Understanding the risks of content management systems How open source web platforms can open your organization to attack

IBM X-Force® Research Managed Security Services Report

Executive overview

In today’s fast-paced business world—especially in retail, where products change daily, even hourly—there’s an ever-growing need for quick changes to web content. That used to be the responsibility of webmasters and coders who created HTML code, JavaScript modules and plugins on the fly, but therein lay a fundamental problem: a critically important task depended on a handful of people. The process had to be decentralized, so a new method was developed: the web content management system, or CMS.

Today’s most popular web CMS platforms are WordPress, Joomla and Drupal. Together accounting for 75 percent of the market, it is common for one or more to be included as a standard feature of web hosting services. Their status attests to their popularity and effectiveness, but CMS platforms also have security issues. For example, one provider of WordPress security plugins found that 73 percent of all WordPress installations studied had unpatched vulnerabilities that could be easily detected with a freeware vulnerability scanner. It’s been argued that the figure could be overinflated because the study focused on a limited subset of WordPress installations. Nonetheless, cybercriminals quite plainly know that there are large numbers of unpatched installations on the web. That’s why they focus heavily on CMS-based sites.



About this report

This report was created by the IBM Managed Security Services Threat Research group, a team of experienced and skilled security analysts working diligently to keep IBM clients informed and prepared for the latest cybersecurity threats. This research team analyzes security data from many internal and external sources including event data, activity, and trends sourced from tens of thousands of endpoints managed and monitored by IBM for Managed Security Services accounts around the globe.

The development of CMS

The first stage of CMS development began in the late 1990s with platforms like Roxen, Blitzen, Ingeniux and Vignette. Mostly the work of web design agencies, not software developers, they all offered a very structured development environment using templates, but lacked a true WYSIWYG (what you see is what you get) component. After the dot-com crash, most of these platforms were put out to pasture as agencies shifted their focus away from coding toward design.

The next phase of development came in the 2000s, driven primarily by software companies with new ideas for the future of CMS. Led by DotNetNuke, Mambo and RedDot (companies that united later to create the Joomla CMS system), they built in features such as WYSIWYG, search capabilities, podcasts and survey tools, and even improved the HTML language. This phase saw the birth of the open source movement, which began largely in reaction to the high costs of enterprise software and created a split between paid and open source software that still exists today. With the open source market booming, CMS products became feature-rich and the demand for them increased. Web agencies now had a new marketplace: templates they could design, code and sell to consumers, who could in turn customize the look and feel of their sites without knowing how to code.

We’re living today in the third phase of CMS development. Some of the key features of third-generation CMS products are:

• Modular add-ons called plugins which require minimal coding for integration
• The ability to be run as a hosted application and sold by design agencies and affiliates like templatemonster.com
• Integration into databases, ecommerce and email as modules instead of plugins
• Use of front-end client-side code rather than the back-end, server-side code that used to be required

The central concern arising from this phase is the well-publicized recent spate of hacks on open source platforms. The widespread use of open source software has not gone unnoticed by the hacker community at large, and hackers are hard at work defacing web sites and embedding malware into ecommerce sites to harvest credit card information. The argument against commercial use of open source software in an enterprise environment has its roots here.

Why are CMS deployments vulnerable?

Hackers highly prize CMS platforms as targets. You might assume that the big three, WordPress, Joomla and Drupal, are security-hardened out of the box—that the platform developers must have built a very high degree of security into their products. But the opposite is true. These products are built on open source frameworks within shared developer environments, just like Linux, Apache and Open Office. Being so popular, and having so many widely publicized vulnerabilities within them—mainly in the third-party themes and plugins designed by thousands of different authors—it’s no wonder the big three CMS platforms are so tempting to hackers and worrisome to security researchers.

Security concerns with CMS

Vulnerabilities within CMS platforms are a goldmine for hackers, giving them an efficient way to execute mass-scale, automated attacks. Let’s look at some of the problems.

Brute force
Web site operators who use weak passwords leave their administrator accounts vulnerable to brute force attacks. With access to an admin account, hackers can inject malware that turns websites into distributed denial of service (DDoS) bots, or they can deface or disable a company’s web site and distribute malware that might lead to blacklisting on Google and other search engines.

Themes and plugins
There are thousands of developers designing CMS themes and plugins for custom use. With such diversity in the development community, no guarantees are possible; any and all components must be considered potentially vulnerable. In fact, it’s been found that of the 50 most popular WordPress plugins, 20 percent—one in every five—were vulnerable. The average CMS deployment uses at least four plugins. Eight million of them were downloaded from WordPress in 2014 alone.

SQL injections and cross-site scripting
New and improved attack strings are widely reported on a daily basis on many underground hacking sites. With a simple Google search you can find hundreds of known SQL injection and cross-site scripting (XSS) attack parameters affecting CMS platforms, specifically within the popular PHP scripting language environment. The SQL injection attack vector has been on the top of the Open Web Application Security Project (OWASP) list of top ten web vulnerabilities for years now, and that’s not expected to change.

Distributed denial of service
Researchers from security services provider Sucuri uncovered a straightforward trick in which hackers simply sent a pingback request to the XML-RPC file within WordPress. XML-RPC is a protocol used by WordPress and other CMS platforms and applications to provide services such as pingbacks, trackbacks and remote access to users. Hackers are able to greatly amplify the bandwidth at their disposal, as shown in a 2014 DDoS attack that leveraged over 162,000 WordPress sites, creating a super DDoS net that focused on a single target and took it down. This type of DDoS attack is particularly effective because XML-RPC is directed at layer 7 (application layer), which handles many different protocols including HTTP, DNS and FTP. Attacks against it require much less data than most mainstream DDoS attacks, which are focused on layer 3 (network layer).

WordPress attack metrics

IBM Managed Security Services data indicates that many SQL injection and command injection attacks were specifically targeting WordPress instances. In Figure 1, we see WordPress installations being attacked heavily during the first three months of 2014. The pattern diminishes from April through September, then briefly resurges. Shellshock attacks against WordPress were noted in November through December, but weren’t numerous enough to include in the data. The data represents actual security incidents where IBM customers were notified of these attacks. The data query was focused primarily on instances of the path to WordPress being found within a SQL injection or command injection security incident.

Figure 1. WordPress attacks identified by IBM Managed Security Services in 2014. [Chart “2014 WordPress Attacks”: monthly totals, January through December, on a scale of 0 to 12,000.]
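The report says the incident data was selected by finding the WordPress path inside SQL injection and command injection incidents. As an added example (not code from the IBM report), the following Python script applies the same kind of detection logic to a web server’s own access log for the three attack patterns described under “Security concerns with CMS”: failed-login bursts against wp-login.php, pingback floods against xmlrpc.php arriving from many reflecting WordPress sites, and SQL injection strings in requests to WordPress paths. The log lines, IP addresses, host names and thresholds are all constructed for the example.

```python
"""Added example (not from the IBM report): log-based detection of the WordPress
attack patterns described in this report, run over constructed access-log lines.
Thresholds, addresses and host names are assumptions for the example."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx "combined" log format:
# ip ident user [timestamp] "METHOD PATH PROTOCOL" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
LOGIN_FAILS_PER_MINUTE = 5   # assumed: failed wp-login.php POSTs from one IP within a minute
PINGBACK_SOURCES = 3         # assumed: distinct WordPress reflectors hitting xmlrpc.php within a minute
# Coarse signatures of SQL injection probes, applied to the URL-decoded query string.
SQLI_RE = re.compile(
    r"union\s+select|\bor\s+\d+\s*=\s*\d+|sleep\s*\(|information_schema|['\"]\s*--", re.I)


def parse_line(line):
    """Parse one combined-format line into a dict (None if it does not match)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    stamp = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["minute"] = stamp.strftime("%Y-%m-%dT%H:%M")   # bucket key for rate checks
    return rec


def analyse(lines):
    """Return the IPs brute-forcing the login, the minutes that saw a pingback flood,
    and the (ip, decoded request) pairs carrying SQL injection strings."""
    login_fails = Counter()        # (ip, minute) -> failed login POSTs
    pingbacks = defaultdict(set)   # minute -> reflector IPs
    sqli = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["path"])
        if rec["method"] == "POST" and url.path.endswith("/wp-login.php"):
            # WordPress re-renders the form (200) on a failed login and redirects (302) on success.
            if rec["status"] != "302":
                login_fails[(rec["ip"], rec["minute"])] += 1
        elif rec["method"] == "POST" and url.path.endswith("/xmlrpc.php"):
            # A pingback is delivered by another WordPress site, which identifies itself
            # with a user agent of the form "WordPress/x.y; http://origin-site".
            if rec["ua"].startswith("WordPress/"):
                pingbacks[rec["minute"]].add(rec["ip"])
        if "/wp-" in url.path and SQLI_RE.search(unquote_plus(url.query)):
            sqli.append((rec["ip"], unquote_plus(rec["path"])))
    return {
        "login_bruteforce": sorted({ip for (ip, _), n in login_fails.items()
                                    if n >= LOGIN_FAILS_PER_MINUTE}),
        "pingback_flood": sorted(minute for minute, ips in pingbacks.items()
                                 if len(ips) >= PINGBACK_SOURCES),
        "sqli_attempts": sqli,
    }


# Constructed sample log (RFC 5737 documentation addresses, invented host names).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2014:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2014:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2014:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2014:08:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2014:08:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2014:08:00:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.21 - - [10/Mar/2014:08:02:10 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "WordPress/3.8; http://blog-a.example"
192.0.2.22 - - [10/Mar/2014:08:02:10 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "WordPress/3.7; http://blog-b.example"
192.0.2.23 - - [10/Mar/2014:08:02:11 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "WordPress/3.8; http://blog-c.example"
198.51.100.9 - - [10/Mar/2014:08:03:00 +0000] "GET /wp-content/plugins/gallery/view.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.12 - - [10/Mar/2014:08:03:05 +0000] "GET /?p=42 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
"""


def main():
    for check, hits in analyse(SAMPLE_LOG.splitlines()).items():
        print(f"{check}: {hits}")


if __name__ == "__main__":
    main()
```

Run against the sample, the script reports one brute-forcing source (203.0.113.10), one minute in which three separate WordPress sites delivered pingbacks (the victim-side signature of the reflected attack the report describes), and one SQL injection probe; the legitimate login at 08:00:40 and the ordinary page view are not flagged. Per-minute bucketing is what separates a flood from normal pingback traffic, and the SQL injection signatures are deliberately coarse, so treat hits as leads to investigate rather than as verdicts.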

Geographic distribution of attack sources

IBM Managed Security Services WordPress attack metrics show that the United States was the largest source of attacks in 2014 (see Figure 2). The 2014 Web Application Attack Report by Imperva reached the same conclusion, adding that hackers from other countries are using hosts within the U.S. to launch attacks—chiefly because their targets are closer.

Industries most attacked

According to both the Web Application Attack Report and IBM Managed Security Services data for 2014, the retail trade sector was by far the most frequently attacked WordPress target, with the finance industry sector a distant second (see Figure 3).

Top 5 WordPress attack sources by country
• United States 47%
• Germany 32%
• Italy 10%
• Ukraine 7%
• France 4%

Figure 2. The United States was the leading source of WordPress attacks in 2014.

Top 5 WordPress attack targets by industry
• Retail trade 70%
• Financial services 9%
• Rubber/plastic products 8%
• Air transport 7%
• Administrative services 6%

Figure 3. Retailers were the most frequently attacked WordPress users.

Attacking the attackers

Primarily because of the weaknesses outlined in this report, WordPress is a very appealing target. The tools hackers need for various kinds of attacks on many CMS brands are readily available online. Meanwhile, security researchers provide white-hat service to the open source industry by working to identify weaknesses, spread awareness of vulnerabilities they find, and help authors design patches and mitigation procedures.

Recommendations and mitigation techniques

The following measures can go a long way towards protecting websites built on a CMS platform:

• Always run the latest version of any CMS.
• Update CMS deployments regularly. Look specifically for vulnerability patches and bug fixes.
• Always use trusted sources for themes and plugins. Never use free themes and plugins.
• Never use default settings. Change the default “ADMIN” name. Rename default database prefixes to prevent SQL injection.
• Reduce credentials. The administrator account should be needed only for performing updates or adding/changing themes and plugins. Tasks like editing posts or writing articles should never require administrator-level access.
• Always use strong passwords.
• Protect the .htaccess file. Code added within the .htaccess file will prevent anyone from reading or writing any files that begin with “hta” (see “Securing .htaccess” in the References section).
• Use a cloud-based security service. Solutions such as Cloudflare and Akamai act as a shield in front of your website, blocking bad user agents and offering some protection against SQL injection and DDoS attacks.
• Back up your CMS installations at regular intervals and design a robust disaster recovery plan.
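To make the checklist above something an operator can actually run, here is an added Python audit (not code from the IBM report) that inspects a wp-config.php, an .htaccess file, the user list and the installed version against the recommendations, and returns each problem together with the corrected setting. The weak and hardened configurations, user names, password and version numbers are constructed samples; the password policy and the “more than one administrator” rule are assumptions; the .htaccess block is the commonly published WordPress hardening snippet and assumes Apache accepts Order/Deny directives (mod_access_compat on 2.4).

```python
"""Added example (not from the IBM report): audit a WordPress deployment's
configuration against the report's recommendations. All inputs are constructed."""
import re

# Commonly published Apache snippet that denies web access to .hta* files
# (.htaccess, .htpasswd). Assumes Order/Deny directives are available.
HTA_PROTECTION = """<Files ~ "^.*\\.([Hh][Tt][Aa])">
    Order allow,deny
    Deny from all
    Satisfy all
</Files>"""
HTA_RULE_RE = re.compile(r"<Files(Match)?[^>]*(\[Hh\]\[Tt\]\[Aa\]|\.hta)", re.I)
MIN_DB_PASSWORD_LEN = 16   # assumed policy
MAX_ADMINS = 1             # assumed: one account for updates/plugins, everyone else editor/author


def version_tuple(v):
    """'4.3.1' -> (4, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def password_is_strong(pw):
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    return len(pw) >= MIN_DB_PASSWORD_LEN and all(re.search(p, pw) for p in classes)


def audit(wp_config, htaccess, users, installed_version, latest_version):
    """users: list of (username, role). Returns a list of (check, problem, fix)."""
    findings = []
    if re.search(r"\$table_prefix\s*=\s*['\"]wp_['\"]", wp_config):
        findings.append(("table prefix", "default 'wp_' prefix in use",
                         "set $table_prefix to a site-specific value before installation"))
    m = re.search(r"define\(\s*['\"]DB_PASSWORD['\"]\s*,\s*['\"]([^'\"]*)['\"]", wp_config)
    if m and not password_is_strong(m.group(1)):
        findings.append(("DB_PASSWORD", "weak database password",
                         f"use a random password of {MIN_DB_PASSWORD_LEN}+ characters, mixed classes"))
    if any(name.lower() == "admin" for name, _ in users):
        findings.append(("admin account", "default 'admin' username exists",
                         "create an administrator with a non-default name, then delete 'admin'"))
    admins = [name for name, role in users if role == "administrator"]
    if len(admins) > MAX_ADMINS:
        findings.append(("least privilege", f"{len(admins)} administrator accounts: {admins}",
                         "give content staff the 'editor' or 'author' role"))
    if not HTA_RULE_RE.search(htaccess):
        findings.append((".htaccess", "no rule protecting .hta* files", HTA_PROTECTION))
    if version_tuple(installed_version) < version_tuple(latest_version):
        findings.append(("core version", f"{installed_version} installed, {latest_version} available",
                         "update WordPress core, then themes and plugins"))
    return findings


# Constructed samples: a deployment left at the defaults, and the same one hardened.
WEAK_WP_CONFIG = """<?php
define('DB_NAME', 'shopdb');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'password1');
$table_prefix = 'wp_';
"""
WEAK_HTACCESS = "# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n"
WEAK_USERS = [("admin", "administrator"), ("jane", "administrator"), ("bob", "editor")]

HARDENED_WP_CONFIG = """<?php
define('DB_NAME', 'shopdb');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'Qv7#mL2pX9!aR4zT8wE1');
$table_prefix = 'x7k_';
"""
HARDENED_HTACCESS = WEAK_HTACCESS + HTA_PROTECTION + "\n"
HARDENED_USERS = [("siteowner", "administrator"), ("jane", "editor"), ("bob", "author")]


if __name__ == "__main__":
    # Version strings here are sample values, not a statement of the current release.
    for check, problem, fix in audit(WEAK_WP_CONFIG, WEAK_HTACCESS, WEAK_USERS, "4.3.1", "4.4"):
        print(f"[{check}] {problem}\n    fix: {fix}")
    print("hardened findings:", audit(HARDENED_WP_CONFIG, HARDENED_HTACCESS, HARDENED_USERS, "4.4", "4.4"))
```

On the weak sample the audit raises six findings in checklist order; on the hardened sample it raises none. Renaming the table prefix only removes a guessable default and is no substitute for parameterized queries in plugin code, which is why the audit pairs it with the version and plugin-source checks rather than treating it as the SQL injection fix.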

Protect your enterprise while reducing cost and complexity

From infrastructure, data and application protection to cloud and managed security services, IBM Security Services has the expertise to help safeguard your company’s critical assets. We protect some of the most sophisticated networks in the world and employ some of the best minds in the business.

IBM offers services to help you optimize your security program, stop advanced threats, protect data and safeguard cloud or mobile. An IBM Application Security Assessment can help you stay one step ahead of cyber attackers by proactively identifying and resolving security weaknesses in your CMS before data thieves can exploit them. The IBM Managed Web Defense service from IBM uses cloud-based Akamai Kona Site Defender technology to help you stop DDoS attacks before they affect your web presence.

About IBM Security

IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force® research and development, provides security intelligence to help organizations holistically protect their people, infrastructures, data and applications, offering solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. IBM operates one of the world’s broadest security research, development and delivery organizations, monitors 20 billion security events per day in more than 130 countries, and holds more than 3,000 security patents.


For more information

To learn more about the IBM Security portfolio, please contact your IBM representative or IBM Business Partner, or visit: ibm.com/security

For more information on IBM Security Services, visit: ibm.com/services/security

Follow @IBMSecurity on Twitter or visit the IBM Security Intelligence blog.

References

CMS history
http://www.contegro.com/info-center/designers-blog/blog-article/_thread_/a-brief-history-of-cms-development

Content Management Systems Security and Associated Risks
https://www.us-cert.gov/ncas/alerts/TA13-024A

Securing .htaccess
http://thematosoup.com/wordpress-security-htaccess/

The perils of freeware
http://premium.wpmudev.org/blog/free-wordpress-themes-ultimate-guide/

Securing and hardening Content Management Systems
http://www.luminweb.com/clients/knowledgebase.?action=displayarticle&id=9

162,000 WordPress Sites used in DDoS attack
http://arstechnica.com/security/2014/03/more-than-162000-legit--sites-abused-in-powerful-ddosattack/

OWASP list of top 10 web vulnerabilities
http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

WordPress Most Attacked Application
http://www.computerweekly.com/news/2240232352/WordPress-most-attacked-application

Web Application Attack Report (WAAR)
http://www.imperva.com/docs/HII_Web_Application_Attack_Report_Ed5.pdf

Is your WordPress site being used as a DDoS attack source?
http://labs.sucuri.net/?is-my-wordpress-ddosing

About the author

David McMillen, Senior Threat Researcher, IBM Managed Security Services, brings more than 25 years of network security knowledge to IBM. David began his career at IBM over 15 years ago as a member of the core team that created the IBM Emergency Response Service, which eventually grew and evolved into IBM Internet Security Systems.

As an industry-recognized security expert and thought leader, David has a rich background in IT security. He thrives on identifying threats and developing methods of solving complex problems. His specialties are intrusion detection and prevention, ethical hacking, forensics, and analysis of malware and advanced threats. As a member of the IBM Managed Security Services Threat Research Team, David takes the intelligence he has gathered and quickly produces tangible remedies that can be implemented within a customer’s network on IBM’s own proprietary threat detection engines.

David became interested in security in the 1980s, when he owned and operated one of the first companies to offer penetration and vulnerability testing. As the Internet’s footprint grew, it became clear to him that there was a new challenge on the horizon: protecting data. David next worked with IBM Business Partner WheelGroup (later acquired by Cisco), where he helped develop the NetRanger IDS intrusion detection system and NetSonar, a vulnerability scanner. David also assisted with the development of the very first IBM intrusion detection system, BillyGoat. David has subsequently developed several other security-based methods and systems that have been patented by IBM.

Contributors
Lyndon Sutherland, Security Specialist XFTAS
Michelle Alvarez, Researcher/Editor, Threat Research Group
Nick Bradley, Practice Lead, Threat Research Group

© Copyright IBM Corporation 2015

IBM Corporation
IBM Security
Route 100
Somers, NY 10589

Produced in the United States of America
December 2015

IBM, the IBM logo, ibm.com and X-Force are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

SEL03034-USEN-01