Security Grudge Match: WordPress vs. Kentico vs. Drupal vs. Umbraco vs. Django

Working in the web development field, you get hands-on experience with products called content management systems, usually abbreviated as CMSs. They are handy applications that give the administrators and editors of websites easy ways to publish content and manage users. These systems all have their own strengths and weakness, especially when it comes to the big, important and potentially expensive topic: security.

Thankfully, most CMSs come stocked with ways to help cut development time on the security of a site, helping reduce cost and keep your data safe. Each does this in its own way, and it can be hard to tell which might fit your needs best.

Being web security enthusiasts, we often find ourselves comparing one to another in terms of vulnerabilities and past exploits. It's high time someone sat down and looked at what some of the biggest and upcoming CMSs offer in terms of security bang for the buck. Well, hey, we’re here. Let’s go!

The Contenders and Criteria

We’ll examine four juggernaut CMSs and one popular up-and-comer to see where they stand. Here are our contenders:

• WordPress – You most likely know this one. WordPress is everywhere.
• Kentico – One of the biggest for the ASP.net framework.
• Drupal – Modular, free and PHP.
• Umbraco – Also for ASP.net. Very different in terms of interface and offerings, and its free.
• Django – It’s in Python? What?! Yes, minimal but powerful.

We are looking for value here, and, in development, time equals money. So, for the scope of this comparison, let's stick to three of the most common developmental time sinks when securing a website:

• SSL integration
• Spam protection
• Payment Card Industry Data Security Standard compliance

SSLs

If you have a website or are planning one, an SSL (Secure Sockets Layer) certificate should be on your list of considerations. SSLs do a lot of work for websites. They add a layer of encryption over the information sent to and from your site (HTTPS). This layer of encryption is so important that all major web browsers tell users whether or not a site is using an SSL and Google gives higher ratings to sites with SSLs in their search algorithms.

Needless to say, the easier a CMS makes integrating an SSL, the better it is for your site and bottom line—more traffic equals more conversions. Keep in mind, no matter what features a CMS offers, you will need someone with the know-how to install the SSL certificate on your web server.

WordPress
WordPress has been around the block and knows SSLs are important to its customers. While having minimal core features to help with the SSL integration, there are free and easy-to-install plugins that help with this and can be used with very little coding knowledge.

Kentico
Configuring Kentico for an SSL is as easy as clicking a checkbox and checking for any mixed content warnings in the web browser. Minimal developer time is needed for this task, so more time can be used to get that SSL working to improve your search engine optimization.

Drupal
A little bit of code goes a long way here. This is a bit more involved than WordPress but not much. Your developer will just need to edit a file, check the content and flip the switch.

Umbraco
Here the SSL cannot be configured from the administration interface. While the code involved is simple, the developer will also have to write a redirect for the site to use the SSL consistently.

Django
The process of configuring Django for an SSL is a bit tricky. A developer will need to spend some time digging through settings, configuring how the site uses cookies and doing a lot of testing. Also, since Django uses a separate server for its media and other files needed for the front end of your website, the other server also needs to be able to serve its files with HTTPS.

Spam Protection

If you plan to have forms for your users to fill out on your website, you will get spammed. It’ll happen. Bots roam the internet day and night looking for vulnerable web pages to compromise with spam. They can even use your web form to spam other people! There is no foolproof protection against this kind of action (known as form injection), but we do have measures we can put in place.

WordPress
The strength of WordPress lies in its customization. You can grab a form plugin that already has spam protection built in and build a basic form in minutes. You will need to make sure your plugins are kept updated and working but most are free. Further, the paid plugins tend to be extremely secure.

Kentico
Kentico comes with a visual form builder if you purchase the right license, and it comes with its own layers of protection. Aside from doing the basic stuff for your developer like escaping characters and further sanitizing input, the form builder comes with Google reCaptcha right out of the box.

Drupal
The form modules for Drupal are minimal in terms of their security. They do what forms need to do. Some forms offer basic protections, but more development would be needed to make your Drupal form solid.

Umbraco
Umbraco has its own form builder interface as well, and, while forms are easy to create, some development time is needed if you want your forms to be secure. You will need some kind of validation checking written, though it does help your developer with the basics.

Django
At this point, Django does not have any pre-built form apps that have been tested enough to trust. Your developer will have to install a forms package and go from there.

Payment Card Industry Data Security Standard Compliance

One of the most sensitive and targeted categories of information making its way over the internet is credit card information. The Payment Card Industry Data Security Standard (PCI DSS) sets a bar for websites when it comes to handling user payment data. If you want your customers to be able to complete credit card transactions on your site, you must meet these guidelines. The most trusted way to do so is to incorporate third-party services. The easier a CMS makes it to integrate one of these services, the faster your users are shopping on your site.

WordPress
WordPress does not incorporate any payment services in the CMS itself, but there are, again, a variety of plugins that do. This can involve a moderate amount of development time depending on the service that is being used.

Kentico
Authorize.Net is the payment handling service that comes baked right into Kentico if you purchase the Base license. You can also choose to invest more time in developing a custom solution to use a different one, but Kentico isn’t free. Why not use what you pay for?

Drupal
There are many existing solutions for e-commerce with Drupal. Supported Modules and APIs help developers create PCI DSS compliant e-commerce shops using a variety of third-party payment services. Not unlike WordPress, you are spoiled for choice.

Umbraco
Here you will have to pay for one of the available CMS extensions or develop a custom solution to handle transactions through your site. Umbraco itself does not offer any support here.

Django
Since it is still a new CMS, choices for existing e-commerce solutions with Django are few but free. You will still need to pay for the PCI DSS third-party service, but the prebuilt solutions with Django will help you save some time and money getting a shop running online.

In our experience, CMSs can be a buy now or pay later investment. The more you pay upfront for the license, the more features the developer has at his or her disposal to expedite the development of a secure website.

Which one would you choose? Already have a favorite? Comment below, or let our team know if you need some help choosing.