Open source site security...
In general, attackers look for simple exploits that they can run across a large number of sites. They write scripts that attempt to inject code on thousands of sites and find the few that are vulnerable. The reality is that if a talented attacker wanted to expose a vulnerability in your site, they could. Much like a door lock (which can be picked), our goal is to discourage this by not leaving the door wide open.
From what we've seen, the largest vulnerabilities in open source sites come from poorly developed add-ons. This happens quite frequently because the user base is so large and many of the people contributing to add-on libraries do not follow coding best practices. At Floodlight we prevent this by developing the majority of the extensions we use in-house. While we do use a handful of open-source plugins/modules/components, we have fully vetted their security and keep an eye on updated releases.
Another exploit we've seen used is breaking into an admin account simply via the login page. Various issues with forgot-password functionality and overly simple passwords make this a point of vulnerability. On sites where we are concerned about this, we've implemented server-level logins and query string requirements that prevent unauthorized users from even accessing the page.
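The server-level gate described above, as an added example that is not Floodlight's own configuration: an nginx location block that refuses to serve the admin login page unless a required query-string parameter is present, then demands an HTTP Basic Auth login before the request reaches the application. The path `/admin/login.php`, the parameter name `gate`, and the htpasswd path are assumptions.

```nginx
# Added example (not Floodlight's configuration).
# Assumptions: nginx with PHP-FPM; the path /admin/login.php, the
# parameter name "gate" and the htpasswd file path are placeholders.

location = /admin/login.php {
    # First hurdle: a required query-string parameter. Mass scanners
    # request the bare login URL, so they get a 404 and move on.
    # This is only a speed bump (the value shows up in logs and
    # browser history), not a substitute for the login below.
    if ($arg_gate != "SITE-SPECIFIC-VALUE") {
        return 404;
    }

    # Second hurdle: a server-level login, enforced by the web server
    # before the CMS login form (and its forgot-password flow) is served.
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd-admin;

    # Only requests that pass both checks reach the application.
    include        fastcgi_params;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass   unix:/run/php/php-fpm.sock;
}
```

Create the credentials file with `htpasswd -c /etc/nginx/.htpasswd-admin <user>` (from the Apache utilities package) and reload nginx; failed Basic Auth attempts then appear as 401s in the access log, which gives a clean signal to alert on.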
Even after eliminating these significant vulnerabilities, we always plan for the worst. We perform nightly, offsite backups of all our sites and keep them for 6 months. This allows us to easily restore a site if disaster strikes.