get access to your data. Use fewer plugins in general and get the latest version of those you absolutely need.

Key Takeaway: Ensure your CMS and any plugins are kept up-to-date regularly with the latest patches.

2. Set Unique and Complex Passwords

Logging into your CMS should be impossible to do from memory. If your coworker can remember your password, hackers can too.

To secure your login process, create a new user with an appropriate access level (guest, admin, editor, etc.) for every person that needs to use the CMS (rather than having a single login) with a unique and complex password generated by a password manager. Turn on 2FA (two-factor authentication) if such an option is available to require everyone to use another unrelated authentication method to get in.

Key Takeaway: Use complex passwords and a password manager paired with 2FA for the most secure stance.

3. Backup Data Frequently

One of the most widespread types of malware in recent years has been ransomware — scripts that block access to your data (by encrypting it) until you pay up. WannaCry ransomware, for example, infected more than 200,000 computers in 2017.

While protecting yourself from ransomware requires the same precautions you use for other malware, the best warranty here is to always have an up-to-date set of your data stored elsewhere. Thus, you should configure your backups to be frequent and automatic.

Key Takeaway: Backup your data frequently, automatically, and in different formats and locations.

4. Install HTTPS for All URLs

As nearly every CMS today requires you to log in to use it, HTTPS has become the predominant website security protocol. It’s important to install HTTPS on all webpages to ensure that none of your visitors’ requests could be imitated as ways to explore potential vulnerabilities.

Additionally, moving your website to use HTTPS will boost your SEO score with Google and other search engines, which could increase your website’s rank and even website traffic.

Key Takeaway: Ensure all websites you are using have HTTPS installed on all websites for web visitor peace-of-mind and SEO benefits.

5. Enable a Firewall

One of the best ways of preventing hackers from accessing your data is not letting them through to your CMS in the first place. If you know which connections need to use your CMS and which don’t, you can configure a firewall and keep all suspicious users and bots out (using IP address filtering) without affecting your day-to-day workflow. Specifically, a properly installed firewall will help you mitigate potential DDoS attacks.

Key Takeaway: Firewalls can prevent unwanted traffic to your site while allowing legitimate traffic and users through.

6. Prevent SQL Injections

Generally, hackers will try to gain access to your data in any way possible. Anytime an exchange of information is happening between your website and server, there’s a potential for a vulnerability.

If you have user-fillable web forms, for example, hackers will attempt to inject malicious code into them to manipulate your SQL database (e.g., change tables, delete data). The way to defend against such attacks is to always explicitly parameterize your queries.

Key Takeaway: Use specific query parameters in user-fillable web forms to protect against SQL injection attacks.

7. Rely on High-Quality Servers

If you’re hosting your CMS rather than relying on the cloud as part of SaaS, you should have absolute trust in the servers you use. If you’re working on cheap and badly managed servers or have been trying to squeeze your website into an oversubscribed shared hosting plan, you’re needlessly increasing your security risks.

Key Takeaway: For complete peace of mind, always use the best servers you can afford, with plenty of spare resources and well-defined procedures in place for mitigating potential attacks of any kind.

Migrate to a Secure CMS Host

Do you feel that it’s time to switch your CMS and company data to another server, but not sure where to start? At Liquid Web, we offer a variety of options, from dedicated on-premise solutions to virtualized private environments in the cloud. Contact one of our technical specialists today to see which secure and scalable hosting solutions are the best fit for your current situation and your plan for growth.

Liquid Web Knows CMS Hosting. See Our Cloud Packages.

CMS Hosting banner

Avatar for Jason Bales
About the Author

Jason Bales

As a former blog writer with Liquid Web, Jason has spent the last 20 years providing client strategy in marketing, enterprise software implementation, and managed hosting services.

View All Posts By Jason Bales