You can't talk about open source content management systems without talking about WordPress, the most popular CMS on the planet.
WordPress powers some of the largest websites in the world including CNN, Time magazine and Ted. According to W3tech, WordPress powers 23 percent of the top 10 million websites in the world.
But being big is not without its problems — and all is not copacetic in WordPress-land, said Nimrod Luria, CTO of Sentrix. Every year, hundreds of thousands of WordPress websites are attacked due to the immense popularity of the platform combined with the lack of expertise that some of its many plugin developers have in the realm of security.
Easy to Exploit
"There are approximately 30,000 plus plugins and 2,000 plus themes listed on the WordPress.org site. As we observed in 2014, some of the most well-known, widespread attacks took advantage of third party plugins. Many plugins are sensitive to cross-site scripting (XSS), SQL injection and other attacks. The fact that WordPress is run on PHP, one of the most popular open source development languages, makes it easy for attackers to exploit bug-riddled PHP code, along with theme and plugin files," he said.
Luria noted that the WordPress community consists of hundreds of contributing developers. They continuously develop the platform along with its themes and plugins.
Although WordPress administrators are notified about plugin version updates on their dashboards, not all follow the best practice of keeping their platforms up to date. In addition, for WordPress sites that are hosted on a shared environment, the hosting provider will not always guarantee timely patching, frequently leaving site owners exposed to attacks, he warned.
What to Do
There are a range of options for hosting a WordPress-based website, from on-premises all the way to completely managed platforms such as WPengine. Besides flexibility and ease of management, one of the main considerations when evaluating WordPress hosting solutions is security.
"With on-premises and other simple hosting solutions such as VPS or 'dedicated,' as the site owner, it is your responsibility to secure and update your site, and ensure performance and availability," he said. "However, you also need to consider that hosting your website with a third party hosting company does not guarantee security. Due to the shared environment, if any site on a server is hacked, other sites on the same server may also be compromised."
Admin Access and Authentication
Brute-forcing account credentials is the most common attack on WordPress sites. Other ways passwords can be compromised include sniffing credentials over an HTTP login session or even retrieving them directly from WordPress administrator workstations.
In addition, plugin authentication failures might allow attackers to gain administrative privileges and perform AJAX functions that are designed to be used exclusively by website operators. "Obviously, gaining admin or server management account access provides attackers with complete access to affiliated WordPress instances," he added.
Uploaded User Content
The WordPress platform enables users to upload their own content as writers or editors. "This security risk could result in untrusted users uploading HTML or JS files in order to launch attacks, such as XSS, against users that will visit that site. By executing an XSS attack a hacker can silently gain control of user credentials," Luria explained.
Share your own experience with WordPress and other open source CMS platforms in the comments below.
And now, a look at what else is new in open source CMS world this month.
The Composite C1 team introduced the Mercury starter site, a modern and animated mobile-first website. It has a portfolio, a form builder, contents search, employee profile page and more. It is built on:
- ASP.NET Razor using Razor Web Pages for page templates
- Bootstrap, one of the most popular front-end framework for developing responsive, mobile-first web projects
- LESS, the extension to the CSS language that supports variables, mix-ins, functions and many other techniques in your stylesheets
The Mercury starter site comes with a number of pre-installed add-ons and supports theming. You can also directly customize its appearance.
You can quickly personalize the website by changing its colors, updating links in the page footer, and adding your own logo, more Jumbotron slides, additional projects with photos and videos to your portfolio, and new page blocks.
Danish Composite C1 community members have started a Facebook user group about the CMS.
It's been a busy month for Enonic, which released XP 5.2. It contains page contributions — components added to a page that can automatically contribute markup to header and footer of the page — and a new library for localizing application phrases, among other things.
This month, it's releasing version 6 of Enonic XP. Features include:
- Improved cropping: Editors can set focal points in images
- A publishing wizard: Cherry pick and publish selected changes
- OpenID connect plugin: Powerful and standardized integration with third party ID and SSO servers
Enonic is also doing its first meetup in San Francisco on June 24.
Hippo has been popping some champagne at its headquarters. And while no one can talk about what's next on the agenda just yet, the release of Hippo CMS 10 and debut of its Content Performance Platform have been major milestones.
The Hippo team calls CMS 10 its “most groundbreaking release to date.” Going beyond a productivity tool, Hippo CMS adapts principles from marketing automation, redefining the WCMS as an intelligent marketing technology software used to optimize and personalize the customer journey from its earliest stages all the way through, actively turning visitors into leads from the very first touchpoint, the team boasted.
“By learning about and responding to the individual visitors’ preferences, interests and intent in-real time, Hippo CMS 10 takes the guesswork out of content strategy,” stated Hippo CEO Jeroen Verberg. “This release transforms the CMS into a data-driven intelligent marketing technology that measures real-time content performance against the online goals of the enterprise attracting visitors, improving engagement and increasing conversion.”
Jahia will hold its international user conference, JahiaOne, on June 11 and 12 in Paris. Developers will have the opportunity to take a free certification exam to validate their skills and knowledge on Digital Factory 7.
In addition, a new tech partner strategy offers off the shelf integration with third party software to let you build your own UXP, fully integrated with selected key products you already use or love. Some of those tech partners will be present at the conference.
Customers on the speaker roster include:
- Ginger Troncone, business relationship manager at Delta Faucet, will explain the value of the technology partnership program.
- Kevin Hastings, web manager at the National Governors Association, will explain how the organization is running Digital Factory from the Cloud.
