Why running your own CMS is a bad idea: Part II

Drupalgeddon2

One of the benefits of engaging with our community is the valuable feedback we get. From my last post about why running your own CMS is a bad idea, I got to hear quite a few horror stories from customers that further cemented my theory.

Yet again, researchers found another remote code execution vulnerability in Drupal, named Drupalgeddon3. The new CVE-2018-7602, classified as highly critical, has been patched by the Drupal Security Team. The difference in this case is that a proof-of-concept, i.e. a working exploit, was released the day after the official security patch.

The issue I highlighted in the last post was the difficulty of applying patches in a timely manner and managing your own infrastructure. In hindsight, that was the understatement of the year.

Everyone who runs an open-source CMS knows about the biggest management nightmare of all: plugins, extensions and themes.

Plugins and Extensions

One of the advertised powers of running your own CMS is the ability to extend it to your needs. A plugin (the term is used interchangeably with extension or module) is a bundle of files with code that runs inside your CMS and extends its out-of-the-box functionality. Usually, plugin development is powered by the open-source community.

The open-source community is indeed excellent. However, this is source code that needs to be securely developed, maintained and patched. According to Drupal, only 35% of the extension modules are actively maintained. Many of them carry a note from Drupal stating that the "project is not covered by Drupal’s security advisory policy". This means many extensions your website relies on will most likely never get patched, no matter how efficient your own patch cycle is.

This is not a rant on Drupal, though. As a person who has managed WordPress, I struggled with outdated plugins all the time, like this one reported by ZDNet. Unfortunately, WordPress.org does not provide a way to filter its 55,215 available plugins by maintainability.
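Since neither Drupal nor WordPress.org will filter plugins by maintenance status for you, the practical fallback is to audit what is actually installed. The script below is an added example, not code from this post or from Contentful: it reads the `Tested up to` and `Stable tag` headers that WordPress plugins ship in their `readme.txt` and, together with a last-updated date, flags plugins that were never tested on the core version the site runs or have not been touched for a long time. The three plugin headers and dates are constructed samples, not real plugins; on a real site you would read each `wp-content/plugins/<slug>/readme.txt` and take the update date from WordPress.org's plugin information API.

```python
"""Flag installed WordPress plugins that look unmaintained.

Added example (not Contentful's code). Inputs are constructed readme.txt
headers; a real audit would read them from wp-content/plugins/<slug>/.
"""
import re
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample data: slug -> (readme.txt header text, last update date).
# None of these are real plugins.
SAMPLE_PLUGINS: Dict[str, Tuple[str, date]] = {
    "shop-widgets": ("Stable tag: 2.4.1\nTested up to: 4.9\n", date(2018, 3, 2)),
    "old-gallery": ("Stable tag: 1.0\nTested up to: 3.8\n", date(2014, 6, 17)),
    "seo-helper": ("Stable tag: 5.1\nTested up to: 4.9.5\n", date(2018, 4, 20)),
}


def parse_header(readme: str, key: str) -> Optional[str]:
    """Return the value of a 'Key: value' readme.txt header, or None if absent."""
    m = re.search(rf"^{re.escape(key)}:\s*(.+?)\s*$", readme,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.9.5' into (4, 9, 5) so versions compare numerically."""
    return tuple(int(p) for p in text.strip().split("."))


def audit(plugins: Dict[str, Tuple[str, date]], core_version: str,
          today: date, max_age_days: int = 365) -> List[Tuple[str, List[str]]]:
    """Return (slug, reasons) for every plugin that fails a maintenance check.

    'Tested up to' is conventionally a major.minor value, so a plugin tested
    on 4.9 is accepted for core 4.9.5: only the first two components are compared.
    """
    core_major_minor = parse_version(core_version)[:2]
    findings: List[Tuple[str, List[str]]] = []
    for slug, (readme, last_updated) in plugins.items():
        reasons: List[str] = []
        tested = parse_header(readme, "Tested up to")
        if tested is None:
            reasons.append("no 'Tested up to' header")
        elif parse_version(tested)[:2] < core_major_minor:
            reasons.append(f"tested up to {tested}, core is {core_version}")
        age_days = (today - last_updated).days
        if age_days > max_age_days:
            reasons.append(f"last updated {age_days} days ago")
        if reasons:
            findings.append((slug, reasons))
    return findings


if __name__ == "__main__":
    for slug, reasons in audit(SAMPLE_PLUGINS, "4.9.5", date(2018, 4, 25)):
        print(f"{slug}: " + "; ".join(reasons))
```

Run against the constructed sample it reports only `old-gallery`, for both reasons; the other two plugins were tested on the current 4.9 branch and updated within the last year. Treat the age threshold as a prompt for review, not proof of abandonment: a plugin can be stable and untouched, but it cannot receive a security fix if nobody is maintaining it.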

Themes

As with plugins, themes are created by the community or sold commercially by designers. Themes are part design and part source code. Part of what makes a theme look fantastic is the JavaScript it embeds in the web page.

You guessed right. This code also needs to be securely developed, maintained and patched. Themes suffer the same fate as plugins, which even led WordPress.org to write a "Common Vulnerabilities" section in its Theme Handbook.
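One of the vulnerability classes that handbook section exists for is unescaped output in templates, where a theme echoes a request parameter or a stored value straight into HTML. The following is an added example, not code from this post, from Contentful or from the Theme Handbook: a small heuristic scanner that walks theme template files and flags `echo`/`print` statements whose expression is not wrapped in one of WordPress's escaping functions, rating the finding higher when the expression reads from a request superglobal. The three template snippets are constructed samples, not from any real theme.

```python
"""Heuristic scan for unescaped output in WordPress theme templates.

Added example (not Contentful's code). The template snippets are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed template snippets: file name -> PHP/HTML source.
THEME_FILES: Dict[str, str] = {
    "search.php": '<h1>Results for <?php echo $_GET["s"]; ?></h1>\n',
    "header.php": '<h1><?php echo esc_html( get_search_query() ); ?></h1>\n',
    "author.php": ('<a href="<?php echo esc_url( $link ); ?>">profile</a>\n'
                   '<p><?php echo $author_bio; ?></p>\n'),
}

# Real WordPress escaping/sanitising functions for output (not exhaustive).
ESCAPERS = ("esc_html", "esc_attr", "esc_url", "esc_js", "esc_textarea",
            "wp_kses", "wp_kses_post")
# Values that come straight from the request are the highest-risk sources.
REQUEST_SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")
# Matches '<?php echo <expr>; ?>' and '<?php print <expr>; ?>' on one line.
ECHO_RE = re.compile(r"<\?php\s+(?:echo|print)\s+(.+?);\s*\?>")


def find_unescaped_output(files: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Return (file, line, expression, severity) for each unescaped echo.

    Heuristic: an expression counts as escaped only if it starts with one of
    ESCAPERS. Concatenations such as esc_html($a) . $b are therefore accepted
    and would need manual review; the goal is triage, not proof of safety.
    """
    findings: List[Tuple[str, int, str, str]] = []
    for name, src in files.items():
        for lineno, line in enumerate(src.splitlines(), start=1):
            for m in ECHO_RE.finditer(line):
                expr = m.group(1).strip()
                if expr.startswith(ESCAPERS):
                    continue
                severity = "high" if REQUEST_SOURCES.search(expr) else "medium"
                findings.append((name, lineno, expr, severity))
    return findings


if __name__ == "__main__":
    for name, lineno, expr, severity in find_unescaped_output(THEME_FILES):
        print(f"{severity:6} {name}:{lineno}: echo {expr}")
```

On the constructed sample this reports the `$_GET["s"]` echo in `search.php` as high and the `$author_bio` echo in `author.php` as medium, while the two properly escaped lines pass. Which escaping function is correct depends on context (`esc_attr` inside attributes, `esc_url` for URLs, `esc_html` for text nodes), so a finding is a place to look, not an automatic fix.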

Licensing

Wait, licenses are a legal matter, so why bring them up in a post about vulnerabilities? The concern here is not vulnerabilities but intellectual property. WordPress is licensed under GPLv2, a copyleft license that requires modified work to be made available to the community. Basically, it demands that all changes to the original source code be made available publicly.

If you put in the effort to customize your CMS and happen to build on a WordPress plugin, which by definition must be compatible with the GPLv2, that code must be open-sourced.

The solution — Content Infrastructure

You can run a website without the burden of maintaining a full CMS. We call our solution Content Infrastructure.

Focus on code and content — not administration

Developers want to develop. Building apps and services that interact with our content infrastructure is the modern way to free developers from the burdens of managing an old-school, monolithic CMS. Worrying about database architecture, uptime, and scalability issues is now a thing of the past.

Content infrastructure adds a layer of security

With a hosted solution like content infrastructure, you get that extra layer of protection. No longer will you lie awake at night wondering whether your CMS is correctly patched to keep attackers at bay — and your data safe.

Contentful takes care of keeping your content secure so that you can focus on building modern software. And in keeping with HTTPS everywhere, we serve content over an encrypted connection right out of the box.
