Content Management Systems Security and Associated Risks

Number: IN13-001
Date: 24 January 2013


This product was developed as a collaborative effort between Public Safety Canada and the U.S. Department of Homeland Security. This informational note is aimed to raise awareness of important cyber security practices in regard to content management systems, specifically Joomla! installations.


Compromised web servers are increasingly being utilized by malicious actors to carry out cyber attacks, such as distributed denial-of-service attacks against critical infrastructure companies around the world. These web servers offer increased networking and computing capacity compared with average user workstations, and are therefore a target of choice for malicious actors to build their attack infrastructure. For this reason, it is imperative to secure servers according to best practices, and thus limit their exposure to control by potentially malicious actors.

Specifically, servers running Content Management Systems are consistently targeted, compromised, and leveraged to launch cyber attacks. Content Management Systems (CMSs) are software suites that allow site administrators to easily manage the design, functionality, and operation of websites with minimal technical expertise. In recent years there has been an increase in the number of deployments of CMS software on the Internet. This has been fueled by popular open source projects which are freely available under the General Public License (GPL) model. Unfortunately, some CMS web server operators are not following security best practices, exposing themselves and others to cyber security risks such as compromise and denial of service.

Joomla! is one of the most widely used CMSs in the world. It is PHP-based and allows rapid deployment of dynamic content on websites. It is recognized for its simplicity of deployment and usage while offering extensive features and plugins. However, like many other large software packages, Joomla! has been the subject of a number of vulnerabilities in recent years and, if left unpatched, can represent a risk to site owners and other Internet users.

The Canadian Cyber Incident Response Centre and US-CERT are aware of malicious actors exploiting unpatched CMS installations, primarily Joomla! installations, to gain control of web servers and launch Distributed Denial of Service (DDoS) attacks against critical infrastructure organizations.

Suggested action

In general, website administrators should strive to follow patching instructions from their software providers. Additional security practices and guidance are made available by community efforts such as The Open Web Application Security Project (OWASP) and US-CERT's Technical Information Paper on Website Security.

Joomla! and other CMS packages regularly update their software as vulnerabilities are reported and patches are developed. The National Institute of Standards and Technology (NIST) National Vulnerability Database provides assessments of such vulnerabilities, accompanied by links to specific remediation activities for users and administrators to follow.

Specifically, administrators of Joomla! CMS servers should ensure their installation includes the latest software version available. Additionally, administrators should consider guidance found under the Joomla! community security section and review the following best practices:
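As an added illustration of the version check this note asks administrators to perform (example code added here, not from the advisory or the Joomla! project): it reads the JVersion release fields from a Joomla! version.php file and compares the installed release against a patched baseline the administrator supplies. The file paths, the two field spellings handled, and the baseline values are assumptions, not facts from this note.

```python
import re
from pathlib import Path

# Baseline releases per branch. These are constructed placeholder values;
# replace them with the current patched releases published by the Joomla!
# project or referenced from the NIST National Vulnerability Database.
PATCHED_BASELINE = {"2.5": "2.5.11", "3.0": "3.0.3"}

# Assumption: Joomla! 2.5 keeps JVersion in libraries/joomla/version.php and
# 3.x in libraries/cms/version/version.php, with the fields written either as
# properties ("public $RELEASE = '2.5';") or constants ("const RELEASE = '3.4';").
_FIELD = re.compile(r"(?:\$|const\s+)(RELEASE|DEV_LEVEL)\s*=\s*'([^']*)'")
_VERSION_FILES = ("libraries/cms/version/version.php", "libraries/joomla/version.php")

def parse_joomla_version(php_source: str) -> str:
    """Return 'RELEASE.DEV_LEVEL' (e.g. '2.5.9') from the body of version.php."""
    fields = dict(_FIELD.findall(php_source))
    if "RELEASE" not in fields or "DEV_LEVEL" not in fields:
        raise ValueError("RELEASE/DEV_LEVEL not found; not a Joomla! version file?")
    return f"{fields['RELEASE']}.{fields['DEV_LEVEL']}"

def version_tuple(version: str) -> tuple:
    """Compare numerically so that 2.5.9 sorts before 2.5.11."""
    return tuple(int(part) for part in version.split("."))

def is_outdated(installed: str, baseline: str) -> bool:
    return version_tuple(installed) < version_tuple(baseline)

def check_install(root: str) -> dict:
    """Locate the version file under a Joomla! document root and assess it."""
    for rel in _VERSION_FILES:
        path = Path(root) / rel
        if path.is_file():
            installed = parse_joomla_version(path.read_text(encoding="utf-8", errors="replace"))
            branch = ".".join(installed.split(".")[:2])
            baseline = PATCHED_BASELINE.get(branch)  # None: branch not in the table
            return {"installed": installed, "baseline": baseline,
                    "outdated": baseline is not None and is_outdated(installed, baseline)}
    raise FileNotFoundError(f"no Joomla! version file found under {root}")

# Constructed sample input in the Joomla! 2.5 property style.
SAMPLE_VERSION_PHP = """<?php
final class JVersion
{
	public $PRODUCT = 'Joomla!';
	public $RELEASE = '2.5';
	public $DEV_LEVEL = '9';
}
"""

if __name__ == "__main__":
    installed = parse_joomla_version(SAMPLE_VERSION_PHP)
    state = "OUTDATED" if is_outdated(installed, PATCHED_BASELINE["2.5"]) else "current"
    print(f"Joomla! {installed}: {state} (baseline {PATCHED_BASELINE['2.5']})")
```

Run `check_install("/var/www/html")` (path is an assumption) against a real document root to get the same assessment for an installed site.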


Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that the CCIRC PGP key has recently been updated.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
