Headless CMS Security - An Overview
When it comes to growing and scaling websites, security increases in importance when evaluating which Content Management System (CMS) to deploy. Putting good practices in place is the first step, as many security breaches can relate to poor access management.
Alan Gleeson
Co-Founder / CEO
April 27, 2023
5min read
General CMS Security Principles
When it comes to any application where users have access rights, it is important to ensure there is robust management of access credentials. This may sound like a rather obvious point to make, but when one considers the “on-the-ground” reality you’ll quickly realize why this is a key starting point.
For those working in fast-growing B2B SaaS and technology companies, the following conditions often apply:
Resource-constrained and time-pressed marketing functions
Use of freelancers in the early years
High turnover of junior marketing staff over several years
Use of lots of Plugins (every additional plugin increases your chance of being exposed)
Weak security credentials and processes in place due to a move-fast and break-things culture e.g. sites where the default user name is still “admin” [If this is the case with your site please change it now!]
Given this above context, it is easy to see why ensuring robust security processes are in place represents a key element of your broader security posture. These could include:
Regular audits to assess who has access to the website
Offboarding processes for freelancers and marketing colleagues as soon as they finish up with the company
Agreed process for updating PlugIns and Applications
Annual audit of applications used as part of the marketing stack (especially those which need code to be deployed on the site)
Use of two-factor authentication (2FA) like Google Authenticator where available
Internal education to ensure that users are not using basic or weak passwords (mandating the number and types of characters to use) and ensure passwords are changed regularly to minimize the risk of a brute-force attack.
Ensure that the site uses HTTPS rather than HTTP.
Another area that introduces vulnerabilities relates to the use of third-party plugins and applications. Again it is important to apply similar processes to these. Over time the sheer number of 3rd party applications a marketing function will use as various marketing leaders adapt their own set of marketing tools creates similar issues. Regular audits are important to remove legacy code, for applications that are no longer needed.
So in short, regardless of the CMS being used, it is worth focusing on the human behavioral elements first as they often represent the main vulnerabilities when it comes to security breaches at websites.
Security and the CMS
The choice of CMS will also impact your security vulnerability footprint. Legacy CMSs like WordPress are extremely popular but have well-known security issues that tend to get exacerbated by poor internal security processes. Junior staff can often be nervous about “applying updates'', fearful that they may “break the site” and thus simply ignore them. As the number of Plug-ins increases the situation becomes riskier, especially when the provenance of some of them is unknown and may have been introduced in a previous marketing leader's tenure.
Outdated software, plugins, and themes are responsible for some of the most common WordPress security issues. Theme and plugin developers regularly release updates that include critical security patches and bug fixes.
— Source: Will Morris, WordCandy
What Are The Main Security Issues WordPress Has?
Given the popularity of WordPress as the market leader in CMSs it is a common target for hackers. The following represent some of the key areas that make the platform vulnerable:
1- Plugin Vulnerability
WordPress is now almost 20 years old and the reliance on a plug-in ecosystem with thousands of plug-ins from various vendors has introduced levels of security risk that are troubling.
As of December 2021, WordPress.org has 59,756 plugins available according to Wikipedia.
While WordPress regularly patches known vulnerabilities most users fail to update their software promptly leaving them open to attack.
Outdated core WP software leaves sites vulnerable because updates are usually designed to address critical security issues. Users who don’t download an update are then vulnerable to hackers. For example, WordPress version 5.8.1 included fixes for three major vulnerabilities, including a cross-site scripting (XSS) vulnerability in the Gutenberg block editor.
If your software is outdated, you’re also unable to update your themes and plugins (which we’ll cover below), and your site becomes more vulnerable to many of the security threats on this list.
— Source: Hubspot
2- Two Factor Authentication
The lack of a default 2FA (two-factor authentication) on the login page is also far from ideal (WordPress does offer a 2FA capability and 2FA plugins are available e.g. WP 2FA but it should be mandated.)
3- Outdated Software
An often encountered security concern related to WordPress is the use of outdated software, which comprises outdated core files, themes, and plugins. Hackers can exploit known security weaknesses in obsolete software to gain unauthorised access to your website. Add in themes, plugins and 3rd party code and a fear some people have of updating stuff in case it breaks something and you end up with a large gap between what is being done and what should be done when it comes to keeping everything up-to-date.
4- Weak Password Credentials
With WordPress, several areas could be improved including prompting users to change the user name ‘admin’ right out of the gate and ratcheting up the minimum requirements for passwords in terms of character count and mix of numbers, letters, symbols, and capitalization. In short, weak passwords are a prevalent problem that can be exploited by hackers who utilize automated tools to guess them and gain unauthorized access. To safeguard your website, it's crucial to employ strong, distinctive passwords and enable two-factor authentication.
