Security and Quality Assurance in Craft CMS and Craft Commerce
How Secure Is Craft CMS?
The security of websites and content management systems is a top priority for many companies. Below, we’ll take a closer look at the security aspects of Craft CMS — the most popular CMS among developers at craft unit, primarily because of its flexibility, user-friendliness, and powerful features.
When working with larger organizations and enterprises, especially those that collaborate with government agencies, system security is often one of the most critical factors when evaluating a new CMS. Fortunately, Craft CMS is committed to securing the websites it powers and prioritizes quality over quantity in its software ecosystem.
As with any software used to manage sensitive data, security is a key concern for website owners and administrators.
Craft CMS places great emphasis on security and provides a solid foundation for your website. It includes built-in defences against the common web vulnerabilities, starting with cross-site scripting (XSS). XSS is one of the most frequent web attacks: an attacker injects script into a page so that it runs in other users' browsers, steals data or hijacks their sessions. Craft's Twig templates escape output by default, so values read from the database or submitted by users are rendered as text rather than interpreted as HTML; a developer has to opt out explicitly with the raw filter, which should be reserved for trusted markup. Uploaded SVG files are sanitized as well (the sanitizeSvgUploads setting, on by default), since an SVG can carry script.
SQL injection is addressed at the data-access layer: Craft's own queries, and the query builder and Active Record it exposes to plugins, bind values as prepared-statement parameters instead of interpolating them into SQL strings, so the standard injection routes are closed as long as custom code uses the query API rather than hand-built SQL. Regular updates and patches close newly reported issues and maintain the integrity of your website.
Another key security feature of Craft CMS is protection against cross-site request forgery (CSRF). A CSRF attack tricks a logged-in user's browser into submitting a request (changing a password, saving an entry) without the user's knowledge or consent. Craft issues a per-session CSRF token and rejects any POST to its controller actions that does not carry a valid one; the check is on by default (the enableCsrfProtection setting) and templates include the token in forms with csrfInput().
Additionally, Craft CMS hashes user passwords with bcrypt, a deliberately slow, salted hash derived from the Blowfish cipher, through PHP's password_hash()/crypt(). Stored hashes cannot be reversed, so an attacker who copies the database still has to brute-force each password individually, and bcrypt's cost factor makes every guess expensive.
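The following front-end template is an added example, not code from the original article or from Craft itself, showing the two points above in practice: Twig's default escaping of a title, the explicit raw filter for trusted field markup, and a form that carries Craft's CSRF token. It assumes a plain Craft install with an entry that has a body field and a logged-in user; the field and action names are illustrative.

```twig
{# Added example: a Craft front-end template. Assumes an entry with a
   "body" rich-text field and a logged-in user (currentUser). #}

{# Output escaping: Twig escapes by default, so a title such as
   <script>alert(1)</script> is rendered as literal text, not executed. #}
<h1>{{ entry.title }}</h1>

{# |raw turns escaping off. Use it only for markup you control or that has
   already been purified (rich-text field output), never for raw user input. #}
<div class="body">{{ entry.body|raw }}</div>

{# Craft rejects POSTs to controller actions that lack a valid CSRF token.
   csrfInput() renders the hidden input holding this session's token;
   actionInput() names the controller action; redirectInput() sets where
   to go on success. #}
<form method="post" accept-charset="UTF-8">
  {{ csrfInput() }}
  {{ actionInput('users/save-user') }}
  {{ redirectInput('account') }}
  <input type="hidden" name="userId" value="{{ currentUser.id }}">

  <label for="email">Email</label>
  <input id="email" type="email" name="email" value="{{ currentUser.email }}">

  <button type="submit">Save</button>
</form>
```

For JavaScript-driven requests the same token is available as `craft.app.request.csrfToken`; send it in the POST body under the CSRF parameter name, otherwise the request is refused with a 400 just as a forged one would be.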
In summary, Craft CMS addresses the most common security vulnerabilities and attack methods. It also provides thoughtful data and cookie protection, user verification, and password security measures. The system offers a wide range of tools that allow administrators to configure additional security settings on their websites. This gives businesses and organizations peace of mind when choosing Craft CMS — both for their website and the protection of their data.
(Not a) Fun Fact: WordPress has reported nearly five times as many security vulnerabilities as Craft CMS in the past six years.
Configuring Security-Related Settings
In addition to these built-in protections, Craft CMS also provides a range of configuration options that allow administrators to further enhance their site's security. Craft's general config can mark its cookies Secure-only, rate-limit failed logins and lock accounts after repeated failures, suppress user enumeration on the login and password-reset forms, strip scripts from SVG uploads, and freeze project-config changes and in-panel updates in production. HTTP security headers and PHP's disable_functions are set alongside it at the web server and php.ini level rather than in Craft. Since Craft 5, two-factor authentication (an authenticator app with recovery codes) and passkeys are built in for user accounts; earlier versions rely on plugins for this. Requiring strong passwords helps prevent brute-force and other password-based attacks.
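A hardened config/general.php, as an added example (not from the original article or from Craft's own documentation), using the fluent config style available since Craft 4.2. The setting names are Craft's; the concrete limits and durations, and the environment-variable names, are illustrative assumptions to adjust per site.

```php
<?php
// config/general.php — added example of a hardened Craft general config.
// Setting names are Craft's; the numeric values, durations and the
// CRAFT_* environment variable names are illustrative assumptions.

use craft\config\GeneralConfig;
use craft\helpers\App;

return GeneralConfig::create()
    // devMode exposes stack traces and queries; default it off unless the
    // environment explicitly enables it (local development only).
    ->devMode(App::parseBooleanEnv('$CRAFT_DEV_MODE') ?? false)

    // Send session and CSRF cookies only over HTTPS (default 'auto' already
    // does this on HTTPS requests; forcing it prevents a plain-HTTP leak).
    ->useSecureCookies(true)

    // CSRF checking is on by default; pin it so a later edit cannot silently
    // switch it off.
    ->enableCsrfProtection(true)

    // Respond identically to login and forgot-password attempts for known
    // and unknown accounts, so usernames cannot be harvested.
    ->preventUserEnumeration(true)

    // Lock an account for 5 minutes after 5 failed logins within one hour.
    ->maxInvalidLogins(5)
    ->invalidLoginWindowDuration('PT1H')
    ->cooldownDuration('PT5M')

    // Short sessions limit the value of a stolen cookie; "remember me"
    // sessions expire after a week.
    ->userSessionDuration('PT1H')
    ->rememberedUserSessionDuration('P1W')

    // Remove <script> and event handlers from uploaded SVGs (default true).
    ->sanitizeSvgUploads(true)

    // Do not advertise the platform in the X-Powered-By header.
    ->sendPoweredByHeader(false)

    // In production, freeze the project config (schema changes are made in
    // development and deployed via project.yaml) and disable in-panel updates,
    // which are applied through Composer and version control instead.
    ->allowAdminChanges(App::parseBooleanEnv('$CRAFT_ALLOW_ADMIN_CHANGES') ?? false)
    ->allowUpdates(false);
```

With allowAdminChanges off, the control panel refuses any change that would alter the project config, which is also what stops a compromised admin account from installing plugins or editing field schemas on the live site.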
User Management Features
Security also includes the ability to assign users specific roles and permissions, allowing administrators to restrict access to certain areas of the site. For example, an administrator might grant an editor permission to create and edit content but not to access site settings.
With Craft CMS, administrators can also enable two-factor authentication for user accounts. This adds an additional layer of protection by requiring users to present a second factor, such as a code from an authenticator app or a passkey, in addition to their username and password when logging in. 2FA helps prevent unauthorized access even if an attacker obtains a user's password.
Another common control is restricting the control panel by source IP address. Craft itself has no built-in IP allowlist for this; it is configured at the web server or reverse proxy, by permitting requests to the control-panel path (/admin by default, set by the cpTrigger setting) only from known networks. For example, the control panel could be limited to an office address range, so that even someone holding valid credentials cannot reach the login form from anywhere else.
Overall, Craft CMS gives administrators powerful tools to control access to their sites. By assigning roles and permissions, enabling two-factor authentication, and limiting control-panel access by IP address at the web server, administrators substantially reduce the ways an unauthorized user can get in.
Encryption via SSL/TLS
Craft CMS relies on the web server for encryption in transit: all traffic between the browser and the site should be served over HTTPS, so that logins, session cookies and content cannot be read or altered by anyone on the network path. Craft complements this by marking its own cookies Secure (the useSecureCookies setting, which defaults to auto, i.e. on whenever the request already arrived over HTTPS), so they are never sent over plain HTTP.
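An nginx server block serving both points above (the IP-restricted control panel from the user-management section and TLS in transit), as an added example that is not from the original article or from Craft's documentation. It assumes the default cpTrigger of admin, a Craft web root at /var/www/site/web, PHP-FPM on a Unix socket, certificate paths as Let's Encrypt lays them out, and the documentation range 203.0.113.0/24 standing in for the office network.

```nginx
# Added example: nginx for a Craft site. Paths, socket, hostname and the
# 203.0.113.0/24 office range are assumptions; cpTrigger is Craft's default.

# Redirect every plain-HTTP request to HTTPS.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;
    root /var/www/site/web;
    index index.php;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers to refuse plain HTTP for this host for one year, and not
    # to sniff content types (blocks some script-upload tricks).
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Control panel (cpTrigger = admin): office network only. The access
    # check runs before try_files, so denied clients get a 403 and never
    # reach index.php. Valid credentials and 2FA are still required.
    location ^~ /admin {
        allow 203.0.113.0/24;
        deny  all;
        try_files $uri $uri/ /index.php?$query_string;
    }

    # Public front end: everything falls through to Craft's index.php.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php/php8.2-fpm.sock;
    }
}
```

Two caveats: if nginx sits behind a load balancer or CDN, allow/deny sees the proxy's address, so the real client IP must first be restored with the realip module (set_real_ip_from plus real_ip_header) or the restriction is meaningless; and if cpTrigger is changed in Craft's config, the location prefix must change with it.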
Management of Updates and Patches
A key security practice of Craft CMS is the regular patching of known vulnerabilities. The Craft CMS development team frequently releases updates to fix security issues and other bugs. Through a standardized release cycle with frequent maintenance releases, fixes reach installations quickly, provided administrators apply them: Craft does not update itself, and an unpatched install stays vulnerable. While most commercial CMS platforms release updates only a few times per year, Craft typically publishes several releases each month. Updates are applied from the integrated updater in the control panel or with php craft update all on the command line, and because Craft is installed via Composer the resulting composer.lock can be committed and deployed like any other code change, allowing website owners and administrators to keep their installations up to date with minimal effort.
In addition to regular updates, the Craft CMS team provides resources and documentation to help maintain website security. This includes best-practice guides for securing Craft installations and web server configuration tips to maximize protection.
Plugin Store, Developer Forums & Quality Assurance
The Craft CMS development team is deeply committed to supporting its user community. Over the past 10 years, a strong and steadily growing community has formed around the platform. There are several forums and platforms where users can exchange ideas and support each other. Pixel & Tonic also regularly offers webinars, newsletters, blog posts, and online workshops to help users build and manage their websites.
The customer support for Craft CMS is also known for being responsive and solution-oriented, available via email, forums, and social media. The team actively participates in community discussions, providing direct guidance and assistance (try getting that from a WordPress or TYPO3 developer). The result is a helpful and collaborative community where you can always find support when you need it.
The following resources are especially useful for Craft CMS developers:
Craft CMS Stack Exchange - https://craftcms.stackexchange.com/
GitHub - https://github.com/craftcms/cms/discussions
Discord - https://discord.com/invite/uuDFCTX
Craft Documentation - https://craftcms.com/docs/