Security of open source CMS versus proprietary CMS
Recently we have had some questions about whether open-source content management systems (CMS) are more "hack-able" than proprietary systems. The concern is likely being planted by salespeople for a proprietary CMS, but I do realize that the subject does warrant research and a comparative assessment.
To clarify what I am talking about, open-source CMS platforms, like Drupal, Wordpress and Joomla, are free to use, and developers can adjust code at will. The platform is built and updated by a community of developers. Proprietary or closed-source CMS platforms have been built and packaged by a company, and remain in the possession of that company. That company, or their certified partners, are typically the only ones that can provide maintenance and updates.
Over the past ten years, the companies I have led have implemented hundreds of websites on both proprietary systems as well as open-source systems. Here are some of the truths about security and hack-ability as it pertains to all content management systems, both proprietary and open-source.
- The biggest vulnerability of all CMS is through the users. For example, user account password strengths are an important variable.
- Security issues, like everything on the web, are dynamic. For any system to be secure, it needs to be constantly tested, updated and improved.
- All websites on a shared or grid server are only as secure as the least safe site on the grid (meaning if someone has a weak FTP password on your server, then that potential renders all sites on that server vulnerable).
Here are comparative strengths and weaknesses for security of open-source CMS versus proprietary CMS. My comments pertain to the big three open source platforms - Drupal, Wordpress and Joomla. On the proprietary CMS side, there are many platforms ranging from relatively small niche-based systems with hundreds of installs or less, up to wide-ranging enterprise systems.
Open-source security strengths
- Strength in the crowd. When it comes to the most common open source CMS platforms, there have been millions of installs and there are hundreds of thousands of developers and programmers ensuring the strength of the platform.
- 24/7 around the world monitoring means that holes are discovered and closed quickly. Security updates are provided on an ongoing basis that should be performed in a timely manner.
- Use by prominent sites where security is highly important. For example, Drupal is being utilized by the White House and by the Canadian Security Intelligence Service. These are the kind of organizations that are a target for hackers and, therefore, must ensure their systems are highly secure.
Open-source security weaknesses
- Open-source sites are easily installed and hosted in a shared server environment. As previously mentioned, a shared hosting server can be susceptible to hacking through weak passwords (users, FTP or databases). Ensuring this isn't the case for your site, by having hosting assurance through a dedicated server, will remove this weakness.
- Add-on modules have the potential to be less secure than the core platform. They need to be tested, checked and monitored too.
Proprietary CMS security strengths
- Proprietary systems are secretive, so even though there may be weaknesses, they aren't necessarily publicly known.
- Hosting environment is typically more secure and controlled by the service provider.
Proprietary CMS security weaknesses
- Depending on the size of the proprietary solution there may be very few, if any programmers actively working on keeping it secure as vulnerabilities evolve along with web technologies.
- Less testing. Has it really been tested, and by who, with what bias or agenda?
- Secrets - you won't know what issues the proprietary system has had in the past, or is having currently, because the provider isn't going to voluntarily divulge this information.
If a CMS is hacked in the forest, does anybody hear?
In my experience, the answer is yes if it is open-source, and no if it is proprietary. If you are a company that sells a proprietary CMS and it gets hacked, and assuming you find this out yourself, would you let everybody know or would you quietly try to patch the hole in such a way that nobody finds out?
Open-source CMSs may "appear" to be more vulnerable because core maintainers of these projects (in following with open-source spirit) are very open about security issues and the actions that are being taken to patch identified holes. There's a high degree of transparency for open-source projects that commercial CMSs don't necessarily provide. This means that looking at raw numbers of security issues on open-source platforms versus closed commercial systems is very skewed.
I look at the security of content management systems as a fence. The fence used for open-source systems is visible to everybody. This means weaknesses are dealt with quickly and openly. Conversely the fence used by proprietary systems is shrouded in a forest, which fosters a degree of secrecy where weaknesses don't get noticed by the bad guys, but conversely they also don't get noticed by the good guys either, and when they do they are quietly plugged.
The Bottom Line
In the end, whether you are a publicly-traded company, a government body, or non-governmental organization, security of your website should be examined and you should make sure your eyes are open to the issues.
From my biased point of view, I encourage you not to buy the line from proprietary CMS sales people that open source systems are more "hack-able." This is most likely untrue. The truth is that while no system is bullet-proof, when using a secure hosting environment, the security of open source CMS platforms offers distinct advantages in terms of a high degree of transparency, abundant programming resources when needed and ongoing security updates.