One of the benefits of engaging with our community is the valuable feedback we get. From my last post about why running your own CMS is a bad idea, I got to hear quite a few horror stories from customers that further cemented my theory.
Yet again, researchers found another remote code execution vulnerability in Drupal, named Drupalgeddon3. The new CVE-2018-7602, classified as highly critical, has been patched by the Drupal Security Team. The difference, in this case, is that a proof-of-concept, also known as a working exploit, was released the day after the official security patch.
The issue I highlighted in the last post was the difficulty of applying patches in a timely manner and managing your own infrastructure. However, this is the understatement of the year.
Everyone who runs an open-source CMS knows about the biggest management nightmare of all: plugins, extensions and themes.
One of the advertised powers of running your own CMS is the ability to extend it to your needs. A plugin, a term used interchangeably with extensions, is a bundle of files with code you run in your CMS that extends its out-of-the-box functionality. Usually, the development of plugins is powered by the open-source community.
The open-source community is indeed excellent. However, this is source code that needs to be securely developed, maintained and patched. According to Drupal, only 35% of the extension modules are actively maintained. Many of them have a note from Drupal stating that the "project is not covered by Drupal’s security advisory policy". This means many extensions your website relies on will most likely never ever get patched, no matter how efficient your patch cycle is.
This is not a rant on Drupal, though. As a person who has managed WordPress, I struggled with outdated plugins all the time, like this one reported by ZDNet. Unfortunately, WordPress.org does not provide a way to filter its 55,215 available plugins by maintainability.
You guessed right. This code also needs to be securely developed, maintained and patched. Themes suffer the same fate as plugins; that even led WordPress.org to write a section on "Common Vulnerabilities" in its Theme Handbook.
Wait, licenses are a legal matter, why are you concerned about vulnerabilities here? I’m not. The real concern here is intellectual property. WordPress is licensed under GPLv2, a copyleft license that requires modified work to be made available to the community. Basically, it demands that all changes to the original source code be made available publicly.
You can run a website without the burden of maintaining a full CMS. We call our solution Content Infrastructure.
Developers want to develop. Building apps and services that interact with our content infrastructure is the modern way to free developers from the burdens of managing an old-school, monolithic CMS. Worrying about database architecture, uptime, and scalability issues is now a thing of the past.
With a hosted solution like content infrastructure, you get that extra layer of protection. No longer will you stay awake at night wondering if your CMS is correctly patched to keep hackers at bay — and your data safe.
Contentful takes care of keeping your content secure so that you can focus on building modern software. And in a suitable HTTPS everywhere fashion, we serve content using an encrypted connection right out of the box.