Question 1: What does “free to download” really mean?
One of the seemingly attractive features of an open source web content management system (CMS) is the initial sticker price: it’s free to download. While a free download can be appealing, especially to developers, it’s important to consider the real costs of a mission-critical, enterprise software package that’s responsible for something as important as your public website.
The total cost of ownership equation for any enterprise software package (open source or commercial) includes the costs of licensing, configuration, customization, implementation, testing, training, software maintenance, upgrades, custom development, and technical support. The amount of time and knowledge needed to learn an open source CMS, then customize and configure it yourself is difficult to calculate, and typically underestimated by technologists who propose the use of open source products.
Drupal™ and WordPress are two of the more widely known open source development platforms. Dedicated web developers can customize these systems to meet unique needs. Workflow, multiple platform sites, calendars, and other modules can be added by building the required functionality.
Like a bucket of LEGO® toys, Drupal comes in assorted building blocks of all shapes and sizes. This is good news if you want a highly complex, customized CMS and your development team has the time and technical expertise needed to support it. Yet Drupal is often overly complicated for many users.
WordPress is ready to use right off the shelf, but it was created as a blogging platform, not a content management system. Development resources must be invested to transform it into a more technology-centric platform that can manage complex sites with multifaceted functionality. This means adding multiple plugins to the core program, which can only be done after appropriate coding and testing. Again, this may seem like an attractive option, but after extensive modification, the original simplicity of WordPress is often lost and desired functionality is lacking.
An open source CMS like Drupal or WordPress can always be outsourced to third-party service providers who specialize in custom development. These consultants can also train your staff. In theory, the dollars saved on licensing fees are transformed into custom development dollars, but these customization costs can be difficult to quantify up front and challenging to control over time. Additionally, if one of your main goals is to decentralize site management throughout campus, then a more user-friendly commercial solution designed for the needs of higher education should be a higher priority. Separate studies on the usability of Drupal for first-time users conducted by Google,1 the University of Minnesota,2 and the University of Baltimore3 have highlighted the frustrating learning curve for new users—even after Drupal made improvements. The Google study cited “new users feeling confused, overwhelmed, uncertain, and unaware of Drupal’s capabilities.”
Jason Cash, Director of Web Communications at Hope College in Holland, Michigan, experienced some of these same frustrations at his institution. “We expected someone who is an office manager to know how to edit a website using an open source system that is not user-friendly,” said Cash. “It had none of what we would consider the ‘modern day’ conveniences of a CMS. Additionally, our IT folks had a really hard time keeping up with the number of people who needed to be taught how to use it.”
We had no resources at the time to do a complete top-down redesign of the site and implement a new CMS, so the interim option for our redesign was to use a free open source product, which, of course, ended up not being free at all.
Significant resources must be invested in an open source CMS implementation so that it works for your institution. Consequently, time is needed up front, before you even acquire the framework, to map out the functionality required. Considering only development time and cost, a commercial CMS could be more cost-efficient in the long term.
So is open source free?
No, open source is only free to download. Lifetime costs add up, with variables that might not be evident up front. Before committing long term to the added costs of an open source CMS, consider whether open source’s benefits outweigh the need for these additional resources.
Question 2: What risks are associated with its extensibility?
As open source software, Drupal and WordPress source code is available to anyone to customize. In fact, Drupal has over 39,000 modules and WordPress has over 53,000 plugins available for extending functionality.4,5 This combination of code and thousands of custom add-ons (including any that you write yourself) contributes to open source’s extensibility and scalability. In fact, add-ons are more than just convenient options—they are essential to functionality required for basic usability.
Believe it or not, core Drupal doesn't come with a WYSIWYG editor, image handling capabilities, or even a dashboard; these are modules that must be plugged in. Anywhere from five to ten modules must be added to Drupal in order to get the base functionality required for a typical website,6 which is necessary if non-technical users will be using the system. Drupal modules might not have plug-and-play characteristics; often a user must configure them to function as desired by creating new modules or modifying existing code.
Unfortunately, customization becomes problematic when upgrading to the latest version. Drupal changes the API every release and adds new features that can be incompatible with previous versions. This presents a quandary to institutions that have invested time and money into manipulating the source code and plugging in (and even tweaking) various modules to create their custom CMS, because modules that worked in one version will not necessarily work in the new version.7 To update older, preferred modules so that they function in the new version, a new round of custom coding is required. Additionally, since many open source modules are developed by a wide variety of third parties, it is hard to know whether they intend to upgrade and maintain their modules. And even if you build your own modules, do you have the time to modify code to ensure that nothing breaks in the new version?
Finally, it is likely that the new version may require greater memory and CPU requirements than previous iterations. Again, some of this work can be outsourced. Many useful Drupal and WordPress add-ons are developed or maintained by technology firms that recognize the profitability in developing and maintaining in-demand modules and plugins. As such, purchase and upgrade fees should be figured into your technology budget.
For these reasons, using an open source CMS may not be appropriate for institutions that aren’t willing to allocate long-term resources for custom coding to deal with updates and changes to the core system. It’s likely they won’t be able to rely on the development community or commercial support for help with their one-of-a-kind open source creations.
