21 April 2008 - By Sean Fishlock
It is every IT manager's nightmare. Your website has been hacked and defaced, and private and sensitive information has possibly been compromised, possibly even exposing gateways to internal systems. This can happen to any business and, due to the rapid expansion of the open source software industry, is particularly affecting small business.
One of the often overlooked factors when evaluating web software is security. Choosing an open source CMS, for example, particularly one of the popular ones, can leave you wide open to hackers. No matter what size your company is or how big or small your site is, this is something you should definitely take into account. Make sure you read between the lines.
Many of our competitors "sell" solutions which include these open source packages. This offers a price advantage, as they don't have to pay for the software they use in their solution. They will often choose the most popular systems, because they offer the most features and extensive communities. In doing so, they forfeit much control over the software that they build their solutions in, and they lack an understanding of how it works and how to protect it from attack. Unless they actively update and maintain the software and apply patches (which many don't), they leave their customers' security wide open. When they customise it, how do you know that they aren't exposing new holes in the software to attack? This concerns you whether you outsource your website hosting or host your own website. Do you really know which system your developer has built your website with, and how much do you trust it?
Having been burnt on my own personal hobby projects by Mambo, Joomla and PHPBB (all open source systems), I can tell you first-hand that it is not a pleasant experience when things go pear-shaped and you don't know why. While I had applied every update and patch available, and although I did not customise one bit of code, I had both of these systems hacked, and it caused me a lot of frustration and pain to get the sites up and running again. I have also heard first-hand of many of the disasters that happen when uni students and amateur developers whack websites together with these tools. There is a big difference between this and a professional approach.
There are a few key principles to consider here. Read more here:
http://www.datalink.com.au/company/blog/best_practice_strategy/open_source_cms_security
Thursday, May 8, 2008
Security and Open Source Content Management Systems (CMS)
Posted by Hafisdn at 4:03 PM