A Security Standpoint: Static Site Generators over WordPress and Other CMS Software
I would like to start this blog with some intriguing statistics that I came across recently:
More than 600,000 sites were hit by blind SQLi vulnerability in the WP Statistics plugin according to a report by the Wordfence Threat Intelligence team.
As per WP White Security, 30.95% of Alexa’s top 1 million websites are using the outdated version 3.6 of WordPress, making them vulnerable to hacking attempts.
According to Sucuri, 83% of all CMS-based websites, which are hacked, are built on WordPress.
On May 31, 2021, the Wordfence Threat Intelligence team discovered a critical file upload vulnerability being actively exploited in Fancy Product Designer, a WordPress plugin installed on over 17,000 sites.
CVE-2020-36326 was a critical vulnerability that discovered object injection vulnerability in the PHPMailer of WordPress with a CVSS score of 9.8. WordPress released the 5.7.2 update to patches this vulnerability.
As alarming as these statistics are, WordPress still continues to dominate the website market as it makes 39.5% of all websites in 2021.
Advantages of using CMS
WordPress, Joomla, Drupal are common dynamic website generators supported with CMS (Content Management System). CMS eases the technical work for the site owner and is quite easy to use and maintain.
They provide several advantages like:
- The collaborative atmosphere of CMS enables multi-user options.
- Non-technical people who are not interesting in coding their websites can use CMS.
- The themes can be changed easily and the whole look of the website can be redesigned.
- CMS helps the users to deliver SEO-friendly (Search Engine Optimized) content widening their reach.
Due to the prime advantage of unsophisticated website maintenance and user-friendly experience, they have a huge userbase of website owners. The volume of users on these platforms attracts attackers.
Security Concerns with CMS and Dynamic Websites
Content management systems are built on an open-source framework, and often the vulnerabilities and bugs are not reported responsibly or after the exploitation has affected the users. This results in the end product being infected with serious security flaws.
Working of a Dynamic Website
In simple words, dynamic websites store the data as a database. Suppose a bakery shop has a website with all its dishes and desserts. Now each time a user visits the website and looks for a specific item, the website fetches the item details like price, image, and quantity from the backend database.
I have summarized a more detailed view of the working of the dynamic websites is in the process flow diagram below:
Security Flaws in Dynamic Websites
Database Attacks
These databases of dynamic websites are quite vulnerable to injection, scripting and many more attacks. Once the attacker gets access to the database through one of these vulnerabilities like an SQL injection, he can further gain access to the admin credentials and extract sensitive information like:
- PII (personally identifiable information),
- Customer details,
- Passwords,
- Salts and hashes, etc.
Recurrent Updates
Another issue in the dynamic platforms is that they need to be constantly updated. If the user is ignorant of these updates, this could lead to an attacker exploiting his/her website with unpatched security issues.
Third-Party Plugins and Themes
Dynamic website generators offer a plethora of options of themes and plugins to ease the user’s work. The security of these themes and plugins is hard to maintain due to their quantity and constant updates. WordPress also offers plugins to the users, but a lot of them come from a 3rd party. These 3rd party plugins are hence quite vulnerable to attacks and a vulnerability in a single plugin affects thousands of users who use it.
WordPress Plugins are responsible for 98% of all vulnerabilities. These vulnerabilities generally stem from the 3rd party plugins and themes and not from the main core of WordPress. Security concerns generally occur due to user mistakes like not updating to the latest version, using buggy software, etc.
Advantages of a Static Website
Static websites eliminate the need for databases and display the same webpage to all users, unlike dynamic websites. Static websites are just plain text files that can contain HTML, CSS, or Javascript. Static site generators like Hugo, Gatsby, and Jekyll are getting increasingly popular for the benefits they offer. They bridge the gap between dynamic and static websites. They source a directory of files and templates and use these to create a complete website.
Security Benefits of Static Websites
Static sites reduce the attack surface, thereby reducing both the possibility and severity of an attack. Static websites provide commendable security assurance to the users:
- They eradicate the possibility of database attacks as no databases are involved.
- Also, as almost no input is taken from the user, attacks like SQLi are prevented.
- The possibility of DDoS attacks is much lower than the dynamic sites.
A static site that uses a Content Delivery Network or CDN is faster, provides a better user experience and is more secure. This is because of the fact that many other web servers on the network are ready to send out the website’s pages if one web server on the network goes down due to an attack. Some commonly used CDNs are Netlify and Cloudflare.
For dynamic content that requires storing information like forms and comments, the static sites use 3rd party APIs like google forms. This website uses Disqus for the comment section, so any attack or a payload injected in the comment affects Disqus and not my website.
But similar to the previously mentioned scenario, if the security of these 3rd party APIs is compromised this does affect my website and the data it entails. So, the users must carefully decide the 3rd party software and APIs they use for their website. Apart from security benefits, static sites are faster and cheaper than dynamic websites.
Static != Secure
Static site generators are not flawless or perfect. They are not suitable for websites with a lot of activity and need to be constantly updated like news bulletin websites.
From a security point of view, although they are much more secure than the other options, they do raise some security concerns. These include:
- Github Leaks,
- DoS attacks,
- External injections,
- DOM vulnerabilities
- Vulnerabilities in hosting platforms etc.
Static site users often indulge in copy-pasting javascript code for their websites which can be misused by the adversaries. But they are indeed a much safer option than the dynamic sites that use CMS.
In the case of static site generators files are written in markdown, which may not be comfortable for everyone. Also, a good reason in defense of the large user base of WordPress is the WP Block editor and its usability constraint.
Conclusion
CMS does provide a lot of user-centered advantages, but with the surge in online website attacks and data breaches, it is not a very safe option. Although static websites require more effort, they are way more secure than dynamic CMS-based websites. Both dynamic and static websites have their own set of advantages and disadvantages, the decision depends on the user’s priorities and purpose.
P.S.- This blog is a result of my curiosity when I was learning about hacking third-party CMS software and common vulnerabilities in the same. The question in mind was why are people still using such vulnerable software for maintaining essential information about themselves, their business, etc. when a better alternative exists in the market? The answer is- comfort and lack of cybersecurity awareness, especially among the non-technical folks.
Hence I request all the readers to spread security awareness on whatever platforms and level they can. Thank you!