Hello Everyone,
For our KIT325 Cybersecurity Project, we recently checked the security of ProcessWire CMS, a system used for managing website content. We wanted to see if its default settings are secure enough based on the OWASP Top 10 standards, which are common web security guidelines. Here’s a quick look at what we found and what could be improved:
Blocking Brute Force Login Attempts:
What We Found: ProcessWire does slow down login attempts if someone keeps trying the wrong password. But it only blocks based on username, not by tracking where the login attempts come from (like IP addresses).
Suggestion: It would be safer if ProcessWire blocked login attempts based on IP as well. Also, the system could use a response code like “429 Too Many Requests” to alert attackers that they’re being blocked.
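To illustrate what an IP-based lockout with a 429 response could look like, here is an added example written for this post (it is not ProcessWire's own code and not part of the project's default install). It is meant for site/ready.php and assumes, as labelled in the comments, that Session::login(), Session::loginFailure() and Session::loginSuccess() are hookable and that $cache (WireCache) keeps counters between requests; the limit and window values are constructed for the example.

```php
<?php namespace ProcessWire;
// site/ready.php -- added example, not ProcessWire's own code.
// Per-IP login throttle layered on top of ProcessWire's per-username delay.
// Assumptions (not stated in the post): Session::login(), Session::loginFailure()
// and Session::loginSuccess() are hookable, and $cache persists between requests.

$maxFailures   = 10;   // failed attempts allowed per IP ...
$windowSeconds = 900;  // ... within a 15-minute window (constructed values)

// Cache key holding the failure counter for the requesting IP
$failureKey = function(HookEvent $event): string {
    $ip = $event->wire('session')->getIP();
    return 'login-failures-' . md5($ip);
};

// Count every failed login against the client's IP, not only the username
$wire->addHookAfter('Session::loginFailure', function(HookEvent $event) use ($failureKey, $windowSeconds) {
    $cache = $event->wire('cache');
    $key   = $failureKey($event);
    $count = (int) $cache->get($key) + 1;
    $cache->save($key, $count, $windowSeconds); // counter expires with the window
    $event->wire('log')->save('login-throttle',
        "failure #$count from " . $event->wire('session')->getIP());
});

// A successful login clears the counter for that IP
$wire->addHookAfter('Session::loginSuccess', function(HookEvent $event) use ($failureKey) {
    $event->wire('cache')->delete($failureKey($event));
});

// Refuse further attempts from an IP that exceeded the limit, answering 429
$wire->addHookBefore('Session::login', function(HookEvent $event) use ($failureKey, $maxFailures, $windowSeconds) {
    $count = (int) $event->wire('cache')->get($failureKey($event));
    if ($count < $maxFailures) return;
    http_response_code(429);                   // "429 Too Many Requests"
    header('Retry-After: ' . $windowSeconds);
    $event->replace = true;                    // skip the real Session::login()
    $event->return  = null;                    // login() returns null on failure
});
```

The counter lives in the cache rather than the session on purpose: a session is tied to the client's cookie and a new request without one would start from zero, whereas the cache entry keyed on the IP is shared by all requests from that address. Sites behind a proxy need $session->getIP() to reflect the real client address, otherwise every visitor shares one counter.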
Session Cookie Security:
What We Tried: Session cookies (used to keep users logged in) seem secure, but we couldn’t fully test if they were safe from all advanced attacks.
Future Testing: We’d need more tools and knowledge to explore if these session cookies could ever be forged to trick the system.
File Access Control:
What We Saw: Files from unpublished pages could still be accessed if someone knew the file path, which could leak private information.
Fix: ProcessWire should enable the $config->pagefileSecure setting by default so that file access is restricted based on page permissions. This way, only authorized users can see those files.
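As an added example (not taken from ProcessWire's shipped config.php), this site/config.php fragment places the default setting next to the hardened one, with comments on what each does. The prefix value shown is the one ProcessWire documents as its default; nothing else here is project code.

```php
<?php namespace ProcessWire;
// site/config.php -- added example showing the default beside the hardened setting;
// not ProcessWire's own code.

// Default: files under /site/assets/files/<page id>/ are served straight by the web
// server, so anyone who knows a file's path can fetch it even if the page is unpublished.
// $config->pagefileSecure = false;

// Hardened: files belonging to pages the current user may not view are served through
// ProcessWire, which checks page access (unpublished or restricted pages) before
// sending the file.
$config->pagefileSecure = true;

// Prefix ProcessWire puts on the storage directory of protected files. The stock
// .htaccess blocks direct requests to directories carrying this prefix, so keep it
// at the default unless the .htaccess rule is changed to match.
$config->pagefileSecurePrefix = '-';
```

After enabling the setting, a quick check is to request a file of an unpublished page while logged out: the expected result is a 404 or 403 rather than the file contents.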
HTTPS (Secure Connection) Enforcement:
Current Setup: ProcessWire requires HTTPS (secure connection) settings to be turned on manually in the .htaccess file, which may not be done by every user.
Recommendation: It would be better if HTTPS were enabled by default, so all sites are secure right from the start.
Improving Activity Logs:
Missing Logs: Some important activities like content changes and role updates aren’t logged by default.
Suggestion: ProcessWire should add logs for these actions. This way, any unusual activity can be tracked and traced back to the user who made the changes.
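The following site/ready.php hook is an added example of the kind of audit log the post asks for; it is not part of ProcessWire and the log name "audit" is a constructed choice. It relies on the Pages::saved hook receiving the saved page and the list of changed field names, and on user pages being saved through the same hook, so a role change shows up as a change to the "roles" field.

```php
<?php namespace ProcessWire;
// site/ready.php -- added example, not ProcessWire's own code.
// Writes who changed what to site/assets/logs/audit.txt (log name "audit" is our choice).
// Assumes Pages::saved passes (Page $page, array $changes) as its first two arguments.

$wire->addHookAfter('Pages::saved', function(HookEvent $event) {
    $page    = $event->arguments(0);   // the page that was just saved
    $changes = $event->arguments(1);   // names of the fields that changed
    if (!count($changes)) return;      // nothing changed, nothing to record

    $actor = $event->wire('user');     // the logged-in user performing the save
    $log   = $event->wire('log');

    // Content change: record actor, target page and the changed fields
    $log->save('audit', sprintf(
        'user=%s (id %d) saved page %s (id %d); changed: %s',
        $actor->name, $actor->id, $page->path, $page->id, implode(',', $changes)
    ));

    // Role update: user pages are saved through the same hook, so a change to
    // the "roles" field is the event to trace back to the actor
    if ($page instanceof User && in_array('roles', $changes)) {
        $log->save('audit', sprintf(
            'user=%s (id %d) changed roles of user %s (id %d) to: %s',
            $actor->name, $actor->id, $page->name, $page->id,
            $page->roles->implode(',', 'name')
        ));
    }
});
```

Each entry names the acting user, the target and the fields involved, which is what an investigator needs to trace unusual activity back to an account. Writing to a dedicated log rather than the general "messages" log keeps the entries easy to ship to a central log collector.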
Password Rules:
Issue: Passwords set through the API (another way to interact with the system) might not meet the same security rules as those set in the admin panel.
Improvement: ProcessWire should require all passwords to meet the same standard, ideally making them at least 12 characters long and easier for users to remember.
Overall, ProcessWire has a strong security foundation, but these adjustments could make it even safer. This experience showed us the value of secure default settings, especially for users who might not make these changes on their own.