What a question! And, it is one we receive all the time. Through the years, website owners have been burned by security shortcomings in platforms such as WordPress or Joomla (which I name first since they are the largest offenders).
My favorite line about WordPress is: There are two types of WordPress sites: those that have been hacked and those that are going to be. Maybe it's a bit exaggerated, but more often than not it becomes a reality for many unsuspecting website owners.
The question of CMS security is involved and well beyond the scope of any one blog post. What makes a system the most secure CMS is relative: it depends on what you are worried about. CMS intrusions? The integrity of customer data? Being hacked for the purposes of defacement and embarrassment? Or perhaps just the automated bots that seemingly never go away?
Ideally, all of these items should scare anyone running a website today. The value of customer data can put a business at risk in the event of a breach; that type of vulnerability can literally put you out of business. And nothing is more embarrassing than having your pages hacked and displaying, umm, uncomfortable content, to say the least!
So, how can you secure your website and CMS to industry standards or even higher?
The first key is to not use a platform that is a target. The vast majority of hacks are towards software packages that are popular and have the largest install base. This means the biggest players in the industry: WordPress, Drupal, Joomla, and Magento. These platforms are notorious for being targeted simply for existing.
Automated bots will scour the internet looking for vulnerable installations. A recent estimate is that there are over 5,000 current vulnerabilities in WordPress and its plugins. That is crazy!
Removing the risk of a popular platform is the first step to making your CMS the most secure CMS it can be. Once you are under the radar, it becomes a matter of preventing actual intrusion by nefarious, villainous offenders.
Why a decoupled CMS system can help
This is where the new model of decoupled CMS systems can help. As a quick primer, a decoupled CMS separates the administrative portal of a website from its front-end display, or user experience. This enables your site to have a variety of advantages, such as:
- Ability to tightly secure the administrative portal: With the administrative portal living in another location, you can tightly secure access with a variety of means. You can restrict access to the application by IP address, for example. You can also host it on a different port.
Since the front end and back end will not communicate by any means other than a data pipeline (such as an API), you can remove the ability for outsiders to access the tools to publish and amend content.
- You can publish flat HTML: This sounds crazy, right? But there are many reasons that an organization would consider using its CMS to publish flat HTML files as opposed to actually allowing for database interactivity.
Even though you can power your website dynamically with an API, publishing flat HTML is a method we've seen used and it works quite well. For the limited areas where you require interaction, the API can provide that capability. This approach also limits the ability of hackers to use techniques such as SQL injection: you can run your site on a server that doesn't even have SQL installed or connect to a database at all!
- Scalability: It is easy to scale the front end of the site if traffic requires it. Either flat HTML files are trivial to load balance, or the API requests to the database can be cached. Either way, it's easier to scale a decoupled CMS than an integrated system such as WordPress or Drupal.
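To make the three points above concrete, here is an added example (written for this page, not code from the original post or from any CMS vendor) of the two pieces a decoupled setup relies on: a gate that admits requests to the administrative portal only from an IP allowlist, and a publisher that turns CMS records into flat HTML files with every field escaped. The content records, the allowlist networks and the file layout are constructed assumptions; a real deployment would pull the records from the administrative portal's API.

```python
"""Added example: a minimal decoupled CMS pipeline.

Two pieces are shown:
  1. admin_request_allowed()  - the IP restriction on the admin portal
  2. publish_static()         - rendering CMS records to flat, escaped HTML

Everything here (sample records, allowlist ranges) is constructed for
illustration and is not from the original post.
"""
import html
import ipaddress
import os
import re
import tempfile

# Constructed sample of what the admin portal's API might return. The second
# record deliberately contains markup and quotes so the escaping is visible.
SAMPLE_ITEMS = [
    {"slug": "index", "title": "Home", "body": "Welcome to our site."},
    {"slug": "about", "title": "About <us>",
     "body": "We <b>love</b> static files & \"quotes\"."},
]

# Constructed placeholder networks (RFC 1918 and a documentation address).
ADMIN_ALLOWLIST = ["10.0.0.0/8", "203.0.113.7/32"]

# Slugs become file names, so only a conservative character set is accepted.
SAFE_SLUG = re.compile(r"^[a-z0-9][a-z0-9-]{0,63}$")


def admin_request_allowed(remote_addr, allowlist=ADMIN_ALLOWLIST):
    """Return True only when the client address lies inside an allowed network.

    Apply this to the peer address the server itself observed, not to an
    X-Forwarded-For header, which a client can forge unless a trusted proxy
    you control is the one setting it. Malformed input is rejected.
    """
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(net, strict=False) for net in allowlist)


def render_page(item):
    """Render one CMS record to a complete HTML document.

    Title and body are escaped (including quotes), so content authored in the
    portal is displayed as text and never interpreted as markup by the browser.
    """
    title = html.escape(item["title"], quote=True)
    body = html.escape(item["body"], quote=True)
    return (
        "<!doctype html>\n"
        f'<html><head><meta charset="utf-8"><title>{title}</title></head>\n'
        f"<body><h1>{title}</h1><p>{body}</p></body></html>\n"
    )


def publish_static(items, outdir):
    """Write each record to <outdir>/<slug>.html and return the written paths.

    The slug check stops a crafted record (e.g. '../etc') from writing outside
    the publish directory. The resulting files need no database, no PHP and no
    SQL on the server that serves them.
    """
    written = []
    for item in items:
        slug = item["slug"]
        if not SAFE_SLUG.match(slug):
            raise ValueError(f"refusing unsafe slug: {slug!r}")
        path = os.path.join(outdir, slug + ".html")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(render_page(item))
        written.append(path)
    return written


def publish_sample():
    """Publish the constructed records into a fresh temp dir; return the paths."""
    outdir = tempfile.mkdtemp(prefix="decoupled-site-")
    return publish_static(SAMPLE_ITEMS, outdir)


if __name__ == "__main__":
    for path in publish_sample():
        print("wrote", path)
    print("10.1.2.3 allowed:", admin_request_allowed("10.1.2.3"))
    print("198.51.100.9 allowed:", admin_request_allowed("198.51.100.9"))
```

Two design notes. The allowlist check is meaningful only when applied to the address the network stack reports; placing the portal on a different port, as the bullet above mentions, does not by itself keep scanners out and should be combined with the address restriction. The publisher's slug validation is the part people forget: once the CMS writes files, a record's name is a file system path and deserves the same distrust as any other input.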
Of course, we have other tricks up our sleeves to make your custom CMS installation into the most highly secure CMS possible. But this summary serves as a quick primer to the advantages of a headless architecture, especially if your concern is security.
It goes without saying that if your number one requirement for your CMS is security, you should seriously consider whether any of the off-the-shelf platforms are right for you. Simply choosing to stay away from them will enhance your security efforts significantly. From there, the more customized the approach you choose, the more options you will have for keeping your site administratively and technically safe.