Your CMS Education Station
A content management system (CMS) is a tool that allows non-technical persons to add to and update a site’s content. Blogging tools like WordPress and Blogger are CMS’s, as are larger systems like Joomla!, Drupal and ExpressionEngine. Some developers build custom content management systems for clients. Many websites use no CMS at all, and you'd probably never know it. Ultimately, no CMS is perfect, and not every site needs one. Do you?
(Some) Benefits of a Content Management System
- Flexibility: You can often add features and tools quite easily through plugins and modules. With a good CMS, if you decide you need an FAQ page, or a forum, or a blog, it might be as simple as flipping a switch to have it added to a base.
- Cost: Pages can be added and updated in minutes, instead of getting a developer to do updates at an hourly rate. Without a CMS, even fixing a single typo means calling someone, getting a file updated, transferring it to the webserver.... Every web developer working today probably has their own story of the half-hour comma fix.
- Activity: Sites that are easy to update will get updated; sites that are difficult, will not. Active sites are good (which is not to say that inactive sites are bad): search engines like active sites, and so do users, who might come back if there’s a reason to.
- User experience: Users can (sometimes) add comments, search and customize a site to their needs.
(Some) Detriments of a CMS
- Portability: A website’s portability refers to how easily it could be moved to a different webhost, if necessary. A no-CMS site is the most portable of all. Any CMS will use some kind of processing language, like PHP or ASP, and almost always require some kind of database. Most webhosts will accommodate PHP and MySQL, but processing languages like ASP and ColdFusion are a little harder to come by, as are database formats like Oracle and PostgreSQL. Additionally, some files and folders often need to have their permissions set, so you can upload images and attachments.
- Performance: Using a CMS will impact performance on a webserver; whether that performance is really noticeable depends a lot on that server. For non-CMS HTML, when a visitor requests a web page, the server retrieves that file and sends it back as a response. Simple, direct and fast.
With a CMS, that request will require some pre-processor logic, one (or many, many more) database queries, then be processed into HTML that can be sent back to the visitor’s browser. Like going to a deli, and asking for a pre-wrapped sandwich or one assembled for you as you order it. Might be tastier, but takes longer.
- Security: Any CMS is inherently less secure than a non-CMS site. Any time users are able to login, or submit data, or query a database, these attack vectors need to be thought through.
- Maintenance: A CMS often means more updates, more security patches and more bug fixes than a non-CMS site, which generally requires none of these.
So if you need a CMS, what should you be looking for?
What to ask of a CMS:
- What sites have been built in it? Can you or your developer find some examples of sites completed in a particular CMS? Do they perform well: are they quick to respond, do they look too similar (“template-isis”), or have any obvious problems?
- Has it been around for a while? Is it mature, with a track record? Does it have a good developer community exchanging information?
- Is it being actively updated? Is it alive, or dormant? Is there momentum to or away from it? Will it be around five years from now?
- Is it secure? Nothing is ever 100% secure, so what is its security process? Does it provide notifications of discovered problems and fixes? Is it easy to patch or update? If so, odds are better that it might actually be updated. If updating is difficult, it probably won’t get fixed, leaving the site vulnerable.
This is a situation where a custom CMS has some advantages over pre-existing ones. When a vulnerability for WordPress, Drupal or Joomla gets discovered, an attacker: a) has a large number of sites to go after, thus adding incentive, and b) can target any given site quickly, as these CMS’s are easy to identify once you know what to look for. A custom CMS’s obscurity is its first line of defence: as it’s unique, it won’t have any known attack vectors.
On the other hand, many existing CMS’s like WordPress, Drupal, etc. are very good about alerting site owners to discovered vulnerabilities and providing fixes. Many of these are very unusual, but someone somewhere has discovered a highly unusual problem, identified what really causes it and created a patch, thus saving you and the developer potentially hours or days of work to fix it.
What does it cost?
- To get: Does it have a purchase price? What are the terms of the licensing: can you transfer the licence to another site, if necessary? Could you use the same CMS on multiple sites?
- To keep using: Are there annual licensing or hosting costs? If the site is hosted, are you locked into the CMS’s hosting arrangement, or can you move the site?
- Training: Is it easy to use? Is training available, and how much is required to manage the site as you need it? Is there help, online or in person, and documentation available? Is it useful?
- Development: Will it cost a lot to add new features or tools at a later date? Can it be visually redesigned or “reskinned” easily?
Is there vendor lock-in?
- Does the CMS use proprietary software? Can you alter the code yourself, do you own it? Some CMS’s like Blogger require your site to be hosted, so you don’t actually get to access the code, meaning you don’t get to modify it.
- How portable is it? Could you easily move it to another webhost? Another development team? If it requires proprietary tools like ColdFusion, then it’s probably not that portable.
- How flexible/extensible is it? Are new features being developed for it already? How can you customize it to your needs? The web landscape changes all the time, so things like mobile versions, SMS, Facebook and Twitter integrations become important at different times. You probably don’t even know what the next big one will be, but the problem of using it when it shows up can be mitigated by a good CMS.