Many CMSs, mainly open source, offer hundreds of plug-ins to enhance the functionality of the websites and the CMS. Some are useful, many are not, and a certain degree of redundancy exists. They are often created by the community or by anonymous third-party companies, which makes it almost impossible to track their compliance with security standards, especially in the PHP world, where thorough testing and coding standards are not a priority. Those plug-ins are potential back doors to the company’s data on the servers, as they usually have full access to all data.
According to Imperva, “98 % of WordPress vulnerabilities are related to plug-ins, which extend the functionality and features of a website or a blog”. Security breaches caused by insecure plug-ins can compromise enterprises in very different ways, allowing attackers to change content on websites, exploit personal data or even install malware. In the age of GDPR, this can lead not just to bad PR but also to significant fines from the data protection authorities.
Other plug-ins, especially those available for commercial CMSs, are difficult to adjust or enhance. At best, a developer’s support is needed. At worst, those plug-ins don’t work and cause code to break, requiring PHP or Java specialists to locate and fix the errors.
And the best thing is, as those widgets all run in the browser, they’re safe by default. They can’t compromise any servers, because there aren’t any.
This blogpost is an excerpt from the “Measurable Success” white paper. You can download it for free to learn about the 10 most relevant factors by which the success of a CMS can be measured.