5 reasons why Bear CMS is more secure than your average CMS
Bear CMS Blog
This post is the beginning of a series that will focus on different aspects of a content management system and how they are implemented in Bear CMS. We will share our thoughts on design and usability, performance, customizations, etc. and today we start with security.

We've highlighted it on our home page, but I would like to make it clear that Bear CMS is not self-hosted website software and it's not an online website hosting service (both of these are very popular nowadays). Bear CMS is a service (that we host and manage) that seamlessly integrates with your self-hosted website to provide the CMS tools only when you need them. When you access https://your-domain.com/admin your server connects to the Bear CMS service and requests the code needed to log you in as an administrator. When you go back to https://your-domain.com/ (after a successful login) you'll have the ability to add text, upload images, create pages, etc. The editing UI will appear "magically" and will help you make the desired modifications (even on your mobile device). The How Bear CMS works? article is a nice place to visit if you are interested in the details.

Now, let's talk about the security-related benefits that Bear CMS brings over your average self-hosted or managed content management system.

Less code needed to run the website

Typically when installing a self-hosted CMS you download a zip file, extract it on your server and run some kind of setup process. In the files extracted, you will find PHP code (if that's the language the CMS was written in), JS and CSS files, and some images. Some of them are needed to render the website for your visitors and others are needed only when you are logged in as an administrator (the administrator panel). Here are some real numbers from the Bear CMS source code (because here it's really easy to know where each file is used):
Files needed to render the website:
- PHP / 1.23 MB / 1,295,118 bytes
- JavaScript / 0.18 MB / 192,406 bytes
Files needed for content management (the administrator panel):
- PHP / 4.11 MB / 4,309,530 bytes
- JavaScript / 0.74 MB / 776,102 bytes
- Images / 0.03 MB / 32,439 bytes

The server code (PHP in this example) and the client code (JavaScript) can both be targeted in an attack, so I'd like to focus on them. As you can see, the size of those files for the CMS part is around 4 times bigger than the size of the code needed to render the website to visitors. I'm not sure what the ratio is on other content management systems, but it's pretty safe to assume that the code needed to run a CMS is bigger than the code needed to render a modern, responsive website with a couple of animations.

Most developers learn early on that less code is easier to maintain and support, easier to test and easier to secure. So we only give you the minimum code needed to run your website and to connect to our services. We also keep high standards for the content management part of Bear CMS, with the added benefit of it being hidden behind an HTTPS endpoint.

We give you less code to run so ...

Fewer updates are needed

It's common these days for a software team to push updates regularly (even a couple of times a day). This is also true for an actively developed product like Bear CMS. Let's see the most popular reasons for a new release:
- An awesome new feature is developed.
- A bug is found and fixed.
- A new market opportunity requires translating the UI.

Unfortunately, rapid development does not always mean rapid delivery to users. Most products get a new version once a quarter or once a year. That's the case for Windows, Android, and iOS. That's the case for Chrome and Firefox. That's even the case for some of the popular CMSes that we are comparing Bear CMS with. Instead of doing this, we've decided to not ship the CMS code at all. This means fewer updates on the code that runs on your machine and fewer opportunities for things to break.

Keeping the CMS code on our servers allows ...

Faster CMS related updates

Providing the CMS as a service means that we can push updates regularly (even multiple times a day). If we detect a problem with some browser on some fancy new mobile device we can fix it and provide the fix to you in a couple of hours. If we make improvements to the theme customization UI you can get them today (no need to wait for the fall :P). You get the point.

You can see some of the improvements we've made in the last month that require no or minimal updates to the client software (the software that runs on your machine).

Let's continue with ...

Administrator accounts

The security of the content management part of a website is not an area where compromises are allowed. It must be available reliably only to the right people. Here are some things that must be done right:
- Password hashing (no plain text password in the database, please).
- Secure and reliable account creation.
- Safe way to access your account in case of a lost password.
- Reliable access control (what functionality can each administrator access).

In Bear CMS the administrator account data is stored on your server, but it's managed only with the UI tools provided by our service. This allows us to validate the email addresses, hash the passwords and send confirmation emails. We help with authentication too, and you will learn below how we do this in a secure way.
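As an added illustration of the checklist above (example code written for this post, not Bear CMS's own implementation), here is what the first three items look like in plain PHP with an in-memory account store constructed for the demo; the function names and the one-hour token lifetime are assumptions:

```php
<?php
// Added example, not Bear CMS code: account handling that follows the checklist above.
// The account store is a constructed in-memory array; names and lifetimes are assumptions.
const RESET_TOKEN_LIFETIME = 3600; // seconds a lost-password link stays valid

function createAccount(array &$accounts, string $email, string $password): bool
{
    // Validate the address and reject duplicates before touching the store.
    $email = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    if ($email === false || isset($accounts[$email])) {
        return false;
    }
    // Salted, slow hash (bcrypt by default); the plain-text password is never stored.
    $accounts[$email] = ['hash' => password_hash($password, PASSWORD_DEFAULT), 'reset' => null];
    return true;
}

function login(array $accounts, string $email, string $password): bool
{
    if (!isset($accounts[$email])) {
        // Unknown address: still spend the hashing time so response timing
        // does not reveal which e-mail addresses have accounts.
        password_hash($password, PASSWORD_DEFAULT);
        return false;
    }
    return password_verify($password, $accounts[$email]['hash']);
}

function createResetToken(array &$accounts, string $email): ?string
{
    if (!isset($accounts[$email])) {
        return null; // the UI still says "if that address exists, a mail was sent"
    }
    $token = bin2hex(random_bytes(32));
    // Only a hash of the token is stored, so a leaked database yields no usable links.
    $accounts[$email]['reset'] = ['hash' => hash('sha256', $token), 'expires' => time() + RESET_TOKEN_LIFETIME];
    return $token; // goes out in the confirmation e-mail, never on screen
}

function resetPassword(array &$accounts, string $email, string $token, string $newPassword): bool
{
    $reset = $accounts[$email]['reset'] ?? null;
    if ($reset === null || $reset['expires'] < time()
        || !hash_equals($reset['hash'], hash('sha256', $token))) {
        return false;
    }
    $accounts[$email] = ['hash' => password_hash($newPassword, PASSWORD_DEFAULT), 'reset' => null];
    return true; // the token is single use: it was cleared above
}
```

A caller would create the account, e-mail the value returned by createResetToken, and pass the value from the clicked link to resetPassword; the fourth item, access control, is a per-feature check on the administrator's roles that this snippet leaves out for brevity.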

No (private) information is stored or logged

A managed website service takes the burden of hosting a website yourself. It stores and manages your data, but can also track your personal information (IP address for example), your actions and your visitors. Convenience may come at a cost. The privacy topic is getting extra popular recently and this can be a motivation for hosting your website on your own infrastructure. We get that.

There are clear benefits and drawbacks when using a managed service, and there are clear benefits and drawbacks when using a self-hosted service. We like them both, but we like something else the most - a managed service designed for privacy. And that's how we've made our CMS tools. When updating your website on your home computer:
- Your device connects to your own server (and not to us). Then your server contacts our services to help it do its job. This means that we do not know your IP address and we cannot even distinguish your actions from the actions of your fellow administrators.
- Some of your website data (the list of created pages, for example) is transferred to our servers when you need to view or modify it (in the CMS UI). This data is never saved and is only needed to show you the UI you are interested in (the "new page" form, for example).

And sure, the communication with our servers is over HTTPS.

Thanks for reaching this far. We hope you too take security seriously. We'll be happy to answer your questions in the comments below. Security is a topic that deserves attention.
Bear CMS highlights (June 2019)
Bear CMS Blog
June 2019 has passed and in this article, we would like to highlight the improvements we've made in the last 30 days.

Let's start with the biggest one. We've added support for uploading documents and other files that you can share with your visitors. In the announcement blog post you can learn the details.

Your websites can now have multiple different images for an icon. The icon is visible in the browser tab, when bookmarked, when saved to the home screen on mobile devices and when shared on social networks. Which one of the uploaded images will be shown in different contexts depends on the context dimensions and the sizes of the images. We recommend uploading multiple images sized at 32x32, 128x128 and 600x600 pixels to cover all of the cases. You can do this in the Settings window of your websites.

A new "og:image" metatag has been added to improve the look of your pages when shared on Facebook and Twitter. The image shown here is taken from the page content. If no image is added then the website icon will be used.

The forum posts are now visible in the sitemap.xml file of your website. There is also a "show replies count" option in the "Forum posts" element.

URLs in forum posts and comments are now automatically converted into links.

These were some of the most visible changes we've made in the last 30 days. There were also some bugfixes and minor tweaks. We hope you'll find them useful.
New feature: Upload documents and other files
Bear CMS Blog
Sometimes we want to provide a document or an archive for our visitors to download. Now you can host these files on your website. Log in to your website's admin UI and you will find a new button (called "Files") in the main menu. This is the place to upload files. For any file that is marked as "published" a preview URL and a download URL will be available. You can use them to create links or share them in messaging apps.

This feature is now being pushed to all websites running the standalone package.
Recent Bear CMS improvements (May 2019)
Let's see what's new about Bear CMS this month.

Improved client loading times.

One of the biggest reasons for a website to appear slow is when a large number of resources are required by the browser to render it. Since day 1 Bear CMS has done a good job optimizing resources and now we've made a major internal update that brings big improvements in this area. We've started using our own, custom built package manager for client code (JavaScript and CSS). Embedding and lazy loading client functionality are now effortless and reliable and that has enabled us to remove all external blocking JavaScript code.

Added support for comments in blog posts.

Publishing a blog post brings excitement and receiving feedback is thrilling. Now we've added the ability to enable comments for your blog post and gather feedback easier and faster. This option is enabled by default for new websites and can be enabled/disabled from the settings window.

UI improvements.

There are some small touches in the user profile settings screen and the image gallery windows. There is a nice animation and a new loading indicator when opening a modal. The fields in the user form now look better. The image gallery has new arrows.

The SEO fields in the pages form and the blog post settings are now collapsed by default. Rarely used fields in some elements (embed, image, video) are also collapsed for a cleaner look.

Favicon optimizations.

Previously an icon request returned a redirect to the image file (that had a cache header with big max-age). Now the cache header is moved to the icon request (with lower max-age) and the image content is returned instead of the redirect URL. This improves performance and can save a lot of requests.

Thanks

All of these improvements are now being pushed to websites running the standalone package and available for others to download.
Bear CMS for developers
Bear CMS is perfect for your clients and friends, but if you have some PHP skills you can take your Bear CMS websites to the next level.

Today we'd like to point your attention to three support articles we've published recently:
  1. Make a theme will show you how to create your own themes.
  2. Access the data presents the Data API you can use to access the pages, blog posts, settings, etc. created by the site administrators.
  3. Use custom elements can help you define a custom presentation while making the content editable from the UI.

Developing for Bear CMS is currently available only for the Bear Framework addon package. The standalone package (that supports auto updates) is currently not supported.

Happy coding, and feel free to contact us if you need help or more information.