Are Open Source Content Management Systems Worth It?
By Peter Otte – September 16, 2009
It has become the chic trend these days for anyone seeking a web site to request a CMS, or Content Management System. Any code-a-phobe with scant knowledge of programming or HTML may suddenly find themselves creating a CMS-based web site. Just log in, locate the page you want to edit, click on the page’s form, and edit the text using the built-in editor. And put that Gold Amex back in your wallet: these puppies are free! Download, install, swap out a few pictures, create a link or two, hatch a few pages, and presto, you’re the Michelangelo of cyberspace with quite the divine touch.
Well, it’s a bit more involved than that, as anyone can attest. Open-source systems such as Mambo, Joomla, Drupal, and Wordpress promise a lot of features and functionality, but their persistent bug fixes and security problems may make you wonder if they’re worth all the trouble in the first place.
Open Source
Joomla is a successful and popular content management system and a good starting point for any discussion about content management. According to the organization’s site, eager web site owners have downloaded 10 million copies since it was first introduced. Many web-hosting companies offer Joomla as a one-click installation, making the initial setup seem simple and unintimidating.
Take a careful look under the heading “Joomla Announcements”, however, and you may get a different impression. On Wednesday, July 22, 2009, Joomla made the 1.5.13 Security Release available for download. It contains over 26 bug fixes, one high-level security fix, and one mid-level security fix. This is the 13th such fix since version 1.5 was released. Look again and you’ll find Security Release 1.5.14, which was brought out only eight days later. Can we expect a new release every week or month?
When I first evaluated Joomla they were still on version 1.3.xx and I had a very good initial impression. Isn’t it reassuring, I thought, that the developer community works aggressively to spot and remedy these vulnerabilities as they emerge?
Then it dawned on me: that sure is a lot of bug and security fixes. Why so many?
When a feature doesn’t work the way it was originally intended, the developers issue a bug fix to correct the flaw. A security fix is more serious: it means that somebody found a potential security breach. Joomla 1.5.13, for example, fixed a gaping hole in version 1.5.12: if you used the built-in content editor (TinyMCE), it was possible to upload and then delete files on your server without logging in. An attacker could loot your site and leave an empty storefront.
It’s beyond the scope of this article to review every single security fix with Joomla and the potential ones that will be fixed, one hopes, in the future. But if you were to check the other offerings, you might find that Drupal currently has 439 pending bugs and 401 critical issues. Good thing they get it out in the open. I commend their honesty.
Wordpress.org has made 2.8.4 available, and under the download link they ask you to add your email to their mailing list so they can notify you when the next stable release becomes available. Well, what about the current one? Is it shaky? Definitely. This release fixes a very serious security flaw that allows an attacker to bypass a security check and reset the admin password, effectively locking you out of your own site.