This post is the beginning of a series that will focus on different aspects of a content management system and how they are implemented in Bear CMS. We will share our thoughts on design and usability, performance, customizations, etc. and today we start with security.
We've highlighted it on our home page, but I would like to make it clear that Bear CMS is not a self-hosted website software and it's not an online website hosting service (both of these are very popular nowadays). Bear CMS is a service (that we host and manage) that seamlessly integrates with your self-hosted website to provide the CMS tools only when you need them. When you access https://your-domain.com/admin your server connects to the Bear CMS service and requests the code needed to log you in as an administrator. When you go back to https://your-domain.com/ (after successful login) you'll have the ability to add text, upload images, create pages, etc. The editing UI will appear "magically" and will help you make the desired modifications (even on your mobile device). The How Bear CMS works? article is a nice place to visit if you are interested in the details.
Now, let's talk about the security-related benefits that Bear CMS brings over your average self-hosted or managed content management system.
Less code needed to run the website
Typically when installing a self-hosted CMS you download a zip file, extract it on your server and run some kind of setup process. In the files extracted, you will find PHP code (if that's the language the CMS was written on), JS and CSS files, and some images. Some of them are needed to render the website for your visitors and others are needed only when you are logged in as an administrator (the administrator panel). Here are some real numbers from the Bear CMS source code (because here it's really easy to know where each file is used):
Files needed to render the website:
- PHP / 1.23 MB / 1,295,118 bytes
- JavaScript / 0.18 MB / 192,406 bytes
Files needed for content management (the administrator panel):
- PHP / 4.11 MB / 4,309,530 bytes
- JavaScript / 0.74 MB / 776,102 bytes
- Images / 0.03 MB / 32,439 bytes
The server code (PHP in this example) and the client code (JavaScript) can both be targeted in an attack, so I'd like to focus on them. As you can see the size of those files for the CMS part is around 4 times bigger than the size of the code needed to render the website to visitors. I'm not sure what is the ratio on other content management systems, but it's pretty safe to assume that the code needed to run a CMS is bigger than the code needed to render a modern, responsive website with a couple of animations.
Most developers learn early on that less code is easier to maintain and support, easier to test and easier to secure. So we only give you the minimum code needed to run your website and to connect to our services. We also keed high standards for the content management part of Bear CMS with the added benefit of it being hidden behind an HTTPS endpoint.
We give you less code to run so ...
Fewer updates are needed
It's common these days for a software team to push updates regularly (even a couple of times a day). This is also true for an actively developed product like Bear CMS. Let's see the most popular reasons for a new release:
- An awesome new feature is developed.
- A bug is found and fixed.
- A new market opportunity requires translating the UI.
Unfortunately, rapid development not always means rapid delivery to users. Most products get a new version once a quarter or once a year. That's the case for Windows, Android, and iOS. That's the case for Chrome and Firefox. That's even the case for some of the popular CMSes that we are comparing Bear CMS with. Instead of doing this, we've decided to not ship the CMS code at all. This means fewer updates on the code that runs on your machine and fewer opportunities for things to break.
Keeping the CMS code on our servers allows ...
Faster CMS related updates
Providing the CMS as a service means that we can push updates regularly (even multiple times a day). If we detect a problem with some browser on some fancy new mobile device we can fix it and provide the fix to you in a couple of hours. If we make improvements to the theme customization UI you can get them today ( no need to wait for the fall :P ). You got the point.
You can see some of the improvements we've made in the last month that require no or minimum update on the client software (the software that runs on your machine).
Let's continue with ...
Administrators accounts
The security of the content management part of a website is not an area that compromises are allowed. It must be available reliably only to the right people. Here are some things that must be done right:
- Password hashing (no plain text password in the database, please).
- Secure and reliable account creation.
- Safe way to access your account in case of a lost password.
- Reliable access control (what functionality can each administrator access).
In Bear CMS the administrators account data is stored on your server, but it's managed only with the UI tools provided by our service. This allows us to validate the email addresses, hash the passwords and send confirmation emails. We help authentication too and you will learn below how we do this in a secure way.
No (private) information is stored or logged
A managed website service takes the burden of hosting a website yourself. It stores and manages your data, but can also track your personal information (IP address for example), your actions and your visitors. Convenience may come at a cost. The privacy topic is getting extra popular recently and this can be a motivation for hosting your website on your own infrastructure. We get that.
There are clear benefits and drawbacks when using a managed service, and there are clear benefits and drawbacks when using a self-hosted service. We like them both, but we like something else the most - a managed service designed for privacy. And that's how we've made our CMS tools. When updating your website on your home computer:
- Your device connects to your own server (and not us). Then your server contacts our services to help him do its job. This means that we do not know your IP address and we cannot even distinguish your actions from the actions of your fellow administrators.
- Some of your website data (list of created pages for example) is transferred to our servers when you need to view or modify it (in the CMS UI). This data is never saved and is only needed to show you the UI you are interested in (the "new page" form for example).
And sure, the communication with our servers is over HTTPS.
Thanks for reaching this far. We hope you too take security seriously. We'll be happy to answer your questions in the comments below. Security is a topic that deserves attention.