3 simple ways to boost your Craft CMS security

By Ant, 11 Aug 2025

At Good Work, we’re passionate about building your website on a foundation that is as secure, robust, and reliable as possible. That’s why we choose Craft CMS. However, as a website administrator, you too have a vital role to play in keeping your site and data safe.

Here are three simple, non-technical steps you can take today to protect your website from the most common security threats. This isn’t just our advice; these are foundational practices recommended by leading experts, including the U.S. National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS).

1. Strengthen Your Logins

Your login is the gateway to your website's control panel. Keeping it locked down is the single most important security step you can take.

Use Strong, Unique Passwords

Many security breaches happen when attackers get their hands on passwords from another website's data breach. If you reuse the same password everywhere, a breach on one site means all your accounts are vulnerable.

We’d recommend using a password manager (like 1Password or your browser’s built-in manager) to create and save a long, random, and unique password for your Craft login. Curious if your old passwords have been exposed? You can check them safely on the free tool, Have I Been Pwned. If you’d like to enforce a password check on all your users, we built the free Pwny plugin that integrates with the Craft authentication system.
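Have I Been Pwned can check a password “safely” because its Pwned Passwords range API never receives the password itself: the client hashes it with SHA-1 and sends only the first five hex characters, the server returns every hash suffix it holds for that prefix, and the match is done locally. The following is an added example written for this post, not code from Good Work, Craft, or the Pwny plugin; the `fake_range_lookup` function and the `CONSTRUCTED_BREACHED` dictionary are constructed stand-ins for the real endpoint (`https://api.pwnedpasswords.com/range/{prefix}`) so the demo runs offline.

```python
import hashlib

# Constructed stand-in for the breach corpus: a few sample passwords with
# made-up counts. The real service holds hundreds of millions of hashes.
CONSTRUCTED_BREACHED = {
    "password": 9_000_000,
    "letmein": 250_000,
    "qwerty123": 120_000,
}


def _sha1_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password, upper-case hex, as the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix that is sent, 35-char suffix that stays local)."""
    digest = _sha1_upper(password)
    return digest[:5], digest[5:]


def fake_range_lookup(prefix: str) -> str:
    """Constructed replacement for GET /range/{prefix}.

    The real response is one line per matching hash, formatted SUFFIX:COUNT.
    Here it is built from CONSTRUCTED_BREACHED so nothing leaves the machine.
    """
    lines = []
    for pw, count in CONSTRUCTED_BREACHED.items():
        digest = _sha1_upper(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, range_lookup=fake_range_lookup) -> int:
    """How many times the password appears in the corpus (0 = not found).

    Only the prefix is handed to range_lookup; the suffix comparison happens
    on the client, which is what makes the query k-anonymous.
    """
    prefix, suffix = split_hash(password)
    body = range_lookup(prefix)
    for line in body.splitlines():
        if not line.strip():
            continue
        candidate, count = line.strip().split(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "a long random passphrase nobody has used"):
        hits = breach_count(pw)
        print(f"{pw!r}: {'seen ' + str(hits) + ' times' if hits else 'not found'}")
```

To use the real service, replace `fake_range_lookup` with a function that performs an HTTPS GET of the prefix and returns the response body; the rest of the logic, including the local suffix comparison, stays the same.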

Enable Multi-Factor Authentication (MFA)

You’ve seen this on banking apps for a reason—it works! MFA means that even if someone steals your password, they can’t log in without the one-time code generated on your phone as well.

Log into Craft and enable MFA – it’s a core feature of Craft 5. You’ll link it to an authenticator app on your phone (like 1Password, Google or Microsoft Authenticator), which provides a fresh 6-digit code every 30 seconds. It’s a tiny extra step for you, but a huge barrier for an attacker. If you’d like to make this compulsory for admins, or all users, our team of developers can help set this up too.

Consider Passkeys

The latest versions of Craft also support Passkeys. This new technology lets you log in securely without a password by using your computer or phone’s built-in security (like your fingerprint or face ID). It’s the next generation of login security and is highly resistant to phishing.

Check Your Email

Make sure the email address on your Craft user account is correct and one you check regularly. This is how you’ll reset your password or receive important security notices. If you’d like to receive an email every time someone logs into your account or the email address is changed, we created our free Nag plugin just for this.

Why this matters

The Center for Internet Security (CIS) lists robust Account Management (CIS Control 5) and Access Control Management (CIS Control 6) as fundamental defenses. By taking these steps, you’re implementing professional-grade security on your own account.

2. Use the “Principle of Least Privilege”

It’s easy to add every team member into the Admin group, just in case. The problem is, this gives every user the keys to the entire kingdom. A safer approach, favored by security professionals, is the “Principle of Least Privilege.” This just means that a user should only have the bare minimum permissions they need to do their job, and nothing more.

Take a moment to review who has access to your website. Does your marketing intern really need the ability to manage orders or change global settings? Use Craft’s built-in user permissions to fine-tune what each person can do. For example, you can give a guest blogger access to only write in the blog section. This dramatically reduces your risk if one of those accounts is ever compromised.

Why this matters

Limiting user permissions is a key recommendation in the NIST Cybersecurity Framework’s “Protect” function. It contains the damage an attacker can do. By carefully managing roles, you ensure a mistake or a compromised account doesn’t become a catastrophe. This also directly aligns with CIS Control 6: Access Control Management.

3. Have a Plan for People Coming and Going

Every person who uses the control panel must have their own account. Never share logins! Having clear processes for when people join and leave your team is essential for good security hygiene.

  • Onboarding: When a new team member needs website access, create a brand-new user account for them with the appropriate (and limited!) permissions.
  • Offboarding: When an employee or contractor leaves, disable or delete their account from Craft CMS immediately. Don’t leave old, unused “ghost” accounts active; they are a common target for attackers. Craft makes it easy to reassign any articles or entries they created to another user, so you won’t lose any work.
  • Regular Review: Once a quarter, take five minutes to look through the user list. Do all of those people still work with you? Do they still need access? Clean out any who don’t.

Why this matters

This process is a critical part of Account Management (CIS Control 5). A core safeguard is to maintain an inventory of accounts and disable dormant ones. By keeping a tight leash on who has access, you significantly reduce the number of potential entry points for an attacker.


If you’d like to know more about keeping your website secure, or want our team to perform a more in-depth security audit of your Craft CMS website, please get in touch. We’re here to help!


Further reading