Evaluation of Open Source CMS

Published on: 19/06/2013
Last update: 25/02/2014

How secure are Open Source CMS? To answer this question, the German Federal Office for Information Security (BSI) investigated the five most widely used CMS - Drupal, Joomla!, Plone, TYPO3 and WordPress. The results were published as a security study on content management systems.

Websites built on content management systems (CMS) are still popular targets for hackers. Just one security flaw is a latent danger for hundreds or thousands of websites. In order to help IT managers to better assess the security of their CMS, the Federal Office for Information Security conducted a study into the security of CMS last year.

As part of the study, security specialists from ]init[ Digital Communication and the Fraunhofer Institute for Secure Information Technology SIT studied the strengths and weaknesses of CMS, the reactions to security risks, and the effort involved in securely operating these CMS. The study summarizes the results in terms of four typical usage scenarios: a private event site, a website for a municipal office or small community, a small town’s open government site, and a website for a medium-sized company with several locations.

The most important finding is that Drupal, Joomla!, Plone, TYPO3 and WordPress have solid security processes. Their IT security processes have a high technical level, with release schedules and transparent error communication, which many commercial software packages fail to reach. This doesn’t mean that the systems studied should be used “as-is”, or by technical novices. The number and frequency of published weaknesses requires an estimated budget of around 15 minutes per day for each website, checking for patches, making backups, and applying fixes.

Nature of documentation: Official reports and studies


Type of document