Zulauf, a trainee specialist for system integration in Germany, has been involved with Joomla since 2011. In 2013, he became an active Joomla Bug Squad member and code contributor. Outside of core development he is active in the German part of Joomla Land. He is a moderator in the German forum and a team member of the Joomla Bugs DE Project.
Zulauf will be maintaining the issue tracker to ensure it is up-to-date.
The JBS, a team within the Production Working Groups, is responsible for identifying and fixing bugs within Joomla. The team:
- Scans the Joomla CMS 3.x Bug Reporting Forum for reported issues and helps community members solve these issues
- Reports bugs on our New Issue Tracker
- Fixes reported bugs and resolves reported issues according to the Bug Tracking Process
The Bug Squad also helps with testing and quality assurance when a new major or minor version is developed. Generally speaking, the bug-squad is in the lead when a version switches from beta-stage to the stable-stage within the development cycle of Joomla.
Joomla is seeking a volunteer for the Joomla Vulnerable Extension List. This is a public list published by Joomla.org of reported plugins, extensions, modules and/or templates from third party developers that have known or resolved security issues with them.
Currently the information on each VEL entry is published in individual content articles with no provisions for machine-readable output. Many requests have been made to provide a machine readable output to the community to make it easier to find out if a specific extension is listed on the VEL or not.
These generally involve requests to:
- Develop a plugin that automatically sends an email to the site administrator when an installed extension gets listed
- Add a feature to the built-in installer to warn users when a listed extension should be uninstalled
- Develop a tool for web hosts that allows them to specifically search for vulnerable Joomla installations on their servers
The VEL team is looking for assistance in accomplishing these tasks. If you are interested in donating some time to help, please contact the VEL Team.
The Joomla Community Leadership Team (CLT), the Board of Directors of Open Source Matters, Inc. (OSM) and the Production Leadership Team (PLT) voted to adopt a New Structure and Methodology proposal by a vote of 19 to 9.
Since last fall, the proposal was put through several rounds of leadership, considered group and community feedback, and underwent numerous revisions before the proposal was put to a vote.
This vote gives the Joomla project one legal body to oversee and lead the project, guided by the voices of the teams doing the work. The goal of the proposal is to encourage contributors, bring together fragmented leadership teams and processes, involve more global communities, and to have a voting process where leaders are not appointed by leadership itself.
The next step will be to form a transition team that provides the guidance and processes to transition into the new structure. In the coming week, the structure team will put several options before the entire leadership for a vote on how this transition team could be formed.
Liferay Screens is now available. Liferay Screens is a collection of fully native mobile components, using all the power of your Liferay Portal as an enterprise grade mobile back-end.
Liferay 7 Milestone 5 was released, with updates on modularization, web content management, staging, AlloyEditor and collaboration suite.
Liferay Faces is updated with support for Liferay Portal 7.0 and 6.2, as well as bug fixes for 6.1/6.0/5.2.
Liferay will attend two events in June:
- The Red Hat Summit, June 23 to 26 in Boston
- The Kansas City Developer Conference, June 24 to 26 in Kansas City
Fresh off the heels of its Americas conference in Silicon Valley, the Magnolia team is gearing up for its annual European conference in Basel on June 9 through 11. The full program includes speakers from Virgin Holidays, Atlassian and Visana.
Magnolia launched its new Internet of Things apps. They enable companies to easily set up beacons in consumer and retail environments, such as shops and museums, to offer interactions including navigation, messages, coupons and product information.
Another new module worth mentioning: the Campaign Publisher module. It allows you to define campaigns consisting of pages, assets and other resources within Magnolia.
Finally, Magnolia is building a new HQ. The team recently threw a party, complete with a speech by the founders. Pictures from the event can be found here.
CMSWire and Nuxeo teamed up for a webinar about the new collaboration model and the future of workflow. Learn how to use ECM with cloud file-sharing and collaboration platforms to build enterprise capable applications with this webinar on-demand.
- An overview of industry trends in file sharing, collaboration and workflow
- How organizations can leverage new and existing technologies to improve productivity
- A demonstration of how to connect ECM and Google Drive, exploiting the best capabilities of each platform
On June 24, join guest speaker Craig Le Clair, VP and principal analyst at Forrester Research, as he discusses the current trends in application development. He will explain how to use Capability Layers to develop a roadmap that will help your organization take advantage of current technologies and best practices to prepare for agile, cloud-based, and mobile-friendly customer experience initiatives. Click here to register now.
The latest version of Nuxeo Drive was recently released. Nuxeo Drive enables bidirectional synchronization of content between the local desktop and the Nuxeo content repository, on-premises or in the cloud.
It works with all applications built on the Nuxeo Platform, including Document Management, Digital Asset Management, Case Management or a custom content-centric application. This new release includes several major enhancements:
- A new HTML5 UI
- Ability to connect to multiple servers
- A friendly systray menu to monitor synchronization
- Conflict management
- Metadata edition from the file system
- Ability to generate a report in case of problem
If you’re already using Nuxeo Drive, don’t forget to download the new version.
Nuxeo is on track to release Nuxeo Platform 7.3 on June 21. Get a sneak peak here. Enhancements will include a Google Drive integration, new branch management on Studio and more.
There's a new major release of the SilverStripe Blog module, with improved categorization, permissions and spam protection and management.
In addition, the SilverStripe Lessons section is growing. The documents and video tutorials are onboarding new community members and helping existing community members upgrade their skills.
Simpler Media Group, 2015