Security

Webnodes CMS is designed with security as one of the major design goals.

100% secure against SQL injection attacks

SQL injection is one of the most common attacks on websites. It exploits websites where form input isn't handled correctly, and it allows the attacker to run their own SQL queries against the database. That lets the attacker delete or alter the data in the database.

Webnodes CMS prevents SQL injection attacks by using parameterized SQL statements for all database access, so form input is always passed to the database as data and never becomes part of the SQL text.
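The difference between splicing form input into the SQL text and passing it as a parameter, shown as an added illustration (not Webnodes' own code or schema); the in-memory SQLite table and the inputs are constructed for the demo:

```python
import sqlite3

# Constructed sample data; not the Webnodes schema.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_user_vulnerable(conn, name):
    # Form input pasted straight into the statement: the injection hole.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, name):
    # The value travels separately from the SQL text, so it can only be data.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    conn = make_db()
    normal = "alice"
    # Constructed hostile input: closes the quote and widens the WHERE clause.
    hostile = "x' OR '1'='1"
    return {
        "vuln_normal": find_user_vulnerable(conn, normal),
        "vuln_hostile": find_user_vulnerable(conn, hostile),   # every row
        "param_normal": find_user_parameterized(conn, normal),
        "param_hostile": find_user_parameterized(conn, hostile),  # no rows
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The parameterized lookup treats the hostile string as a literal name that matches nothing, which is the property the text above relies on.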

Spam prevention (CAPTCHA)

Spam is a major problem on the internet today. If a form is left unprotected on a website, spambots will quickly try to use it for illicit purposes. Webnodes has a built-in spam prevention control that's easy to use on forms in your Webnodes website.

Email address protection

If you publish an email address on a website without any protection, spam bots scanning websites for addresses to send spam to will harvest it within a short time. Many people solve this problem by using contact forms on their websites. While that works, the visitor has to navigate away from the current page and fill in a form, which is much less user-friendly than a proper email client.

Many people also like to add "click here to send me an email" style links in the middle of the text on their web pages. In Webnodes CMS we have solved the email spam problem by overriding the behaviour of links that contain email addresses. In the create link dialog in Webnodes, the user can tick a checkbox called "Protect against spam". If it is checked, Webnodes CMS alters the page output and substitutes the email address in the link with a dynamically generated, CAPTCHA-protected link.

Hashed passwords

All passwords stored in the Webnodes database are hashed by default. Hashing is a one-way process, so it's impossible (if the hash function used is secure) to recover the password from the hash. That means there is no way for anyone to steal the users' passwords from Webnodes when hashing is used. We recommend that all customers use hashing to store passwords.

For special circumstances, we also offer two other ways of storing passwords. One is storing the password as plain text. This is normally frowned upon and we don't recommend it, but in some special situations it's useful.

The other alternative is to store passwords in the database as an encrypted string. The key to decrypt the string is handled internally by Webnodes CMS. This is safer than storing passwords as plain text, but not as secure as hashing them. The benefit is that administrators can decrypt the stored value to see what the password is. The weakness is that if someone manages to find out what the key is, they too can decrypt the passwords.