How secure is your content managed website?

Over the last 18 months, we’ve made no secret of the fact that we are huge fans of Craft CMS - in fact, our design, development, content and account management teams are all massive advocates. Not to mention all of our clients that have migrated to it from some of the more well-known content management systems.

We originally moved on to Craft for a multitude of reasons, including stability, flexibility, scalability, performance and ease of use, but one of the biggest reasons was security. We were particularly concerned about the security of WordPress as a CMS and needed a solution that we were confident would be safe, secure and future-proof. Take a look at our Craft vs WordPress article to find out more.

Our concerns about WordPress's security were reinforced last month when Search Engine Watch published new data that showed 86.5% of WordPress websites in the UK are vulnerable to known hackable exploits.

They also stated that there are more than 100,000 known vulnerabilities that can be exploited by hackers to perform all kind of malicious activity, including but not limited to, extracting customer data, planting crypto-mining software and stealing user credit card information. Even if your WordPress install is fully up to date, a single outdated plugin with a vulnerability can allow unauthorised access to the CMS and database. Frightening? - much! Especially considering the upcoming GDPR legislation.

A recent research study conducted by cybersecurity monitoring platform CyberScanner, who scanned 93,930 WordPress websites and 9834 WooCommerce websites (in the UK), found that on average 80.7% contained at least one known hackable exploit that can be deemed as a severe security risk. The worst offending WordPress website had a total of 23 separate high-risk known vulnerabilities, among other medium and low-risk classified exploits!

People often ask why WordPress is so at risk. The simple reason is its popularity - between 25-40% of the internet is built on WordPress. In addition, WordPress is heavily reliant on 3rd party plugins, many of which aren’t maintained or updated. This plethora of out-of-date code is a hacker’s heaven.

Craft, in general, is a very secure CMS, and all vulnerabilities are fixed and released as soon as possible with the normal Craft updates. Pixel and Tonic (the creators of Craft) take security extremely seriously and have stringent steps in place to ensure the integrity of the system. Having said that, no system is completely infallible and there is no such thing as 100% bug-free software.

As an agency, we therefore take additional steps to ensure the stability and security of our client’s websites, including but not limited to:

- Client specific VPS box
- Seamless HTTPS integration with LetsEncypt
- Daily server security batch updates
- Ongoing Craft updates
- In-app purchasing

A key part of the GDPR legislation is that individual businesses are responsible for both securing their customer data, including data captured on their website(s) in order to prevent data breaches, phishing, and other forms of malicious online activity, and for putting their customers in control of who, how, and where their personal data is stored.

Businesses who fails to comply risk fines of up to €20 million, so it’s a BIG thing! The security of your CMS and database is not something to be taken lightly. You can outsource responsibility but not accountability and owners of websites that currently fail to adhere to GDPR guidance should take action now.

If you are using WordPress for your website, please read Search Engine Watch's article and take their recommended steps to protect your business and your customers as much as possible. If you have a Craft website and would like to discuss additional security measures in the wake of GDPR, or if you are interested in migrating over to Craft, please get in touch to speak to one of our team.