WordPress and Security - A Summary
Is WordPress more insecure than more modern Content Management Systems like Contento, a SaaS Headless CMS? You’ll find robust debate on this depending on which side of the fence the writer is coming from. In some ways, WordPress is a victim of its own success - as the dominant CMS globally we are always going to hear more about WordPress issues and hacks compared to less popular ones.
While WordPress does have some security issues, it's important to note that many of these can be mitigated by following best practices for website security. This includes keeping software up-to-date, using strong passwords, installing reputable plugins and themes, and regularly backing up website data.
Traditional CMSs like WordPress and Joomla, which most people use for building websites, are code and file heavy. Hence, they have more material vulnerable to cyberattacks.
— Source: Momcilo
What is a Headless CMS?
A Headless CMS [What is a Headless CMS?] is a more modern approach to building and managing websites. It is an API-led approach where the front-end and the back-end are separated or decoupled. While this may seem counterintuitive given the trend in recent years to roll things up, this separation brings several significant benefits:
Highly performant blisteringly quick websites
A best-of-breed approach using a small number of leading solutions
Highly scalable infrastructure
The structured content approach facilitates omnichannel and internationalization requirements
Reduced footprint for attackers
How does it Differ from a Traditional CMS like WordPress?
So how does a Headless CMS differ from a traditional monolithic CMS like WordPress?
As mentioned above the decoupling of the front-end and back-end is a key basis for differentiation which informs a different approach. You are no longer picking a theme, tweaking it, and adding Plugins. Instead, you are giving your front-end developers (and designers) free reign to craft a beautiful website consuming content from the Headless CMS via API.
When it comes to Contento, the Headless CMS we offer all the key features you’d expect from a Headless CMS but we have focused on developing several areas we feel are neglected in broad marketing offerings. By building specifically for B2B, SaaS, and technology companies we can make assumptions and bake in features that we feel these sites typically require. We’ve also tackled head-on a gripe we hear a lot - that the marketing function feels that they can’t readily manage or maintain the site without relying on developer assistance.
Is a Headless CMS More Secure?
As the front-end and back-end are decoupled and the CMS is accessed via the API, this vastly reduces the internet-facing infrastructure and therefore the attack surface available. It also makes the API the most important focus that can be kept secure by following API best practices.
Headless CMSs are less susceptible to DDoS attacks as they typically don’t render the majority of the content. Instead, it is delivered to the browser as full HTML to be rendered. This reduces the likelihood of servers being overrun by large numbers of requests, as the computing power required to deliver the content is relatively much lower.
Most Headless CMSs are highly scalable, which means that they can handle large volumes of traffic without crashing or slowing down. This scalability is achieved through the use of cloud-based infrastructure, load balancers, and other technologies that distribute traffic across multiple servers e.g. Content Delivery Networks [CDNs].
It is also worth noting that a Headless CMS configuration means that the vendors take care of the security so you don’t have to do so yourself.
What Steps Should You Take to Secure Your Headless CMS?
Securing a headless CMS requires a multi-layered approach that includes both technical and procedural measures. Here are some steps that you can take to secure your headless CMS:
Choose a reputable CMS provider: Start by choosing a reputable CMS provider that has a proven track record of security. Look for a provider that is transparent about their security practices and has a history of promptly addressing security vulnerabilities.
Use strong passwords and two-factor authentication: Require strong passwords that are at least 12 characters long and include a combination of letters, numbers, and symbols. Implement two-factor authentication to add an extra layer of security.
Use encryption: Ensure that data is encrypted both in transit and at rest. Use HTTPS to encrypt traffic between the client and server, and consider encrypting data at rest using technologies such as disk encryption or database encryption.
Implement access controls: Implement granular access controls to restrict user access to only the features and content that they need to perform their job functions.
Backup regularly: Regularly back up your data to ensure that you can restore it in the event of a security breach or other disaster. Your Headless CMS provider should do this for you.
Conduct regular security audits: Regularly review your security practices to ensure that they remain effective and up-to-date. This can include penetration testing, vulnerability scanning, and other security assessments.
Summary
In summary, the security of your CMS is primarily dependent on user behavior and internal processes designed to mitigate breaches. However, it is also clear that when comparing the security of a Headless CMS to a Traditional CMS like WordPress that the former’s architecture and typical setup is a more secure approach to managing a website. If security is a key determining factor then a Headless CMS will be a good choice, however, without robust security policies in place the choice of CMS is immaterial.
Co-Founder / CEO
Alan Gleeson has 15+ years extensive B2B SaaS experience working with several VC backed Startups & Scaleups in the UK, US & Ireland.
Join our Newsletter
Learn how to build and manage a great website by subscribing to our newsletter to keep up to date with our products and services.
By subscribing to our newsletter you accept our GDPR terms and Privacy Policy