There is a fascinating article by WordFence about a WordPress vulnerability as the possible source of the ‘Panama Papers’ here:
It also mentions known vulnerabilities in Drupal.
I imagine that the various RW CMSs are less vulnerable, if only because nobody has spent much time trying to hack them! Although I don’t have anything quite as sensitive to protect as Mossack Fonseca, we all have a legal and moral duty to protect the data of those who visit our sites.
Wordpress is the a nightmare to keep secure. I have messed around with different pluggins etc to keep hackers out and its a full time job. There is a solution I now use created by wehostmacs.com that points at my installations that locks wordpress down to keep the hackers out. Simple it works and frees up my time to work on things other than fixing wordpress.
Yes, @scottsteven, I’m sure that WP security is a nightmare, although much less so if one keeps all plug-ins up-to-date and uses WordFence or similar. However, I’m curious to know how secure the various RW CMSs are. Much, of course, depends on the individual. The very absence of RW CMSs which accept 3rd-party plug-ins must help.
Armadillo does a lot to make sure your data is safe, but the single biggest point of failure for most people will be their own password. Most still don’t use a good, long, randomly generated password.
As for Armadillo, it does the following for you:
Limiting the number of login attempts. You can customize this number, and how long an account is “locked out” after too many failed attempts.
Passwords are never stored in plain text. Armadillo uses PBKDF2 to hash your password before it’s stored in the database. When logging in, Armadillo hashes the entered password and compares it to what’s stored in the database. The hashes will match exactly if the password is correct. When PHP 5.5 is more widely available across shared hosting providers, we’ll be switching to PHP’s built-in password_hash which uses the bcrypt algorithm.
Armadillo escapes all submitted input before submission into the database, to reduce the possibility of a SQL injection attacks.
Armadillo also reduces the possibility of XSS (cross-site scripting) attacks by filtering URL parameters and preventing the use of certain special characters.
No software is 100% secure. If bad guys are smart enough, and determined enough, they will find a vulnerability eventually. The “way in” might also be completely unrelated to the CMS itself, but rather a weakness in the hosting configuration, or even social engineering.
My hosting company has an app they send you one click locks all the folders and keeps out the hackers from your site, plugins not up to date does not matter the site is locked from hackers. Have not been hacked ever since they sent this out. Brilliant bit of work.
Easily done as well with Total and Easy CMS. In fact, the clients get more of a feel since you make the admin page look the way you think the client will like it, and if they don’t, you can change the look.
Again, since the CMS is in a folder on your server, again easily done with Easy or Total CMS
Again, the same for Easy and Total CMS. Any update to the stacks and all you need to do is republish all files and it works.
Guess I am not sure what you mean by this, but once the CMS is published to your site, you can actually edit CMS content inside of the RapidWeaver project file. I have Armadillo but never used it. Got it when it came out and never found a need, so I am not sure if you can add content into Armadillo in RapidWeaver.
Not sure about other CMS’s out there, but your answers to @Shadow do not seem to fit. Just my 2¢.
Did not mean to start a competition/argument, just asking a simple question about security features of said CMS systems for my own peace of mind.
I have not decided which to use yet, they each offer their own strengths and weaknesses, I can see each useable under certain circumstances such as the availability of a database being primary, some clients do not want to pay for hosting with DB access, some will…
It comes down to what you like, what you can make use of and what your client has available… to each their own.
Thank you developers for providing some feedback, @nimblehost, yours was the most thorough, thank you!