How to Protect Your CMS Site from Hacks Once and Forever

Konstantin KomelinKonstantin Komelin

I've been an active member of the Drupal community for many years. We've learned a lot together and solved many technical problems. Even today I follow updates of our local community group and sometimes answer folks' questions.

Last week, one of our members asked for advice. He needed to protect 30 landing pages built with old versions of WordPress/Drupal and third-party plugins. The owner was not going to update the sites himself, but he wanted them to stay operational. The problem was that the sites got hacked regularly and it was a pain to clean them from the hacks. The sites were hosted on VPS and served with Nginx.

Our community group brainstormed possible solutions, and I decided to share them along with my own thoughts in case a similar problem ever pops up for you.

Do your best to protect the site

  • Disable registering new users if your CMS allows it and remove all unnecessary accounts. Ideally, only keep the admin account with a very complex password.
  • Configure server/site firewall to prevent brute-forcing passwords. Limit the number of requests to the login url per short period of time.
  • Protect your login URL with HTTP basic auth through your web server (Nginx) config.
  • Deny access to all PHP files except the CMS entry point (normally index.php) through web server config.
  • Check your PHP settings. All eval-like functions should be denied.
  • Your site database should not be accessible from the outside (localhost-only access).
  • Every site should have its own database user with the access to that particular database only.

Make the site read-only

Make the site folder and database read-only except cache and contact form tables to which your site needs write access.

Make the site static

Export all site pages to static files (HTML/CSS/JS). There are plugins, tools and third-party services for that (more on it here).

Use a server snapshot to rollback regularly

Create a server snapshot when the site is in its clean state (not hacked) and rollback regularly, let's say, every night. This way any hacks are removed on the rollback.

Use third-party services for forms

If you have any forms that collect user-entered data in the site database (e.g. contact forms), replace them with a third-party services (e.g. Google Forms). The same is about email sending forms. It will prepare your site for switching to static or using the snapshot rollback option mentioned above.

If you know a better solution, please let me know in the comments below, so I could share it with the community.

A quick note from myself... I wouldn't recommend using CMS for every simple site if you're not sure you will be able to regularly maintain and update it. Instead, use site builder services or static site generators.