Forum Moderators: open
I'm in the process of selecting a CMS for my new website, but it's all taking longer than I'd expected.
I can't seem to find the right tool for the job.
I'm looking for a CMS or Blog script with the following features:
1. It must be able to handle high traffic.
2. It must have a static html caching system. Like wordpress super cache, so that my site uses almost as few cpu resources as a static html website.
3. User must be able to post comments to some of my pages, as well as trackbacks. These functions can be either built-in, or a plugin. Doesn't matter. (same goes for number 2)
4. It must be (reasonably) secure. Not like Wordpress, where you constantly have to install security updates. I don't mind a little work at all, but it's no good coming back from a vacation, having missed a security update, and your site is hacked.
If you know of any CMS that do the above. I would greatly appreciate it if you'd let me know.
Thanks
John
#4 rules out Joomla, Drupal and Wordpress. The recent IBM XForce report on security vulnerabilities has these three as the only three web-facing applications to make the top-10 list of vendors with security problems.
Joomla was the worst, coming it at #2 between Apple and Microsoft. Considering that in the case of Apple and MS these are giant vendors with huge reach and giant product catalogs, it's a bit frightening that a single product could have more exploits reported than ALL Microsoft products combined. Of course, none of these are really "single products" as many of the exploits are in third-party add-ons.
I don't know as other CMS are necessarily more secure inherently, but by virtue of being more obscure are less likely to get targetted (caveats about security through obscurity apply). As I always say, any CMS that's designed to be friendly to plugins, has many third-party contributions and the ability to post from anywhere is going to likely be pretty wide open. But the wide reach of these three make them more likely to get targetted.
That said, balancing the advantages of highly active projects versus security through obscurity, there are some huge sites running all three of these.
As for #1-3. I think #2 pretty much implies #1 unless you're gonig to have an active forum or something that will make caching less powerful.
So if you exclude the big three, that leaves 1000 or so CMS ;-) - Typo3, Moveable Type, Expression Engine, or you could go with Python (Plone) or even Ruby (Radiant, which definitely has caching). I'm not sure how any of these correspond to your criteria though.
Or build your own with Django or Cake PHP or....
Movable Type is one CMS I was interested in, but there were a few things that prevented me from actually trying it out.
I heard a lot of stories from people of problems with the MT comments option. Particulary if you use static html (which is what I would use) as your pages. It would take visitors to long to post comments. There are ways to speed the process up, but according to some recent MT forum posts, this may not be enough.
I have to look into your other suggestions, although I exclude typo3 as I find it somewhat complicated.
Thanks again for your help.
...and if anyone else has any more suggestions that meet my needs, they are very welcome!
One regular here swears by DotNetnuke as well, which is free and open source, but runs on a Windows platform rather than the common LAMP platform.
I should say that personally, I like Drupal and find that though it has tons of security alerts, the vast majority are for third-party "community" features which, by their very nature are wide open because they allow regular users to do a lot of stuff. Not many of the security exploits are for core, the ones that are for core are usually revealed and patched before there are any known cases of exploits in the wild. And it has some powerful caching plugins (and has a lot of caching built in, but not truly static pages).
I suppose the issue that MT has with static pages and comments is that you need to regenerate the page and flush the cache (i.e. overwrite the cached file) for that page every time a comment gets added.
Finally, the ones I listed are not recommendations per se. I've never used Radiant. I just know that it does have caching built in and, whether wide open or locked down, it's obscure enough that the zillion bots that go around looking for Wordpress are not going to attack you at least.
I'm not sure it's representative of anything, and applications with recent major rewrites will be over-represented on the "Last three months" search, while apps that haven't had a major-version upgrade in a year will be underrepresented perhaps. And it seems to me that for some CMS, plugin exploits get reported as exploits for that CMS and in other cases they don't. Still... fairly interesting.
I personally always use secunia.com to search for vulnerabilites, but this one seems to bring up more results. Thanks for that.
I know this is not really the place to ask, but do you know if some of the rebuilding comments issues of movable type can be solved by only adding the new comments after moderation?
Okay, I don't have an answer or a contract. Sorry.
[edit: I think I'm overdue for lunch or something!]
ergophobe, thank you so much for your help!
You didn't have to reply, and still you did...
Thanks for that!
Johndem wrote:2. It must have a static html caching system. Like wordpress super cache, so that my site uses almost as few cpu resources as a static html website.
For this (really great speed and performance), Drupal has the Boost module (static page caching for non-logged in visitors), similar to WP Super Cache.
The current Boost version is for Drupal 5, however you can find a working upgrade patch for Drupal 6 in the module issues.
About other features, you might use cmsmatrix for feature comparison.
[edited by: Juan_G at 9:28 pm (utc) on Oct. 12, 2008]
