Zero Hacks

Win the Update Race Against the Hackers

As many reports show, vulnerabilities in web-based CMS systems are a constant factor. Common CMS security issues stem from running default installations that are not security-hardened or regularly updated (often hard to do, given the 542 security exploits WordPress suffered from in 2018), unstable deployment procedures, improper security configurations, outdated databases, operating systems and web servers, known default passwords, a lack of data security knowledge, broken authentication, or hijacked session management.

While some security issues are related to high complexity and the human factor on the server, it is worth mentioning that the server is not the sole component to monitor: many threats come from vulnerabilities introduced by add-on software like modules, plug-ins, themes, and extensions. They open back-doors to the system.

Using open-source CMS invites security issues

Using an open-source CMS increases the probability of being hacked significantly. Given the widespread use of these systems, they are a very lucrative target for attackers. The number of additional, often poorly maintained plug-ins increases the risk, and therefore the system administrators’ workload, since software has to be updated all the time. Since resources are unavailable to test every software module, it is often only a matter of time before some door to the system is left wide open. Such an incident does not necessarily disable the site. In most cases, the system is misused for other purposes. The number of undetected hacks in WordPress is much higher than the number of outages. Many cases of misuse are never noticed. A true 24/7/365 service has to be established to avoid these risks. Very few organizations are doing so.

Website infections by CMS platform - chart

Reports show numerous weaknesses and hacks of websites due to the underlying CMS systems. A typical on-premise CMS installation - whether commercial or open-source - comes with servers, a database, and additional modules such as search engines or plug-ins for editing. These servers are the main target of attacks.

Unfortunately, the nature of these attacks is inherent to the systems running a traditional server-bound legacy CMS. There is simply no way to fix this, as software is written by humans and they are prone to making errors. It is impossible to run a feature-rich, on-premise CMS securely. Period.

The only solution to this problem is to rethink the whole CMS architecture radically: minimize the number of server components, expose as little data as possible through well-secured, firewalled APIs, move most of the former server logic to the browser, and use serverless functions-as-a-service for the remaining components. This is exactly what the JAMstack architecture does.

JAMstack architecture improves security

Using a fully maintained virtual service, instead of traditional servers, reduces the risk of being hacked. With no databases, plug-ins or dynamic software running on a server, the potential for code injection and hacks is reduced dramatically.

When the website is just a data service, with all dynamic functions handled with APIs and client-side JavaScript, reliance on an individual CMS server is eliminated. While an external API handling persistent data may expose a vulnerability, eliminating the CMS server removes many points of failure and attack vectors.

How does having a dynamic web application or a personalized website running a service instead of a server work? SaaS CMS Scrivito provides a serverless environment combined with the most modern JAMstack (JavaScript, API, Markup) approach¹.

Serverless computing is a cloud computing model where the cloud provider runs the server and dynamically manages the isolated allocation of machine resources – the developer just provides the code as functions (FaaS – Function as a Service)². Serverless computing can dramatically simplify the process of deploying code into production, scaling it and keeping it available.

Modern JAMstack web application architecture vs traditional web architecture

Scrivito’s architecture is based on JAMstack principles: JavaScript, API, and pre-built Markup. This JAMstack approach can dramatically improve your app’s security, as this architecture has a small attack surface by design.

This means that the page is pre-built, distributed via a CDN and displayed in the user’s browser and all further activity happens there. This approach means it is almost impossible to break into the system and represents a significant decrease in risk. Projects focus less on security, updating, patching and other maintenance tasks and more on the business results.

These are two of the numerous technical concepts behind SaaS CMS Scrivito that prevent hacker attacks by system architecture rather than by updates. That there were over 20k confirmed websites hacked in WordPress in 2018³ and zero in Scrivito indicates its advanced concept.

Read more from the paper

Whitepaper - Measurable Success

10 points to measure the success of a CMS. Only measuring can indicate what can be improved. Behind every aspect in this paper, there are years of experience in the CMS world from the authors. There are also strong technical skills and a strong belief that it is important to build a new generation of Enterprise SaaS CMS which radically changes the approach to how a CMS needs to meet the next generation of digitalization requirements.


¹ Source: Matt Biilmann, speech at JAMstack Conf 2018 in San Francisco
² Source: Miller, Ron (24 Nov 2015). “AWS Lambda Makes Serverless Applications A Reality”. TechCrunch
³ Source: Sucuri, Whitepaper, “Hacked Website Report 2018”, 2019
