There are those that purport that updating your Content Management System (CMS) is one of the most basic practices in securing your website, but what happens when hackers “reverse engineer” security patches? According to CMS Garden, which is part of the Secure Websites and Content Management Systems project funded by the German government, hackers can exploit security patches in as little as four hours.
The process is surprisingly simple. When your current CMS, be it WordPress, Drupal, Joomla, or others, releases a security update/patch, hackers can reverse engineer the patch by comparing patched and unpatched files to learn how to exploit vulnerabilities that were meant to be patched. This allows them to quickly create an exploit code effective against systems that haven’t applied the update and easily turn your infected website or websites into spam sites, malware hosts, or part of larger DDoS botnet to attack other computer systems.
So to update or…not
Many website owners choose not to update their CMS right away for several reasons: plugins may no longer work as intended so a workaround needs to be found, and it may take too long to get approval from their web developers to apply those updates. Furthermore, security administrators may find compatibility issues between the update and the existing system, or updating may simply consume many resources which aren’t always available (e.g. manpower, time, testing environments). You might be thinking then, how can you secure your website when the reality is that patching your CMS takes time? Websites without active protection face significant vulnerability, and rapidly evolving unknown and modified threats cannot be anticipated and be dealt with in real-time even by the best developers. However, if your website is protected by a Web Application Firewall (WAF), and the WAF sits in front of the web server, your website isn’t left completely vulnerable between patches. Website owners choose to deploy active protection like WAFs because addressing all vulnerabilities in a website through precise, secure coding and design is very difficult for most.
Is a WAF the next best alternative?
Concern regarding a WAF’s capability in offering protection against new threats is valid; WAF protection varies based on detection methods, and unfortunately, all WAFs aren’t created equal. There are certainly WAF services on the market that have disappointing protection capabilities, oftentimes because they are slow to evolve away from strictly signature-based detection methods, meaning modified and unknown attacks can evade detection.
Luckily, companies and users are quickly gaining a better understanding of what to look for in a WAF. Instead of solely relying on signature-updates, which target known threats, users should look for WAFs that also use heuristic and semantic analysis to identify and block unknown and modified threats. It is good security practice to use the most updated version of your CMS. However, in circumstances where updating to the latest version is difficult, instead of completely relying completely on security patches, you can manage and reduce that level of risk by using alternative security measures, such as deploying a WAF or WAF service.