Author: Tim Priebe
Recently, one of my clients that uses an open source content management system (CMS) was hacked several times. I’ve talked about CMS’s in the past. But I’ve not really talked about the fact that open source CMS’s are prone to hacking by hackers.
Well, they are. That’s the ugly truth. Even with a heavily customized open source CMS (like the one my previously mentioned client is using), the sites are very prone to hacking. Mainly because anyone can view the code and search for vulnerabilities in it.
Given my recent experience, I’ve been doing a bit of research on the subject of securing your site from hackers. Here are five tips on securing any CMS against hackers. Some of these I was already implementing on my client’s site, some I was not.
1. Rename your admin file
Many open source CMS’s use simply named admin files, often called admin.php. Rename it to something like mysitebackend.php.
The only trick to this is now you have to rename all references to it in other files in your CMS. What you need to do is use a program that can search multiple files for the old name, admin.php, and replace it with the new name, mysitebackend.php.
For Windows, a good free program that has that capability is SciTE. If you’re using a Mac, a good one is TextWrangler.
2. Don’t publicly link to your admin file
This one is pretty simple. Don’t put a link out there to your newly renamed admin file for all to see. The most secure (but arguably inconvenient) way is to not link to it anywhere at all, but simply bookmark it in your browser.
3. Delete unused features
This is one I was guilty of not doing on my client’s site. Don’t just disable modules/features that you aren’t using (and have no plans to use). Delete them altogether.
Often the security holes that a hacker finds are in something that you’re not using on your site anyway. If the files aren’t there for him to access, he won’t be able to use that particular method to hack his way in.
4. Use strong passwords
The longer the password and the less like normal English it is, the better. It’s somewhat likely that your system has a maximum number of characters for a password. On many systems I’ve encountered, the limit is 10 characters. I encourage you to have a password that is as long as allowable if your limit is something small like that. Your password should ideally be 10-20 characters in length. The best passwords have numbers and both lowercase and uppercase letters.
5. Keep up-to-date on upgrades
The nice thing about many open source CMS’s is that they have a good community and security holes are found and patched. While you may not want to upgrade to a new release just as soon as it is released (give them a week or two to find any obvious security issues), keeping up-to-date on your software will help immensely.
Unfortunately, sometimes this is much more difficult than it sounds. This is especially the case if you have an extremely customized site where you’ve extensively modified the original CMS. In these cases, you need to find software that will compare files (your customized version and the latest upgraded version) and show you a line-by-line difference. You’ll then need to manually move the modifications over.
A good file to use if you want to compare differences in files on your Windows machine is ExamDiff. On a Mac, the aforementioned TextWrangler will take care of the job.
Unfortunately, even with all of these methods, you can still get hacked. Next time we’ll look at what measures to take before and after you’re hacked to prepare for that eventuality.
About the Author:
Tim is the owner and senior web designer at T&S Web Design. His company has developed and maintained website for dozens of small businesses and organizations. Tim also maintains a blog with free website advice for small business owners, GetASiteOnline.com.