Website security issues from CMS platforms and third-party plugins

I use WordPress to run my website. I could have used another solution, but the WordPress approach suited my needs and allowed the use of third-party plugins to add styling and functionality. I was aware that some of these may cause security issues, but decided the risk was acceptable as I am not capturing or storing any sensitive information. Was this the right decision? I decided to research some of the leading Content Management System (CMS) platforms to check.

The CVE Details website provided information on the platforms. The Common Vulnerabilities and Exposures (CVE) list was the main source for issues on platforms and plugins. Using a simple text filter, the numbers of reported issues over the past two years were extracted. There may be some double counting, as the same issue could be reported against different versions of the CMS. For Umbraco, their blog has details of security issues.
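A sketch of that kind of text filter, added here as an illustration and not the script used for the figures in this post. It counts each CVE ID once to avoid the double counting mentioned above; the rows, product names and CVE IDs are constructed placeholders, and the keyword test for plugins is an assumption.

```python
import re

# Constructed sample rows shaped like a vulnerability listing export:
# (CVE id, affected product and version, summary). IDs are placeholders.
ROWS = [
    ("CVE-2015-X0001", "ExampleCMS 4.1", "XSS in ExampleCMS core comment form"),
    ("CVE-2015-X0001", "ExampleCMS 4.2", "XSS in ExampleCMS core comment form"),
    ("CVE-2015-X0002", "Gallery plugin 1.3", "SQL injection in the Gallery plugin for ExampleCMS"),
    ("CVE-2014-X0003", "ExampleCMS 3.9", "CSRF in ExampleCMS admin panel"),
    ("CVE-2014-X0004", "Forms plugin 2.0", "File upload flaw in Forms plugin for ExampleCMS"),
    ("CVE-2014-X0004", "Forms plugin 2.1", "File upload flaw in Forms plugin for ExampleCMS"),
    ("CVE-2014-X0005", "OtherCMS 1.0", "Open redirect in OtherCMS"),
]

# The year in a CVE ID is the year the ID was assigned, used here as the report year.
CVE_YEAR = re.compile(r"^CVE-(\d{4})-")
# Assumed keywords that mark an entry as third-party code rather than the CMS core.
PLUGIN_WORDS = re.compile(r"\b(plugin|module|extension|theme)\b", re.I)


def count_issues(rows, platform, dedupe=True):
    """Return {year: {"core": n, "all": n}} for rows that mention `platform`."""
    seen = set()
    counts = {}
    for cve_id, product, summary in rows:
        text = f"{product} {summary}"
        if platform.lower() not in text.lower():
            continue  # the simple text filter
        if dedupe:
            if cve_id in seen:
                continue  # same issue listed against another version
            seen.add(cve_id)
        match = CVE_YEAR.match(cve_id)
        if not match:
            continue  # skip rows without a well-formed CVE id
        bucket = counts.setdefault(int(match.group(1)), {"core": 0, "all": 0})
        bucket["all"] += 1
        if not PLUGIN_WORDS.search(text):
            bucket["core"] += 1
    return counts


if __name__ == "__main__":
    print("per listing row:", count_issues(ROWS, "ExampleCMS", dedupe=False))
    print("per CVE id:     ", count_issues(ROWS, "ExampleCMS", dedupe=True))
```

Comparing the two outputs shows how much of a raw count comes from the same issue being listed against several versions.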

There have been few issues in the CMS platforms; more have been found in third-party plugins.

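CMS platforms – reported issues

| Platform  | 2015 (to 9 September) | 2014 |
|-----------|-----------------------|------|
| Drupal    | 10                    | 14   |
| Joomla    | 0                     | 0    |
| Umbraco   | 0                     | 1    |
| WordPress | 5                     | 29   |

CMS platforms and third-party plugins – reported issues

| Platform  | 2015 (to 9 September) | 2014 |
|-----------|-----------------------|------|
| Drupal    | 162                   | 78   |
| Joomla    | 6                     | 22   |
| Umbraco   | 1                     | 2    |
| WordPress | 101                   | 301  |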

The Akamai State of the Internet Security report includes a case study on WordPress plugins. Of the 1,322 plugins and themes tested, 25 had at least one vulnerability — and in some cases, multiple vulnerabilities — totaling 49 potential exploits (approximately 4% of what was tested). The developers were contacted, and many fixed the issues very quickly.

The conclusion isn’t a surprise. Security issues continue to be uncovered, many in third-party plugins. Some CMS platforms have fewer reported issues than others. The platforms with the most are probably the most popular and, therefore, have more third parties producing plugins. Should you change to a CMS with fewer reported issues? It is something to consider, but the costs of doing it may not be justified, as each CMS will have issues at some time.

If a third party has built your website, check that they are keeping up to date with security alert notifications and applying fixes as soon as they are available. If you have built your website yourself, you need to look out for any security alerts and decide if any action is required.