Keeping Your CMS Secure

We live in a world of passwords. And we live in a world in need of security.

Passwords surround everything we do. For those responsible for managing passwords across family, children, or business, collection and safekeeping of passwords simply become one of the day’s tasks, just like brushing your teeth or putting on socks.

But keeping those passwords safe and hidden is just one side of the battle. Programs like 1Password provide access to easily saved and totally random password strings, helping stay away from basic passwords like “1234” or “password,” but even the longest passwords can be cracked if given enough time — and enough motive.

This means we need more than just a password to protect highly valuable sources of information. Like your personal contacts and photos. Like your bank account information.

And like the content and permissions with your content management system (CMS) or digital experience platform (DXP).

That’s where multi-factor authentication comes in.

Why multi-factor authentication is important.

As a reminder, when we talk about multi- or two-factor authentication (2FA), we’re talking about asking for a second or third (or, in rare cases, even more!) pieces of evidence in order to authenticate a user. This most often manifests as entering a second unique ID that’s based on something in close proximity, such as a key fob with an ever-changing number, or a code sent to a secondary device.

What’s important is that the additional layers of authentication happen separate from your already accessible online accounts — something that can’t already have been hacked. For example, when you log in to something like Apple’s iCloud, and a notification pops up on another linked device asking for confirmation — that’s two-factor authentication.

The truth is, strong passwords are still valuable and important, but they’re not perfect. In a lot of cases, a password may have been cracked for days before there’s any indication, simply because there’s rarely any notification when a password has been entered on a strange or new device. Given that your CMS or DXP might be accessed multiple times by different people on different devices, this seems obvious — no one wants to get an email every time someone logs in.

But, in reality, most people ultimately do not know when — or how — their sites are compromised. In an article written about Two-Factor Authentication in WordPress sites, it was found that 61.5% of respondents had no idea how an attacker compromised the site.

Even scarier, there’s little idea of what someone might do once they’re in there. They might change a line of text.

Or, they might attempt to throw the site into chaos.

Why you need it for your CMS or DXP.

Of course, this is more than just someone getting access to your social networks or streaming queue. Unauthorized access of your content management system is akin to gaining control of your business’s entire online persona — and, in the case of an organization that depends on content as a business asset or, even more critical, a business that depends on uptime to sell online products, unauthorized meddling in the content management system can lead to loss of reputation, loss of income, and even loss of actual assets.

With the understanding that your CMS or DXP is as valuable and private of a tool as your CEO’s laptop or a safe of petty cash, it makes the necessity of two-factor authentication even more crucial. You need to protect your site and make sure only the right people can access it, and this cannot be done through passwords alone.

Because, let’s face it; even the most secure password can fall into the wrong hands, especially for those who don’t depend on password protection software, or those who log in so infrequently that they wouldn’t notice any malicious action for weeks after a security breach.

So let’s get that site protected.

How to enable it.

Two-factor authentication plugins and functionality are available for most major content management systems and digital experience platforms. Blend most often works with Optimizely and Umbraco, so we'll talk about those here.

First, Umbraco has outlined the steps for implementing two-factor authentication — "Two-factor Authentication" — as a part of its existing documentation. 2FA can be set up using several different services.

Meanwhile, Optimizely facilitates their 2FA process through the developer community — an article from friend-of-Blend developer Joshua Folkerks from the Episerver days offers a walkthrough: "2 Factor Authentication In EPiServer."

Google Authenticator and other two-factor authentication methods can be used to secure any modern content management system. If you’d like additional information, drop us a line and we’ll see how we can help!