Guide and Comparison: Enterprise vs Open Source PHP Content Management Systems (CMS), Security, Performance Statistics

The differences between Drupal, Joomla, WordPress, and Comentum CMS, and their advantages and disadvantages in a nutshell

by Joseph Montanez

Terminology

Knowing what to search for is the first key to success, so before we start this article lets get you up to speed with common terms used in Content Manage Software.

• CMS - Content Management System
• ECM - Enterprise Content Manager
• Assets - Pictures, Images, Style Sheets, Javascript
• LAMP - Bits of software that talk to each other and are used to run most CMS applications
  

Where to Start?

There are tons of content management systems available. Many of which are developed in PHP. The reason PHP is chosen most often is due to the fact that it has the highest install base. A bigger install base means a much wider adoption rate for software built on top of it.

Because content comes in so many different forms it is very hard to say what type of content is defined as editable. For example, an html page is a document. In a CMS (Content Management System) you can style the text, give it special formatting, and add pictures, videos, etc., however those pictures and videos are content as well, yet you'll never be able to edit a video or manage those types of content with a CMS. Videos and images are usually referred to as "Assets," so when you look for a CMS you will want to know what content and assets you have and what you will be able to edit.

What Does a CMS Do?

Most of the time a CMS just consists of "pages," that you can edit, but a CMS can come with a wide range of applications you can add on to the base system. For example, if you have events and need to add, delete and edit their content on a page you may want to look for a CMS that comes with a calendar application that you can add on.

What is the Benefit of a CMS?

CMS applications make it easier for anyone with very little experinece in computer programs to update a site without training or knowledge in HTML, CSS or Web Development.

CMS applications saves businesses overhead by creating a user-friendly editing environment for anyone in the company to manage their business website.

What is Enterprise?

The definition of Enterprise is a purposeful or industrious undertaking correct? Well not in this case. "Enterprise," when referring to Content Management has more to do with the quality of the CMS and the higher level of care you receive.

When you want someone on the phone the second you have a problem, is that considered enterprise? Yes, a high level of support is considered an Enterprise level of support. Businesses love instant support and require it in many cases. People want a number to call, not an email, and defiantly not an AOL username to instant message. Here are three core enterprise requirements in a content management system:

1. Security
2. Support
3. Performance
   

Security

As a business owner you need to make sure your content, private or public, is secure. The last thing you would want is to get black listed from search engines, desktop security scanners and other security software, just because your website is server malware.

Now I'll go back to the example of PHP, the language most content systems run on. PHP allows an agile development technique and a low barrier to entry. However, because of this it is very open to many security problems on the web. One classic example is using the LAMP stack (Linux, Apache, MySQL, PHP) to run your software. Apache, the web server, has a module that can auto-detect the types of files and execute them so that if someone uploads a file such as "How-to-Success.php.pdf" and inside that file is malicious PHP code, then something magical happens. When a user tries to download that file, instead of a standard, innocent PDF, they are executing code on your web server that could delete all of your data or gain access at the administrative level. This can happen when the developer of the CMS only checked the filename for the type of file, rather than the mime type.

It is important to work with a developer that has experience in all aspects of building, supporting and maintaining a CMS.

Security: Plug-ins Are The Anti-Security

Most plug-ins are developed by third-party developers. A third-party plug-in is very often the cause of a security breech on an enterprise system. Third-party plug-ins can open holes and the software platform has no way of protecting you from this, so when looking for add-ons, plug-ins, add-ins, modules, etc., make sure they are verified by the content management vendor before adding them into your content manager.

If security is the most important aspect, then it is wise to find a CMS that provides as much as you need from the beginning, rather than adding in third-party plug-ins later. For example, if you need more than just a page editor, and would like an events calendar, memberships management, etc., then make sure the core system includes those items that you will need, or make sure that the CMS was developed directly by the vendors themselves. If security is the most important aspect, then it is wise to find a CMS that provides as much as you need from the beginning, rather than adding in third-party plug-ins later. For example, if you need more than just a page editor, and would like an events calendar, memberships management, etc., then make sure the core system includes those items that you will need, or make sure that the CMS was developed directly by the vendors themselves.

Security: Open Source vs Proprietary

Open source is all the rage, as people want more ownership over their software, but does this come at a cost? The short answer is, no, as long as you choose a well established and high-install-based content manager.

But now for the long answer. . .
Using a completely open source content manager makes your site open to attacks, much more so than a proprietary-built content manager. The reason for this is that attackers can figure out how to attack your website because the code is visible to everyone, where as with proprietary software, the code is hidden and is written uniquely, and therefore makes the attacker guess.

