I've used Wordpress and Joomla to build a couple of small websites, and done some hacking about to get them running exactly as I want. But both of these, and probably many other PHP CMSs, are subject to a constant barrage of security fixes. I don't have the time to test the fixes, make sure my customizations are still working, and roll them out before anyone attacks the site, then do the same thing again a month later - I'll never get anything else done with that kind of overhead.
So my question is: Is there a (preferably PHP) content management system that somehow successfully avoids the constant barrage of security updates and resulting testing/sysadmin work? So I can just work on it when I have time, not keep racing to patch the latest attacks?
Bonus points for having a sane plugin model to make it easier to code against. More bonus points if it provides an easy method to import data from Joomla and/or wordpress.
Thanks
EDIT: As rightly pointed out, avoiding updates entirely is not a sensible goal. Rather, I want to minimize the pain of updates. So what I'm really looking for is:
Easy to adapt and theme in a way that is guaranteed not to break during updates
Simple update process
there is no cms (no software, for that matter) so secure you never have to update. developers make mistakes, and new exploits appear. so every cms should be "subject to a constant barrage of security fixes". if it is not, you should ask yourself about the security policy of the project and the security of your site. see The Open Security Model, Drupal and ExpressionEngine on Security for a related read.
so unless you don't care about the security of your site, you are asking the wrong question. i think it should actually be: is there a cms that is customizable without modifying core files so that security updates don't break my customizations? or: how can i customize a cms so that security updates don't break my customizations? security updates usually don't break a (even customized) site - unless the customizations are done the wrong way.
my answer to that new question would be Drupal (including bonus points).
The last versions of WordPress (2.7 branch) have auto update for core and plugins making it really easy to upgrade when a fix is available. The api is also awesome - I've done quite a few WordPress based sites and rarely (if at all) needed to hack the core.
As long as you customize through plugins or themes, and use auto update when a new version is available, you shouldn't have any problem at all.
I like CMS Made Simple, which is written in PHP.
In terms of security, stability & flexible maintenance I suggest Symfony framework (see: http://www.symfony-project.org/). It has a lot of plugins, support towards wordpress, joomla and whatever you need.
See also CakePHP at http://cakephp.org
I really like ExpressionEngine, made by EllisLab; it's based on their open source framework CodeIgniter (which I think is one of the best PHP MVC frameworks).
There is a free version of ExpressionEngine for non-commercial use, which is all I've used, but the paid addons + modules look pretty slick.
As for actually really free, ModX is alright, but has a frankly weird plugin system. That said, I've built a couple of sites on it, and been happy with the results.
Here's the thing. I love Ruby and I've been using it for the past couple of years. I love everything about the language and the community.
But I have this soon-to-be-large WordPress site, where I have to implement a lot of additional functionality. The problem is, I really hate customizing WordPress beyond simple theme design.
Examples of things I need to do:
add some additional information to profiles, like karma/points/reputation system
offer users to create their own page after they're allowed to do it
pulling data from some external API and displaying it on the user's profile
I got really used to the whole agile BDD workflow, where I go from Cucumber features to RSpec to implementing the stuff, and the whole WordPress architecture looks to me like ok I'm just gonna have to pray this works.
I'm not sure if it's even wise to try to write some part of the app in Ruby and try to make it work together with WordPress, or if I should just take WordPress as the only thing I've got and make the most of its strengths and weaknesses.
The main issue for me is that everything I'm going to write in PHP will take about 5 times as long as if I do it in Ruby, and it will probably also be more secure and robust, since I don't have as much experience with complex PHP stuff. I mean I've done a lot of PHP in the past, but I always felt like the whole thing is going to fall apart at one point.
I know there is probably no definite answer on how to approach this, but any suggestions are welcome.
We've integrated a Rails app into a TYPO3 installation. It worked out pretty well. The key point is to use Rails' support for adapting models to tables of a legacy app. An important point is to handle authentication which we handle by passing the TYPO3 session key to the Rails app in a hidden way (using PHP as the web-client and passing appropriate headers) and looking it up in the session table (respecting the session timeouts). The Rails app itself is mapped into a sub directory using passenger. Performance is very good, it's even amazing compared to our previous implementation trying to use Extbase.
So, in conclusion: If you do it right and the interfaces between the two apps are well planned such an approach can offer great benefits and the best of two worlds. If not done right or you don't understand some implications of Wordpress (like security) you will create a big mess prone to security breaches.
BTW: We reached feature parity with the Extbase (MVC framework in TYPO3) solution after 4 days of using Rails. The Extbase solution took 6 weeks and caused a lot of headache and trouble. So your time factor may be even better than 5:1.
Why not learn how to do Behavior Driven Development in PHP for WordPress? In fact, this is one of the great opportunities for developers in 2017. We now have full-blown BDD frameworks in WP-Codeception, so that you can even automate Gherkin feature files, just like in Cucumber. Check out WordPress-BDD.com for some useful info.
I almost feel dumb/ignorant for asking but I have never used Wordpress in my life. My primary skill of recent has been developing secure internet/intranet applications in PHP for healthcare companies. Every now and then I get asked to do some personal work for friends or coworkers but don't have the time or willingness to learn something new with my busy schedule.
Recently, I was approached to develop a site for a non-profit education group in which the group would need to update content on a regular basis. Simple CMS system should do the trick and while I've never used it, what if I built the site for them on Wordpress? It would give a few of the employees the ability to add and update blog posts and keep new content fresh on the site. The site would also need to maintain a member 'log in' area with security being a top concern which I have no idea if Wordpress is capable of on its own. I have no problem building the latter in straight PHP but I am curious, is it possible to truly integrate the two?
I would like to build something like this site:
http://tf.dtbaker.com.au/template/child_care/index.html
but add in the security/member only area features they mentioned while keeping the ability for 'blogging'. I recently came across a few hosted CMS providers (such as Surreal CMS http://surrealcms.com/) as a method to manage the CMS aspects but if there are better solutions, I am all ears.
Note: Using WP solely as a subdomain for any blogging aspects is not an option.
Thank you ahead of time.
WordPress is extendable using PHP and their Plugin system. WP has a basic level of user authentication and permission level to handle site management and maintenance. There are plugins available which allow you to implement member only features. Google search for WordPress membership plugin shows up quite a few hits.
Regarding security of WordPress, we have 3 websites running on WordPress for the last 5 years. Security has improved since version 3.x of WP compared to the earlier versions. There are plugins that help from doing things like scan the system for security holes (wrong permissions on files etc.) as well as plugins that claim to make your site more secure. But the best security is really understanding the WordPress system, how it works, and ensuring that the plugins you install are properly tested and vetted before being installed in production.
HTH
It's hard to make a recommendation without knowing the specifics, but if the majority of the functionality of the site has nothing to do with blogging, you'll probably end up spending a lot of time writing plugins to modify the way Wordpress works, and then you'll have to potentially maintain those plugins as the API changes as new versions of Wordpress are released. Since you're dealing with health care companies and a need for security, not upgrading when a new version of Wordpress comes out could potentially be a security risk. You'll probably also find that Wordpress's "blog-centricness" will start to get in your way.
From what you've said in your question, my inclination would be to use a CMS to build the site if I were in your shoes.
That's not to say that you can't use custom themes and plugins to add CMS-like functionality to Wordpress and end up with some nice looking sites. The folks at WooThemes (http://www.woothemes.com/) are doing a darn good job at that from what I've seen, and there are other folks doing the same thing. I just wouldn't go that route if I were you.
I'm thinking about rebuilding my website from scratch, but this time, using a CMS. Everywhere I turn people tell me to use a cms, but it's only now I'm really considering it. My site isn't too complicated. Is this a good idea in terms of workflow? I'm the only person who will edit the site, so if it's just a matter of workflow and efficiency, should I just convert now before it gets really big?
Sure, a few come to mind.
Deployment complexity. Many CMSes require a database, which means running a database process somewhere, and backing that up, as well as the rest of the code and assets for the site.
More space will be required to hold the CMS code for the manager, framework, libraries, etc.
Bloat could come into play, the CMS may, and likely would, implement features you have no use for.
Additionally any CMS will have some kind of limitations, some things will be more tricky to do than others when compared to a mostly static site.
Just read the code. That's often all the arguments you need. (If your needs are really simple and you don't need plugins and you don't need to write any code yourself I'd still use a CMS, though)
If your site is mainly a design showcase, and doesn't have real content in it, then a CMS will only get in your way and make things harder.
Otherwise, it will mostly be of help.
Along with everyone else's statements. If it's just a small site you don't necessarily need a CMS, but if you are wanting to use a CMS for client projects in the future, why not start now.
Deployment. If you're doing some big changes to your site or testing something, you'll probably want to try it out locally with a development copy of the database. Once you're done, how do you get everything to the live site without overwriting, say, comments that were made on the live site since you created a development copy?
Specialization. CMS's are great for some things, but they're bad at others. What if you want to add more complex functionality to your site? It might be a plugin or module at first, but soon you're writing all this code and you realize you should have just used a framework and built the CMS part yourself.
If it's a simple static site with a single editor and without any aspirations of using complicated functionality and you feel confident enough in your web language of choice, then go for it. Even if you don't feel confident enough, it should be a good challenge.
Write some minor templating so that you can separate your code from your design, have some simple way of adding articles or blog posts or whatever - it could be as simple as including text files from a directory.
Using a CMS, even in their modern and quite usable state will require more resources, hardware-wise, and will probably have a steep learning curve. It will also require maintenance and diligent security patch application as new vulnerabilities appear. On the other hand a CMS can get you up and running with a basic site quickly, and grow with your needs if you feel like enriching it, as you get to use its large variety of ready made plugins and extensions. You want blog comments with users logging in via OAuth? No problem. RSS? There's an extension for that.
Bottom line is, if this is a simple static site with a single editor as you describe it, it should be trivial to set up some code to run it. You'll spend as much time on its template design as you would on customizing a CMS's template, avoid the initial learning curve a CMS requires, and not worry too much about the resources and maintenance a modern CMS requires. You will, however, be limited in functionality and future ideas by what you can write or integrate yourself.
It depends somewhat on the purpose of the site.
If it is a means to an end of getting information posted on the web, then adopting something like WordPress will quickly get you going, and provide lots of extra functionality that would take a fair amount of time to build in - e.g. stats, feeds, remote publishing etc. There are a few basic steps you'll need to go through setting up self-hosting on a shared web-hosting package e.g. creating the DB and unzipping the files etc but fairly straightforward really. And the time you save administering your website can be focussed on other things where you're making a difference or doing something different to everyone else.
However if your purpose is in part the learning experience of developing the functionality or you have unusual requirements that aren't in a standard CMS, then there is an argument for developing your own.
The deeper I get with Drupal the more I have to make changes to code within other people's modules. These are usually small changes, and so far it doesn't make sense to rewrite the module's functionality for my own needs.
I'm trying not to make any modifications to Drupal core since that just seems like asking for trouble.
But sooner than later, I'm going to need to update these modules with new releases and then repatch my changes back in. How do you stay organized when making these changes, upgrading modules, and re-applying your changes back?
I'm taking as many notes as I can but the spiderweb is growing around me!
Another key is to maintain explicit .patch files for any changes you make, and include documentation with them. If you have to upgrade to a new version of a module, install the clean copy and re-apply the patch. If it doesn't re-apply cleanly, you know you've got a problem.
That's where maintaining your own source tree in SVN/git/etc can be handy.
Do you change the module in a way other people may benefit?
Then send the patch to the module maintainer, so everybody benefits and you don't have the trouble to stay organised.
There is a good discussion in this question.
I particularly like Nick Sergeant's article describing a method where you checkout the Drupal sources via CVS and then control your changes and the CVS records using SVN.
You only have the two already mentioned Options.
1.) If your changes can benefit the community then give back and hopefully it will become Part of the next release.
2.) If your changes are too specific and fit only your needs then your only chance to stay organized is setting up your own VCS (e.g. Subversion) and learn to use it properly.. ;)
There is some good information on using Subversion with drupal on the Drupal.org site.
There is also a new Module available that allows you to capture some features into your own modules (e.g. features (http://drupal.org/project/features)). I have not much experience with it but maybe this is also a solution for you.
The way that Eaton describes above tends to be how we handle the situation for relatively large sites. If you keep a running log of patches, you can always re-create changes.
One of the aspects that seems to be missed in a lot of the "submit back to the community" posts is that just because you submit it back to the community doesn't mean it'll ever get applied. The way we handle this scenario is by keeping an explicit patch file with an indication of what D.O. issue it's related to. In the case where the patch is eventually integrated, you can remove your patch and pat yourself on the back. In the scenario where your patch is never accepted, at least you still have your log.
The book Leveraging Drupal: Getting Your Site Done Right (Wrox Programmer to Programmer) describes workflow and developing sites with cvs/svn from the beginning.
It's only $32 free shipping at amazon right now (as low as $24 used but remember $4 shipping you might as well get it new). I recommend checking your library for it; if they don't have it, try inter-library loan. But this book describes exactly what you are seeking, step by step.
I'm interested in using a CMS instead of building a website from scratch. However, as a software engineer, if I'm going to be using open-source tools, I'm going to use them to their full extent, including the possibility of developing plugins/extensions/modules and maybe even contributing core code.
I'm currently looking at WordPress, Drupal, and Joomla!. They all appear to have the features I need, either as core features or plugins. However, I'm curious how hard it is to learn the system and then develop for it.
Does anyone have experience with this? When using and developing WordPress, Drupal, and/or Joomla!, what were your experiences like?
I avoid Joomla like the plague. It is highly difficult to extend, especially if your use case isn't one of the ones their devs specifically designed the CMS for. Great if you want to do a small business brochure site, but if you're looking to heavily customise... ditch it. The pay-to-play nature of much of the dev community is a turnoff, too.
WordPress is very heavily specialised in the blogging direction. If that fits your needs, go for it - it's a slick, well supported, system. If you're looking for something that's a bit more complex in a CMS, though, go with...
Drupal. My favourite PHP CMS, hands down, with the exception of blogging. Functions like hook_nodeapi, hook_user, hook_form_alter, etc. make it essentially effortless to heavily tweak the function of nearly everything in the system. If I want to replace the password field in the user login form with an upload field and MD5() the uploaded file to verify the user, I can do that - without hacking core code, and in a few lines of form alteration and validation code. Pretty astounding the first couple times you do something slightly nutty like that.
I haven't used Joomla much and have never really needed to tweak Wordpress outside the design but have used Drupal quite extensively. Drupal seems to be becoming the standard for PHP CMS' which I think is quite a shame given how much is wrong with it. I won't try to tell you why you should use it, or shouldn't, but here's a few things that I find really annoying with it.
Complete lack of OOP. Ok, in Drupal 7 they're finally doing some OOP with the Abstraction Layer but the community as a whole still shuns the entire concept of OOP as it applies to the CMS as a whole. And given their dependence on modules and third party code doing a decent OOP setup would help keep the code more organized. Currently to avoid naming conflicts you need to prefix all functions and constants with your module name which can lead to some very long function names which can lead to some very long lines of code which can make things a little less readable than doing something like $node->parent()->parent()->title;
Drupal content is completely unorganized. When doing an information heavy site it's imperative that you have well organized content and Drupal simply doesn't allow this. Drupal's content management is just one large list of nodes with a few filters you can apply. There are ways you can use Drupal's taxonomy system and other modules to setup relationships but I've never found any that actually make the interface easier to navigate and make it easy to manage the content on the templates. At work I've created a module that allows this but it's required dumping weeks' worth of development time into it, a simple feature that any good CMS should come with out of the box.
The admin interface is absolutely rancid. This one pretty much speaks for itself but install a copy of Drupal and click around. Then take a look at say, the Radiant interface (Radiant is Rails I know, but we're talking UI here). Another example of a good UI for the admin would be FrogCMS, a PHP port of Radiant.
No ORM, and absolutely no attempt to have one, means you better like writing lots of SQL to get the data you need. While I generally have no problems with writing my own SQL it's starting to get a bit old when most good frameworks and CMS' built on them have at least some kind of ORM for you to use. Even if it's a botched one.
Drupal loves to use non-standard file extensions (.module, .info, .install, .inc, etc) so you better make sure your htaccess and/or virtual host is setup to not allow direct access to these files or all your source code will be wide open for the world to see.
Personally I think FrogCMS looks like it's off to a good start to be an up-and-comer if the maintainers allow the community to contribute to it and allow it to grow. You'll need to do more coding as it doesn't have a big feature set out of the box and doesn't have a plugin repository like Drupal or Joomla but from a coding standpoint it's setup with a pretty well done, albeit basic, MVC implementation that will help your code be more organized and easier to maintain.
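An added example, not part of the answer above and not Drupal's own code: a local audit for the file-extension point that answer raises. It reads the denying FilesMatch blocks from a docroot .htaccess and lists the .module, .info, .install and .inc files that no block covers. The directory layout, file names and both .htaccess snippets are constructed, and only the top-level .htaccess is considered (nested .htaccess files and virtual-host configuration are ignored).

```python
import re
import tempfile
from pathlib import Path

# Extensions the answer names as Drupal source files that need protecting.
SOURCE_EXTS = {".module", ".info", ".install", ".inc"}

# <FilesMatch "regex"> ... </FilesMatch> blocks, and the directives that deny access.
FILESMATCH_RE = re.compile(
    r'<FilesMatch\s+"?([^"\n>]+)"?\s*>(.*?)</FilesMatch\s*>', re.I | re.S)
DENY_RE = re.compile(
    r'^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$', re.I | re.M)


def denied_patterns(htaccess_text):
    """Return compiled regexes of FilesMatch blocks whose body denies access."""
    patterns = []
    for match in FILESMATCH_RE.finditer(htaccess_text):
        pattern, body = match.group(1).strip(), match.group(2)
        if DENY_RE.search(body):
            patterns.append(re.compile(pattern))
    return patterns


def exposed_sources(docroot):
    """List source files under docroot that no denying FilesMatch covers."""
    root = Path(docroot)
    htaccess = root / ".htaccess"
    patterns = denied_patterns(htaccess.read_text()) if htaccess.exists() else []
    exposed = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in SOURCE_EXTS:
            # FilesMatch is tested against the file name, not the full path.
            if not any(rx.search(path.name) for rx in patterns):
                exposed.append(path.relative_to(root).as_posix())
    return exposed


# Constructed .htaccess snippets: one that misses two extensions, one that covers all four.
WEAK = r'''<FilesMatch "\.(inc|info)$">
  Require all denied
</FilesMatch>
'''
FIXED = r'''<FilesMatch "\.(module|info|install|inc)$">
  Require all denied
</FilesMatch>
'''


def demo():
    """Audit a constructed module directory with no, weak and corrected rules."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        module_dir = root / "sites/all/modules/example"  # constructed layout
        module_dir.mkdir(parents=True)
        for name in ("example.module", "example.install", "example.info",
                     "example.inc", "README.txt"):
            (module_dir / name).write_text("<?php // constructed sample\n")
        htaccess = root / ".htaccess"
        for label, text in (("none", None), ("weak", WEAK), ("fixed", FIXED)):
            if text is None:
                htaccess.unlink(missing_ok=True)
            else:
                htaccess.write_text(text)
            results[label] = exposed_sources(root)
    return results


if __name__ == "__main__":
    for label, files in demo().items():
        print(label, files)
```

A file reported here is only a candidate: whether it is actually served as plain text also depends on handler mappings and server-level configuration that this check does not read.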
I've only developed for Joomla! and have been a user of wordpress, but Joomla! development is too clumsy if you want to completely change the layout. Writing a plugin or 'component' is fairly easy if you know the way around the code, but getting it to do exactly what you want isn't so easy because it likes to force you to use its MVC design pattern which I find too clumsy.
I've seen both the Joomla! and Drupal code base, and I'd say that Joomla!'s code is much cleaner and better documented. It also heavily uses the MVC design pattern which can be good or bad depending on your preference and what you want to use it for. It has the most extensive use of OO programming in any php project I've seen.
I haven't developed for wordpress, but as a user, automatic updates are a godsend! plugins and themes can be found and installed through an interface in wordpress itself, so as a developer you save a bit of time in trying to promote your plugin because it gets made available to everyone right away. Heavy modifications might break some of this though, so I wouldn't recommend it if you want to modify it a lot.
Joomla!'s plugin community is heavily monetized, but there is a huge community of plugin developers. I don't know about Drupal, and most wordpress plugins are free. So that's something to consider as well if you plan on using third party plugins.
over the years, i began hating PHP, since i had to work a lot with it until i found good alternatives, so the first question i ask you is: does it have to be PHP?
but staying with PHP i'd add the following:
most people like Drupal a lot because of its extensibility ... that's fine, but it still has some design problems ... it is very potent and flexible and has a huge user base -> lot of plugins, big community to ask for advice etc.
when it comes to Joomla, one has to say, that in the past, this has been really a complete mess ... but in version 1.5 the whole thing was redesigned and is now very clean ... i always laughed down at joomla, but recently i had a talk with some other developer i had worked with on several occasions, who quite convinced me, that it has become a developer friendly software ... plus, it is soooooooo damn easy to administrate ... i know no other CMS that is so easy to use (and is a "real" CMS, not a forum or blogging engine)
you might wanna have a look at Vanilla CMS ... very sexy, still slick and powerful ...
use a CMS based on a good PHP framework ... typo3 (Flow3 (IMHO really the most funky PHP framework)), something based on symfony (can't find anything, but this should be a good start), mambo (CakePHP) or maybe something based on code igniter ... you will always need to get familiar with the framework, but a) this is always good, b) if the framework is good, the app is likely to be good and extensible, c) you yourself will have a high productivity when building extensions since the framework will do a lot for you ...
finally, you might wanna have a look at opensourcecms ... always helpful ...
good luck with your choice then ... ;)
greetz
back2dos