The Web is a Big Thing. More money ($190B) is spent on designing, building and maintaining websites than on all of digital advertising ($154B) combined. In retail, online spending crossed over $300 Billion in the US alone in 2015. On a human level, we increasingly rely on this medium to share stories, stay in touch with friends and loved ones, plan activities, pay bills and more.
Our Responsibility as WordPress and Drupal
WordPress and Drupal now power over half of the top million websites. For those of us who can remember their humble origins, this is an amazing success. For those of us who’ve built our careers and businesses on the strengths of these tools, this is a huge opportunity.
However, all of this success also makes these tools a promising target for bad behavior. We web professionals have a duty to help secure this medium, and even more so for those of us working with Drupal and WordPress. Open source succeeds based on the strengths of our communities and the talents of our contributors, and every single one of us has a role to play in securing these tools.
Web Content Management Is Inherently Risky
Unfortunately for all of us, a CMS is an inherently risky tool:
Web content management systems are connected to the Internet. Anything connected to the internet is a target. Websites are no different. We can sometimes forget this risk in our increasingly-connected world, but we need to remember that connecting something to the internet is inevitably a security risk.
Web content management systems are designed to be edited by the Internet. From a security standpoint, this is an incredibly poor design choice. Making something explicitly editable via the Internet is a recipe for problems. Of course, there are tremendous benefits from having a CMS-powered website, but we shouldn’t lose sight of the fact that those benefits come with security risks.
Indeed, from a security standpoint, the whole genre of web CMS could almost have been designed as a honeypot. Unfortunately, however, we happen to use these sites for real things, and there will always be security issues in every CMS out there.
Data Breaches Are Common
We all know that big data breaches happen. In order to register in the news cycle, you now need to be exposing millions of records to hackers. If you haven’t ever seen it, the good people at Information is Beautiful have a fantastic visualization of data breaches. Its subtitle—“Selected losses greater than 30,000 records”—indicates how common this is and highlights that this is just the tip of the iceberg.
But I’m Tiny!
I suspect that most of us reading this article do not have millions of records to secure. Many of us maintain and manage much smaller sites. They might be important to us, but relative to these massive organizations, we’re hardly a target, right? Surely the hackers, criminals and forces of evil have no interest in our tiny websites? WRONG.
You Are A Target
By virtue of having a website, you have a number of valuable assets that others would like to have:
Computing Power. Every single website is sitting on top of a computing resource that is connected to the internet. In turn, that resource can be used to attack other internet-connected systems. This computing resource is a fundamental building block for botnets.
Visitors. Every single website has visitors. Some of those visitors will be using an outdated browser or one with other security vulnerabilities. Whoever controls your website can reach every single one of those visitors.
Proximity. In addition to the above, about 35% of data breaches start with websites. Your website is on a server somewhere. That server is next to other computers on a network. Some of those computers might have sensitive information and/or access to the next system in the chain that leads to their goals.
Personally Identifiable Information? Transactions? If your site is doing anything with e-commerce, donations, membership or anything else people create accounts to do, it has financial and personal information that can be stolen.
Each of these assets individually is plenty of reason to target a website. All of them together make every single website a target. That, combined with the fact that a massive share of these attacks are automated, means that your Drupal / WordPress website is absolutely a target.
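The automated nature of these attacks is something you can see for yourself in an ordinary web server access log. The script below is an added example, not code from the article or from Pantheon: it parses combined-format log lines, counts per-IP hits on a hand-picked set of CMS login and RPC endpoints (the WordPress and Drupal paths in `PROBE_PATHS` are an assumed list), and flags clients whose behaviour looks scripted, either by hammering one login endpoint or by walking endpoints from more than one CMS. The log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Endpoints that automated CMS scanners commonly hit: WordPress login, XML-RPC
# and admin, plus Drupal's login. Assumed list for this example, not from the article.
PROBE_PATHS = {"/wp-login.php", "/xmlrpc.php", "/wp-admin/", "/user/login"}

# Combined log format: client IP, two ident/user fields, [timestamp], "request line", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not real traffic): one IP hammering the WordPress login,
# one walking both Drupal and WordPress endpoints, and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2016:10:01:10 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "python-requests/2.9"
192.0.2.44 - - [10/Mar/2016:10:01:10 +0000] "GET /user/login HTTP/1.1" 404 162 "-" "python-requests/2.9"
192.0.2.44 - - [10/Mar/2016:10:01:11 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "python-requests/2.9"
198.51.100.7 - - [10/Mar/2016:10:02:00 +0000] "GET / HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2016:10:02:04 +0000] "GET /about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2016:10:02:30 +0000] "GET /wp-login.php?redirect_to=%2F HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, path, status) for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop any query string so /wp-login.php?redirect_to=... counts as /wp-login.php.
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), path, int(m.group("status"))


def summarize(log_text):
    """Per-IP statistics: total requests, hits on probe endpoints, and which probe paths were touched."""
    stats = defaultdict(lambda: {"total": 0, "probes": 0, "paths": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or unexpected line; skip rather than crash
        ip, path, _status = parsed
        entry = stats[ip]
        entry["total"] += 1
        if path in PROBE_PATHS:
            entry["probes"] += 1
            entry["paths"].add(path)
    return dict(stats)


def flag_automated(stats, max_probe_hits=5, max_distinct_paths=3):
    """IPs whose behaviour looks scripted: many hits on login/RPC endpoints, or a walk
    across endpoints from more than one CMS (a human on a WordPress site has no reason
    to request Drupal's /user/login). Thresholds are illustrative assumptions."""
    flagged = [
        ip for ip, entry in stats.items()
        if entry["probes"] >= max_probe_hits or len(entry["paths"]) >= max_distinct_paths
    ]
    return sorted(flagged)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip in flag_automated(report):
        entry = report[ip]
        print(f"{ip}: {entry['probes']} probe hits across {sorted(entry['paths'])}")
```

Run against a real access log, the two signals are worth tuning separately: the hit-count threshold catches credential stuffing against a single login page, while the distinct-path rule catches broad scanners that try every CMS they know about regardless of which one you actually run. The ordinary visitor who logs in once is not flagged by either rule.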
Next up, we’ll talk about how to understand the threat in Part 2: Website Security Isn’t Binary.
Note: This is the first part of a series of articles on website security. Read the rest:
- Part 1: You Are A Target
- Part 2: Website Security Isn’t Binary
- Part 3: Security in the Platform Layer
- Part 4: The Application Layer
- Part 5: Securing Drupal
- Part 6: Updating WordPress Securely
- Part 7: Administering WordPress
- Part 8: Organization Processes