Safety features
MWCMS and other programs
Most database-backed web applications need to store the database password in plain form in configuration files.
The MWCMS source code is encoded with ionCube Encoder, and only authorized persons have access to it. This allows encryption algorithms to be used to protect the database passwords.
Complexity of passwords
The MWCMS security policy makes it possible to set a required password length and to specify whether passwords must contain lowercase or uppercase letters, numbers or special characters. User passwords are stored in the form of SHA1 hashes.
Anti-takeover session security
Double login to the Administration Panel improves security against XSS attacks and prevents session takeover. Each user login session is associated with an IP address, which improves protection against attempts to take over a user's session ID. MWCMS also has mechanisms that protect against attempts to obtain user passwords through a brute-force attack: it is possible to set a maximum number of login attempts, after which the user account is blocked for a specified amount of time.
Anti-Flood and anti-DoS
MWCMS also has anti-flood mechanisms that limit the amount of data or content a user can send within a specific period of time, in order to prevent spamming. It also contains mechanisms for automatically blocking IP addresses that are trying to overload the website, by setting a maximum number of HTTP requests sent to the MWCMS script within 1 minute. The list of “suspicious” IP addresses may be saved on the server as a txt file, which in turn may be used by other IP-blocking mechanisms, for example cron+iptables.
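The cron+iptables hand-off mentioned above, as an added example that is not part of MWCMS: a dry-run script that validates every entry of the exported list before it can reach iptables. The one-address-per-line file format, the chain name MWCMS_BLOCK and the allowlisted address are assumptions.

```shell
#!/bin/sh
# Dry-run generator: turns a list of flagged IPs into iptables DROP rules.
# Assumed file format (not documented on the page): one IPv4 address per line.
CHAIN=MWCMS_BLOCK            # hypothetical chain name
ALLOWLIST="192.0.2.10"       # constructed example: admin address never to block

valid_ipv4() {
    # The list is written by a web application, so treat every line as
    # untrusted: allow digits and dots only, exactly four octets, each 0-255.
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

build_rules() {
    # Print the commands instead of running them, so cron output can be reviewed.
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    sort -u "$1" | while IFS= read -r line; do
        ip=$(printf '%s' "$line" | tr -d ' \t\r')
        case "$ip" in ''|'#'*) continue ;; esac
        if ! valid_ipv4 "$ip"; then
            echo "skipped invalid entry" >&2
            continue
        fi
        case " $ALLOWLIST " in *" $ip "*) continue ;; esac
        case "$ip" in 127.*) continue ;; esac   # never block loopback
        echo "iptables -A $CHAIN -s $ip -j DROP"
    done
}

# Constructed sample list: duplicates, loopback, an allowlisted address
# and two hostile or malformed lines.
demo_list=$(mktemp)
printf '%s\n' '203.0.113.7' '203.0.113.7' '198.51.100.9' '127.0.0.1' \
    '192.0.2.10' '1.2.3.4; reboot' '999.1.1.1' > "$demo_list"
build_rules "$demo_list"
rm -f "$demo_list"
```

The generated rules take effect only once the INPUT chain jumps to the block chain, for example with `iptables -I INPUT -j MWCMS_BLOCK`.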
Advanced authorization policy
MWCMS has the option of giving specific rights and privileges to particular groups, such as global admin, admin, junior admin, advanced users.