The Pros and Cons of a Content Management System
When comparing the two main ways to produce web page content, writing web code versus producing web code through CMS page builders, there are two important distinctions to make when evaluating the benefits of each. While user experience certainly weighs heavily in evaluating how effective a website author will be in producing viable web content through the CMS UI, web security is another highly important consideration if one is to fully evaluate the pros and cons of each web authoring technique, for despite its relative ease of use, a CMS remains highly vulnerable to a variety of malicious web-based malware and hijack attacks.
HTML Website Security
The Multiple Vulnerabilities of WordPress CMS
The world of WordPress security vulnerabilities is vast and ever growing. WordPress-related vulnerabilities saw a 30% increase in 2018 compared to the previous year, climbing from 418 to 542. This figure represents verified script vulnerabilities; the figure for actual compromised WordPress installations worldwide could be far greater. ZDNet estimates that over 20,000 infected WordPress sites may be vulnerable due to bad plugins, while Threatpost estimates the count of vulnerable WordPress installations to be upward of one million due to website owners and managers failing to update faulty plugins. But due to the stealthy nature of zombie bot operations working via SQL injection back doors without the website owner's awareness, the number of compromised WordPress installations may be unknown and perhaps far greater than anyone imagines.
Blind SQL Injection
SQL injection is the typical type of exploitation done to a compromised WordPress CMS installation. Some of the exploits possible after such a hack are launching a DDoS attack on other websites, sending spam emails, storing and transferring illegal files, mining cryptocurrency and brute-force attacks on financial institution accounts. WordPress CMS is written in PHP, a programming language. The PHP scripts in a typical WordPress installation number in the thousands. If a hacker gains access to the server, these PHP scripts can be exploited to open back doors to an incoming payload of malicious files, and then turn the SQL database into a zombie bot to execute all manner of havoc on the web. SQL injection attacks can occur from a weak password that has been found by a bot knocking on the WordPress logon page door with a brute-force attack, or from a plugin or code vulnerability. A compromised WordPress website can then be used as a platform to execute more brute-force attacks on other WordPress installations, as well as to spread infection to other shared-hosting WordPress installations which happen to share the same server with an infected WordPress site.
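For site owners who do their own back-end maintenance, the brute-force knocking on the logon page described above is visible in the web server access log. The following is an added example, not part of the original article: it flags clients that send bursts of failed `POST /wp-login.php` requests. The log lines are constructed, the function name and thresholds are hypothetical, and it assumes a default WordPress install where a failed login answers 200 and a successful one answers with a 302 redirect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (addresses are from documentation ranges).
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [12/Mar/2019:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3120'
     for s in range(0, 12, 2)]
    + ['203.0.113.7 - - [12/Mar/2019:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
       '198.51.100.20 - - [12/Mar/2019:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
       '198.51.100.20 - - [12/Mar/2019:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
       '198.51.100.33 - - [12/Mar/2019:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3120'])

# client, timestamp, method, path, status from a common/combined format line
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def find_login_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"failures": n, "succeeded_after": bool}} for flagged clients."""
    recent = defaultdict(deque)  # ip -> timestamps of failed logins inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines in an unexpected format
        ip, ts, method, path, status = m.groups()
        if method != "POST" or path.split("?")[0] != "/wp-login.php":
            continue  # only login submissions matter here
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if status == "200":  # assumption: form re-rendered means a failed attempt
            q = recent[ip]
            q.append(when)
            while when - q[0] > window:
                q.popleft()  # drop attempts that fell out of the sliding window
            if len(q) >= threshold:
                entry = flagged.setdefault(ip, {"failures": 0, "succeeded_after": False})
                entry["failures"] = max(entry["failures"], len(q))
        elif status == "302" and ip in flagged:
            # A redirect right after a burst suggests a guessed password:
            # rotate that account's credentials and review the installation.
            flagged[ip]["succeeded_after"] = True
    return flagged

if __name__ == "__main__":
    for ip, info in find_login_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

A client flagged with `succeeded_after` set deserves immediate attention, since it means the burst of failures ended in a login that was accepted.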
A Solution For Those With Deep Pockets
While a CMS provides the opportunity to create a fully functioning website with little to no web coding experience, the risk of malicious exploitation of a WordPress CMS continues to grow with alarming sophistication. Although there are many useful security plugins available to mitigate WordPress CMS attacks, proper configuration of the many security features is daunting, and incorrect configurations can accidentally disable important WordPress features or even lock the administrator out of the website. One strategy to overcome a lockout is to directly edit the WordPress installation through the cPanel file manager and there manually edit the particular security plugin causing the lockout, but some security plugins edit the WordPress core files in such a way as to prevent this solution as well. The only solution then becomes to contact the plugin developer for help, or simply start over with a new installation. A website owner may be neither willing nor able to deal with security and/or other web development complexities. For them another web hosting solution is available. Managed hosting is an optional service whereby the hosting provider takes on management of the back-end maintenance needs of the WordPress installation. With managed hosting, the web host assumes responsibility for the security of the website.
The HTML vs. CMS Shootout
WordPress CMS offers web content creators the ability to build websites with little or no coding skills, but security risk management is in the details and the risk is certainly high. Managed hosting is available to take care of all the back-end details, including security, but the dollar cost is high. WordPress CMS is clearly a worthy option for those with no coding skills seeking to create a website, but if content creators don't have the big bucks to shell out for managed hosting and don't want to get hacked, they will need to stay hands-on with ongoing back-end maintenance, including regular plugin updates and security systems management through the chosen WordPress security plugin. Online CMS web building platforms are another seemingly viable option. The on-screen drag-and-drop editors provided by these web-based CMS platforms are an easy-to-use solution but come at the price of limitations in the appearance, features and function of the website. Another disadvantage of online CMS page builders is that they are not cross-domain friendly. You will be locked into the hosting provider you built your website on.
And the Winner Is