
Securing Your CMS: 2016 Best Practices Guide

Part of what has made the internet more of a necessity than a luxury is how accessible it is for people. It is so accessible that just about anyone can have their own website, which is why there are over one billion existing websites right now, a number that grows as impressively by the second as it has by the year.



InternetLiveStats.com’s tracking reveals explosive growth in total number of websites across the web in the past 15 years.

As is evidenced by the graph above, the internet has seen explosive growth in the number of websites within the past decade. Why, or perhaps more appropriately how, has such massive growth been possible? In large part because open-source Content Management Systems (CMS) experienced an explosive growth period as well.

A recent security overview by Sucuri reports that over a third of all websites online are powered by four key CMS platforms: WordPress, Joomla, Magento, and Drupal. The popularity of these specific CMS platforms is due to a handful of appealing factors, such as platform accessibility, focus on user experience, platform success in niche markets, etc.

But an unfortunate problem that has developed right alongside these CMS platforms is a serious threat to cyber security. The widespread accessibility of CMS technologies has resulted in as many unskilled webmasters as there are skilled. This leaves websites more susceptible to hackers through gaping vulnerabilities in simple cyber security practices.

Cyber security threats and attacks increased by 194% between March 2015-2016. 



Breakdown of infected websites distributed across the most widely used CMS platforms from Sucuri’s “Website Hacked Trend Report 2016,” Q1.


So, why are CMS platforms targeted by hackers?

First, because websites on these platforms are so prevalent. Second, because the open-source framework of these systems requires webmaster responsibility and attention to security precautions.

There’s a lot of monetary incentive for hackers to find and exploit vulnerabilities in these systems since these CMS platforms are so widely used by businesses and for e-commerce purposes. That, on top of already existing hacker culture, is incentive enough for digital perpetrators to regularly target open source CMS systems.

How to Protect Your Website

Though the capabilities and tactics of hackers are constantly evolving, so are the resources and opportunities for cyber security. As more websites on these CMS platforms continue to pop up, it becomes increasingly important to regularly maintain and update the security features of your website(s). If your website exists on WordPress, Joomla, Magento, or Drupal, here’s what you can do.

WordPress: Security Best Practices for 2016

  • Don’t use admin as part of your username or password. Brute force attacks try plugging in an assortment of passwords and phrases exhaustively until the correct one is found. Since admin is part of the default username on WordPress, it’s one of the first phrases tried in brute force cyber attacks. By simply going into the Users section of your WordPress site and making a New User with administrative rights, you can delete the default admin user. This strategy coupled with an uncommon, unique password is an easy way to reduce security risks.
  • Use two-factor authentication. For the little extra authentication hassle it costs you, the security benefits are well worth it. It’s used on notoriously secure websites, like Gmail and PayPal, and you should be using it too. The Google Authenticator is a painless way to add this to your WordPress security practices, and the mobile app is compatible with all smart phones.
  • Limit the number of login attempts, because after fifteen failed attempts it’s probably a red flag. There are WordPress plugins for this and it will also help with brute force attacks.
  • Choose a good hosting company. As a starting point, it’s worth noting that when it comes to hosting companies, you get what you pay for. Be prepared to pay a little extra for hosting companies that boast impressive loading speeds and other such features, and pay attention to whether or not the company uses shared servers. Sharing a server with other sites can be dangerous, because if one website gets hacked, yours may be at risk. An ideal host will have assistance if you get hacked, redundant firewalls, and more.
  • Consider comprehensive security packages. Since WordPress is the most prominent CMS platform and therefore represents a big slice of the hacker pie, it might be worth it to invest in a website security service that protects your site from every angle. Aforementioned security giant Sucuri offers a security stack with a slew of impressive features and has a 30 day money back guarantee.
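To make the login-attempt limit above concrete, the following added example (not part of the original guide or of any WordPress plugin) counts failed logins per client IP in a web server access log and flags clients at or above the fifteen-attempt mark. It assumes the common/combined log format and that a failed WordPress login answers a POST to wp-login.php with status 200 while a successful one redirects with 302; the log lines are constructed.

```python
import re
from collections import Counter

# Threshold from the text above: fifteen failed attempts is a red flag.
MAX_FAILED = 15

# Common/combined access-log prefix: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def failed_logins_by_ip(lines):
    """Count POSTs to wp-login.php that did not redirect (assumed failures)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        # Assumption: a failed login re-renders the form (200),
        # a successful one redirects to the dashboard (302).
        if (m.group("method") == "POST"
                and path.endswith("/wp-login.php")
                and m.group("status") == "200"):
            counts[m.group("ip")] += 1
    return counts


def flag_ips(lines, threshold=MAX_FAILED):
    """Return the sorted client IPs at or above the failed-attempt threshold."""
    counts = failed_logins_by_ip(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def sample_log():
    """Constructed log: one noisy client, one user with a typo, one page view."""
    fmt = '{ip} - - [10/Mar/2016:10:00:{s:02d} +0000] "{req} HTTP/1.1" {st} 512'
    lines = [fmt.format(ip="203.0.113.7", s=i, req="POST /wp-login.php", st=200)
             for i in range(16)]
    lines.append(fmt.format(ip="198.51.100.4", s=20, req="POST /wp-login.php", st=200))
    lines.append(fmt.format(ip="198.51.100.4", s=25, req="POST /wp-login.php", st=302))
    lines.append(fmt.format(ip="192.0.2.9", s=30, req="GET /", st=200))
    return lines


if __name__ == "__main__":
    for ip in flag_ips(sample_log()):
        print("review or block:", ip)
```

The user who mistyped a password once and then logged in stays well below the threshold, which is the reason to count per client rather than alert on any failure.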

Joomla: Security Best Practices for 2016

  • Use a secret login key. One of the best ways to secure backend access to your website is to actually hide the login key. KSecure is a Joomla protection extension that shows you how to add a secret key for accessing the admin login page. For example, whereas a normal website would have login access at www.example.com/administrator, adding a secret key will tack on an extra word or symbol after /administrator that will reveal the backend login page. If hackers don’t have the key and only type /admin, they’ll be redirected to the home page.
  • Update to the latest version of Joomla and your Joomla extensions. According to Blue Bridge Development, the number one reason Joomla websites get hacked is because their version is outdated. Part of the reason this is such a problem is because not all Joomla extensions have update notifications. You can stay on top of updating by going to Extensions>Manage>Update.
  • Use Joomla security extensions. Speaking of extensions, you can always try using one of the Joomla security extensions. These will be armed with strategies to prevent the most common Joomla security vulnerabilities.
  • Sign up for Joomla’s security notifications. Whenever a new vulnerability or problem is discovered within Joomla, two email notification services notify the list members. You can sign up here.

Magento: Security Best Practices for 2016

  • Review your server for “development leftovers.” Magento urges its users to ensure there are no accessible log files, publicly visible .git directories, database dumps, or any other unprotected files that could potentially be used in an attack. Over time, these kinds of files tend to accumulate on servers as a result of normal website admin behavior, and it’s important that these “leftovers” are as secure as the rest of the files on the site.
  • Maintain regular backups. Magento’s administrative panel has a built-in backup system in case files are accidentally deleted, hackers penetrate a website store, data disappears, etc. These backups can quickly restore your website back to normal. You can access the backup features through System>Tools>Backups in your admin panel.
  • Add an extra layer of security by using encrypted connections. A URL without an encrypted connection begins with http://… and is open to hackers who can potentially get usernames and passwords to your website. Using an encrypted connection will change your URL to https://… indicating the website uses a Secure Sockets Layer (SSL) that protects information between clients and servers. Through the back end of your website, go to System > Configuration > General > Web > Secure and change the Base URL setting from “http” to “https”, and set “Yes” to using secure frontend URLs and secure Admin URLs.
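The review for “development leftovers” described above can be scripted. This added example (not Magento’s own tooling) walks a web root and reports .git directories, log files and database dumps; the suffix list and the sample directory tree are assumptions constructed for the illustration.

```python
import os
import tempfile

# Categories from the list above: log files, .git directories, database dumps.
# The concrete names and suffixes are assumptions chosen for this example.
LEFTOVER_DIRS = {".git"}
LEFTOVER_SUFFIXES = (".log", ".sql", ".sql.gz", ".dump", ".bak")


def find_leftovers(webroot):
    """Return sorted (relative_path, reason) pairs for risky items under webroot."""
    findings = []
    for current, dirs, files in os.walk(webroot):
        for d in list(dirs):
            if d in LEFTOVER_DIRS:
                rel = os.path.relpath(os.path.join(current, d), webroot)
                findings.append((rel, "version-control directory"))
                dirs.remove(d)  # report the directory once, do not descend
        for f in files:
            if f.lower().endswith(LEFTOVER_SUFFIXES):
                rel = os.path.relpath(os.path.join(current, f), webroot)
                findings.append((rel, "log, dump or backup file"))
    return sorted(findings)


def build_sample_webroot(base):
    """Constructed sample tree: a small fake store containing three leftovers."""
    for rel in ("index.php", "var/log/system.log", ".git/config",
                "backup/store_2016.sql.gz", "media/logo.png"):
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason in find_leftovers(build_sample_webroot(tmp)):
            print(f"{reason}: {rel}")
```

A finding means the item exists under the web root; whether it is actually reachable from outside depends on the web server configuration, so each hit should be moved out of the web root, deleted, or explicitly denied.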

Drupal: Security Best Practices for 2016

  • Back up your site, both the database and files on the web server, and test the backups often to make sure they’re working. In the event of a cyber attack and/or site issues, it will make it much easier to restore the website.
  • Use PHP snippets sparingly and carefully. When it comes to coding, an out of place piece of punctuation or letter can break the PHP snippets and cause issues with your website. Even worse, if a hacker gains access to PHP snippets it opens up your entire website. That’s why it’s vitally important to only entrust site developers with PHP access and always test your code blocks inside a temporary page before applying to your website.

Final Thoughts

To clarify, these are the best practices for website security across the prominent platforms, not all the practices. Effective website management will combine the best practices in cyber security alongside the routinized smaller methods. There is also significant overlap in the best practices across these four platforms, and the shared ones are worth carrying out regardless of your website platform (e.g. keeping uncommon login and password information, two-factor authentication, etc.).

Airtight security practices are what distinguish good sites from great sites and earn user trust. As cyber threats continue to advance, so should your plans and strategies for protecting your website and the information entrusted to it by your users. Make your site safer this year and put security at the top of your priority list.
