Security is not a measure -> the question is subjective. Same like: What is „hot“ Security and money -> elaborate for the application -> but you have to protect the important informations Security and usability -> user access control is maybe a barrier -> Session-Timeout is not user friendly -> Password meter is confusing the visitor But in the most of the case you need the elements. Therefore: Security is supposed to be part of the „master plan“ for a new Website. Therefore, always keep in mind security. What is security in a CMS
piracy (data theft) data loss image damage of your company identity theft / identity fraud unavailability of your website, after a attack attacks against users by the CMS possible risks
don’t use a default admin as an access and pickup a secure password for the admin Good passwords for your users A lot of tips – 10/10
Other tips Increase your awareness. Subscribe to your CMS Development Blog. It should be on your list of feed so you are updated about recent development, including security issues. Update. Your CMS takes only a few minutes to update, so spend some time at the end of the day to do so. I prefer to allocate some time in the weekend though. With update, I don’t mean just the core code, but also the plugins, libraries and or modules. Use supported themes. If you are not a theme designer, make sure you use a theme that is well supported so if there are problems you know who to run to for a solution. Backup often. There is no reason not to do so because you can easily schedule backups of your CMS database and files. Be safe rather than sorry. A lot of tips – other
Server / CMS funnel Web Server- Database- and CMS Security funnel 1. intelligent server security 2. database security 3. basic CMS configuration 4. CMS user groups 5. CMS user permissions 6. Module permissions 7. third-party libraries 8. check attacks 9. update your system 10. go back to 1.
* randomize database table prefix * separate sensitive data and place in “trust path” * randomize the “trust path” directory name * randomize the name of the secure data file * full integration with HTML Purifier (with options) * multiple password hash options, selectable by site * admin warnings for practices not followed * of course, protector module * session regeneration on login * using salt keys * protect email addresses against SPAM * handling of server-errors * the installer don't create a default admin * password meter (with security level) for the user * 17 password encryption (recommend is SHA256) ImpressCMS security features
Any questions? If not, I like to present you our ImpressCMS now... www.impresscms.org
Icons by: GNOME Desktop Created by: René Sato http://www.impresscms.de Thank you / Credits Thank you: skenow, phoenyx, Madfish, david Thank you to all Open Source CMS around the world.