Why would a web developer advise against a CMS? We say so because you might…
Could I be better off with an HTML site than a CMS?
There are a lot of advantages to having a CMS (Content Management System) for your website, and there are disadvantages as well. How good or bad either choice is for you depends on usage, unique needs, and the time or money you plan to spend on maintenance.
If you own or manage a website, you may have noticed that hacking attempts and successes have increased nearly 50-fold. In past months, we have seen a competitor & colleague’s entire client list get hacked. We have also had substantial corporate industrial websites come under our care to find hundreds of vulnerabilities and evidence of years worth of tampering.
Where are all these hacking attempts coming from?
The majority of traffic we see comes from a handful of bad-actor states. Many have been horrible for decades and are just worse recently. For about as long, we have configured our Cloud Application and Web Application Firewalls to filter, block, or challenge traffic from these sources when the client does not need to do business in those countries.
Though a lot of this activity is from increased attempts on websites, many of the successful hacks are zero-day exploits placed within websites pre-emptively, laying dormant waiting for times like these. A good firewall might block this malware from being triggered and used, but that is not likely. There are bots and hackers constantly searching and spidering for these trojan toolkits on every website. Even if you could block the hacker who put it there, someone else will use it.
How do I know if my website is hacked?
When your website suddenly becomes a fake Chinese marketplace/malware delivery hub, it is obvious. Many other times, administrators and even visitors might not notice. Even if it is plain as day, most people do not check their websites often enough.
If your website disappears from Google search, or suddenly Google is showing 2000 added pages, chances are there is malware on your website. Sometimes you may find pages for online casinos and fake web stores. Recently, these have been hidden from search and linked to from Facebook ads run by stolen Facebook profiles.
These will hurt your search placement, your brand, and perhaps even your website administrators and visitors. A compromised website can infect owners and customers with malware and steal passwords. Hackers can make modest changes such as changing phone numbers and email addresses in order to impersonate the business.
What CMS is the best and most secure?
It doesn’t matter whether WordPress, Drupal, Joomla, any brand of Code-Igniter or Firebase CMS, or even a super-secret and proprietary CMS. Many of the same vulnerabilities exist for any public-facing website that can communicate between visitor and server, even if no forms or inputs are present. As with any machine, if you do not maintain it, it will eventually cost you *way* more to repair it.
If your CMS is proprietary, it is not updated down to the smallest snippet regularly. There will often be overused pieces of “custom” code from Github or Stack Exchange, outdated/deprecated functions long-lost and forgotten, just waiting to become a vulnerability or become unstable.
There will be vulnerabilities found and exposed eventually, even regularly, but those vulnerabilities will likely be patched before they are well-known. All of the worst core vulnerabilities were probably patched years into development and years ago. The more considerable risk may be plugins. Choose paid plugins over free plugins when you can, and check their support history before investing. Do this to have plugins that are well-developed and well-supported.
If it has a small fan-following of developers, you could be a beta tester, or part of a failed experiment.
Many of these websites will be vulnerable for long after exploits are discovered. There may be no direct and stable upgrade path to a secure version. These can be fun experiments, but until there are enough supporters to provide weekly patches, don’t turn your company into a test group.