How good is CMS security?


(Peter Danckwerts) #1

There is a fascinating article by WordFence about a WordPress vulnerability as the possible source of the ‘Panama Papers’ here:

It also mentions known vulnerabilities in Drupal.

I imagine that the various RW CMSs are less vulnerable, if only because nobody has spent much time trying to hack them! Although I don’t have anything quite as sensitive to protect as Mossack Fonseca, we all have a legal and moral duty to protect the data of those who visit our sites.


(Scott Steven) #2

WordPress is a nightmare to keep secure. I have messed around with different plugins etc. to keep hackers out and it's a full-time job. There is a solution I now use, created by wehostmacs.com, that points at my installations and locks WordPress down to keep the hackers out. Simple, it works, and it frees up my time to work on things other than fixing WordPress.


(Peter Danckwerts) #3

Yes, @scottsteven, I’m sure that WP security is a nightmare, although much less so if one keeps all plug-ins up-to-date and uses WordFence or similar. However, I’m curious to know how secure the various RW CMSs are. Much, of course, depends on the individual. The very absence of RW CMSs which accept 3rd-party plug-ins must help.


(Brad Halstead) #4

@peterdanckwerts This is a really good question and requires an answer from developers of CMS plugins for RapidWeaver!

Some CMS Solutions provide a hashed login, some do not…

@joeworkman, @zeebe - how secure are Easy and Total CMS?

@nimblehost - How secure is Armadillo?

@yuzool, @kryten - How secure are DropKick CMS and Pulse CMS?

Kuler - How secure is Kuler Edits?

Did I miss any?

Brad


(Joe Workman) #5

Easy and Total CMS are as secure as your web server is.


(Peter Danckwerts) #6

Good to know, although I don’t currently use them.


(Jonathan Head) #7

Armadillo does a lot to make sure your data is safe, but the single biggest point of failure for most people will be their own password. Most still don’t use a good, long, randomly generated password.

As for Armadillo, it does the following for you:

  • Limiting the number of login attempts. You can customize this number, and how long an account is “locked out” after too many failed attempts.
  • Passwords are never stored in plain text. Armadillo uses PBKDF2 to hash your password before it’s stored in the database. When logging in, Armadillo hashes the entered password and compares it to what’s stored in the database. The hashes will match exactly if the password is correct. When PHP 5.5 is more widely available across shared hosting providers, we’ll be switching to PHP’s built-in password_hash, which uses the bcrypt algorithm.
  • Armadillo escapes all submitted input before submission into the database, to reduce the possibility of SQL injection attacks.
  • Armadillo also reduces the possibility of XSS (cross-site scripting) attacks by filtering URL parameters and preventing the use of certain special characters.

No software is 100% secure. If bad guys are smart enough, and determined enough, they will find a vulnerability eventually. The “way in” might also be completely unrelated to the CMS itself, but rather a weakness in the hosting configuration, or even social engineering.
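The first two items in the list above (a configurable failed-login lockout, and PBKDF2 hashing with a hash-and-compare at login) as an added, runnable example. This is not Armadillo's code: Armadillo is a PHP product and its internals are not on this page; the sketch below is Python, and the iteration count, the five-attempt threshold, the 15-minute lockout window and every name in it are assumptions chosen for illustration.

```python
# Added example, not Armadillo's code: Armadillo is a PHP product; this is a
# Python sketch of the two controls the post lists, PBKDF2 password storage and
# a failed-login lockout. Iteration count, thresholds and names are assumptions.
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Optional

ITERATIONS = 100_000      # assumed; raise until one hash costs ~100 ms on your host
MAX_ATTEMPTS = 5          # assumed; the post says this is user-configurable
LOCKOUT_SECONDS = 900     # assumed 15-minute lockout


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a PBKDF2-HMAC-SHA256 hash and pack salt and parameters with it.

    Only this string reaches the database; the password itself is never stored.
    A fresh random salt per user means two users with the same password get
    different hashes and a precomputed table is useless.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


# Verified for unknown usernames so a login attempt costs the same time whether
# or not the account exists (avoids username enumeration by timing).
DUMMY_HASH = hash_password("placeholder-for-unknown-users")


class LoginGuard:
    """Account lockout: MAX_ATTEMPTS failures inside the window lock the account.

    State is in memory for the example; a real CMS keeps it in its database so
    the lockout survives a restart and is shared across web workers.
    """

    def __init__(self, users: Dict[str, str], clock: Callable[[], float] = time.monotonic):
        self.users = users                       # username -> packed hash string
        self.failures: Dict[str, List[float]] = {}
        self.locked_until: Dict[str, float] = {}
        self.clock = clock

    def is_locked(self, user: str) -> bool:
        return self.clock() < self.locked_until.get(user, 0.0)

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'bad' or 'locked'. Never say which of user/password was wrong."""
        now = self.clock()
        if self.is_locked(user):
            return "locked"
        stored = self.users.get(user)
        if stored is None:
            verify_password(password, DUMMY_HASH)   # burn the same time, then fail
            ok = False
        else:
            ok = verify_password(password, stored)
        if ok:
            self.failures.pop(user, None)
            return "ok"
        recent = [t for t in self.failures.get(user, []) if now - t < LOCKOUT_SECONDS]
        recent.append(now)
        if len(recent) >= MAX_ATTEMPTS:
            self.failures.pop(user, None)
            self.locked_until[user] = now + LOCKOUT_SECONDS
            return "locked"
        self.failures[user] = recent
        return "bad"


class FakeClock:
    """Controllable clock so the lockout expiry can be exercised without sleeping."""

    def __init__(self, start: float = 1000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    guard = LoginGuard({"admin": hash_password("correct horse battery staple")}, clock)
    print([guard.login("admin", "wrong") for _ in range(MAX_ATTEMPTS)])   # 4 x bad, then locked
    print(guard.login("admin", "correct horse battery staple"))           # locked
    clock.advance(LOCKOUT_SECONDS + 1)
    print(guard.login("admin", "correct horse battery staple"))           # ok
```

Two details worth checking in whatever CMS you do use: the comparison at login should be constant-time (a plain string equality can leak how much of the hash matched), and the lockout counter should live in the database rather than in PHP session state, otherwise an attacker who drops the session cookie starts with a fresh count.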
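The last two items in the list (escaping input before it goes into the database, and filtering against XSS) as an added example that is not Armadillo's code: Armadillo is PHP, this is Python with the standard-library sqlite3 driver, and the table, rows, payloads and function names are all constructed for the illustration. It shows where escape-before-insert holds, where it does not (an unquoted numeric context), what a bound parameter does in the same spot, and output encoding as the XSS control.

```python
# Added example, not Armadillo's code (Armadillo is PHP; this is Python with the
# standard-library sqlite3 driver). It contrasts the escape-before-insert approach
# the post describes with bound parameters, and shows output encoding against XSS.
# The schema, rows, payloads and function names are constructed for the example.
import html
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample table: one published post and one unpublished draft."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, slug TEXT, published INTEGER)")
    con.executemany(
        "INSERT INTO posts (slug, published) VALUES (?, ?)",
        [("hello", 1), ("draft", 0)],
    )
    return con


def quote_escape(value: str) -> str:
    """The classic escape: double every single quote so it cannot close a string literal."""
    return value.replace("'", "''")


def find_slug_concat(con, slug: str) -> List[str]:
    """Vulnerable: raw input spliced into SQL text."""
    sql = "SELECT slug FROM posts WHERE slug = '%s' AND published = 1" % slug
    return [row[0] for row in con.execute(sql)]


def find_slug_escaped(con, slug: str) -> List[str]:
    """Escaping works here because the value sits inside quotes."""
    sql = "SELECT slug FROM posts WHERE slug = '%s' AND published = 1" % quote_escape(slug)
    return [row[0] for row in con.execute(sql)]


def find_id_escaped(con, post_id: str) -> List[str]:
    """Same escape, numeric context: there is no quote to close, so escaping does nothing."""
    sql = "SELECT slug FROM posts WHERE id = %s AND published = 1" % quote_escape(post_id)
    return [row[0] for row in con.execute(sql)]


def find_id_param(con, post_id: str) -> List[str]:
    """Bound parameter: the driver passes the value as data, never as SQL text."""
    sql = "SELECT slug FROM posts WHERE id = ? AND published = 1"
    return [row[0] for row in con.execute(sql, (post_id,))]


def render_comment(body: str) -> str:
    """XSS defence at output time: encode for HTML instead of trying to strip bad characters."""
    return '<p class="comment">%s</p>' % html.escape(body, quote=True)


if __name__ == "__main__":
    con = make_db()
    print(find_slug_concat(con, "' OR 1=1 --"))     # ['hello', 'draft']  injection succeeds
    print(find_slug_escaped(con, "' OR 1=1 --"))    # []                  escaping holds
    print(find_id_escaped(con, "1 OR 1=1 --"))      # ['hello', 'draft']  escaping does not
    print(find_id_param(con, "1 OR 1=1 --"))        # []                  parameter holds
    print(render_comment('<script>alert("x")</script>'))
```

The unpublished draft leaking out of the first and third queries is the point: escaping quotes is only a defence when every value is quoted and every call site remembers to escape, whereas a bound parameter is safe regardless of context. Likewise for XSS, encoding at output time covers every character the browser could interpret, while a blocklist of "certain special characters" has to anticipate them all.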


(Peter Danckwerts) #8

Good to know, Jonathan. I’m sure you’re right about passwords and social engineering.


(Scott Steven) #9

My hosting company has an app they send you; one click locks all the folders and keeps hackers out of your site. Plugins not being up to date does not matter, the site is locked from hackers. Have not been hacked ever since they sent this out. Brilliant bit of work.


(Scott Steven) #10

My next site will be on Armadillo. I don't want all the bloatware and maintenance issues of other systems, and I can manage everything from RapidWeaver.


(Silas 'Shadow' skiá) #11

@scottsteven, what maintenance issues are there with solutions like Total CMS and Easy CMS that aren’t in Armadillo?


(Scott Steven) #12

The differences between the CMSs were discussed via this post


(Silas 'Shadow' skiá) #13

Yes, but what are the maintenance issues that you are concerned about?


(Scott Steven) #14

Maintaining a look and feel in a theme in RapidWeaver is key for me; I have had to change themes a couple of times over the years for clients.

A database is a good central means to keep everything portable if I need to change hosting providers.

Maintaining updates on the latest version of armadillo is as simple as republishing when updates come out.

So much easier to have my projects all inside RW.


(Robert Ziebol 🖖🏼) #15

Easily done as well with Total and Easy CMS. In fact, the clients get more of a feel since you make the admin page look the way you think the client will like it, and if they don’t, you can change the look.

Again, since the CMS is in a folder on your server, this is easily done with Easy or Total CMS.

Again, the same for Easy and Total CMS. Any update to the stacks and all you need to do is republish all files and it works.

Guess I am not sure what you mean by this, but once the CMS is published to your site, you can actually edit CMS content inside of the RapidWeaver project file. I have Armadillo but never used it. Got it when it came out and never found a need, so I am not sure if you can add content into Armadillo in RapidWeaver.

Not sure about other CMSs out there, but your answers to @Shadow do not seem to fit. Just my 2¢.


(Brad Halstead) #16

Did not mean to start a competition/argument, just asking a simple question about security features of said CMS systems for my own peace of mind.

I have not decided which to use yet, they each offer their own strengths and weaknesses, I can see each useable under certain circumstances such as the availability of a database being primary, some clients do not want to pay for hosting with DB access, some will…

It comes down to what you like, what you can make use of and what your client has available… to each their own.

Thank you developers for providing some feedback, @nimblehost, yours was the most thorough, thank you!

Brad


(Robert Ziebol 🖖🏼) #17

You didn’t start anything, just telling people the truth about Total and Easy CMS.


(Brad Halstead) #18

@zeebe

Not referring to you at all, Rob. I just see the thread going down a bad path with some of the comments so far and am trying to steer things away from that, lol.

All feedback about the use of the products is very useful in decision-making, without question!

Thanks
Brad


(Silas 'Shadow' skiá) #19

I don’t see any competition happening in here.

People may be making arguments, but that is exactly why people read the forums. They are looking for people to present reasons for or against a thing so that they can make an informed decision.

I have asked clarifying questions to make sure that I understand the meaning of a message.

This is to ensure that both myself and others are not misinterpreting and/or receiving misinformation.

@scottsteven, thank you for bringing up these concerns. These are all things that are great for Weavers to be aware of when making a decision in which CMS solution best fits their needs.

And thank you @zeebe for your reply which included some clarifying information to all those who make it this far in the thread. :smile:


(Jonathan Head) #20

Happy to help @Turtle. :slight_smile: