When Bad Things Happen to Good Content Management Systems

I’m going to share a not-so-nice secret about some website designers. We’re creators, not maintainers. Some of us look forward to maintaining websites about as much as we look forward to a tax audit.
So, what’s a client to do? Organizations change. Information changes. Which means that websites need to be updated. How’s it going to get done?
The answer is something called a Content Management System (CMS). It will allow your clients to maintain the website without the need to call in an outsider. The clients simply log into the CMS, which looks like a cross between a browser and a word processor, make the needed changes, and then they’re done.
From the client’s perspective, this is much faster than:
- Making a list of changes that need to be made.
- Calling you, the Web Guru.
- Checking to see if you made the changes correctly.
Or, if your clients aren’t into calling you e-v-e-r-y time they need to make a change, they can dispense with the need for in-house expertise in things like HTML, FTP, and web page editing software.
Better yet, for clients who feel intimidated by all things computer-related, CMS packages have catchy names like:
- Drupal
- Joomla!
- Website Baker
- WordPress
Hey, with names like those, who wouldn’t want to have a Content Management System to play with? And using them is a lot like using a word processor! So, what’s not to like?
The answer is that there are two things to dislike:
1. Hackers. The sad truth is that the popular open-source CMS packages have all been targeted. Matter of fact, all but the latest versions of WordPress are under attack right now.
According to the WordPress blog, the attacker is a worm that “registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.”
Meanie.
The solution is to tell your clients to budget for CMS upgrades. Which means that they’ll need to have you coming around to keep the CMS up to date. If they balk, tell them that this is a lot cheaper than having you come in to clean up the damage after a hack-attack.
2. Obsolescence. Not only can CMS software get old and vulnerable to attack, the software that your CMS needs to run can leave your website in the dark. If you’re using a CMS like Drupal, you’ll need to have PHP and MySQL running on your server. Your client’s website host probably handles this, and here’s where the fun comes in.
Let’s say that you haven’t upgraded your client’s Drupal for a while, but you’ve managed to avoid the wormy hackers mentioned above. Lucky you.
Then your client’s host comes along and upgrades to the latest versions of PHP and MySQL. Which doesn’t work with the elderly version of Drupal you’ve been running. The not-so-nice consequence is that your client’s site visitors will be greeted by a very cryptic error message. And no one will be happy with you.
In short, launching your client sites into the world of CMS doesn’t mean that you can “set it and forget it.” You’ll need to stay on top of the upgrades. And not just for the CMS. If your CMS installations require plugins to handle things like navigation, slideshows, photo galleries, and search engine optimization, you’ll need to keep up with the latest versions.
You’ll also need to test everything before you re-launch the client’s site. (You did make a backup before you started doing the upgrade, didn’t you?)
And, after the site is re-launched, you may need to provide a refresher course to the people who will maintain it. Reason: New CMS interfaces can look vastly different from what they’ve been used to, and it’s helpful to show them around their new work space.
I hope that the above doesn’t scare you and your clients away from Content Management Systems. They do have a lot to offer. But they’re not “set it and forget it” propositions. They need ongoing attention.



The alternative for designers — even if you are using a CMS — is to partner with a Web management company. They’ll work with the client to keep everything functioning as it should be, make updates and changes, and even provide tech support should there be any issues.
Very good post, I think you are right on when you say “set it and forget it” is a bad approach. As great as a CMS is I find I get more calls from clients with CMS than I do with regular sites, because if they have to contact me to do the updates they budget accordingly and with a CMS they view it as they are doing the updates themselves but they can talk with me on the phone for an hour while I explain how to do basic WordPress operations (after training of course) with no cost involved. Great post!
This is a dilemma I’ve been discussing with my brother for a while now…
I’ve developed several versions of my home cooked CMS with more than 30 modules designed for specific or general needs. The thing is, most customers will never ever use it, and even if I charge them for using the CMS myself they happily pay me for it… Still there are some clients that manage content themselves, but it is usually when there’s some PR or marketing staff available to do so.
