How Craft CMS protects your website from modern security threats


Craft CMS stands out not just as a powerful content management system, but as a secure platform trusted by global giants and agencies alike.

No website or CMS is completely secure, but making yours as secure as possible is crucial to protecting against data breaches, hacking attempts and the SEO penalties that follow a compromise. It also shows that you take your visitors' privacy seriously.

Craft is the only CMS we use, and its developers, Pixel & Tonic, take security extremely seriously. So much so that it's trusted by top global brands such as Netflix, Adidas, Volkswagen, Ikea and Ella's Kitchen.

Our codebases and their dependencies undergo security reviews regularly by our team and third-party security researchers, both manually inspecting the code and using automated auditing tools. We also regularly interact with security experts to stay current on best practices and learn about new attack vectors.

Pixel & Tonic

What are Craft CMS’s built-in security features?

You can rest easy knowing that Craft CMS has security at its very heart.

Pixel & Tonic collaborate regularly with security experts to stay current on best practices and emerging threats, alongside the security reviews by their own team and third-party researchers quoted above.

What's more, Craft has been designed with security in mind from the ground up.

Core security features

PDO (PHP Data Objects) for database security

Craft CMS talks to the database through PDO (PHP Data Objects), using prepared statements with bound parameters for its queries.

With a prepared statement, the SQL is sent to the database first with placeholders where the values will go. The actual values are bound afterwards and are only ever treated as data, never as part of the query text.

What does that mean for your website data?

If an attacker submits crafted input through a form, for example a quote followed by an OR clause intended to rewrite the query, that input can't change the structure of the query: it is simply compared as a string and the injection does nothing. It isn't that PDO "spots" the attack; the separation of code and data means there is nothing to spot.

This defeats SQL injection, one of the most common and damaging attacks, in which an attacker tries to read sensitive data (usernames, password hashes, payment details), modify or delete data, or gain administrative control of the database or even the server. The caveat is that the protection only holds where values are bound. Anything interpolated into the SQL text, such as table or column names, ORDER BY clauses, or raw queries written in a custom plugin, must be validated against an allowlist instead.
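To make the difference concrete, here is a small PHP script (an added example, not Craft's own code, which reaches PDO through Yii's query builder) that runs the same lookup both ways against an in-memory SQLite database. The table, its two rows and the injection payload are all constructed for the demonstration. The string-built query matches every user because the payload closes the quoted string and appends a condition that is always true; the prepared statement compares the whole payload as a literal username and finds nothing.

```php
<?php
// Added example (not Craft's own code): a string-built query beside a PDO
// prepared statement. Uses an in-memory SQLite database so it runs offline;
// the table, its rows and the attacker's input are constructed for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (username, email) VALUES
            ('alice', 'alice@example.com'),
            ('bob',   'bob@example.com')");

// Vulnerable: the input becomes part of the SQL text, so a quote in it ends
// the string literal and whatever follows is parsed as SQL.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT username FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the query shape is fixed at prepare time; the value is bound afterwards
// and can only ever be compared as data, never parsed as SQL.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Classic injection payload, as it might arrive from a login or search form.
$attackerInput = "' OR '1'='1";

printf("unsafe, attacker input:   %s\n", json_encode(findUserUnsafe($pdo, $attackerInput)));
printf("safe,   attacker input:   %s\n", json_encode(findUserSafe($pdo, $attackerInput)));
printf("safe,   legitimate input: %s\n", json_encode(findUserSafe($pdo, 'alice')));
```

On MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the binding is done by the database server rather than by the PDO client, which is what "prepared statement" is meant to mean.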

Secure user authentication

Craft 5 simplifies enhancing account security by offering two-factor authentication (2FA) and passkeys for all user accounts. These features provide an additional layer of protection beyond passwords.

2FA is built in, without the need for third-party plugins, and works with all major authenticator apps. Passkeys offer an even more seamless way to verify your identity, using your device's built-in facial recognition or fingerprint sensor for sign-in and removing the need for an authenticator app. Passkeys are built on WebAuthn, so your site must be served over HTTPS for them to work.

Moreover, 2FA can be made mandatory for users in Craft, which significantly reduces the risk of account takeover through weak, reused or phished passwords.

From two-factor authentication to defence against SQL injection, Craft CMS's security features make it a trusted partner for businesses and governments around the world.

Protection against common attacks

CSRF protection with tokens

Cross-Site Request Forgery (CSRF) is when an attacker tricks a logged-in user's browser into sending a request the user never intended, such as a form submission that changes their account settings. The browser attaches the session cookie automatically, so without an extra check the site can't tell the forged request from a genuine one.

Craft adds a CSRF token to every form it renders (and to the forms you build yourself, via the csrfInput() Twig function) and ties it to the user's session. A POST request that arrives without the correct token is rejected, so a forged request from another site fails. The check is on by default, so make sure your own templates include the token rather than disabling the protection to "fix" a rejected form.
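The mechanism itself is simple enough to show in a few lines. The script below is an added example, not Craft's or Yii's implementation, of the token check that CSRF protection rests on. The session is a plain PHP array so it runs from the command line, and the hidden field is given Craft's default token name, CRAFT_CSRF_TOKEN, purely for familiarity. A genuine submission carries the token that was written into the form; a forged submission from an attacker's page can make the browser send the session cookie but cannot read the token, so it arrives with no token or a guessed one and is refused.

```php
<?php
// Added example (not Craft's own code): the token check behind CSRF protection.
// The "session" is a plain array and the form is a string so it runs offline.
declare(strict_types=1);

function issueCsrfToken(array &$session): string
{
    // One unguessable token per session, created lazily and reused by every form.
    if (!isset($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function renderForm(array &$session): string
{
    $token = htmlspecialchars(issueCsrfToken($session), ENT_QUOTES, 'UTF-8');
    // Craft's {{ csrfInput() }} Twig function emits an equivalent hidden field;
    // CRAFT_CSRF_TOKEN is its default field name.
    return '<form method="post" action="/account/settings">'
         . '<input type="hidden" name="CRAFT_CSRF_TOKEN" value="' . $token . '">'
         . '<input type="email" name="email"><button>Save</button></form>';
}

function isValidCsrf(array $session, array $post): bool
{
    if (!isset($session['csrf'], $post['CRAFT_CSRF_TOKEN'])) {
        return false;
    }
    // Constant-time comparison so a mismatch leaks nothing about the real token.
    return hash_equals($session['csrf'], (string) $post['CRAFT_CSRF_TOKEN']);
}

$session = [];
echo renderForm($session), PHP_EOL;

// Genuine submission: the browser posts back the token that was in the form.
$legit = ['email' => 'me@example.com', 'CRAFT_CSRF_TOKEN' => issueCsrfToken($session)];

// Forged submissions: the attacker's page triggers the POST with the victim's
// cookies, but cannot read the token, so it is missing or guessed.
$forgedGuess   = ['email' => 'attacker@example.com', 'CRAFT_CSRF_TOKEN' => str_repeat('0', 64)];
$forgedNoToken = ['email' => 'attacker@example.com'];

var_dump(isValidCsrf($session, $legit));
var_dump(isValidCsrf($session, $forgedGuess));
var_dump(isValidCsrf($session, $forgedNoToken));
```

The two properties that make this work are that the token is unguessable (random_bytes, not a hash of something predictable) and that it lives somewhere the attacker's origin can't read, which is why the check sits alongside the session rather than in a cookie alone.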

Escaping variables to prevent XSS (cross-site scripting)

Cross-site scripting (XSS) is when an attacker gets a script of their own into a page your visitors see, for example by submitting it through a form or a comments section so that it is stored and rendered back to other users.

Craft doesn't try to strip "bad" code out of input. Instead, its Twig templates escape output by default, so characters with meaning in HTML are rendered as plain text rather than markup and a submitted script never runs in a visitor's browser. The caveat is that escaping is a per-output decision: the |raw filter, and any plugin or module code that builds HTML by hand, bypass it, so review every place where user-supplied content is output unescaped.

Safe file uploads

Attackers use file uploads to get code of their own onto the server, for example a PHP script with an image file name. Craft checks every uploaded asset against an allowlist of file extensions (the allowedFileExtensions setting, which extraAllowedFileExtensions can extend), so a file with an executable extension is refused rather than stored where the web server could run it. Keep that list as short as your site needs, and configure the web server so that nothing in the uploads directory is ever executed as a script.
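Here is an added example, not Craft's own upload code, of the checks a safe upload handler performs and of why an extension check alone isn't enough. The allowlist, the three sample files (a minimal PNG header, a PHP web shell saved under a .jpg name, and a plain .php script) and the temporary directory are all constructed for the demonstration. The extension gate refuses shell.php outright; the content check, using PHP's fileinfo extension to sniff the real type, refuses the disguised shell because its bytes are a PHP script, not a JPEG; and the accepted file is stored under a random name so the uploader never chooses the path it ends up at.

```php
<?php
// Added example (not Craft's code): the checks behind a safe upload handler.
// Sample files are constructed in a temp directory so the script runs offline.
declare(strict_types=1);

final class UploadRejected extends RuntimeException {}

// Allowlist of extensions this site needs, each with the MIME types its
// content may legitimately have. Never a denylist of "bad" extensions.
const ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'pdf'  => ['application/pdf'],
];

function validateUpload(string $originalName, string $tmpPath): string
{
    // Judge by the final extension only: "shell.php.jpg" is treated as jpg here
    // and must then also pass the content check; "shell.php" fails the allowlist.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new UploadRejected("extension .$ext is not allowed");
    }

    // Sniff the real content rather than trusting the client-sent MIME type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new UploadRejected("content is $mime, not a valid $ext");
    }

    // Never keep the user's file name: a random name means the uploader can't
    // pick the path, and the stored name keeps the vetted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed test files.
$dir = sys_get_temp_dir() . '/upload-demo-' . getmypid();
mkdir($dir);
file_put_contents("$dir/a.png", "\x89PNG\r\n\x1a\n" . str_repeat("\0", 32)); // PNG signature
file_put_contents("$dir/b.jpg", "<?php system(\$_GET['cmd']); ?>");        // web shell named .jpg
file_put_contents("$dir/c.php", "<?php phpinfo();");                        // plain PHP script

$uploads = ['photo.png' => 'a.png', 'photo.php.jpg' => 'b.jpg', 'shell.php' => 'c.php'];
foreach ($uploads as $name => $file) {
    try {
        printf("%-14s accepted, stored as %s\n", $name, validateUpload($name, "$dir/$file"));
    } catch (UploadRejected $e) {
        printf("%-14s rejected: %s\n", $name, $e->getMessage());
    }
    unlink("$dir/$file");
}
rmdir($dir);
```

Even with all three checks, the upload directory itself must be served as static content only. An image that really is an image can still carry a PHP payload in its metadata, and that only matters if the web server is willing to hand the file to the PHP interpreter.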

Best practices for securing Craft CMS websites

Setting a strong foundation with an SSL certificate

Securing any website starts with serving it over HTTPS, which needs a valid TLS certificate (still commonly called an SSL certificate).

The certificate lets the browser verify that it is talking to the genuine server, and the two then negotiate an encrypted connection in the TLS handshake. Traffic can still be intercepted in transit, but an eavesdropper can't read or tamper with it without being detected.

Modern browsers make it straightforward to check whether a site is using HTTPS.

How do you know if a website has a valid certificate?

  1. If the URL starts with https:// the connection is encrypted; plain http:// means it isn't, however the page looks.
  2. Select the padlock icon in the address bar to show the site's certificate details, including who issued it and when it expires.

Having a certificate isn't quite enough on its own. Redirect every http:// request to https://, and send a Strict-Transport-Security (HSTS) header so that browsers won't try plain HTTP again on later visits.

Keeping on top of updates

Regular updates to Craft CMS, plugins and PHP are critical to the security of a website. As mentioned above, Pixel & Tonic monitor for vulnerabilities and release fixes for them, but if those updates aren't applied to your site it stays exposed to issues that are already public. Watch Craft's security advisories, and keep plugins and the PHP version current too, since each is as much a part of the attack surface as Craft itself.

Ensure you’re working with a development team or have a maintenance retainer in place with your agency to keep your Craft site running securely.

User management

User management is key to maintaining a secure website, and Craft makes this straightforward.

Users can be organised into groups, allowing an admin to set permissions once for the whole group rather than for each user. Give each group only the permissions its members actually need, and keep the number of admin accounts to a minimum. Craft also verifies new email addresses, so users must prove they can access their inbox before their account is activated.

Configure session management

Shared and public spaces are a risk in their own right. If a user walks away from an open Craft control panel without locking their device, anyone passing can act as that user.

Craft automatically logs users out after a period of inactivity (one hour by default), and the period can be shortened to match the level of security you need.
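The settings involved live in the site's config/general.php. The fragment below is an added example, not the page's or the project's own config; every key is a documented Craft general config setting, but the values are illustrative rather than recommended defaults, and you should pick them to suit your own risk. It shortens the idle timeout the text describes and adds the login-throttling and session-binding settings that go with it.

```php
<?php
// config/general.php: added example of session-related Craft settings.
// Values are illustrative, not recommended defaults.
return [
    // Log users out after 30 minutes without a request (default is 1 hour).
    'userSessionDuration' => 1800,

    // How long a "remember me" session stays valid (default is 14 days).
    'rememberedUserSessionDuration' => 60 * 60 * 24,

    // Tie the session to the client's user agent and IP address, so a stolen
    // session cookie is harder to reuse from elsewhere.
    'requireUserAgentAndIpForSession' => true,

    // Lock the account for 5 minutes after 5 consecutive failed logins.
    'maxInvalidLogins' => 5,
    'cooldownDuration' => 300,

    // Never run production with dev mode on: it exposes stack traces and
    // detailed error pages to visitors.
    'devMode' => false,
];
```

A shorter userSessionDuration is the setting that directly addresses the unattended-screen problem; the others limit what an attacker can do with a password they have guessed or a session cookie they have copied.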

We choose to work with, and be a partner of, Craft CMS because it is renowned for its robust security and is trusted by businesses and government agencies worldwide.

Choosing Craft means placing your trust in a CMS designed with security at its core. Its extensive built-in features proactively defend against common threats, while its advanced user permission controls empower you to minimise risks, reduce downtime, and protect sensitive data.


James Harrold

James specialises in frontend and creates high-performing websites, focusing on page speed optimisation for super smooth, quick-loading experiences online. 

He has specialist knowledge in Craft CMS and optimisation.


