How Secure is Craft CMS?

Wednesday, May 10th, 2023

Website and content management system security is top of mind for many organizations. Let's take a closer look at how our go-to CMS keeps your data safe.

When it comes to new web design and development projects, there are a number of questions we are asked again and again. Over the past decade, one of the most common has been what we recommend as a user-friendly way for non-developers to add and modify the content on their website. What these inquiries are really asking about is a CMS (content management system).

We often sing the praises of Craft CMS when talking to potential clients about implementing a content management system to fit their needs. It’s our CMS of choice for a variety of reasons, not the least of which is ease of use for our clients. However, when working with larger businesses and organizations, including those that work with government agencies, security is often one of the major considerations when evaluating a new CMS. Fortunately, Craft CMS is committed to securing the websites it powers, and has a rock-solid development team that has fostered an outstanding developer community, one that stresses quality over quantity in its software ecosystem.

Craft CMS: Secure From the Get-Go

Out of the box, Craft achieves a high level of security through a stable release cycle that includes regular maintenance releases. Where most commercial CMS platforms release updates and patches only a few times a year, Craft typically issues several releases each month. Applying those updates promptly keeps your site on the most recent, patched version of the platform, which is in and of itself a security win; a fast release cadence only helps, of course, if the updates are actually installed.

Craft CMS was conceived with security in mind. Per the CVE (Common Vulnerabilities and Exposures) database, as of the publishing of this article, WordPress has reported almost five times the number of vulnerabilities as Craft CMS over the last six years. Raw CVE counts are only a rough indicator, since a platform as widely deployed as WordPress also attracts far more research attention, but the gap is large enough to be worth noting.


Craft CMS: Additional User Security Features

Craft CMS offers easy-to-use, powerful user management capabilities that allow site administrators to tailor user access to the needs of the business or organization in question. Granular permissions can be granted to individual users or user groups, such as the ability to access the control panel or to edit content within certain sections. Conversely, users or groups can be denied access to any part of the control panel or any section of content, so each account holds only the permissions its role actually requires.

Two-factor authentication can also be enabled for user logins, adding yet another layer of protection. A second factor limits the damage if a user’s password is compromised, whether through phishing, reuse on another site or a leaked database, provided it is enforced for every account that can reach the control panel rather than left as an individual opt-in.


Craft CMS: Built-in Security

Craft CMS publishes a great deal of information about security on its website, covering attack prevention, file protection and password handling.

Here are a few of the most important security-related details it highlights:

  • Craft validates CSRF tokens by default on POST requests, preventing cross-site request forgery.
  • Twig automatically HTML-escapes dynamically output values by default, closing the most common XSS vectors. That protection is lost wherever a template applies the raw filter, and values placed inside JavaScript need the matching escape strategy rather than HTML escaping.
  • Craft hashes passwords with PHP’s native password_hash() function, which defaults to bcrypt (a Blowfish-derived, deliberately slow hash) and generates a cryptographically secure random salt for each password. On the PHP versions Craft supports, password_hash() is always available; the older fallback to crypt() with the Blowfish algorithm and a strong random salt produces the same kind of hash. Note that this is hashing, not encryption: the original password is never stored and cannot be recovered from the hash.
  • Craft uses constant-time comparison for sensitive checks such as comparing password hashes, which prevents timing attacks that recover a secret byte by byte from differences in response time.
  • Craft’s default folder structure encourages keeping application files outside the web root (one level above it), and the System Report utility in the control panel warns you if that appears not to be the case.
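The first four bullets describe primitives that plain PHP provides directly. The following is an added example, not code from Craft or from the author of this page, written so it runs on PHP 8 with nothing else installed; the function names, the cost setting and the sample inputs are my own choices, and the escapeHtml() helper reproduces the htmlspecialchars() call that Twig's default html escape strategy makes rather than invoking Twig itself.

```php
<?php
declare(strict_types=1);

// Added example, not Craft's code: the primitives behind the bullets above
// (bcrypt password hashing, constant-time comparison, CSRF tokens, HTML
// escaping), in plain PHP 8 so it runs with no framework installed.
// Every function name and sample input here is constructed for this example.

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("FAILED: $what");
    }
}

// 1. Password storage. password_hash() with PASSWORD_BCRYPT draws a random
//    salt from the OS CSPRNG and embeds it in the returned string, so the
//    application never handles salts itself. Cost 13 is a sensible 2023 value.
function storePassword(string $plaintext): string
{
    return password_hash($plaintext, PASSWORD_BCRYPT, ['cost' => 13]);
}

function checkPassword(string $plaintext, string $storedHash): bool
{
    // password_verify() re-derives the hash with the embedded salt and compares
    // in constant time; never compare hash strings with == or ===.
    return password_verify($plaintext, $storedHash);
}

// 2. CSRF tokens. A random per-session secret that every POST form must echo
//    back; the server compares the submitted copy with hash_equals().
function issueCsrfToken(array &$session): string
{
    if (!isset($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32)); // 256 bits of entropy
    }
    return $session['csrf'];
}

function validateCsrfToken(array $session, ?string $submitted): bool
{
    if (!isset($session['csrf']) || $submitted === null) {
        return false;
    }
    // hash_equals() takes time that depends only on the length of the known
    // string, so an attacker cannot learn the token one byte at a time.
    return hash_equals($session['csrf'], $submitted);
}

// 3. Output escaping. Twig's default html strategy is htmlspecialchars() with
//    exactly these flags; {{ value|raw }} is the equivalent of skipping it.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- Demonstration on constructed input -------------------------------------
$hash = storePassword('correct horse battery staple');
expect(str_starts_with($hash, '$2y$13$'), 'bcrypt hash with cost 13');
expect(storePassword('correct horse battery staple') !== $hash, 'fresh salt every time');
expect(checkPassword('correct horse battery staple', $hash), 'right password verifies');
expect(!checkPassword('Tr0ub4dor&3', $hash), 'wrong password rejected');

$session = [];                              // stands in for $_SESSION
$token = issueCsrfToken($session);
expect(validateCsrfToken($session, $token), 'genuine token accepted');
expect(!validateCsrfToken($session, strrev($token)), 'tampered token rejected');
expect(!validateCsrfToken($session, null), 'missing token rejected');

$payload = '<script>alert(document.cookie)</script>';
expect(escapeHtml($payload) === '&lt;script&gt;alert(document.cookie)&lt;/script&gt;', 'tags neutralised');
expect(escapeHtml('" onmouseover="x') === '&quot; onmouseover=&quot;x', 'attribute breakout neutralised');

echo "all checks passed\n";
```

Run it with `php example.php`; a failing check throws rather than printing, so it is also usable as a quick sanity test for the PHP build on a new host. Two caveats worth knowing: bcrypt only considers the first 72 bytes of a password, and the escaping shown is correct for HTML body and quoted-attribute contexts only, which is why Twig offers separate strategies for JavaScript, CSS and URL contexts. On a real Craft site the framework performs all of this for you; the point of the example is to make concrete what the bullets above actually mean.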

Craft CMS addresses the most common web attack classes by default and goes further with well-thought-out data and cookie protection, user verification and password security measures. Additionally, the system provides a wide range of options that allow website administrators to configure additional security-related settings on their site. What the platform cannot do is secure the code and configuration around it: custom templates, third-party plugins and hosting setup still need the same care as the CMS itself. In short, Craft CMS is a platform with a dedicated focus on security and continuous updates, which offers any business or organization peace of mind when it comes to selecting a content management system to power their website and safeguard their data.