Why should we use your CMS?
A question Dojono's commercial team are often asked is, "Why have you created your own CMS when you could just use WordPress?", to which they respond, "We're so glad you asked!". There are quite a number of good reasons we created our own CMS, all of which result from many years' experience using WordPress, Drupal, Magento, Joomla and the like.
The friendly technology trap
Unlike most business tasks and activities, technology, in the form of phones, laptops, email, websites and the like, crosses into our personal lives. This breaks down the barrier in our perception about the complexity of the technology and the skill required to use it. Some observers suggest that about 235 billion emails are sent each year, broadly split 50/50 between commercial and domestic users, which is roughly 2/month for every man, woman and child on the planet - ubiquitous, by any definition. Email is a user friendly technology capable of being used by anyone, but how many of those users would be able to set up a secure email server, tell you what SPF records are or even what DKIM or MTA stand for?
False sense of security
Most businesses use third parties to provide excellence in areas they are not equipped to deal with. They employ haulage companies to deliver their goods, utility companies to provide their power, mobile phone and broadband providers for their connectivity, fleet management companies to provide and manage vehicles for commercial and domestic use, deferring expertise in these areas to others who are subject matter experts, capable of benefitting from singular focus, accumulated expertise and economies of scale.
So why do companies DIY their digital presence?
Lots of companies and individuals make use of technologies such as WordPress, either in self hosted environments or by purchasing packages from a plethora of suppliers across the globe.
The language of technology
Perversely, the language used to describe the digital marketing technologies and activities leads most normal people to think they can actively engage with and manage the necessary technologies, especially when they are branded as user friendly, secure and "easy to use". It isn't, however, feasible for all businesses to be security experts, SEO gurus and digital marketing aficionados as well as excelling in their own disciplines... and "ease of use" is generally a misnomer used to gloss over the real, often very necessary, complexities of the technology.
When technologies are sold as secure, extensible and easy to use, the vendor is doing this predicated on competent use. This means the people administering and using the system are qualified to do so, in much the same way as people driving cars are expected to learn the basics or people scuba diving go on courses... but not so with most people setting up their own websites. By way of example, it is estimated that 25% of the internet is run on WordPress (yay!). It is also reported that 90% of all hacked websites in the world are WordPress (boo!), which is up 7% on last year [†]. This means there are a lot of people out there who want to use the technology but are not equipped to deal with the ramifications. Hacked websites are used directly or indirectly for crime and their owners are generally affected by being added to blacklists or worse, negatively affecting their web presence for weeks, months or even years.
With all this in mind, Dojono has created a technology hardened to many of the problems usually associated with mainstream CMS. Our CMS has been built on the following principles:
We wanted a fully version controlled CMS that could securely deploy an SEO friendly website to the Cloud in 30 minutes without any technical expertise, dealing with the website (HTML, AMP, CSS, media, etc), DNS, SSL certificates and email, all from the click of a button or a single Slack command and all using commodity systems with widespread adoption.
To understand the principles we have chosen a little more, we thought we would discuss them in detail.
Security is one of the most complex and potentially most critical parts of any online presence. As discussed previously, CMS, especially Open Source ones, are particularly susceptible to malicious intent. Security issues stem from a number of sources:
Whilst Open Source development has revolutionised the world for the better, it does come with a number of inherent issues, one of which is to breach a key security principle, that of security through obscurity. Obscurity makes systems more secure because the prospective attacker is not entirely clear on how the system works and instead has to repeatedly attack systems owned by others, or possibly to own one, in order to breach it.
Open source systems, however, are by design open to anyone to look at, modify and, more importantly in this case, to install, configure and test any attack in the privacy of the attacker's own network. This allows them to devise attacks and launch them once they are perfected, reducing the chance of the target, the software vendor or the security community being able to detect and counter the attack until after it has been launched.
Vibrant plug-in market
A lot of Open (and for that matter Closed) Source CMS use plug-ins or installable packages to extend their functionality through connectivity to one or more websites, or marketplaces. The mechanism is popular because it enhances the value of the CMS, allowing CMS operators to customise and extend functionality. The problem with open marketplaces, however, is that unless this mechanism was envisaged and designed into the CMS by way of robust security models (such as those that exist in Android) or appropriate economics to allow plug-ins to be properly policed (such as those in the Apple Marketplace) then a security exposure exists. WordPress, for example, uses community feedback to police, rate and verify plug-ins.
- Few or no rules exist about what plug-ins are allowed and not allowed to do.
- No checks are done by anyone in the ecosystem, relying instead, on community feedback.
- No warranties are provided, through or by the marketplace.
- No rights model exists. Plug-ins have access to all the facilities on the server:
  - sending email,
  - reading database tables,
  - reading files on disk,
  - connecting to other entities on the web.
- A substantial number of issues have arisen over the years as a result of unscrupulous plug-in producers providing a plug-in for free (accelerating adoption) with ulterior motives in mind. Some of the malicious activities plug-ins have been used for include:
  - creating links to other sites for SEO backlink building purposes without the site owner's permission,
  - data breaches by reading customer, credit/debit card and other PII/sensitive data and exporting this to the plug-in producer's servers,
  - DDoS attacks,
  - promoting other websites and products by stealthily creating pages on the target website for search engines like Google, Yahoo, etc to see, often with devastating effects on the target website's ranking on those Search Engines[‡].
The problem is of such magnitude that an entire industry exists securing WordPress[⊕] and other CMS.
An estimated 25% of the internet is powered by WordPress - this equates to large rewards for unscrupulous hackers finding security holes and other vulnerabilities, knowing that they can attack millions of websites at a time to meet their ends.
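To make the missing rights model concrete, here is a sketch of what one could look like: each plug-in ships a manifest of granted capabilities and is handed an API object that denies everything else. This is an added example, not Dojono's or WordPress's code; every name in it (`CAPABILITIES`, `buildApi`, `runPlugin`, the manifest format) is hypothetical.

```javascript
// Hypothetical rights model for CMS plug-ins; none of these names are a real CMS API.
// It shows the policy layer only: real enforcement also needs process or VM
// isolation so a plug-in cannot reach past the API object it is handed.
const CAPABILITIES = {
  'mail.send': (host) => ({
    sendMail: (to, body) => { host.outbox.push({ to, body }); return true; },
  }),
  'db.read': (host, tables) => ({
    readTable: (name) => {
      if (!tables.includes(name)) throw new Error(`denied: db.read on "${name}"`);
      return host.db[name].map((row) => ({ ...row }));
    },
  }),
  'net.connect': (host, allowed) => ({
    connect: (hostname) => {
      if (!allowed.includes(hostname)) throw new Error(`denied: net.connect to "${hostname}"`);
      host.connections.push(hostname);
      return true;
    },
  }),
};

// Default-deny: every method throws unless the manifest grants its capability.
function buildApi(host, manifest) {
  const api = {};
  for (const method of ['sendMail', 'readTable', 'connect']) {
    api[method] = () => { throw new Error(`denied: ${method} not granted`); };
  }
  for (const [cap, scope] of Object.entries(manifest.grants)) {
    if (!Object.keys(CAPABILITIES).includes(cap)) throw new Error(`unknown capability "${cap}"`);
    Object.assign(api, CAPABILITIES[cap](host, scope));
  }
  return Object.freeze(api);
}

// Run a plug-in against the restricted API and record any denial for review.
function runPlugin(host, manifest, pluginFn) {
  try {
    return { ok: true, result: pluginFn(buildApi(host, manifest)) };
  } catch (err) {
    host.audit.push({ plugin: manifest.name, error: err.message });
    return { ok: false, error: err.message };
  }
}

// Constructed sample data: host state and one plug-in manifest.
const makeHost = () => ({ db: { posts: [{ id: 1, title: 'Hello' }], customers: [{ id: 7 }] },
  outbox: [], connections: [], audit: [] });
const relatedPosts = { name: 'related-posts', grants: { 'db.read': ['posts'] } };
```

A plug-in granted only `db.read` on `posts` can list post titles, while any attempt to read `customers` or open a network connection is refused and lands in the host's audit log.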
CMS like Drupal, Joomla and WordPress use PHP. PHP is a general-purpose programming language originally designed for web development, famous as the language used by the original versions of Facebook (and probably still is, although it is being replaced by a language, questionably, called Hack) and by big CMS like WordPress, and for how easy it is to learn. PHP is often used by hackers and unqualified developers and is generally seen as one of the least secure languages in mainstream use[⊗].
The result of not following Secure By Design is that all applications and libraries written in PHP can inherit a number of security vulnerabilities, hereafter referred to as “By-Default Vulnerabilities”. It also means that defending against key types of attacks is undermined by PHP not offering sufficient native functionality and I’ll refer to these as “Flawed Assumptions”. Combining the two sets of shortcomings, we can establish PHP as existing in an environment where security is being compromised by delegating too much security responsibility to end programmers.
Complex systems that are actively developed generally have a comprehensive dependency system. This mechanism is used to control which versions of software, libraries and data files are compatible with each other, ensuring that upgrades do not result in breakages. This is commonly used by operating systems such as Linux, Windows or Mac where adding new features, security updates and the like are paramount and often happen without the user being aware, making it imperative that software installed on the system isn't compromised or, indeed, that the software installed by the user doesn't compromise the update being applied. No such system exists in WordPress and one has only recently been added to the latest major versions of Magento and Drupal. Some of the problems caused by a lack of dependency control, often called dependency injection, are:
- plug-ins can stop working if the CMS is upgraded,
- the CMS can stop working if a plug-in is upgraded,
- other plug-ins can stop working if any given plug-in is upgraded.
This issue is potentially why so many WordPress sites are hacked every year. Website owners are caught in a difficult position. They want to upgrade but they can't because their theme or plug-in will break... but if they leave it at the current version they are very likely to be hacked.
WordPress is old and outdated.
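The three breakages listed above are what a dependency system catches before an upgrade is applied. The following added example (not code from any CMS) checks a proposed upgrade against the version ranges each package declares; the manifest format, the range syntax and the package names are assumptions made for illustration.

```javascript
// Hypothetical manifests: each package declares the version ranges it needs.
// Compare dotted numeric versions; returns -1, 0 or 1.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('.').map(Number));
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// A range is space-separated comparators that must all hold, e.g. ">=4.0 <5.0".
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((term) => {
    const m = /^(>=|<=|>|<|=)?(\d+(?:\.\d+)*)$/.exec(term);
    if (!m) throw new Error(`bad range term "${term}"`);
    const c = compareVersions(version, m[2]);
    switch (m[1] || '=') {
      case '>=': return c >= 0;
      case '<=': return c <= 0;
      case '>': return c > 0;
      case '<': return c < 0;
      default: return c === 0;
    }
  });
}
// List every declared requirement the proposed upgrade would violate.
// `candidate` is the new release's manifest: { version, requires }.
function checkUpgrade(installed, name, candidate) {
  const after = { ...installed, [name]: candidate };
  const problems = [];
  for (const [pkg, info] of Object.entries(after)) {
    for (const [dep, range] of Object.entries(info.requires || {})) {
      if (!after[dep]) problems.push(`${pkg} requires ${dep}, which is not installed`);
      else if (!satisfies(after[dep].version, range)) {
        problems.push(`${pkg} requires ${dep} ${range}, found ${after[dep].version}`);
      }
    }
  }
  return problems;
}

// Constructed sample site: a core, a theme and two plug-ins.
const site = {
  core: { version: '4.9', requires: {} },
  theme: { version: '1.3', requires: { core: '>=4.0 <5.0' } },
  forms: { version: '2.1', requires: { core: '>=4.5' } },
  gallery: { version: '3.0', requires: { forms: '>=2.0 <3.0' } },
};
```

With this sample, upgrading `core` to 5.0 is flagged because the theme pins `<5.0`, and upgrading `forms` to a 3.0 release that needs core 5.0 is flagged twice: once for the core it needs and once for the `gallery` plug-in it would break.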
Click bait - sorry!... or am I!? We've chosen WordPress because it's the biggest, but these allegations can be levelled in whole or in part at the rest of the Open Source and paid for CMS community....
- WordPress was launched in 2003 as a fork of another community project - it was never designed from scratch for the purpose for which it is currently used.
- Due to performance and security issues, WordPress has struggled to upgrade its technology a number of times over the last 4 or more years, always without success. In 2016 Matt Mullenweg, the CEO of Automattic (the parent corporation of WordPress), announced they would migrate to Node.js - the technology used by the Dojono build. This project, called Calypso, is still a work in progress and does not replace the WordPress Core with all of its associated issues.
- WordPress is struggling to manage the size of the community. WordPress has had to abandon and/or rewrite parts of their projects (including Calypso) repeatedly due to technical and legal issues[∴].
Website performance is an important part of user satisfaction and, increasingly, of SEO performance. Websites that are slow to load or websites that cause mobiles and laptops to run slowly or hot or to excessively consume battery power once they have loaded, all result in unsatisfactory outcomes. Dojono's CMS has been designed to load and render incredibly quickly, performing better than 99% of websites on the internet. This achievement is all the more significant as Dojono's CMS produces, by default, fully AMP compliant pages, a technology that comes with its own performance challenges.
Independent analysis[†‡] of Dojono website performance shows some outstanding results. We are proud to outperform mainstream websites like WordPress', the commercial version of WordPress operated by Automattic[††]. Automattic operate substantial infrastructure, bespoke (i.e. not available in the community edition) enhancements to the WordPress software and, obviously, apply their not inconsiderable knowledge base to plug-in and theme production to achieve such impressive results.
Compliance is one of Dojono's more prominent quoins. We take the view that scraping the internet is hard enough without making the task more complicated by not sticking to the rules. We are firmly of the opinion that every page a search engine reads is a page we want understood and committed to the index. A good way to do this is to reduce the bot's need to do unnecessarily complex processing, error correction and, well, more work than it needs to.
As a result, the Dojono CMS build (publishing) process ensures that every page it creates is technically compliant with the relevant standards, and it also applies a set of SEO best practice rules. This covers all aspects of the page including media management, asset compression, structured data and more.
Ever arrived at a web page and wondered why the image looks so small or low quality? This common problem is caused by changing technologies. When the page was first created the image was probably large and loaded at moderate, although acceptable, speeds. As time has passed bandwidth has increased, devices have become more sophisticated with higher and higher resolutions and our collective expectations have increased too, leaving that poor page looking old and unloved. Our CMS, on the other hand, will never let this happen. Our CMS allows you to load a single, fabulously large image from which it produces all the images needed to satisfy current requirements. If a new image size, format or optimisation is required in due course, our CMS will automatically produce it and update the page the next time the site is published.
Alternatively, have you perhaps noticed that an image on some pages loads normally on your laptop but really slowly on your mobile device? This is likely because the website owner has used a single, large image, changing its rendered size to suit different screen sizes, rather than changing the image itself. Our CMS ensures this never happens by delivering the optimal image for the screen resolution and bandwidth. Your website will deliver high resolution images for 4G connected OLED devices and low resolution, more highly compressed, images to standard resolution devices on a 3G network, without the need for you to do anything.
This same approach is applied to every aspect of your website, be it meta data and structured data, monitoring internal and outbound link integrity, CSS updates, HTML compression ratios and much, much more.
Our CMS build process is highly modular, processing each part of the creation process in order. At any stage in this process it is possible to add a hook. Hooks allow additional processing to take place. This allows a website owner to carry out particular processing at the appropriate stage in the build process independent of Dojono's activities - providing complete freedom and autonomy for anyone using our CMS.
Dojono uses Amazon Web Services and GitHub to host and store its websites. If you prefer Google Cloud or maybe Bitbucket or SourceForge then that's fine, we appreciate people have their preferences and we're happy to accommodate them. We aim to allow you to work with the tools you are most familiar with. We don't want to limit your creativity or make you work with a supplier who doesn't suit you.
† Securi.net infected website platforms report - 2018
‡ Wordpress Redirect Hack
⊕ PHP Security: Default Vulnerabilities, Security Omissions and Framing Programmers?
∴ On React and WordPress
†† Automattic
†‡ Page Speed Insights results for Wordpress.com