The major open-source content management systems – WordPress, Drupal, and Joomla – have lowered the barrier to entry in web development in a way that can make pretty much anyone a “web administrator” with only about a half hour’s worth of effort. At the same time, they have proven scalable and “industrial-strength” enough to be trusted by President Obama, The New York Times, and The Economist.
However, there is one minor quibble with these systems – security. WordPress sites, in particular, get hit with attacks at a frightening pace. Because WordPress and the other CMS platforms have dedicated, hard-working development communities, security flaws are usually patched very quickly after they are identified. However, we still must contend with the fact that they happen at all. These vulnerabilities open a potential can of worms and raise a difficult question: should we keep propagating CMS-based sites that are built on PHP?
One caveat: we have to be fair to PHP as a language. As one commentator has noted, calling a programming language insecure is sort of like “saying English, as a language, is less trustworthy.” However, the defense of PHP linked here also points out two of the major reasons why having PHP in the guts of a CMS might make the system inviting for attackers:
1) Ubiquity
It does stand to reason that if a language is used to process most of the web’s traffic, that language will experience the most attacks. From the perspective of an attacker, there is also no reason to invest time in learning the tricks for compromising a technology that only a handful of entities use. Not only that, but PHP hacking techniques are well documented due to the sheer volume of web-facing code that has been written in the language, and unfortunately not every person who writes in PHP has caught up with secure practices (or is too excited about getting a feature up and running quickly to care).
2) PHP is forgiving
PHP and JavaScript are probably tied for the most instances of being “My First Web Language,” but in the case of PHP we are talking server-side. PHP is very easy to learn – and copy-and-paste – with good results. However, some of the questionable habits of an inexperienced coder may make their way onto production systems without the developer even being aware that they are questionable. We also can’t help but wonder whether the legacy of PHP’s father language – Perl – comes into play, with its context-driven quirks in which one misplaced “@” or “$” might produce completely different behavior. PHP is generally much tighter than Perl in this regard, but it still retains some of the looseness that can leave a developer walking on eggshells with syntax.
We certainly should not sell short the hard-working communities that maintain WordPress, Drupal, Joomla, and PHP itself. After all, they perform full security reviews with each check-in and care very much about the safety of their platform users’ data. However, perhaps we could use a little variety in the world of CMS and begin to popularize offerings built on a very different foundation and developed with a security-first mindset.