How to secure your CMS without patching

Attackers are exploiting CMSes by reverse-engineering security patches before they can be applied. German coders see a way to stop them.



In as little as four hours, the bad guys can reverse engineer a software patch for an open-source content management system (CMS) and build an exploit capable of turning millions of websites into spammers, malware hosts or DDoS attackers. 

"There's just not enough time for normal site owners to apply the updates," said David Jardin, a member of the German association CMS Garden, which promotes the use of open source CMS software including Drupal, Joomla, WordPress and others.

To help ordinary users patch more quickly, CMS Garden is participating in a government-funded project, Secure Websites and Content Management Systems (Siwecos), to make the websites of SMEs more secure. 

Siwecos is a three-pronged effort, Jardin said.

Project participants including researchers at the University of Bochum are building a scanning engine that will give business owners feedback about potential security problems on their website, such as SSL misconfiguration or vulnerabilities to cross-site scripting attacks.

CMS Garden is contributing the second part: a series of plugins for different open-source CMSes that will provide that feedback from within the CMS management interface, where site owners can act on it immediately.

The third part, and the one Jardin is most excited about, is a service that will help web hosting companies filter out attacks before they reach vulnerable CMS installations.

Jardin pitched the project to a June meeting of the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG, an organization that aims to fight abuse of internet infrastructure).

There's no inherent insecurity with the systems CMS Garden promotes, as Jardin sees it. The problem is that the site owners using them just don't have time to keep their systems up to date. Better, then, to take them out of the loop.

"I want to remove the site owners from the chain of responsibility by talking to the web host directly," he said.

He's not expecting web hosts to patch their customers' CMSes for them. Instead, at the same time as the patches go out, he's offering the web hosts ready-made filter rules for their web application firewalls, designed to block the same exploits as the patches.

"They can apply it right away and work around the end user, giving them way more time to apply the patch," he said. "We've been doing this on a small scale for quite some time already for the Joomla project and a number of German web hosts, with tremendous effect."

In one recent incident, a German hosting company that applied one of the filters blocked 150,000 requests per hour in the first day after a Joomla patch was released.

Web hosts could create such filters for themselves, but that would involve them reverse-engineering the patch too. It's quicker and safer to leave it to groups like CMS Garden, said Jardin.

"For the CMS community it's not a big deal because we know our systems pretty well. We can figure out a rule that doesn't have many side effects, no false positives, and for the web hosting company it's free of charge and safe."

While the Siwecos project is funded by the German government and aimed primarily at German SMEs, internet traffic knows no boundaries. 

"Even German companies host their sites all over the globe," said Jardin. "We are talking to pretty much everyone so it's more a global program."

The Siwecos scanning system will use a modular API. It's in a closed beta test for now, but its developers expect to open it up by September, when they will publish the first plugins for it. Modules under development include one for scanning HTTP headers relevant to security, such as those for Content Security Policy.

"The CSP headers are quite relevant because they can prevent exploits from working even if a site has been infected," Jardin said. There will also be scanners to validate SSL and TLS certificates in the server settings, and to check for malware in HTML code.

Jardin hopes to launch the web host service in September too. It will begin with a private mailing list so as to avoid giving bad actors additional clues for exploiting CMSes before they can be patched or otherwise protected.

"If you take a look at the firewall rules it's going to be rather easy for an experienced attacker to build an exploit. That's why we want to limit the circle of recipients."

The web app firewall element of Siwecos has some overlap with work WordPress is doing with some web hosts. Siwecos, though, is working with multiple CMS projects and will be open to more web hosts, he said. "The beauty of our project is that it's one central place for information about all CMSes."

Commercial web application firewall vendors have nothing to fear from the project, and much to gain, according to Jardin.

"They don't know our applications and they don't have any up-front information about security issues. It's going to take them at least 24 to 48 hours until they have the rule set in place that we can provide right from the beginning. That's the thing that's completely new."

Peter Sayer

IDG News Service