
Craft CMS And Security


With data breaches on the rise, securing your Craft CMS site is non-negotiable. This article provides invaluable techniques to lock down user access, protect content, harden servers, monitor for threats, and sustain defenses over time. Gain peace of mind knowing your Craft data and infrastructure are safe from compromise. Expect actionable advice to implement robust security that stands up to modern cyberattacks.

Craft CMS implements robust security including encrypted passwords, permissions restricting access, detailed edit logging, content workflows, server hardening, network firewalls, monitoring, penetration testing, and mandatory patching. Following Craft's layered security model and proactive maintenance enables protecting site infrastructure and data from compromise.

Securing User Access Control in Craft CMS

User Authentication in Craft CMS

Craft CMS takes user authentication seriously, implementing robust measures to prevent unauthorized access. All user passwords are encrypted, salted, and hashed for maximum security. Users can enable multi-factor authentication (MFA) for added identity verification using services like Google Authenticator.

Craft gives site admins the flexibility to configure front-end or backend login options. Front-end login enables user authentication directly through the site frontend, while backend login requires accessing the /admin control panel URL. Restricting login to the backend enhances security by limiting access points.

Additional user authentication settings like password length, login attempts, forcing a password change, and remembering past passwords are available. By leveraging these configurations, site admins can dial in authentication to suit their security needs. Overall, Craft's layered user authentication sets it apart from other CMS options.
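As an added illustration (not code from the article or from the Craft project), here is how several of these authentication settings are expressed in a site's config/general.php. The keys are Craft CMS general config options; the values are an example production policy, not Craft's defaults.

```php
<?php
// config/general.php -- added example; keys are Craft general config options,
// values are an illustrative policy for a production site.
return [
    // Settings shared by every environment.
    '*' => [
        // Serve the control panel somewhere other than the default /admin
        // (defence in depth only: it hides nothing from a determined scanner).
        'cpTrigger' => 'manage',

        // Login throttling: 5 failed logins inside a one-hour window lock the
        // account for 15 minutes (durations are in seconds).
        'maxInvalidLogins' => 5,
        'invalidLoginWindowDuration' => 3600,
        'cooldownDuration' => 900,

        // Answer identically whether or not a username/email exists on the
        // login and forgot-password forms.
        'preventUserEnumeration' => true,

        // Sessions: expire after an hour, bind them to the client's user agent
        // and IP, and disable "Remember Me" entirely (0 turns it off).
        'userSessionDuration' => 3600,
        'requireUserAgentAndIpForSession' => true,
        'rememberedUserSessionDuration' => 0,

        // Re-prompt for the password before sensitive account actions once
        // the elevated session is older than 5 minutes.
        'elevatedSessionDuration' => 300,

        // Cookies only over HTTPS, CSRF tokens on every form, and no
        // X-Powered-By header advertising Craft.
        'useSecureCookies' => true,
        'enableCsrfProtection' => true,
        'sendPoweredByHeader' => false,

        // Strip scripts from uploaded SVGs.
        'sanitizeSvgUploads' => true,

        // Never hard-code the key; read it from the environment.
        'securityKey' => getenv('SECURITY_KEY'),
    ],

    'production' => [
        // Freeze schema, plugin and updater changes in production so changes
        // arrive through deployed project config rather than live edits.
        'allowAdminChanges' => false,
        'allowUpdates' => false,
        'devMode' => false,
    ],
];
```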

User Accounts and Permissions in Craft

Managing user accounts is a cinch in Craft thanks to its intuitive control panel. Creating new user accounts is straightforward, requiring only a username, email, and password.

User permissions are where the magic happens. Craft implements a granular, role-based permissions system for fine-grained access control. Users can be assigned pre-defined roles like Admin, Editor, and Author that grant common permissions. Beyond that, custom roles with specific, one-off permissions are simple to create.

For example, a "News Editor" role could be made that allows editing only news section entries. Similarly, a "Calendar Update" role might permit modifying calendar entries but nothing else. The possibilities are endless.

Permissions can extend all the way down to enabling or denying editing access for single sections, categories, entries, and even fields. Content authors can be restricted to only edit their own entries, allowing for decentralized content creation. Overall, Craft offers unparalleled flexibility and security with its user accounts and permissions.

User Group Management in Craft

To streamline user permissions, Craft enables creating user groups that user accounts can be added to. Groups allow assigning the same permissions and restrictions to multiple users sharing common access needs.

For example, a "News Team" group could be created for all news content authors. This group would have permissions for editing and publishing news entries but not other sections. Another use case is project teams that need access to specific sections or categories temporarily during development.

User groups add efficiency to user administration. New team members can be added to the appropriate group(s) to inherit the correct permissions, rather than individually configuring each account. Group permissions can also be updated in one place rather than on individual accounts.

Craft's user authentication, permissions, and groups combine to form a secure user access control system. Options for MFA, frontend vs backend login, granular role-based permissions, and user groups allow dialing in the right level of access for a site's needs. With Craft's flexibility, almost any user management workflow can be accommodated.

Protecting Content Security in Craft CMS

Content Permissions in Craft CMS

Craft provides granular control over content permissions, enabling restrictions on who can add, edit, publish, and delete entries. Settings are configured per user group or account.

For example, an "Author" group could be limited to only create and edit their own entries. A "Reviewer" might have permissions to edit anything but not publish. An "Editor" could edit, publish, and delete any content.

Permissions extend to sections, categories, and even individual entries and fields. Authors might have full control over "Blog" section entries they create, but be unable to alter "News" section content. Granular options like enabling edits but not deleting, or vice versa, are available.

Content staging further secures published content from unwanted changes. Edits can be made in a draft version without affecting the live version until changes are approved. Overall, the depth of permissions ensures only authorized users can modify content.

Edit History and Tracking in Craft CMS

Craft retains a complete edit history of all content changes, enabling auditing and tracking unauthorized edits.

The audit log records every alteration, logged by date, user, and IP address. Recent activity shows edits made in the last 24 hours. Any suspicious changes made by unknown users quickly become apparent.

Version history tracks all revisions, allowing rolling back to earlier drafts. Accidental edits or deletions can easily be undone. Revision notes prompt the editor to describe each change, keeping a running log of intent.

Email notifications can alert when entries are created, updated, or deleted. Notices help detect rogue activity. Change tracking gives both insight into content evolution and an audit trail to investigate issues.

Content Workflows in Craft CMS

Craft CMS allows creating flexible content workflows to match an organization's review and approval process. Workflows enforce content moving through required steps before going live.

For example, a blog workflow could require submission to an editor for review. Only once approved could the content be published. Workflows support single or multiple stages, with permissions assigned to user groups at each stage.

Emails at transition points keep stakeholders aware of status. A shared-review feature enables several users to review content simultaneously before it is published. Overall, workflows enable governance over publishing to prevent premature or unapproved content.

Together, the depth of permissions, change tracking, and configurable workflows in Craft provide a robust content security framework. Tight controls restrict publishing power while auditing and notifications quickly identify unauthorized activity. Workflows standardize the review process. Craft gives complete command over content integrity from creation to publication.

Server Hardening and Network Security

Server Hardening

Properly hardening Craft CMS servers is crucial to reduce the attack surface. Unnecessary services and open ports provide opportunities for exploitation and should be disabled. Require SSH key authentication instead of password-based login, and disable remote root login entirely so administrators log in as unprivileged users and escalate only when needed.

Follow OWASP configuration guidelines to enable security headers like HTTP Strict Transport Security (HSTS), disable dangerous PHP functions, and strengthen user authentication. Keep Craft and plugins updated to the latest versions to ensure vulnerabilities are patched. Consider restricting Craft's access to only required directories.

For optimal security, hosting Craft on a cloud platform like Amazon Web Services or Google Cloud provides additional measures like security groups, private networking, and DDoS protection. Overall, hardening locks down servers to prevent intrusions.

Firewalls and Network Perimeter

Craft sites should be protected by a firewall with tight rules restricting inbound and outbound traffic. Allow only required ports such as 80, 443, and 22. Block everything else. Require users to connect through a VPN for backend admin access.

Enable a Web Application Firewall (WAF) to monitor and filter incoming traffic, preventing exploits like SQL injection and cross-site scripting. A WAF can also detect common attack patterns and botnet activity.

For availability, implement redundancy with multiple firewalls and proxy servers along with employing DDoS mitigation services. Keeping Craft infrastructure isolated from other systems enhances security. Automated intrusion detection aids in identifying threats. Robust network perimeter defenses prevent unauthorized access.

Application-Layer Defenses

In addition to network protections, applying application-layer controls bolsters security. A Web Application Firewall at the application layer provides deep inspection against OWASP threats.

Disable unused Craft CMS routes to reduce exposed endpoints.

Install an anti-virus plugin to scan uploads for malware. Leverage tools like Varnish Cache to limit traffic to back-end servers. Enforce SSL/TLS across all pages to encrypt connections.

Monitor for bot activity with Google reCAPTCHA or fingerprinting techniques and blacklist IPs as needed. Conduct frequent vulnerability scans to uncover any misconfigurations or flaws before criminals do. Employing layered security at the app level along with network defenses provides maximum protection.

Together, properly hardening Craft CMS servers, implementing strict firewall policies, and deploying application layer controls helps mitigate risk and guard against intrusion. Keeping infrastructure patched, secured, and monitored is essential given the sensitive data sites often manage. A vigilant, defense-in-depth security posture keeps Craft websites safe.

Security Monitoring, Testing and Incident Response

Monitoring and Intrusion Detection

Ongoing monitoring and attack detection is essential to identify threats targeting Craft CMS sites. Review access logs regularly for signs of unauthorized access attempts and failed logins.
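The log review above can be partly automated. The following is an added example, not code from the article or from Craft: it scans web server access log lines and flags client IPs that repeatedly POST to Craft's login action within a short window, which is how a password-guessing run looks from the web server's side. It assumes the nginx "combined" log format and Craft's default action trigger, so login requests contain "actions/users/login" in the path; the sample lines are constructed.

```php
<?php
// Added example: detect bursts of login POSTs per client IP in access logs.
// Assumes nginx "combined" format and Craft's default action trigger ("actions").
const LOGIN_PATH   = 'actions/users/login';
const MAX_ATTEMPTS = 5;   // attempts tolerated per IP ...
const WINDOW_SECS  = 600; // ... inside this many seconds

// Parse 'ip - user [time] "METHOD path HTTP/x" status ...' into its fields.
function parseLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    return $ts ? ['ip' => $m[1], 'ts' => $ts->getTimestamp(),
                  'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]] : null;
}

// Return [ip => attempts] for every IP exceeding MAX_ATTEMPTS within WINDOW_SECS.
function findLoginBursts(array $lines): array
{
    $byIp = [];
    foreach ($lines as $line) {
        $r = parseLine($line);
        if ($r && $r['method'] === 'POST' && strpos($r['path'], LOGIN_PATH) !== false) {
            $byIp[$r['ip']][] = $r['ts'];
        }
    }
    $flagged = [];
    foreach ($byIp as $ip => $times) {
        sort($times);
        $start = 0; // sliding window: drop timestamps older than WINDOW_SECS
        foreach ($times as $i => $t) {
            while ($t - $times[$start] > WINDOW_SECS) {
                $start++;
            }
            if ($i - $start + 1 > MAX_ATTEMPTS) {
                $flagged[$ip] = $i - $start + 1;
                break;
            }
        }
    }
    return $flagged;
}

$sample = []; // constructed: 8 login POSTs from one IP in 8 minutes, plus one normal user
for ($i = 0; $i < 8; $i++) {
    $sample[] = sprintf('198.51.100.7 - - [10/Apr/2022:09:%02d:00 +0000] "POST /manage/actions/users/login HTTP/1.1" 400 52 "-" "curl/7.81"', $i);
}
$sample[] = '203.0.113.5 - - [10/Apr/2022:09:01:00 +0000] "POST /manage/actions/users/login HTTP/1.1" 200 311 "-" "Mozilla/5.0"';
print_r(findLoginBursts($sample));
```

Craft's own maxInvalidLogins throttling still applies per account; this view catches an attacker rotating through many accounts from one address, and the threshold should be tuned against real traffic before alerting on it.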

Enable intrusion detection systems (IDS) to get alerts on reconnaissance scans, exploitation efforts, and other suspicious activity.

Leverage endpoint detection and response (EDR) solutions on servers to gain visibility into potential compromises. Monitor network traffic flows to uncover anomalies indicative of an attack. Implement a SIEM to aggregate and analyze security event data from multiple sources.

Set up alerts for when new user accounts are created or permission changes enacted. Automated monitoring provides 24/7 watch over infrastructure security.

Vulnerability Testing and Audits

Conduct frequent security assessments to uncover weaknesses before criminals exploit them. Perform network scans using tools like Nessus to identify misconfigurations. Carry out vulnerability scanning and penetration testing specifically focused on Craft CMS and any connected infrastructure.

Schedule regular external security audits to benefit from an independent evaluation. Audit authentication mechanisms, access controls, network segmentation, and disaster recovery preparations. Internal audits should also assess adherence to security policies and procedures.

Always address discovered vulnerabilities and issues according to their severity. Follow up testing ensures problems are resolved rather than lingering. Ongoing audits and penetration testing identify risks before they become breaches.

Incident Response Planning

Despite best efforts, security incidents can still occur. Develop and document an incident response plan to guide reaction. Include data breach response procedures addressing containment, notification, and recovery.

Outline DDoS mitigation protocols leveraging firewall, router, and upstream provider assistance. Implement a disaster recovery plan detailing how systems and data will be restored after outages.

Maintain backups in a geographically separate location that can be quickly accessed in an emergency. Conduct response plan training and simulations for the best chance of success during real incidents. Having robust incident response processes in place improves resilience.

By actively monitoring infrastructure and traffic, regularly testing for vulnerabilities, and planning incident response, site administrators can get ahead of digital threats. Never get complacent. A strong security posture requires constant vigilance, testing, and adaptation according to the ever-evolving threat landscape. Investing in preparedness provides the best odds of avoiding or withstanding an attack.

Ongoing Security Maintenance and Training

Patching and Updates for Craft CMS

Diligently applying the latest security patches and updates is imperative for maintaining defenses. Review Craft CMS release notes for vulnerability fixes and install minor releases as soon as possible. For major version updates, test in staging before production deployment.

Keep plugins updated to avoid exploits targeting outdated code. Schedule regular audits to ensure software versions remain current. Consider automating the update process for efficiency. Out-of-date Craft installs will miss vital security fixes.

Operating system and CMS framework updates also warrant attention. Incorporate new PHP releases that improve performance and security. Keep Linux distros like Ubuntu or CentOS patched. Server software like MySQL and Nginx may require patching as well.

Regular patching and version updates bring the benefits of community-driven security enhancements. They prevent attackers from capitalizing on known flaws.

Security Training for Teams

Ongoing education helps ensure teams remain security-conscious. Provide training on recognizing phishing, avoiding weak passwords, and identifying social engineering. Inform developers about sanitizing inputs, using prepared statements, and implementing access controls.

Share cybersecurity news articles to boost awareness of the evolving threat landscape. Sponsor conference and training opportunities to gain deeper knowledge. Focused training keeps security top of mind.

Craft a policy outlining web security protocols and best practices. Review at onboarding and annually after. Well-informed teams with the latest know-how better identify and prevent issues.

Ongoing Assessments and Monitoring

Regularly repeat assessments and monitoring activities to sustain defenses over time. Configuration audits validate that settings haven't drifted. Vulnerability scanning uncovers newly disclosed vulnerabilities that need addressing.

Penetration tests check whether the site resists techniques such as SQL injection, XSS, and session hijacking. Monitor user activity for anything unusual. Use integrity checking and file change monitoring to detect tampering.

Analyze web traffic flows and patterns for anomalies. Tune systems based on security intelligence and emerging threats. Look for weakness signals like slower performance.

Vigilance is required. Set calendar reminders for assessments and training. Allocate budget for activities that fortify security. Consistently maintaining awareness and defenses is imperative for long-term Craft CMS site reliability and safety.

Andy Golpys, Author

Andy has scaled multiple businesses and is a big believer in Craft CMS as a tool that benefits designers, developers and clients alike.
