The Real Truth About Open Source CMS

The debate rages and it couldn’t come at a better time for us. Here’s a sampling from Matt Sullivan at Bridgeline Digital.

So many years in my formative youth were spent looking at the blinking cursor of a command-line prompt as I learned computer programming. The languages varied: Pascal, C++, Lisp, PHP, etc. I quickly started carrying the flag of Open Source Software. I installed Linux on my computer; I thought Red Hat would overthrow Microsoft and that all software should be “free.” Fast-forward ten years, and I’m writing about the benefits and advantages of proprietary software applications, especially for Content Management Solutions. Who would have thought?

A Drupal-support company recently published a blog post written by a member of their sales team, where he denounced his past life as a proprietary CMS salesman, and apologized for the “lies” he told when selling against Open Source. The funny part about the post is that his newfound honesty doesn’t exactly tell the whole story. Since this post has been gaining traction, I wanted to respond.

(The Bold Text is from the original article, my response is in plain text.)

Lie: Open Source CMS solutions aren’t secure because their modules and contributions come from different organizations.

Truth: The fear of attacking the security of Open Source CMS is very popular in the commercial world because it can create a great deal of fear amongst organizations. The TRUTH is that most Open Source solutions have more stringent security guidelines than their commercial counterparts. Drupal, for example, has their own Security Team comprised of 40 individuals across three continents. Oh, and the LIE about anyone being able to contribute to Open Source? Not True – there is quite a process to go through to even just submit a project before it goes through peer review. For a thorough review of the security protocols with Drupal.

The Whole Story: Open Source CMS, like Drupal, go through a stringent process of code submission, peer review, and approval before even the smallest component is added or changed to the core functionality. While that is a true statement, the add-on modules that many sites require don’t go through that process. Anyone with basic PHP knowledge can write and share a Drupal module. In fact, a module was the root cause of being hacked in 2013.




Lie: Open Source CMS solutions don’t integrate well with other commercial products that round out the digital ecosystem.

Truth: This lie couldn’t be any more wrong. The strength of the large community based open source solution is that the community and modules evolve and grow to provide that community of users exactly what they need to succeed. In doing so, modules and tested integrations to the leading third party solutions are readily available when they are needed instead of being prioritized by a commercial product’s release road map. Take the story of Pinterest for example. In February of 2012, Pinterest hit 10 million unique visitors. In March of 2012 a Drupal module was created for website users to “pin” site images to Pinterest. Within one month, 15 sites went live with the integration and today that module has been downloaded more than 1,000 times.

The Whole Story: At the end of the day, integration between software systems depends on the level of access each provides through an API or web-service. Any two software platforms can be made to talk to each other with enough time and effort. Commercial CMS providers will often build connectors for out-of-the-box integration to streamline the process, as well as preserve the integration through the upgrade path.

For instance — self promotion alert!!! — iAPPS 5.0 was released with native integration with Brightcove video hosting and Clay Tablet for translation services, and this is on top of already existing integrations with, Perceptive Search, UPS Global Logistics, and Cybersource.

Lie: Open Source CMS solutions are great for small projects or maybe non-mission critical sites, but don’t meet the standard for large enterprise organizations.

Truth: Some of the largest and most mission critical websites in the world are now being managed with Drupal. Just a query on a tool like will reveal sites like,,, and We’ve known for a while that the White House has also been a strong proponent of Open Source CMS solutions as well. Oh, and just recently we learned that one of the largest websites in the world,, is moving to Drupal.

The Whole Story: Big or small, organizations need to evaluate the best fit for their project. There are large organizations powered by WordPress, and smaller companies that use Commercial CMS. It’s all about what solution is going to deliver a site that meets the company’s goals.

In the end, however, there is no one solution that is a perfect fit for every project, so your CMS short-list should consider many aspects: scalability, ease-of-use, support, functionality, and more. It’s also about selecting the right team to implement the CMS and complete the project. Whether your project is executed in-house or by a development partner, everything should be about delivering your new site on-time, under budget, and to specification.


2 Responses to “The Real “Truth” About Open Source CMS”

    • Dave Scalera
    • August 10, 2013

    Matt, Thanks so much for continuing this conversation. In doing so, however, you seem to have further validated my claim. Your statement, “Anyone with basic PHP knowledge can write and share a Drupal module.”, is simply not true. Start here and take a look at the process and see what it takes to be a first time Drupal contributor – For more information on Drupal Security, go here – The Drupal Security team is 40 people strong – larger than the R&D teams of most proprietary software companies. Ben J. above already pointed out your discrepancy to the Security update in May. As impressive as your list of those six 3rd party integrations you mention your product has, the truth that I was trying to convey is the pure velocity and time to market that is experienced within the Open Source community. Commercial solutions are bound by their internal product development roadmaps (which have their place), but Open Source development moves at the speed of the web and the hundreds, if not thousands, of integrations that Drupal has is indicative of that. And finally, as much as I appreciate your CMS short-list checklist and link to your qualified partners, I don’t think we disagree at all on organizations doing appropriate due diligence to find the best solution available for them – which sometimes might be Commercial, sometimes might be Open-Source. My point was only that Open-Source is a completely viable option for Enterprise engagements. Best of luck to you with your product and solutions. -Dave

    • Ben J
    • August 09, 2013

    Your statement “In fact, a module was the root cause of being hacked in 2013.” is not accurate. The page on the incident ( says “Unauthorized access was made via third-party software installed on the server infrastructure, and was not the result of a vulnerability within Drupal itself.” The key point being it wasn’t Drupal, core or modules. doesn’t just run the Drupal software.

Website Monitoring Services


Nov 2, 2012

Review: 3 Website Monitoring Services

A look at services that alert you to website slowdowns and crashes.

Illustration by Jacob Thomas

A website slowdown or outage could be disastrous for your business. Site-monitoring tools can’t prevent problems, but they can let you know when something goes wrong. We tried out three using a test site–and, as luck would have it, we experienced a crash. Below, the results, rated by stars in ascending order.

Pingdom ★

Like the other tools here, Pingdom monitors websites and servers. To get started, you register on and enter your site’s URL. You can log on to a dashboard to see historical data on uptime and speed and get alerts via text, email, Twitter, or smartphone push notification if your site crashes. Then, you can use diagnostic tools to find and fix problems. During our test, Pingdom detected a slowdown because of heavy traffic but did not register a crash when our host,, went down. Cost: Free for one site and 20 text alerts, then $9.95 a month and up

New Relic ★★

Unlike Pingdom, New Relic can monitor Web applications, including e-commerce platforms, running on a site. As with the other services here, it has a dashboard with historical data on uptime and speed, along with diagnostic tools. It can alert you to crashes and slowdowns via email, text, Twitter, Campfire, and other third-party services. New Relic sent us text alerts when our site dropped below a critical speed and more alerts when it crashed. One gripe: Setup involved adding code to our server. Cost: Free for a basic version, then $24 a month and up

Zoho Site24x7 ★★★

Our top pick, this service can monitor database programs and Web apps. Setup was easy: We simply pasted our site’s URL into a dialog box on the Zoho site. If your site crashes, you can get alerts via text, Twitter, or push notification. During our test, Zoho detected a slowdown and sent several texts when our site crashed. Cost: Free for a basic version, then starting at $1 a month per site