WordPress is the world's largest open source CMS. So it's really not surprising that it's also a prime target for hackers worldwide.
Just this week, the US FBI issued an alert about the potential danger of individuals sympathetic to Islamic State (ISIS) terrorists abusing vulnerabilities in the WordPress platform.
"Successful exploitation of the vulnerabilities could result in an attacker gaining unauthorized access, bypassing security restrictions, injecting scripts, and stealing cookies from computer systems or network servers. An attacker could install malicious software; manipulate data; or create new accounts with full user privileges for future Web site exploitation," the alert explains.
The FBI noted that the perpetrators of the attacks against WordPress are not terrorists themselves. Rather, they are hackers "using relatively unsophisticated methods to exploit technical vulnerabilities" in the name of the terrorist group "to gain more notoriety than the underlying attack would have otherwise garnered," the FBI maintains.
In any event, the FBI recommends any site running WordPress use some reasonable precautions:
- Review and follow WordPress guidelines
- Identify WordPress vulnerabilities using free available tools such as http://www.securityfocus.com/bid, http://cve.mitre.org/index.html and https://www.us-cert.gov
- Update WordPress by patching vulnerable plug-ins
- Run all software as a non-privileged user, without administrative privileges, to diminish the effects of a successful attack
- Confirm that the operating system and all applications are running the most updated versions
Now let's move on to more pleasant open source CMS news.
In Composite C1, just as with pages, you can now schedule data items of both dynamic and static data types to be published and unpublished at a specified date and time.
The users who run the C1 Console in Arabic or another RTL (right-to-left) UI language now get a complete native RTL UI experience. The whole C1 Console is now mirrored compared to LTR (left-to-right) languages, and this also includes editing RTL content.
Composite C1 now has native support for password expiration, password complexity rules, automatic lockout and history requirements, where a new password may not be identical to a specified number of previously used passwords. Passwords are stored using a salted SHA-256 hash. You can learn more about the new password policy on this page.
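Here is an added example in Python (not Composite C1's code) that puts those four rules together: a password store using salted SHA-256 as the page describes, a complexity check, a history rule that re-hashes the candidate under each remembered salt, expiry and a failed-attempt lockout. The thresholds (12 characters, 5 remembered passwords, 5 attempts, 15-minute lockout, 90-day age) are constructed for the example and are not C1's settings. One caveat for new designs: a plain salted SHA-256 is fast to compute, so anyone who obtains the stored hashes can test guesses very cheaply; a deliberately slow password hash such as bcrypt, scrypt or Argon2 (or PBKDF2 with a high iteration count) gives the same schema far more resistance to offline guessing.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Policy thresholds: constructed for this example, not Composite C1's settings.
MIN_LENGTH = 12
HISTORY_DEPTH = 5            # a new password may not equal any of the last 5
MAX_FAILED_ATTEMPTS = 5      # lock the account after this many bad logins
LOCKOUT_SECONDS = 15 * 60
MAX_PASSWORD_AGE = 90 * 24 * 3600


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted SHA-256 as the page describes: a fresh random salt per stored password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-hash under the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def complexity_errors(password: str) -> List[str]:
    """Return the complexity rules the candidate fails (empty list = passes)."""
    rules = [
        (len(password) >= MIN_LENGTH, f"at least {MIN_LENGTH} characters"),
        (re.search(r"[A-Z]", password) is not None, "an upper-case letter"),
        (re.search(r"[a-z]", password) is not None, "a lower-case letter"),
        (re.search(r"[0-9]", password) is not None, "a digit"),
        (re.search(r"[^A-Za-z0-9]", password) is not None, "a symbol"),
    ]
    return [message for ok, message in rules if not ok]


@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_at: float                        # epoch seconds of the last change
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # older (salt, digest) pairs
    failed_attempts: int = 0
    locked_until: float = 0.0


def create_account(password: str, now: float) -> Account:
    salt, digest = hash_password(password)
    return Account(salt, digest, now)


def change_password(acct: Account, new_password: str, now: float) -> List[str]:
    """Apply complexity and history rules; return violations (empty list = changed)."""
    errors = complexity_errors(new_password)
    # History rule: the candidate is re-hashed under each remembered salt, because
    # every remembered password was stored with its own salt.
    recent = ([(acct.salt, acct.digest)] + acct.history)[:HISTORY_DEPTH]
    if any(matches(new_password, s, d) for s, d in recent):
        errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if errors:
        return errors
    acct.history = recent[: HISTORY_DEPTH - 1]
    acct.salt, acct.digest = hash_password(new_password)
    acct.changed_at = now
    return []


def login(acct: Account, password: str, now: float) -> str:
    """Return 'locked', 'bad', 'expired' or 'ok'."""
    if now < acct.locked_until:
        return "locked"
    if not matches(password, acct.salt, acct.digest):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
        return "bad"
    acct.failed_attempts = 0
    if now - acct.changed_at > MAX_PASSWORD_AGE:
        return "expired"   # credential is correct but must be changed before use
    return "ok"
```

The history check is only possible because each remembered entry keeps its own salt next to its digest; storing digests alone would make old passwords impossible to compare against. Lockout is counted per account here; a real deployment would also rate-limit per source address so that the lockout itself cannot be used to deny a legitimate user access.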
The “cold start” setup and developer experience in the C1 Console has improved in terms of performance. Situations where you would wait a bit for pages and C1 Functions previews to be generated and rendered have been eliminated or dramatically improved. A new C1HtmlHelper has been added to support resizing options for media URLs in C1 Razor functions and templates.
Previously, it was not possible to use ASP.NET full-page caching with pages that deliver differentiated content based on a user's login, web client and the like. Now such pages can be safely cached by hooking into the cache key generation.
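As an added illustration (not Composite C1's or ASP.NET's code), the Python below models a full-page cache whose behaviour is decided entirely by the function that builds the cache key. With the naive key (path only) the first visitor's personalised page is served to everyone who follows, including an anonymous visitor; with a key that folds in login state and client class, each context gets its own entry. In ASP.NET the equivalent hook is the VaryByCustom cache setting resolved through an override of HttpApplication.GetVaryByCustomString; the Request, render and key functions here are constructed stand-ins for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    path: str
    user: Optional[str]   # None means an anonymous visitor
    client: str           # client class, e.g. "desktop" or "mobile"


def render(req: Request) -> str:
    """Stand-in for a page whose output depends on login state and client."""
    greeting = f"Welcome back, {req.user}" if req.user else "Welcome, guest"
    return f"[{req.client}] {greeting}"


class PageCache:
    """Full-page output cache; key_fn plays the role of the cache-key hook."""

    def __init__(self, key_fn: Callable[[Request], str], ttl: float = 60.0):
        self.key_fn = key_fn
        self.ttl = ttl
        self.store: Dict[str, Tuple[float, str]] = {}   # key -> (expires_at, body)

    def get(self, req: Request, now: float) -> str:
        key = self.key_fn(req)
        entry = self.store.get(key)
        if entry is not None and entry[0] > now:
            return entry[1]                              # cache hit
        body = render(req)
        self.store[key] = (now + self.ttl, body)
        return body


def key_by_path(req: Request) -> str:
    # Naive key: every visitor to the same URL shares one cached copy, so the
    # first user's personalised page leaks to everyone who requests it next.
    return req.path


def key_by_path_and_context(req: Request) -> str:
    # Context-aware key: anonymous visitors share one entry per client class,
    # and each logged-in user gets an entry of their own.
    who = "anon" if req.user is None else f"user:{req.user}"
    return f"{req.path}|{who}|{req.client}"


def serve_sequence(key_fn: Callable[[Request], str]) -> List[str]:
    """Serve three requests for one URL through a single cache; return the bodies."""
    cache = PageCache(key_fn)
    requests = [                                          # constructed sample traffic
        Request("/account", "alice", "desktop"),
        Request("/account", None, "desktop"),
        Request("/account", "bob", "mobile"),
    ]
    return [cache.get(r, now=1.0) for r in requests]


if __name__ == "__main__":
    print(serve_sequence(key_by_path))              # alice's page served three times
    print(serve_sequence(key_by_path_and_context))  # one distinct page per context
```

The trade-off is hit rate: a per-user key turns the page cache into a per-session cache for logged-in traffic, which is why the key should include only the dimensions the rendered output actually depends on.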
The Roslyn compiler is now used "under the hood." This improves startup time and the C1 Console's warm-up time.
The Composite C1 Azure Scale Out add-on helps scale out Composite C1 SQL-based websites deployed on Microsoft Azure. Now Composite C1 is fully compatible with this add-on.
The Composite team has also released the Snap Shop add-on that creates a simple one-page online shop and the Subsite Manager add-on that allows a global administrator to create subsites and associated users, thus enabling a third party to maintain their own subsite, without having permissions to other subsites or global features.
The second quarter of 2015 is going to be a big one for the Drupal project, the team reports.
In late March, the Drupal Association launched a Drupal 8 Acceleration fundraiser, a donation-matching project where funds raised by individual Drupal users are matched by larger companies.
The Drupal 8 Acceleration initiative aims to speed the release of Drupal 8 by awarding grants to applicants who are willing and able to organize sprints or who are able to help move the software beyond beta to release candidate, but who are financially unable to do so.
In addition, the Drupal community is gearing up for DrupalCon Los Angeles, which will take place from May 11 to 15 in sunny Los Angeles. Featuring a first-ever Drupal Higher Education summit, as well as numerous summits, training classes, sessions, sprinting opportunities and more, DrupalCon Los Angeles is set to make big contributions to both the Drupal project and the Drupal community.
To learn more about the Drupal 8 Accelerate grants, see the Drupal Association blog.
For more news about DrupalCon Los Angeles, or to register, check out events.Drupal.org.
Entando just released Entando 4.2 Technology Preview with new features, modules and updated functionality.
Customers of previous versions should update to 4.2 to take advantage of the improved platform.
The new Template Engine allows users to create, edit and manage front-end elements of an Entando project directly from the administration area. Users can now customize the default user interface (UI) provided with Entando from the administration user interface and/or restore to a default view.
Page models, fragments (single portions of the front-end interface), widgets and static resources are now easier to create, edit and manage within the administration UI.
Similar to the Template Engine, the new Component Installer allows users to install, edit and manage components directly from the admin area without having to configure a POM file. Components are divided into:
- Basic Plug-ins, which contain an application service
- UI Bundles, which contain the application part and a view service
- Applications, which contain both the application and a view interface
With the component installer, Entando provides an abstraction of the plug-in service layer, allowing users to more easily add and manage services added to an Entando installation.
The Widget Creator module allows users to simplify widget development within Entando. This module provides a user-friendly, web-based editor for widget development. Using the Widget Creator, administrators can quickly and easily create a widget from a generic data source.
Activiti is an open source project providing a light-weight Business Process Management (BPM) platform.
The Activiti BPM Module allows projects built with Entando to add workflow and process management capabilities to their websites and portals.
The Content Publisher Widget allows administrators to publish content of different types within a widget. With simple graphical setup and management, the widget expands on the functionality of the List Content Publisher widget.
The new authorization system allows administrators to create a specific relation between group and role, to allow a more granular control of a user’s rights. Administrators can now add a different role and/or group to each user.
With the release of Entando 4.2, the Entando GitHub repository is now reorganized to better match the new product structure for Entando:
- Entando Core is the basis of the Entando Platform. It provides the basic structure, tools and functionality to build an instance of an Entando portal.
- Entando Components extend the functionality of Entando. They can add functionality to the Entando engine, admin console and portal UI (app components), extend the functionality of the Entando engine and admin console (plug-in components), or extend the functionality of the portal UI (bundle components).
- Entando UX-Packages are complete use-case-based solutions built on Entando.
- Entando Archetypes provide a sample project to kickstart your standard/basic Entando portal development, with all components.
This month, eZ Systems is excited to announce that Robin Muilwijk, opensource.com ambassador and long-time community project board member, will be stepping in as the new community manager for the eZ community. Muilwijk hopes to foster growth and communication within the community. To learn more about him and his new role, read his interview on the eZ blog.
Hippo has some great blogs, webinars and events to share this month, starting with a webinar on "3 Reasons Why You Need a New Web Content Management System."
In this webinar, Mark Arbour, EMC’s Director of Product Management, reviews the top three reasons you need a new CMS and discusses why EMC selected Hippo CMS as the only Web Content Management System in the Select Tier of EMC's Technology Connect Track. Watch the webinar here.
In the most recent episode of CMS-Connected, Scott Liewehr and Sunny Lendarduzzi discuss Hippo CMS’s vision on content performance, the company’s recent partnerships and growth. Watch the review here.
With Hippo Labs, you can hack Hippo’s architecture or explore integrations with Hippo CMS and other systems. Here are two recent labs from Hippo and the Hippo community:
- Setting Up Spring Security in Hippo CMS: Finalist’s Brian Snijders explains how to leverage a powerful security framework to easily extend Hippo CMS with Spring Security.
- Integrating Hippo CMS with Cloudinary Imaging Services: Michiel Rop, Solutions Architect at Hippo, explores how to add advanced image manipulation possibilities in Hippo CMS. Hippo's pluggable architecture makes it possible to integrate external image manipulation tools. Michiel’s lab describes how to extend the Gallery Processor and how to let Cloudinary transform your images in Hippo CMS.
Hippo and German-based partners Seitenbau will be sponsoring Swiss Online Marketing, exploring the latest trends in Swiss digital marketing. Join Hippo there on April 15 and 16.
Hippo will also be sponsoring EMC World from May 4 to 7 in Las Vegas. EMC World is the place where all the EMC Communities come together. Hippo announced its partnership with EMC, and its entry into the EMC Technology Connect Track at the Select Level this past February.
The Jahia team is gearing up for JahiaOne, its annual user conference. It will be held in Paris from June 10 to June 12.
As part of the OASIS CXS technical committee, which is working on a standard aimed at enabling truly personalized web and digital experiences and breaking down existing silos, Jahia is proposing an open source reference implementation under the Apache License, called UNOMI. The code is available here.
Take a bow, Joomla Project — and your Production Leadership Team, too.
The community just released Joomla! 3.4.1. This is a maintenance release for the 3.x series of Joomla and addresses issues introduced in 3.4.0 that affected the installation of certain extensions and access to content languages.
The 3.4 release introduces new features into the CMS such as improved front-end module editing, decoupling of weblinks and Composer integration.
It also includes Google's new reCAPTCHA and security improvements: the UploadShield code detects most malicious uploads by examining their filenames and file contents.
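The filename-plus-content approach described for UploadShield can be illustrated with a small validator, added here as an example rather than Joomla's UploadShield code. It allow-lists extensions, rejects executable extensions anywhere in the name (so a double-extension name is caught), rejects path separators and null bytes, checks that the leading bytes match the claimed type, and scans for script or PHP tags inside the body. The allow-list, signatures and patterns are constructed for the example. Such checks are one layer only; storing uploads outside the web root and serving them from a location where the server does not execute scripts complements them.

```python
import re
from typing import Dict, List

# Allowed upload types and the leading bytes ("magic numbers") their content must start with.
# Constructed allow-list for the example; a real site would tune it to what it actually accepts.
ALLOWED_TYPES: Dict[str, List[bytes]] = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}

# Extensions a web server might execute or interpret, wherever they appear in the name.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php5", "phtml", "phar", "cgi", "pl", "py", "sh", "exe", "htaccess",
}

# Content markers that have no business inside an image or PDF upload.
SUSPICIOUS_CONTENT = [
    re.compile(rb"<\?php", re.IGNORECASE),
    re.compile(rb"<\?="),
    re.compile(rb"<script\b", re.IGNORECASE),
]


def check_upload(filename: str, content: bytes) -> List[str]:
    """Return the reasons to reject the upload; an empty list means it passes."""
    reasons: List[str] = []
    if "\x00" in filename:
        reasons.append("null byte in filename")
    # Keep only the base name; a client-supplied path must never decide where the file lands.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base != filename:
        reasons.append("path separators in filename")
    parts = base.lower().split(".")
    extensions = [p for p in parts[1:] if p]
    if not extensions:
        reasons.append("no file extension")
        return reasons
    # Inspect every extension, not just the last one, so "name.php.jpg" is rejected.
    if any(ext in EXECUTABLE_EXTENSIONS for ext in extensions):
        reasons.append("executable extension in filename")
    final = extensions[-1]
    magic = ALLOWED_TYPES.get(final)
    if magic is None:
        reasons.append(f"extension .{final} not in allow-list")
    elif not any(content.startswith(m) for m in magic):
        reasons.append(f"content does not look like a .{final} file")
    # Content scan: a valid image header does not guarantee a harmless body.
    if any(p.search(content) for p in SUSPICIOUS_CONTENT):
        reasons.append("embedded script or PHP tag in content")
    return reasons


if __name__ == "__main__":
    # Constructed sample uploads: a genuine JPEG header and a PHP body posing as a PNG.
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    print(check_upload("photo.jpg", jpeg))                        # []
    print(check_upload("avatar.png", b"<?php echo 'x'; ?>"))      # two reasons
```

Returning the full list of reasons rather than a single boolean is deliberate: it lets the upload handler log exactly which rule fired, which is what makes the rejections useful for detection and tuning.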
If you're excited about the release, maybe you'd like to jump in and volunteer.
The team said 2014 was an amazing year for the Joomla Certification Project: it's gathered leaders and team members from across the world, launched a successful pilot program at the Joomla World Conference, cultivated serious discussions with the Joomla community and moved closer than ever to a viable, live professional certification for Joomla Administrators.
"We need great developers, awesome communicators and excited Joomla enthusiasts to help us reach our goal of launching a live, public Joomla Certified Administrator exam in 2015. We’ve laid a solid foundation, now we need you to help us finish it off," explained Jessica Dunbar, a member of the Joomla marketing group.
To stay informed and join the conversation or get involved, check in on the team's Facebook page. You can also submit an application to join a team. "We look for all levels of experience within the Joomla community," Dunbar added.
The Joomla project strives to empower more volunteers to contribute effectively by increasing transparency, communication and trust. Over the past several years, a majority of the leadership has supported the review and study of governance, convinced that the current organizational structure and methodology are not optimal for moving the community forward.
Last October the Structural Team, entrusted by the joint Joomla leadership to produce a proposal for a new leadership structure for the Joomla project, shared their work with the combined project Working Groups for their feedback.
This version of the proposal is the result of that feedback.
Now it's seeking feedback from the community on the proposal for a new organizational structure and methodology. You can read the proposal here: New Structure & Methodology [Proposal] -- Google Doc.
Previously only available for iOS, Liferay Screens Beta 3 is now available for both Android and iOS.
Liferay Screens is a collection of visual components for mobile developers consuming Liferay APIs from native mobile apps. Especially helpful for those developers less familiar with Liferay, Liferay Screens translates back-end programming to a slick easy-to-use visual interface. Learn more about this version's updates and improvements in this blog post.
Liferay released a beta of the new version of Liferay Sync, the popular document sharing add-on for Liferay. Learn more about the latest features in this blog post and test it out for yourself.
Liferay Connected Services is a new online platform that offers a set of tools and services designed to help customers succeed on their Liferay projects. Previously called Liferay Cloud Services, the newly renamed Liferay Connected Services is currently in public beta.
Congrats to Liferay's in-house design team, whose Bikes for Burma project was chosen as a merit winner in HOW Design's In-House Design Awards.
April is a busy month for Liferay:
- Liferay is attending intra.NET Reloaded in Boston today and tomorrow. Visit Liferay and Veriday at their booth and World Café session as they discuss Liferay as a modern intranet and social collaboration tool.
- Liferay will be attending the HIMSS conference for the first time this year. Join Liferay and more than 35,000 healthcare IT professionals for four days of education, innovation and professional networking from April 12 to 16 in Chicago.
- Visit the Liferay team at Net Finance on April 27 and 29 in Miami to learn more about digital innovation in the financial services industry.
Magnolia is expanding its conference into the Americas. The full program for Silicon Valley is now on its site. It plans to have speakers from Atlassian, VSP Global, Barclays Bank Delaware, IBM, Sharecare and others. Tickets are still available.
On the European conference side, it has confirmed Virgin Holidays among the speakers.
The team published a travel industry success story. Tour operator Jahn Reisen, part of the travel business DER Touristik Köln, used Magnolia to relaunch its online portal jahnreisen.de.
It has substantially expanded its partner network in France. AlizNet Digital, Digitas, ekino, OpenWide, SQLI and TBSCG joined the program.
And there is good news for Magnolia's Spanish-speaking followers: it's launched its first subset of documentation in Español!
Nuxeo, provider of the Nuxeo Platform, a highly customizable and extensible content management platform for building business applications, announced the availability of the Nuxeo Platform Fast Track 7.2.
This latest release provides several improvements including Server-Side Automation Scripting, new developer capabilities and a major release of Nuxeo Drive. You can find details about this release here.
Nuxeo hosted a luncheon for software developers to learn about efficient and modern document management solutions on April 7 in Washington, DC. The US Navy and Aderas joined Nuxeo to discuss the growing initiatives in document management and process improvement.
A new Executive Brief on Digital Asset Management and CMIS was recently published and is now available to download. This exec brief reviews how organizations use CMIS for effective collaboration, the common use cases for digital asset management (DAM) in today’s organizations, and how to extend CMIS capabilities to improve DAM.
Orchard 1.9 is almost out. It adds some exciting new features, such as the new visual layout editor that makes it easy to build complex pages without writing a line of HTML or CSS.
SilverStripe has released a security update (version 3.1.12 stable).
SilverStripe is also continuing to release lessons to help developers learn its framework. The latest installment is Controller Actions / Data Objects as Pages. Also released is a video from its London launch events in February, including CEO Sam Minnée explaining "How SilverStripe Empowers Great Web Teams" and CTO Hamish Friedlander presenting their new managed platform product, "SilverStripe Platform."
And looking ahead, SilverStripe is one of the sponsors of the first Open Source/Open Society Conference in Wellington, New Zealand. You can read about the conference on this blog.
SeoToaster has published a new web-based development platform, SeoToaster FlexKit, and it has been working on its next release, SeoToaster 2.4.
SeoToaster FlexKit is a new development platform featuring an intuitive and powerful CSS framework to help developers create elegant, Flash-like themes for SeoToaster:
- CSS Framework: the key elements of the <FlexKit/> infrastructure for creating high-quality, fast and powerful web applications
- Components: typography, IcoMoon icons, panels, as well as tabs, dialogs, tooltips and many others
Its next release, SeoToaster CMS and e-commerce 2.4, which you can expect soon, will contain several fixes as well as some cool additional features:
- SeoToaster 2.4 will be upgraded with several security and functional fixes
- An Indonesian language pack will be added to the 10 languages already available
- The SeoToaster e-commerce 2.4 release will include a new free PayPal payment gateway to let users build complete B2B and e-commerce stores for free
- SeoToaster e-commerce 2.4 will natively support dynamic multi-location order pickup, ideal for brick-and-mortar brands but also for any store using retail shipping distribution networks
- SeoToaster's improved membership system (also found natively in the SeoToaster CMS edition) will feature single sign-on with Facebook, Google+ and LinkedIn to facilitate sign-up and access to membership websites
- Upon installation of SeoToaster 2.4, users will be presented with a new, full-featured launch theme that serves as a user-friendly interactive on-site help reference
In the last few months, Sense/Net has gained new integrator partners and customers from around the world: X-Center, based in the Czech Republic, will serve Czech and Benelux clients, while MyServices and EA Link will be responsible for spreading Sense/Net in Malaysia and the whole of South-East Asia.
Sense/Net has also welcomed the world's biggest NGO, BRAC, among its customers — and hopes to contribute to development efforts around the world.
Sense/Net ECM's new TreeLock feature further enhances the stability of the system by preventing concurrent actions from conflicting.
The community wants, so the community gets: Sense/Net ECM now lets you add custom text extractors. Many community members asked for this feature, which enables full-text search in their custom content types as well.
With the new upload mechanism, you can now resume a large file upload that was interrupted when the connection was lost.
C# developers frowned upon using Visual Basic expressions when creating workflows. Sense/Net felt their pain and made C# expressions available in the syntax as well.
General speed enhancements: by optimizing the content save operation, SQL bandwidth consumption in Sense/Net ECM became a lot more efficient. This can even save money, if you think about all the SQL licenses you can spare.
The latest version of Tiki Wiki CMS Groupware, 14.0, is now available as a Beta release. All Tiki Community members are encouraged to download and test the beta.
The TYPO3 Project has been working on the user interface of its administration area, the so-called TYPO3 Backend. A group of 30 people came together for a dedicated TYPO3 User Experience Week to improve the experience for newcomers and typical editors.
Some results will be part of the initiative to create themes for TYPO3, while other functions are directly integrated in the upcoming TYPO3 version 7.2, which is scheduled for release April 28.