In the end we keep using our CMSs but for internal use, which is easier for me, because I don’t have to build them so damned fool proof.
The other reason is that by not giving them full control over their site the client follow up is more natural.
One has to learn when to use CMS and when to give access to the client.
This was a good read. I’m just now starting to use CMSs. It’s good to know what to look out for than to find out later what I screwed up. =D
Important advice, and something that freelancers definitely need to discuss with their clients.
In terms of a positive client relationship I still think that the widely accepted open source CMSs are usually the best option. So long as they are kept up to date they remain pretty secure. More importantly, I think it’s important that as a freelance web designer/developer you should be providing your client with not only a good service, but also a flexible one.
One of the major advantages of a widely accepted open source CMS is that it doesn’t tie a client to a particular provider. While I understand that a design company might want to get a client to sign up to their proprietary CMS to ensure a “lock” to the relationship (if the client has problems then they *have* to use that freelancer), that’s not providing the best service. Client and designer relationships end, and even when that happens I want my clients to be in the best position possible to move forward. That means them having a CMS that’s widely known, which means that they’ll always be able to find a designer or developer that’s comfortable working with it.
I like your post very much because you touch on the good things and the issues of specializing in CMS-based sites.
I’m a huge proponent of Open Source and especially Joomla! or WordPress (it is a matter of how large a site and how much traffic it’ll get). Joomla!’s community is extremely active and catches security holes as rapidly as Symantec. Yes, there are hackers, but as long as you convince your client to properly set up PHP and follow good Linux protocols you will be secure.
My biggest issue with my clients is that they have purchased space on a host like GoDaddy that is not optimized for Apache/PHP/MySQL (which most Open Source CMS run on) and you can’t get to the server. It is really frustrating to try and convince clients that they should change Hosts to one that knows how to optimize and secure their servers.
The other issue is exactly what you write about, namely although CMS is supposed to be user-friendly, it takes flipping one’s brain upside down to understand that there aren’t “pages” and that content is placed on a page dynamically based on a list of keywords called a taxonomy. One of our jobs is to set up navigation by carefully choosing primary and secondary keywords that allow articles to be re-used in different areas of the site. It is difficult to explain how this works. In addition, I tend to edit the Editor to turn off fonts, sizes, styles, etc. because otherwise, users refuse to use the styles and formats (Heading 1, Heading 2, Paragraph) and the articles look horrible. In addition, there is HTML required to clean up Word files and to tweak layouts. So, you are right, a designer’s work isn’t done. I offer a monthly fee to do the updates just to avoid having those telephone conversations.
Oh, and there are two worlds of CMS’ that don’t mix well: proprietary systems that run mostly on Windows servers and Open Source systems that run on Linux servers. The .Net CMS and Sharepoint CMS are so different in their capabilities to create good looking sites but a lot of enterprise size websites are running on Windows with .Net because it is expedient. That lock in is a huge issue vs. the modular off-the-shelf nature of Open Source products.
There are also some hosted CMS packages that you pay a monthly fee for. Two that I have compared were:
SurrealCMS & CushyCMS
We ended up going with Surreal, because they had a few features that fit us better than the other (One was the ability for the client to maintain their own meta data).
Here is my shameless affiliate link:
http://surrealcms.com/aff-1029
We use other full blown content management systems, but the great thing about SurrealCMS is that there is no need to update the software. It is dead simple for the clients to use. It is free, if you want to maintain 3 or fewer websites, with Surreal’s branding, or you can brand it with your own logo, and maintain as many sites as you want for a small monthly fee.
And the best thing – it is totally simple to implement. You just have to add an “editable” class to any div or tag on the page you want the client to have access to.
This comes pretty close to set & forget, as they do keep a backup of changes your client makes in the last 30 days. However we do keep a local backup of their websites – and it is easier to backup than a PHP/MySQL driven site. Just download the site from your favourite FTP program as usual.
Sorry about the sales pitch, but I would really recommend checking either of these 2 options out.
It’s a very good observation and I’ll keep it in mind for further development.
