On Fri, Dec 16, 2011 at 2:03 PM, Anton Cohen <[email protected]> wrote:

> On Tue, Dec 13, 2011 at 9:21 AM, Æleen Frisch <[email protected]> wrote:
>
>> Does anyone have a recommendation for a CMS for use by non-technical
>> folks (free or not)?
>
> tl;dr: I recommend none. Or at least none you've heard of.
>
> The most popular CMSs I see are WordPress (PHP), Drupal (PHP), Joomla
> (PHP), and Plone (Python). WordPress (the blog software) is rapidly
> becoming the most popular CMS for small sites. What to use depends on your
> needs.
>
> Most of the PHP CMSs are riddled with security vulnerabilities, partly
> because of their popularity. In the last two months there have been 18
> security advisories related to WordPress, 15 for Joomla, 11 for Drupal, 0
> for Plone [1]. Most of the issues are related to third-party
> plugins/modules, though the core products have issues too, and the CMSs are
> pretty useless without plugins/modules.
>

I see 3 vulnerability announcements in Drupal this year (some fixing
multiple issues), not counting the plugins.  Yes, most of the security
vulnerabilities in Drupal come from plugins, but you need to take into
account that vulnerabilities are not evenly distributed across all
plugins.  The most commonly used plugins should be much more stable/secure
than the fringe ones that likely account for most of the published issues.


> I see very little use for CMSs. Most of the time they are used on small
> sites, as if CMSs are the new Dreamweaver. For larger sites the CMSs
> require so much customization they might as well be done from scratch in
> Django or Rails. No small businesses should be using self-hosted or
> self-managed CMSs for outside facing websites, only companies with staff
> dedicated to their upkeep should be using them. Small businesses should be
> using services like Weebly, Shopify, and WordPress.com.
>

I'd say that recoding the entire site from scratch is MORE likely to
introduce security issues than hand selecting a few plugins.  At least
using Drupal and the plugins will allow you to have a source to look for
newly discovered issues in addition to any code reviews you may want to
implement on your side.

-- 
Greg
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
 http://lopsa.org/