Website Security: Open Source vs Commercial CMS

Written by Tom Greenwood - July 12, 2013

One thing that many people want to know is what CMS will give them the highest level of security, and whether Open Source is more or less secure than commercial rivals and custom content management systems.

Security varies between all content management systems and also for each individual website, but hopefully in this article we can give you a good overview of how a popular open source CMS like WordPress compares with typical commercial alternatives.

How secure is the core code?

The first thing to look at is the robustness of the code itself. WordPress scores extremely highly compared to most CMSs here because it has a huge developer community and a very fast turnaround on security updates: as soon as a weakness is identified it is fixed and the update is made available to all WordPress users rapidly.

Niche CMSs inherently lack the same level of scrutiny and developer resources to test and refine the code to the extent possible with a large-scale open source system.

One thing worth noting, however, is that the code of any open source system is by definition available to anyone, so if there is a weakness in the code it is easier for hackers to find and study it than it is with a commercially licensed system.

Is it a target for hackers?

The second important thing to think about is the desirability of attacking a particular platform. While it is fair to say that WordPress is technically more secure than most CMSs (especially more niche systems), it is also true that it is more of a target. This is simply because it is the world’s most popular CMS, so if you are a hacker looking to make a big impact, it makes sense to try to target popular systems. We saw this recently with the worldwide botnet attack and also in past attacks targeted at the open source image resizing script TimThumb.

This is only relevant for large scale automated attacks, not for individual hacks that target specific companies.

What are the risks with an open source CMS like WordPress?

The majority of successful hacks on WordPress sites exploit one of the following areas:

  • Attackers can automatically detect that a site is powered by WordPress and so know the location of the login form, the core file directories and in many cases even the admin username. These attacks rely on the fact that most people leave the default settings, so an experienced security consultant can quite easily change these to eliminate the risk.
  • WordPress and installed plugins are out of date. Security updates are rolled out frequently to keep people’s sites secure, so if you don’t upgrade then you are obviously exposing yourself to a known risk.
  • Loopholes in the theme and plugin code – it is important that any custom code written for the website is security audited if security is a big concern. This is true of all CMSs, not just WordPress.
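
As an added example (not from the original article), the following Python script parses constructed Apache-style access log lines and flags client IPs that repeatedly POST to the default wp-login.php location, the kind of automated attack the first bullet describes. The IP addresses and log lines are made up for the illustration.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Apache combined format (not taken from the
# original article). 203.0.113.7 hammers the default login form; 198.51.100.4 is a
# legitimate editor who browses the site and logs in once.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jul/2013:10:01:00 +0000] "GET /about/ HTTP/1.1" 200 8421 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jul/2013:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jul/2013:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, method, path, status) for a combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m['ip'], m['method'], m['path'].split('?')[0], int(m['status'])

def login_attempts(log_text):
    """Count POSTs to the default WordPress login form per client IP.
    A failed login re-renders wp-login.php (HTTP 200); a successful one redirects to
    the dashboard (HTTP 302), so the status code separates failures from successes."""
    failed, succeeded = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path, status = parsed
        if method == 'POST' and path.endswith('/wp-login.php'):
            (succeeded if status == 302 else failed)[ip] += 1
    return failed, succeeded

def flag_brute_force(log_text, threshold=5):
    """Return IPs with at least `threshold` failed login POSTs, most active first."""
    failed, _ = login_attempts(log_text)
    return [ip for ip, n in failed.most_common() if n >= threshold]

if __name__ == '__main__':
    for ip in flag_brute_force(SAMPLE_LOG):
        print(f'{ip}: repeated failed logins against the default login form')
```

Moving the login form away from its default location, or rate-limiting it at the web server, makes this traffic disappear from the log entirely.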

Other than that, the other big risk to all websites is insecure hosting, which obviously isn’t affected as much by the CMS. Some people argue that Linux servers are inherently safer than Windows servers (most people run WordPress on Linux), but in practice it largely comes down to how the server is configured, and the risks are probably pretty similar in both cases.

So what is more secure?

In summary, there is no objective way of knowing which will be more secure because you don’t know who might try to attack it, why or how.

If hardened by a security specialist, WordPress gives you the most secure technical setup overall, but a niche CMS like Dynamicweb could also keep you secure by virtue of the fact that it isn’t as well known and so there is less knowledge of it in the hacker community, even though its code and hosting are likely to be less secure.