A Comparative Study of Web Content Management Systems
Abstract
1. Introduction
2. Related Work
3. Web Content Management System under Study
4. Creating a Website with Joomla!, Drupal, and WordPress
- A homepage slider or banner, based on JavaScript.
- A login module, allowing user registration and creating private areas on the website.
- Social network integration; Twitter and Facebook.
- A multi-language module, content translation based on Google Translator.
- A search module, to find indexed content in the website.
- A contact form.
- Videos.
- Maps.
- A downloads section, customized multi-user downloads.
- A newsletter, so users are informed of recent news by email.
- Events, as a way to place important news into the website homepage.
- Hire a hosting provider service (e.g., 1and1.com) that includes a database (e.g., MySQL).
- Create the WCMS database.
- Download the WCMS installation package from the official website and extract the files into the virtual directory given by the hosting provider.
- Install the WCMS using the installation wizard, which links with the database.
5. Basic Security Analysis
- Data manipulation: violating data integrity, e.g., Structured Query Language (SQL) injection and parameter manipulation.
- Confidential data: when an unauthorized person gains access to stored data, e.g., via SQL injection and Cross-Site Scripting (XSS).
- Phishing: a special confidential data-gathering method using forms and spam mails.
- Spam: using email addresses published on the website.
- Execution of code: running scripts or programs on a web-server by exploiting WCMS vulnerabilities.
- Reflected XSS attack: This attack uses other routes to reach the victims, such as email messages with crafted links or other websites, which reflect the attack back to the user’s web-browser. The script is executed by the web-browser because it comes from a “trusted server”. This type of attack is also known as Non-Persistent or Type-II XSS [45].
- Stored XSS attack: The malicious script is stored somewhere on the web-server (e.g., a database, a forum message, logs, comments, etc.) and is sent to the victim when it requests the query. This attack type is also called Persistent or Type-I XSS [45].
- DOM-Based (Document Object Model) attack: In contrast to the previous types, here the injection is performed by the user into the web-page when the server script processes user data and injects it back into the website [46].
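The two injection classes named above (SQL injection against stored data, and script injection that is reflected back to the browser) come down to untrusted input being interpreted as code by the database or by the browser. The following is an added example, not code from the paper or from any of the three WCMSs, that places the vulnerable form of each next to its hardened form; the table, the user rows and the search page are constructed sample data.

```python
import html
import sqlite3


def demo_db():
    """Constructed in-memory stand-in for a WCMS user table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_user_vulnerable(conn, name):
    """Builds the SQL text by concatenation, so the caller's input becomes part of the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn, name):
    """Parameterised query: the driver binds the value, so it is never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def render_search_vulnerable(term):
    """Reflects the search term into the page unchanged (the reflected-XSS pattern)."""
    return "<p>Results for: " + term + "</p>"


def render_search_safe(term):
    """HTML-escapes the term, so '<', '>', '&' and quotes become entities and cannot open a tag."""
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"


if __name__ == "__main__":
    db = demo_db()
    probe = "x' OR '1'='1"  # textbook tautology probe, used only to show the contrast
    print("concatenated query returns:", lookup_user_vulnerable(db, probe))  # every user
    print("parameterised query returns:", lookup_user_safe(db, probe))       # []
    print(render_search_safe("<script>alert(1)</script>"))
```

The same two rules underlie the plugin and core fixes listed in the version tables later on the page: bind query parameters instead of building SQL strings, and encode every piece of user-supplied text at the point where it is written into HTML.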
- Make regular WCMS backups (files and database).
- Hire professional hosting providers, which are safer against SQL injection attacks.
- Use the most recent versions of WCMS and plugins.
- Employ specific security plugins, such as JHackGuard for Joomla!, that provide extra security.
- Limit the access to administration files and folders.
- Remove the installation script (install.php on Drupal and installation folder on Joomla!).
- Modify default passwords and define safe user roles.
- Enable CAPTCHA for unregistered users to avoid spam.
- Hide email addresses to avoid unsolicited spam.
- Activate friendly (search-engine-friendly) URLs.
- Change the default global website parameters configuration.
- Change the default database prefix during the installation process (if possible).
- Avoid showing sensitive information about the WCMS in the front-end.
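Several items in this checklist (removing the installation script or folder, restricting access to administration folders, changing the default database prefix, and not exposing WCMS details in the front-end) can be verified mechanically after deployment. The script below is an added example, not part of the paper, that audits a web root for those four items. The paths `installation`, `install.php`, `administrator`, `wp-admin` and `sites/default`, the configuration-key names `table_prefix` and `dbprefix`, and the list of prefixes treated as defaults are assumptions chosen for the demonstration; the sample web root, configuration text and home page it audits are constructed.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Installer artefacts the checklist says to remove (relative to the web root; assumed names).
INSTALLER_ARTIFACTS = ("install.php", "installation")
# Administration areas whose permissions the checklist says to restrict (assumed names).
ADMIN_AREAS = ("administrator", "wp-admin", "sites/default")
# Prefixes treated as "default" by this check (assumed list; adjust per deployment).
DEFAULT_DB_PREFIXES = ("wp_", "jos_")

_PREFIX_RE = re.compile(r"""(?:table_prefix|dbprefix)\s*=\s*['"]([^'"]*)['"]""")
_GENERATOR_RE = re.compile(r"""<meta\s+name=["']generator["']""", re.I)


def find_installer_leftovers(webroot):
    """Return the installer artefacts that still exist under the web root."""
    root = Path(webroot)
    return [name for name in INSTALLER_ARTIFACTS if (root / name).exists()]


def find_world_writable_admin_areas(webroot):
    """Return admin areas whose mode grants write permission to 'other' users."""
    root = Path(webroot)
    found = []
    for rel in ADMIN_AREAS:
        path = root / rel
        if path.exists() and stat.S_IMODE(path.stat().st_mode) & stat.S_IWOTH:
            found.append(rel)
    return found


def uses_default_db_prefix(config_text, defaults=DEFAULT_DB_PREFIXES):
    """True when the configuration assigns a prefix from the default list."""
    match = _PREFIX_RE.search(config_text)
    return bool(match) and match.group(1) in defaults


def leaks_generator_tag(page_html):
    """True when the rendered page advertises the WCMS through a generator meta tag."""
    return bool(_GENERATOR_RE.search(page_html))


def audit(webroot, config_text, page_html):
    """Run all four checks and report the findings."""
    return {
        "installer_leftovers": find_installer_leftovers(webroot),
        "world_writable_admin": find_world_writable_admin_areas(webroot),
        "default_db_prefix": uses_default_db_prefix(config_text),
        "generator_leak": leaks_generator_tag(page_html),
    }


def build_demo_webroot():
    """Constructed sample deployment that violates the checklist in three places."""
    root = Path(tempfile.mkdtemp(prefix="wcms-demo-"))
    (root / "installation").mkdir()          # installer folder never removed
    (root / "administrator").mkdir()
    os.chmod(root / "administrator", 0o777)  # admin area writable by everyone
    (root / "wp-admin").mkdir()
    os.chmod(root / "wp-admin", 0o755)       # correctly restricted
    return str(root)


DEMO_CONFIG = "<?php\n$table_prefix = 'wp_';\n"  # constructed configuration fragment
DEMO_PAGE = '<html><head><meta name="generator" content="ExampleWCMS 1.0"></head></html>'  # constructed

if __name__ == "__main__":
    for item, finding in audit(build_demo_webroot(), DEMO_CONFIG, DEMO_PAGE).items():
        print(f"{item}: {finding}")
```

Each check maps to one checklist item, so an empty list or `False` means that item is satisfied; the script is meant to be run after installation and again after every WCMS or plugin update, since updates can reintroduce files or permissions.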
6. Conclusions
Acknowledgments
Author Contributions
Conflicts of Interest
References
- Netcraft. Available online: https://www.netcraft.com/ (accessed on 14 December 2017).
- World Internet Users Statistics. Available online: http://www.internetworldstats.com/stats.htm (accessed on 14 December 2017).
- How Very Small Businesses Are Utilizing the Internet Today and Future Expectations; GoDaddy LLC & Redshift: Scottsdale, AZ, USA, 2015.
- Cody, W.F.; Kreulen, J.T.; Krishna, V.; Spangler, W.S. The Integration of Business Intelligence and Knowledge Management. IBM Syst. J. 2002, 41, 697–713. [Google Scholar] [CrossRef]
- Bergstedt, S.; Wiegreffe, S.; Wittmann, J.; Moller, D. Content Management Systems and E-Learning Systems -a Symbiosis? In Proceedings of the 3rd IEEE International Conference on Advanced Technologies, Athens, Greece, 9–11 July 2003; pp. 155–159. [Google Scholar]
- McDaniel, R.; Fanfarelli, J.R.; Lindgren, R. Creative Content Management: Importance, Novelty, and Affect as Design Heuristics for Learning Management Systems. IEEE Trans. Prof. Commun. 2017, 60, 183–200. [Google Scholar] [CrossRef]
- Wan, S.; Li, D.; Gao, J. Exploring the Advantages of Content Management Systems for Managing Engineering Knowledge in Product-Service Systems. Procedia CIRP 2016, 56, 446–450. [Google Scholar] [CrossRef]
- Bianco, F.; Michelino, F. The Role of Content Management Systems in Publishing Firms. Int. J. Inf. Manag. 2010, 30, 117–124. [Google Scholar] [CrossRef]
- Shteiman, B. Why CMS Platforms Are Breeding Security Vulnerabilities. Netw. Secur. 2014, 2014, 7–9. [Google Scholar] [CrossRef]
- Internet Users and Penetration Worldwide. 2016-2021—Emarketer. Available online: http://www.emarketer.com/Chart/Internet-Users-Penetration-Worldwide-2016-2021-billions-of-population-change/206259 (accessed on 14 December 2017).
- Barker, D. Web Content Management: Systems, Features and Best Practices, 1st ed.; O’Reilly Media: Sebastopol, CA, USA, 2016; ISBN 9781491908129. [Google Scholar]
- McGraw, G. Software Security: Building Security in; Addison-Wesley: Boston, MA, USA, 2006; ISBN 0321356705. [Google Scholar]
- Hoglund, G.; McGraw, G. Exploiting Software: How to Break Code; Addison-Wesley: Boston, MA, USA, 2004; ISBN 0201786958. [Google Scholar]
- Symantec. Available online: https://www.symantec.com/security-center/threat-report (accessed on 3 December 2017).
- Jonsson, E. Towards an Integrated Conceptual Model of Security and Dependability. In Proceedings of the First International Conference on Availability, Reliability and Security (ARES’06), Vienna, Austria, 20–22 April 2006. [Google Scholar]
- Meike, M.; Sametinger, J.; Wiesauer, A. Security in Open Source Web Content Management Systems. IEEE Secur. Priv. Mag. 2009, 7, 44–51. [Google Scholar] [CrossRef]
- Aledo-Hernández, A.J.; Guillen-Pérez, A.; Martínez-Caro, J.-M.; Sánchez-Iborra, R.; Cano, M.-D. Sistemas de Gestión de Contenidos Web: Uso Y Estudio Comparativo de Su Seguridad. In Proceedings of the XIII Jornadas de Ingeniería Telemática (JITEL 2017), Valencia, Spain, 27–29 September 2017. (In Spanish). [Google Scholar]
- Usage Statistics and Market Share of Content Management Systems for Websites, January 2018. Available online: https://w3techs.com/technologies/overview/content_management/all (accessed on 8 January 2018).
- Historical Yearly Trends in the Usage of Content Management Systems, January 2018. Available online: https://w3techs.com/technologies/history_overview/content_management/all/y (accessed on 11 January 2018).
- Patel, S.K.; Rathod, V.; Prajapati, J.B. Performance Analysis of Content Management Systems—Joomla, Drupal, and WordPress. Int. J. Comput. Appl. 2011, 21, 39–43. [Google Scholar] [CrossRef]
- Mirdha, A.; Jain, A.; Shah, K. Comparative Analysis of Open Source Content Management Systems. In Proceedings of the 2014 IEEE International Conference on Computational Intelligence and Computing Research, Coimbatore, India, 18–20 December 2014; pp. 1–4. [Google Scholar]
- WordPress. Available online: http://www.wordpress.com (accessed on 1 December 2017).
- Joomla. Available online: http://www.joomla.org (accessed on 1 December 2017).
- Drupal. Available online: http://www.drupal.org (accessed on 1 December 2017).
- W3Techs. Web Technology Surveys. Available online: https://w3techs.com/technologies/overview/content_management/all (accessed on 1 December 2017).
- Patel, S.K.; Rathod, V.R.; Parikh, S. Joomla, Drupal and WordPress—A Statistical Comparison of Open Source CMS. In Proceedings of the 2011 3rd International Conference on Trendz in Information Sciences and Computing (TISC), Chennai, India, 8–9 December 2011; pp. 182–187. [Google Scholar] [CrossRef]
- Jerkovic, H.; Vranesic, P.; Dadic, S. Securing Web Content and Services in Open Source Content Management Systems. In Proceedings of the 2016 39th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), Opatija, Croatia, 30 May–3 June 2016; pp. 1402–1407. [Google Scholar]
- Proyecto Webscarab OWASP. Available online: https://www.owasp.org/index.php/Proyecto_WebScarab_OWASP (accessed on 1 December 2017).
- Tamper Data: The Firefox Add-on. Available online: https://www.lifewire.com/firefox-addon-that-hackers-dont-want-you-to-know-about-2487289 (accessed on 1 December 2017).
- Hawkins, B.; Demsky, B. ZenIDS: Introspective Intrusion Detection for PHP Applications. In Proceedings of the 39th International Conference on Software Engineering, Buenos Aires, Argentina, 20–28 May 2017; pp. 232–243. [Google Scholar] [CrossRef]
- Vasek, M.; Wadleigh, J.; Moore, T. Hacking Is Not Random: A Case-Control Study of Webserver Compromise Risk. IEEE Trans. Dependable Secur. Comput. 2015, 13, 206–219. [Google Scholar] [CrossRef]
- Shivakumar, S.K. Enterprise Content and Search Management for Building Digital Platforms; John Wiley & Sons: Hoboken, NJ, USA, 2016; ISBN 1119206812. [Google Scholar]
- Artisteer. Available online: http://www.artisteer.com (accessed on 1 December 2017).
- Vinaora Nivo Slider—Joomla! Extension. Available online: https://extensions.joomla.org/extension/vinaora-nivo-slider/ (accessed on 3 December 2017).
- Social Media Buttons and Management—LinksAlpha.com. Available online: https://www.linksalpha.com/ (accessed on 3 December 2017).
- ITP Social Buttons—Joomla! Extension Directory. Available online: https://extensions.joomla.org/extension/itpsocial-buttons/ (accessed on 3 December 2017).
- Google Translate. Available online: https://translate.google.com/ (accessed on 3 December 2017).
- jDownloads! Download Manager for Joomla! Available online: http://www.jdownloads.com/ (accessed on 3 December 2017).
- Mailchimp. Available online: http://www.mailchimp.com (accessed on 1 November 2017).
- Newman, R.C. Cybercrime, Identity Theft, and Fraud. In Proceedings of the 3rd Annual Conference on Information Security Curriculum Development, Kennesaw, Georgia, 22–23 September 2006; ACM Press: New York, NY, USA, 2006; p. 68. [Google Scholar]
- Tanenbaum, A.S.; van Steen, M. Distributed Systems: Principles and Paradigms; Prentice-Hall: Upper Saddle River, NJ, USA, 2002. [Google Scholar]
- 2016 Vulnerability Statistics Report; Edgescan Portal: Dublin, Ireland, 2016.
- Apache. Available online: https://www.apache.org/ (accessed on 14 December 2017).
- Yusof, I.; Pathan, A.-S.K. Mitigating Cross-Site Scripting Attacks with a Content Security Policy. Computer 2016, 49, 56–63. [Google Scholar] [CrossRef]
- Cross-Site Scripting (XSS)—OWASP. Available online: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) (accessed on 3 December 2017).
- CWE—CWE-79: Improper Neutralization of Input During Web Page Generation (’Cross-site Scripting’) (3.0). Available online: http://cwe.mitre.org/data/definitions/79.html (accessed on 3 December 2017).
- SQL Injection—OWASP. Available online: https://www.owasp.org/index.php/SQL_Injection (accessed on 3 December 2017).
- SQL Injection (SQLi)—Acunetix. Available online: https://www.acunetix.com/websitesecurity/sql-injection/ (accessed on 3 December 2017).
- Shar, L.K.; Tan, H.B.K. Defeating SQL Injection. Computer 2013, 46, 69–77. [Google Scholar] [CrossRef]
- National Institute of Standards and Technology. Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. NIST Spec. Publ. 800-53A 2014, 4, 1–487. [Google Scholar] [CrossRef]
- Acunetix. Available online: https://www.acunetix.com/ (accessed on 3 December 2017).
Joomla! version history

Version | New Features |
---|---|
1.0 | UTF-8 Built-in, Database Drivers, Official Supported Components Already in the Core, Plugin Framework, FTP Uploading of Extensions, Visible to Administrators when the Website is Offline, SQL Injection and XSS Solutions, HTTPS, Include CHANGELOG.php File for More Information, Media Manager Support for XCF, ODG, ODT, ODS, ODP File Formats and New Menu to Clear All Caches |
1.5 | Support GIF Images, LDAP Security Fix, SEO Improvement, RSS Feed, Solve XSS, DoS and SQL Injection Vulnerabilities in Back-end and Front-end Editing |
2.5 (1.6 & 1.7) | Smart Search Engine, New Database Supports, Captcha by Default, URLs and Images Fields, Admin Notification—New User Creation, Notes into Users and Menu Items, Customized Text Filter, News Feed Flexible Sequence, Translation Edition from Language Manager, Automatic Offline Website after Installation, Customized Offline Website Image, Status Bar, Online User Status, Native ZIP Support, New SEO System Plugin and New Debugging Plugin Interface |
3.6.5 | Responsive Built-in Feature, Bootstrap, Installation Process Simplified in Only 3 Steps, reCAPTCHA, Content Version Control, Extension Finder, PHP 7 Support, Article Manager—Better Organized and more Available Options, Drag-and-Drop Images, One-click Extension Installation, Update Notifications via Email, Log Folder, Two-Step Authentication and Higher Password Security, ACL into Menu, JLayout Integration, Inverse Cache, Back-end Menu Manager and Custom Fields |
WordPress version history

Version | New Features |
---|---|
0.7 | New Administration Interface, Private Posts and Geographical Data Support |
1.0 | Multiple Categories, Comment Moderation, User Creation from Admin Page and Edit Page and Comment link |
1.2 | Plugin Architecture, Sub-Categories, Post Preview, Unlimited Update Services, Custom Fields, Directory Flexibility, Encrypted Password, Comment Management Tools and Solve Login Problems |
1.5 | Security Issues (XSS and SQL Injection), Templates, Site Customization and "Save and Continue" Button |
2.0 | Redesigned Backend, Faster Posting, Image and File Uploading, New User Roles and Capabilities, Database Versioning and Theme and Header Customization |
2.1 | AutoSave, Spell-Checking into Editor, New Search Engine, Redesigned Login Screen and More Efficient Database Code |
2.2 | New Widgets, Infinite Comment Stream and Speed Optimization |
2.3 | Native Tagging Support, New Update Notification, Canonical URLs and Pending Review Feature for Multi-Author Blogs |
2.4 | More Widgets and Cleaner, Faster and Less Cluttered Dashboard |
2.8 | Faster to Use, Ease of Installation, Redesigned Widgets Interfaces and Screen Options on Every Page |
2.9 | Built-in Image Editor, Easier Video Embeds, Global Undo/“trash” Feature and Update and Compatibility Checking |
3.0 | Lighter Interface, Contextual Help on Every Screen, 1217 Bug Fixes and Feature Enhancements |
3.1 | Redesigned Linking Workflow, Admin Bar, Post Formats Support, New WCMS Capabilities, New Network Admin and Advanced Taxonomy and Custom Fields Queries |
3.2 | Refreshed Dashboard Design, New Post Editor Design—Distraction Free and Rotating Header Images |
3.3 | Drag-and-Drop Uploader and Pointer Tips |
3.4 | Theme Customizer and Third-party Embedded Box |
3.5 | Re-imagined Flow for Uploading Multimedia Content and Dashboard Style Refresh (Retina Ready) |
3.6 | Revamped Revisions, Post-Locking, Augmented AutoSave, HTML Media Player and Menu Editor Easier to Understand and Use |
3.7 | Maintenance and Security Updates While You Sleep, Better Global Support and Stronger Password Recommendations |
3.8 | Modern Aesthetic, Clean Typography, Refined Contrast, High Definition at High Speed, Admin Color Schemes and Smoother Widget Experience |
3.9 | Improved Visual Editing, Edit Images Easily and Gallery Previews |
4.0 | New Multimedia Management, Ease of Use of Embedded Multimedia and New Plugin Search Engine |
4.1 | Auto-Detected Language and Plugin Recommendations Section |
4.2 | Easier Way to Share Content and Extend Character Support |
4.3 | Menus in the Customizer, Formatting Shortcuts, Stronger Password Generation when New User is Generated |
4.4 | Responsive Images, Embed Everything and REST API Infrastructure |
4.5 | Live Responsive Previews, Custom Logos and Smart Image Resizing |
4.6.2 | Native Fonts, Inline Link Checker and Content Recovery |
Drupal version history

Version | New Features |
---|---|
1.0 | Initial Release |
2.0 | FAQ Module, Multi-Lingual Website Option, Multiple Vhosts, Search Functionality in Administration Pages, Multiple Directories, Sections and Section Manager |
3.0 | Book, CVS, Help, Page, Moderate, Statistics, System, Poll, Blog and Access Modules |
4.0 | Blogger API, Tracker and Weblogs Modules and Support for External SMTP Libraries |
4.1 | Throttle, Profile and Taxonomy Module and Pager Support to the Main Page and Offline Mode |
4.2 | Support for Clean URLs and Better Installation Instructions |
4.3 | Support for Configurable URLs, Multiple Sessions per User, Anonymous Session, Mass Node Operations and Optimization of Many SQL Queries |
4.4 | Automatic Disabling Module or Blocks under Heavy Load and Improve Memory and Footprint Performance |
4.5 | Reorganize the Navigation Menu, Add Recent Comment Block, Tabs and SubTabs, Possible to Track Forum Topic and Support for Uploading Documents, Database Connections and Using Multiple Inputs Formats |
4.6 | PHP 5 Compliance, Add Flow Control Mechanism and Categories to RSS Feeds, Contact Module and Security Issues (XSS, DoS, and CSRF) |
4.7 | Free Tagging Support, Auto-Complete Forms (AJAX), Resizable Text Fields (JS), IP Black-List, Customizable Result Ranking, Support for External URLs and New Security Issues |
5 | Retooled Administration Page, Web-Based Installer and New Security Issues |
6 | New, Faster and Better Menu System and Email Notification to Approved, Blocked or Deleted Users |
7.54 | Support for SQLite Database Engine, Limited Login Attempts to Prevent Brute-Force Password Guessing, Drag-and-Drop Positioning for Input Format, Language and Pool Listing, Administration Role, Stronger Password Validator and Time Zone |
Feature | Joomla! | Drupal | WordPress |
---|---|---|---|
Main content type | Websites, online apps | Blog | Blog, e-commerce, online apps |
Extension availability | High | Middle | High |
Functionality range | High | Middle | High |
Extension repository | Distributed | Centralized | Distributed |
Documentation | Excellent | Good | Excellent |
User community | Very active | Limited | Very active |
Ease of use | Simple | Complex | Simple |
User role personalization | Middle | Very High | Middle |
Manual SEO positioning | Yes | Yes | Yes |
Automatic SEO positioning | Extensions | Modules | Plugins and tools |
Functionality | Joomla! | Drupal | WordPress |
---|---|---|---|
Own template developer | Artisteer | Artisteer | Artisteer |
Used template | Yoo Downtown | AT commerce | Yoo Downtown |
Header and footer | Artical module | Incorporated into template | Incorporated into template |
Picture slider | Nivo | Incorporated into template | Incorporated into template |
Social networks | ITPsocialbuttons | Linksalpha website provides social code. | Linksalpha website provides social code. |
Translation | GTranslate | GTranslate | GTranslate |
Events | JNews | Recent content section | Permanent links widget |
Download manager | jDownloads | File Downloader | WordPress Download Manager |
Newsletter | Mailchimp Website | Mailchimp Website | Mailchimp Website |
Contact form | CKForms | Incorporated into kernel | CformsII |
Module developer | Jumi | - | - |
Entries editor | JCE | Own | Own |
YouTube, Twitter and Maps | Inserting HTML code provided by official websites | Inserting HTML code provided by official websites | Inserting HTML code provided by official websites |
Search and login | Incorporated into kernel | Incorporated into kernel | Incorporated into kernel |
Vulnerability | Joomla! | Drupal |
---|---|---|
SQL injection | Total alerts: 133; risk level: 1 or low | Total alerts: 78; risk level: 1 or low |
XSS | Total alerts: 122; risk level: 1 or low | Total alerts: 9; risk level: 0 |
© 2018 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Share and Cite
Martinez-Caro, J.-M.; Aledo-Hernandez, A.-J.; Guillen-Perez, A.; Sanchez-Iborra, R.; Cano, M.-D. A Comparative Study of Web Content Management Systems. Information 2018, 9, 27. https://doi.org/10.3390/info9020027