Regrettably, this could create an unintended risk for your institution: exclusive technical knowledge of your CMS resting in the hands of one or a few individuals who customized it. What happens if they leave? Can your administrators understand and manage the proprietary database format where your CMS is stored?
“Very little of our experience [using open source] was good,” said Cash at Hope College. “I had one web designer/developer who was very tech-savvy and a great coder—but he was not an open source expert. We could force the system to do what we wanted, but because we didn’t have that expertise in house, it was difficult for us to balance what we needed with everything else we were trying to do at that time.”
Question 3: Is open source software secure?
Drupal and WordPress core code has volunteer security teams that monitor the code for problems. Since anyone can identify and report a security issue to the team, vulnerabilities are eventually noticed, reported, reviewed, and eliminated.
While the core code is monitored, there are many contributed modules and plugins required for smooth functionality in Drupal and especially in WordPress that are not monitored for security issues.
In Drupal, modules with only development or beta releases are not as stable as those with a supported stable release (e.g., 1.0, 2.1, 3.14). Your team would need to ask the Drupal module’s third-party developer to create a stable, supported x.0 release if you are using the module for critical applications.
With more than 53,000 plugins available for WordPress, it is inevitable that some will contain security vulnerabilities that can be exploited by hackers. According to a report by wpscan.org, 52% of the 3,972 WordPress security vulnerabilities are from plugins.8 The Sucuri Report found that WordPress, Joomla, Magento, and Drupal were the most common hacking targets in 2016;9 and another report by SecurityWeek found that WordPress is attacked 24.1% more than sites running on all other CMS platforms combined—making it the most targeted CMS.10 Care should be taken to use only trusted plugins. Can you monitor and control who adds functionality to your CMS?
Likewise, as a database-backed platform using server-side scripts in PHP, WordPress is vulnerable to SQL injection and URL hacking.11 A thorough set of access rules on your web server can make up for this shortcoming. There are other security issues typical to sites managed by WordPress that are well known to hackers. Your web team must keep up with and follow best practices to ensure your site is secure—yet another drain on your resources.
“Security was always a concern,” said Troy Knickerbocker, Director of Web Development at the University of the Incarnate Word in San Antonio, Texas. “When you have folks who help you manage your website under a decentralized content management model, you really have to be careful about what access you give them in an open source system. You have users who want to add all of these wonderful widgets and plugins that are developed by third parties, and they would want to install them. This created additional overhead on our department and additional security concerns. So, keeping all of that reigned in with the vetting process of what we would allow on the sites became very time consuming.”
Additionally, if the security of your open source CMS is compromised and your CMS goes down, you run the risk of your website going down as well since open source systems like Drupal and WordPress have a coupled architecture out of the box that requires these platforms to be operational.
Question 4: Does the developer support satisfy all our needs?
A common argument in favor of open source CMS products is that they have collaborative developer communities that support each platform. This heavy developer focus can lead to innovation for new modules and plugins. The open source community can be a resource for your web team, assuming you are able to connect with experts who can help you with your problems.
While the developer communities exist, they are not focused on higher education and may not understand your problems. Furthermore, there are no guarantees that anyone will actually be available when you need them. Your institution’s time and resources will come into play, as you may need to wait to find someone who can help you with your specific problem. Do you have the time and resources to burn while waiting to find someone to help you?
Third-party support may be available for hire from the open source community, but a commercial solution provider (especially one that assists you with the initial implementation) will not only have ongoing support, but comprehensive knowledge of your CMS solution and website garnered from time spent working with your web team and end users.
“When we were using open source and something stopped working, I literally had no one to talk to,” said Cash at Hope College. “There was no 800 number, there was no support team, and I had no expertise in house. We just had to figure it out, and that was really challenging.”
Having a customer support specialist who knows your situation and with whom you have an established relationship can save you time. Having dedicated customer service behind your CMS means that you have someone available when you need them—not when they log into a forum.
Sources
1 Checkley, Garin. “Drupal Usability Test Conclusions: A Missing Conceptual Foundation.” Google Open Source Blog, 21 March 2012.
2 “University of Minnesota 2015.” Drupal, 21 September 2016.
3 Lal, Kieran. “Drupal Usability Tests from the University of Baltimore with Community Solutions.” Drupal, 27 June 2008.
4 “Download and Extend.” Drupal, 27 November 2017.
5 “Plugins.” WordPress, 27 November 2017.
6 Gooding, Sarah. “Important Factors to Consider in the WordPress vs. Drupal Debate.” WPMU, 14 October 2010.
7 Peebles, Aleksi. “Does Drupal Have a Minor Upgrade Problem?” aleksip.net, 25 April 2017.
8 Wright, Kristen. “5 Common WordPress Security Issues.” iThemes, 16 January 2017.
9 “WordPress Had the Most Hacked Websites in 2016.” ScriptableSolutions.com, 6 December 2017.
10 Kovacs, Eduard. “WordPress Is the Most Attacked CMS: Report.” SecurityWeek, 12 October 2014.
11 Weiss, Aaron. “WordPress Plugin Used by 300,000+ Sites Found Vulnerable to SQL Injection Attack.” The Hacker News, 30 June 2017.
Tackle your biggest challenges