
Open Source CMS: The Good, Bad & Ugly

The Basic Principles of Open Source CMS Software

The open source community is one of the best things that has happened to the programming community, yet one of the worst things to happen for business cyber security, and for the exact same reason. For those of you who are not intimately involved in the world of programming languages and software development, open-source software (OSS for short) means software that you can crack open and look right at the source code. Line by line, anyone who knows how to read it can see exactly how the software works on the inside. WordPress is the leading example of an OSS Content Management System (CMS), and is a website CMS used by thousands.

Open Source Projects: Educational and Unsafe

Of course, this is not just a transparent window into working software, it is also something you can copy and modify. Anyone with sufficient IT skills can read open source software like a book and change anything they want. Programmers use it to learn how to replicate specific features they like. Or they will take an open-source project and build on the freely available code to make something excellent on top of it or as an alternative. This is where things like user-made WordPress modules come from.

Students use OSS to study how working programs are put together from start to finish, or to study specific pieces of code that are useful to them. And open source CMSs give every business a chance to produce and customize their websites. Unfortunately, hackers are also able to look directly into the code everyone is using for their websites and business software. They build malware that targets the thousands of legitimate OSS users, injecting viruses and malware that exploit weaknesses in the WordPress software. And they can get away with it simply because open-source is inherently insecure.

Open Source Reveals A Program's Weaknesses

The problem with OSS is not necessarily that programs are built without security in mind. The problem is that hackers can pore over the details of the OSS software code. They have the opportunity to scan for weaknesses: loopholes in the log-in function, a lack of security surrounding packet transmission, or perhaps just a point where they could corrupt data as it flows through the backup process.

You see, friendly programmers aren't the only ones who build 'modules'. Malware made to target a specific popular OSS is also essentially a module, made to fit right onto the existing software and exploit a weakness rather than add functionality. Or worse, it does add more functionality, but those functions exist to steal credit card numbers, trade secrets, or the identities of your customers.

The Risks of Using Open-Source CMS Software

Websites built using open source CMS software like WordPress, Drupal, and Joomla make up more than 30% of the internet; if your website is built using any of these open source software projects, your online reputation may be at risk. For example, the reason you're hearing about a variety of open source targeting malware like Dimnie and Baba Yaga is that hackers can see all the code, making the open source software programs they infect easy targets. These malware can literally infect thousands, even hundreds of thousands, of websites with one malicious script. To get started, all a hacker has to do is download the freely available source code like everyone else, then design specific malware made to target the identified vulnerabilities via security holes in login, database, or network features, to name a few.

Once the attack malware is designed, everyone who has used the targeted OSS in the past is at risk because they all share the exact same weaknesses. Unfortunately, many companies turn a blind eye to open source security risks for the convenience of using the popular software.

Building a Secure Website and CMS

Even if you only use your website to provide contact information and host your blog, it is vital to keep your website and CMS secure. You cannot afford the brand or reputational risk of an OSS-targeting malware attack breaching your system, especially if your website handles sensitive information or client services. Instead, consider a proprietary (i.e., closed-source) CMS that can provide enterprise-level security that hackers have never had a peek at.

QuickSilk's solution provides a smooth and easy-to-use CMS that has not been looked at by every ambitious hacker in the world, and which undergoes regular penetration testing by third-party security providers to ensure security stays top of mind. With an easy drag-and-drop design system and cutting-edge features, you get everything your friends using OSS are raving about, without the vulnerability to 'skeleton key' malware attacks. For more information about how you can build and manage your website securely with QuickSilk, please contact us today!