Keeping Your CMS Secure

Unauthorized meddling in your content management system can lead to loss of reputation, loss of income, and even loss of actual assets. Enabling multi-factor authentication protects your site and makes sure only the right people can access it.

1/30/2020


We live in a world of passwords. And we live in a world in need of security.

Passwords surround everything we do. For those responsible for managing passwords across family, children, or business, collection and safekeeping of passwords simply become one of the day’s tasks, just like brushing your teeth or putting on socks.

But keeping those passwords safe and hidden is just one side of the battle. Programs like 1Password make it easy to generate and save totally random password strings, helping you stay away from basic passwords like “1234” or “password,” but even the longest passwords can be cracked if given enough time — and enough motive.

This means we need more than just a password to protect highly valuable sources of information. Like your personal contacts and photos. Like your bank account information.

And like the content and permissions with your content management system (CMS).

That’s where multi-factor authentication comes in.

Why multi-factor authentication is important.

As a reminder, when we talk about multi- or two-factor authentication, we’re talking about asking for a second or third piece of evidence (or, in rare cases, even more!) in order to authenticate a user. This most often manifests as entering a second unique ID that’s based on something in close proximity, such as a key fob with an ever-changing number, or a code sent to a secondary device.

What’s important is that the additional layers of authentication happen separately from your already accessible online accounts — something that can’t already have been hacked. For example, when you log in to something like Apple’s iCloud, and a notification pops up on another linked device asking for confirmation — that’s two-factor authentication.

The truth is, strong passwords are still valuable and important, but they’re not perfect. In a lot of cases, a password may have been cracked for days before there’s any indication, simply because there’s rarely any notification when a password has been entered on a strange or new device. Given that your CMS might be accessed multiple times by different people on different devices, this seems obvious — no one wants to get an email every time someone logs in.

But, in reality, most people ultimately do not know when — or how — their sites are compromised. In an article written about Two-Factor Authentication in WordPress sites, it was found that 61.5% of respondents had no idea how an attacker compromised the site.

Even scarier, there’s little idea of what someone might do once they’re in there. They might change a line of text.

Or, they might attempt to throw the site into chaos.

Why you need it for your CMS.

Of course, this is more than just someone stealing your tweets or accessing your Netflix queue. Unauthorized access of your content management system is akin to gaining control of your business’ entire online persona — and, in the case of an organization that depends on content as a business asset or, even more critical, a business that depends on uptime to sell online products, unauthorized meddling in the content management system can lead to loss of reputation, loss of income, and even loss of actual assets.

Once you understand that your CMS is as valuable and private a tool as your CEO’s laptop or a safe of petty cash, two-factor authentication becomes even more crucial. You need to protect your site and make sure only the right people can access it, and this cannot be done through passwords alone.

Because, let’s face it, even the most secure password can fall into the wrong hands, especially for those who don’t depend on password protection software, or those who log in so infrequently that they wouldn’t notice any malicious action for weeks after a security breach.

So let’s get that Episerver site — or any site, really — protected.

How to enable it.

With regard to how to enable two-factor authentication on an Episerver site, we know a guy.

Joshua Folkerts, Blend partner and lead developer — as well as one of the nation’s only Episerver EMVPs — has written a post about Episerver two-factor authentication over at Episerver World. His method provides a QR code that allows for access to a unique six-digit code through Google Authenticator.

Once you set up Google Authenticator, it will be active any time you attempt to log in to the Episerver site. You’ll still be using your original name and password, but now you’ll simply need to provide an extra always-changing six-digit code to complete the transaction. It’s your code, and your code only, which means you’ve made the CMS — and all the content therein — a lot more secure.
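To show what sits behind the QR code and the six-digit code, here is an added example (not the code from the Episerver World post, and not Episerver's API) of the standard TOTP scheme from RFC 6238 that Google Authenticator uses. The function names, the issuer and account strings, and the one-step drift window are assumptions made for illustration; the secret is the RFC's published test key.

```python
import base64, hashlib, hmac, struct
from urllib.parse import quote, urlencode

DIGITS, STEP = 6, 30  # six-digit codes, new code every 30 seconds

def totp(secret: bytes, at: float) -> str:
    """RFC 6238 code for the 30-second window containing Unix time `at`."""
    counter = int(at) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI that the enrollment QR code encodes."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    params = urlencode({"secret": b32, "issuer": issuer,
                        "digits": DIGITS, "period": STEP}, quote_via=quote)
    return f"otpauth://totp/{quote(issuer + ':' + account)}?{params}"

def verify(secret: bytes, code: str, at: float, last_used: int, drift: int = 1):
    """Return the matched time-step counter, or None if the code is rejected.

    `last_used` is the counter of the last accepted code for this user; the
    caller stores the returned counter so a captured code cannot be replayed.
    """
    if not (len(code) == DIGITS and code.isascii() and code.isdigit()):
        return None
    current, matched = int(at) // STEP, None
    for c in range(current - drift, current + drift + 1):  # tolerate clock skew
        # Constant-time compare; no early exit, so timing does not reveal
        # which window matched.
        if c > last_used and hmac.compare_digest(totp(secret, c * STEP), code):
            matched = c
    return matched

if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 6238 test key, not a real secret
    print(provisioning_uri(key, "editor@example.com", "Example CMS"))
    step = verify(key, totp(key, 59), at=59, last_used=0)
    print("accepted at step", step)
    print("replay:", verify(key, totp(key, 59), at=59, last_used=step))
```

The secret inside the URI is the only thing the phone and the server share, so the server should store it encrypted and show the QR code only once, over HTTPS, to an already authenticated user.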

Google Authenticator and other two-factor authentication methods can be used to secure any modern content management system. If you’d like additional information, drop us a line and we’ll see how we can help!
