CMS Security: How Secure Is It To Build My Website On An Open-Source CMS?
Open Source CMS Security vs Hosted Solution
If you’re worried about the security of doing… well, just about anything on the internet today, no one can blame you. With data leaks all over the place, private data exposed for the world to see and fraud efforts on unprecedented scales, we are far from the wide-eyed optimism of the web’s early days.
To get by in such a turbulent time, people are increasingly committing to more stringent CMS security standards. Such standards are typically associated with SaaS companies capable of keeping everything locked down for you, with your access covered through end-to-end encryption. For running a website, that means using a package CMS such as Wix, 3dcart or Weebly.
But what if you don’t want to use that type of locked-down system? What if you need to get more creative with your web development, requiring the freedom of an open-source CMS? Can you realistically expect a decent level of security? Let’s run through the basics.
CMS security: There are pros and cons to going open-source
First of all, it’s not as simple as saying that using an open-source system is inherently more risky than using something closed-source. Yes, it’s true that an open-source system has added vulnerabilities through the accessibility of its code base (anyone can deconstruct it to find weaknesses, or modify it to introduce fresh ones in a particular distribution). But there are two reasons why open-source software can be more secure:
- It’s battle-tested by communities. Because open-source platforms tend to attract more tech-savvy users and have less consistent official support, they typically gather large communities around them. Being invested in its success, those communities probe it for issues, warn users of possible threats, and even create unofficial fixes for them.
- There’s less value in attacking it. Major e-commerce hosting platforms like the cloud version of Magento or any tier of Shopify host a lot of stores, including many high-profile brands — and because they all update automatically, finding a weakness in the latest version of one of them will allow someone to attack every store using it. Not so with open-source software: because it can be reworked and updated on a standard basis, there’s less financial value in attacking it.
The takeaway here is that moving from a closed-source CMS to an open-source CMS doesn’t necessarily place your website in greater danger. More than anything else, it’s going to come down to the relative quality of the platforms being used. A mediocre closed-source CMS can be disastrous because it can offer you bad security that you can’t do much to mitigate, while using the best that open-source platforms have to offer (like combining WooCommerce and WordPress) will deliver an excellent overall experience even before you add more plugins.
All that said, you have to approach security differently when you’re using an open-source CMS, as explained next.
CMS security: You’ll need to be more proactive about security
When you choose a closed-source CMS, whether run on a closed system or provided over the cloud, you’re essentially banking on the skills and dedication of the developers. If a vulnerability is found, it’ll be up to them to patch it — you won’t even have the option of doing something about it. This sounds bad, but in practice, it’s a strength because you’ll have some uptime and security guarantees to protect you.
But when you go with open-source software, the responsibility is on you to keep on top of security matters. You’ll still need the developer to update the core, but when and how you update will be your choice. If you want to stick with the same version for several years, you’ll probably be able to, regardless of how dangerous that is.
The best thing to do is to read up on best practices for whichever open-source CMS you decide to use. Learn about how to manage plugins, including which ones you should avoid entirely. Think about what you need to achieve your goals, and what you can pass up. In addition, take the time to research common security attacks so you know how to respond to them should they occur. When you don’t have the luxury of passing the buck on every issue of consequence to the developer, you must be confident enough to get things done yourself.
Open source CMS security: There are excellent security services available
Using an open-source CMS doesn’t mean that you have to accept absolute control over the security of your website, because you have the option of integrating a security service to take care of most of the threats on your behalf. That way, you get the best of both worlds: the creative and operational freedom of an open-source framework and the reliable security and support of a high-end hosted system.
Signing up to a monthly service like Astra will guard you against a huge range of attacks and fraudulent activities for a cost that compares very favorably to what you’d spend on a high-end hosted platform with a similar level of security. It integrates with everything from Magento to Joomla, so if you’re taking the open-source route (particularly for e-commerce), it might be exactly what you need to keep your website protected from intruders.