That being said, open source does have some security advantages. For example, if a new content manage system came out and became open source, you would want to be the last person to use it. Why? Because new software always has bugs and this is a hacker's breeding ground. Over time the bugs and security flaws are corrected but you do no want to be using a CMS that is still a part of this cycle. If anything, as a person that cares about your company or online business, you want to choose a longstanding content management system; one that has gone into maturity and whose bugs have been removed and are not a security issue.

Support

Below is a comparison of support via phone call.

WordPress Call-in Support
WordPress charges $80,000. USD per year for their "VIP Support," phone support with their Platinum Level. With that support package you are provided up to three (3) hours of phone support per year, and 12 hours turn around for support issues. Their Black Level costs $120,000. USD and has up to five (5) hours of phone support per year. A person can go a low as $5,000 USD for a one-time fee, for one request. All of their VIP Support levels include unlimited email support tickets.

Joomla Call-in Support
Not Available.
Joomla is practically anti-enterprise when it comes to call-in support. There are companies that provide call-in support for Joomla, but they are very limited. Due to the complexity of the program, the hours you would need for help are far more that what a third-party company would provide per month. Their costs range from $400. USD to $3,000. USD per year with limited support, not including additional costs.

Drupal Call-in Support
Drupal charges $8,000. USD per year and currently provides certified third-party support via Acquia. Their call-in support starts at $8,000 USD. They do have 8am to 8pm support services and a 24x7 line for emergencies, but there is no guarantee that you will receive the level of support your need. Charges also include ten (10) hours of Drupal-related jargon to help with optimizations, and security.

Comentum Call-in Support
Comentum does not charge for senior-level technical support for Comentum CMS. Comentum offers 8:30am to 5:30pm call lines, an additional 24/7 emergency line, and 24/7 emergency email support.

Now for the Challenge . . .

Round 1: Which CMS has the Best Performance?

Generally most content management systems don't budge in performance when you add a ton of pages to them. In fact, none of the CMS applications we tested changed how fast they served up a page. In this test, WordPress, Joomla, Drupal and Comentum went head to head to see how fast each could serve up an application of 10K page requests. (The larger the number of page requests an application can handle, the better the application).

WordPress CMS after 10,000 Pages: 32 requests per second

Wordpress is a complicated beast with over 1000 hooks into their system. They boast over 10,000 plug-ins, which makes Wordpress one of the most extensible content management systems available. All those hooks, however, are ultimately the downfall of its performance.

Joomla CMS after 10,000 Pages: 40 requests per second

Joomla has roots in Mambo, and thus, its downfall. Due to its support for older versions of PHP as well as its age, Joomla has become a hog when it comes to resources.

Drupal CMS after 10,000 Pages: 73 requests per second

Drupal is newer on the market and has been better architected from its start.

Comentum CMS after 10,000 Pages: 374 requests per second

Comentum has been building content management systems for over 10 years, so we know our stuff. The Comentum CMS has been architected to be light on its feet while leaving room to make the system powerful and scalable. Although our numbers sweep Drupal, Joomla and poor WordPress off their feet, we haven't put as much emphasis into the marketing of our CMS as we have with the advanced development of it, especially in the area of security.

Best Performance Winner: Comentum CMS can deliver your pages faster.

Round 2: How do the CMS Applications Rank on Security?

As stated above, CMS security is essential. The tests we ran on the four CMS applications were against XSS - cross-site scripting. Cross-site scripting is basically a tool to run very bad code on another website. Imagine if someone figured out a way to inject their own code into Yahoo's Mail interface, which could allow them to gain access to your computer. Our security test was fairly basic and targeted the log-in forms of the four content manage systems below. We used "XSS Me," provided by Security Compass to help with the testing.

Security: WordPress - Passed with Warnings

WordPress is similar to Drupal when it comes to security issues. They do take it seriously as there have been many issues with their security in the past.

Security: Joomla - Passed

Because Joomla has been around for a while, it has had more time to be tested beyond most software and has a very strong security measurement. That being said, we found that their search bar has a few open security issues, although very minor.

Security: Drupal - Passed with Warnings

Drupal did have minor security issues, less than Joomla's search bar. Drupal does take care of their community and goes out of their way to fix user-contributed modules that have security issues. Therefore, I would suggest utilizing Drupal if you want more secure modules.

Security: Comentum CMS - Passed

Bulletproof security is impossible, but at Comentum, we like impossible. We take security seriously and our commitment to developing secure applications goes towards pushing the boundaries of our CMS. We have had the advantage of over 10 years of experience to refine and perfect Comentum CMS.

Comentum has been featured on Channel 5 News as an expert on the subject of network and web application security to discuss the issues and importance of security in enterprise, education and government systems.

Security Winners: Joomla and Comentum CMS passed while WordPress and Drupal passed with warnings.

The above research was completed July 2010; Pricing and other data may change.