Open Source CMS in PHP with Security facts!
I have experience with Joomla, Drupal, WordPress and small CMS configuration. But one of my clients is asking about the security level of the above CMSs. I never thought about the security risks and it's really very new to me. On what basis can I choose which CMS is best when considering the security level and minimum risks? And what kind of security can we provide to the server to make the application highly secured?
All the big CMS products you mentioned should be okay. Look at who else is using them; this is a great way to judge how good the product really is. For example, Drupal is used by the White House. This fact gives me a lot of confidence in Drupal.
The important thing is to make certain that you keep up-to-date with any security fixes that are released.
The vast majority of security problems in all these products come from non-core modules that you might install. If you're really worried about security, I suggest keeping the number of modules you use to an absolute minimum.
Where you do need to use an external module, do thorough investigations to find out how good it is: How often is it updated? Are there any known bugs with it which may be security issues? How widely used is it? And as I mentioned above with the core CMS, who is using it?
You should also ensure that your web server is secure. It's not just your CMS that will provide routes in for a hacker. Close all unnecessary ports and services. Make sure that everything possible is encrypted (use SFTP, definitely not FTP). If you're using a PHP-based CMS such as Drupal, use a security-hardened PHP version (Suhosin) rather than the basic version.
Finally, you should accept that no matter how good your software and no matter how vigilant you are, you could still get hacked. Worse, you could get hacked without even knowing about it. Even the best software has flaws which can be exploited. For this reason, you should aim to have several layers of security before anyone can get to any genuinely sensitive data.
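As an added example (not code from the answer above or from any of the CMS projects), a small POSIX shell audit for two of the server-side points in this answer: externally reachable listening ports checked against an allowlist, with FTP called out, and whether the Suhosin extension appears in `php -m`. The `ss -Hltn` listing, the `php -m` output and the allowed-port list are constructed samples and assumptions for a typical CMS host.

```shell
#!/bin/sh
# Added example (not from the original answer): check a host against the
# hardening advice above. Inputs are plain text, so the checks run on a
# saved listing as well as on live `ss -Hltn` / `php -m` output.
# Ports a CMS host normally needs: SSH (which carries SFTP), HTTP, HTTPS.
ALLOWED_PORTS="22 80 443"

# audit_ports LISTING   (LISTING = lines in `ss -Hltn` format)
# Prints every externally reachable listening port not in ALLOWED_PORTS.
# Loopback-only services (e.g. MySQL on 127.0.0.1) are not exposed, so they
# are skipped. Returns 1 if anything was flagged, 0 if the host is clean.
audit_ports() {
    unexpected=0
    ports=$(printf '%s\n' "$1" | awk '
        $4 ~ /^127\./ || $4 ~ /^\[::1\]/ { next }   # loopback binds are fine
        { sub(/.*:/, "", $4); print $4 }            # keep only the port number
    ' | sort -un)
    for port in $ports; do
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;   # expected service
            *)
                if [ "$port" = 21 ]; then
                    echo "port 21 (FTP) is listening: credentials travel in clear text, use SFTP"
                else
                    echo "unexpected listening port: $port"
                fi
                unexpected=1 ;;
        esac
    done
    return $unexpected
}

# check_suhosin MODULES   (MODULES = output of `php -m`)
# Returns 0 when the Suhosin extension is loaded, 1 otherwise.
check_suhosin() {
    printf '%s\n' "$1" | grep -qix 'suhosin'
}

# Constructed sample data (hypothetical host, not real output):
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 5 0.0.0.0:21 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*'
SAMPLE_PHP_M="$(printf 'Core\njson\nsuhosin\n')"

audit_ports "$SAMPLE_SS" || echo "-> tighten the firewall / service list"
if check_suhosin "$SAMPLE_PHP_M"; then echo "suhosin: loaded"; else echo "suhosin: not loaded"; fi
```

On a live host the same functions take `"$(ss -Hltn)"` and `"$(php -m)"` as arguments.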