Nobody wants to be hacked. But when was the last time you've made a backup of your site, or checked if it was safe from intrusion?
In this article I'm going to look at the major CMS platforms and see their recent history of vulnerabilities. If your site uses one of these platforms, you'll probably want to stop along the way to do the math and think if your site is at risk. If none of these platforms is powering your site, you'll soon find out how to make the same test, quick and easy, and get the same info.
How do I check?
Googling your platform's name and the world "vulnerability" will probably get you some good info right away. But there are companies that track this kind of problems and maintain updated lists of known issues. One of this companies is Flexera Software, who offer the Secunia Research Advisory Database, which is a community driven effort that according to them is "The World’s Premier Vulnerability Intelligence Resource". I've registered and gave it a spin looking up the 3 biggest names in the CMS space to see what pops up: Wordpress, Drupal and Joomla. And of course, being a ProcessWire fanboy, I'll see how it compares to the bunch - he says rubbing his hands.
If your site uses something else, I advise you to check this database. Just follow this link, sign up (it's ok, they don't spam), and search your platform's name.
Ready? Set? Go!
Spoiler alert: Wordpress is the worst. 1168 vulnerabilities, and in 2017 alone there were 21 detections.
Now don't panic right away. In all fairness, these are not highly critical vulnerabilities and some relate to specific plugins that your site may or may not use. However, "SQL Injection Vulnerability" (2017-11-01) means something that can be exploited to compromise your site's data.
One of the entries, "WordPress Multiple Vulnerabilities" in 2017-09-20 is listed as "Moderately Critical", and with an impact to "Security Bypass, Cross Site Scripting, Spoofing". You can easily understand what security bypass means, and the other two... well just update your Wordpress before you find out. Hold on! Don't do it so fast. Make a full backup first, because updating may break it.
Drupal fares a way better, apparently, with 830 entries, and only 5 this year. The most recent was in August 16th, so if you haven't updated after that, it's a good idea to check if your site uses the REST API.
But be warned. In 2017-06-22...
Multiple vulnerabilities have been reported in Drupal, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to compromise a vulnerable system.
Nah relax, it's not as dangerous as it may sound initially. Exploiting this vulnerability requires certain privileges that are not easily attained. Overall I'd have guessed a much worse scenario for this one.
620 advisories from the beginning of time, 6 this year. None of the most recent are listed as highly critical, only a few moderately critical ones.
The most recent one, on November 9, says:
Multiple vulnerabilities have been reported in Joomla!, which can be exploited by malicious people to disclose certain sensitive information and bypass certain security restrictions.
1) An error related to the LDAP authentication plugin can be exploited to disclose usernames and passwords.
This means that if LDAP authentication is turned on and your luck is low, your site can give out more information than you'd like. If you're one of those people who use the same password everywhere, that's something that can be leaked here.
Yes, you're seeing it right. Zero entries. As in nothing. As in "nah, you're pulling my leg, this can't be".
Oh but it is. This is something that from time to time comes up in the ProcessWire community, and nobody knows of a single PW site that has ever been compromised. Of course I expect to eat these words at some point but, so far in the 2, almost 3 years that I've been working with this platform and been engaged in the community, the record has remained absolutely clean. More, I've searched the forums and found people commenting the exact same thing back in 2014: "I've been working with PW since version XX and never heard of a site being compromised".
Why is this?
First, this isn't as reliant on plugins as other platforms. For Wordpress, plugins are usually the culprit whenever an issue appears. You will not find an image gallery plugin for ProcessWire that renders a fully working slideshow with thumbnails, animations and all that like you do on Wordpress. What PW does best is provide a solid platform for managing content and an amazing API for presenting that content. For developers like me who prefer building everything as bespoke as possible, that's as good as it gets.
Everything is closed from the start, and the developer opens just what's needed for a particular project, with very easy tools to filter data and ensure that what comes in does so in an orderly fashion.
The preoccupation with security in ProcessWire is something I like to illustrate with this quote from Ryan Cramer (father to ProcessWire, Obi-wan to us all):
By default, the "Forgot Password" module is not turned on in v2.1. My thought was that lack of such a function is technically more secure (on any site or CMS). Why? Because having such a function active means your password is only as secure as your email (...) So I thought we'd start things out as secure as possible and let people adjust it according to their own need.
Now do you still want password recovery?
Final thought, should you worry?
Yes, but don't lose your sleep over it. In the end, what makes a site secure or not is who developed it. If it was well built and you keep an eye on it, you should be fine. But I'll refrain from asking when was the last time you've secured a backup of your site ;)