For us, in the few cases where the client has migrated from us, we’ve given full support to the new designer or team, as well as our source code, and if needed we can “export” to any popular CMS. But that has been very rare, usually a new designer will come with the “tabula rasa” attitude (same way as we usually step in).
On the other hand I have nothing against popular CMSs and I prefer using them, but for most projects they are a bit of an over or undershot for our customers. I like to keep it simple for them, because the learning curve for Joomla or WordPress has proven a bit steep for many clients. Our approach is <>
… it read the tags and deleted text …
Our approach is:
We’ll handle everything for you even if we “break up”
But as I was saying, never thought of it as you put it, and I’ll keep it in mind.
Thanks.
That makes sense, and you’re right that there’s no sense in trying to force a square peg into a round hole in terms of a CMS. That can be a potential problem if you’re wedded to an open source CMS, so it’s important to be comfortable with several options (I work with WordPress, Joomla, Drupal and ExpressionEngine as my “big 4” and that seems to cover most bases).
Anyone ever checked out LightCMS? It is extremely easy for your clients to use. I am currently building a couple of sites for it. It does hosting billing, etc, and is completely brandable to yourself or to your company. Check it out: http://www.speaklight.com/ It is at least good to start out with and easy to manage from a business stand point.
I do use CMSs quite a lot, sometimes homegrown, sometimes modified from an open-source CMS (although never WordPress etc).
A lot of the time I end up updating content for my clients. They pay me to do it so why not, but with a CMS in place it takes me no time at all, everyone is a winner.
Good article
Unless you pass them onto an associate who offers maintenance contracts to deal with that sort of thing.
I currently do this for a few designer friends – they do the site and then cross-sell my services in maintaining the site, anything from copywriting to plugin installations to fixing that text your client pasted in from Word that’s broken the layout. I charge a monthly maintenance fee (hoping to offer ‘one off’ services in future) and if any design work crops up, I pass it back to the original designer as a lead.
It’s a mutually beneficial relationship and may well suit some designers: lose the hassle of maintenance without losing the benefit of an ongoing relationship.
I always wonder why on pictures like above, the Apple logo is shopped off something that is clearly a MacBook Pro… It’s like, we don’t want people to know an Apple looks good in this picture, but we couldn’t find a better laptop for this picture.. so let’s shop the logo off…
Choosing a CMS or creating your own can definitely be tough when thinking about security.
If it’s custom then fewer people know your product and you’re a small fish in a large ocean of CMSs; however, you (and maybe some colleagues) have to do your own security which can be taxing especially if you don’t know much about it. I had a buddy who was more of a designer than a programmer and knew little about security. He created his own CMS and unfortunately someone compromised his site (more than once I believe) and I ended up helping him lock it down a bit more.
For WordPress and the like there are more people looking at it which can be negative or positive. Hackers can use the same code to break many sites BUT if you’re up to date with the latest updates (providing updates are readily available) you can stay on top of it… providing you’re not one of the people who were compromised. (Thinking of the WordPress hacking that is mentioned in the article.)
My thoughts: I don’t have a whole lot of time so I stick with a CMS like WordPress or Joomla. It’s quicker to make sites, easy to update, and with more eyes looking at it I feel safer using it; not to mention I do my best to alter just enough to make it not worth someone’s time to hack.
I found out something weird today at an interview: the Government won’t certify Open Source CMS just exactly for the reason they are so good: lots of programmers form a community that watch dogs. They are afraid that a hacker will place malicious code into the core and so you cannot install a Joomla site on a Government server. That’s why you see such old HTML-driven sites or proprietary CMS sites on Government domains.
It’s something so often forgotten about in a good proposal. This reminds me to upgrade my proposal to outline this requirement – in my first year of freelance I forgot it!
I’m not sure why this article and the subsequent discussion seem to be equating “CMS” with “open source CMS”.
Personally, I use ExpressionEngine exclusively for all my contracts. It’s not open source, but there’s an API available that allows for a vibrant community of add-on developers to extend its features. They’ve had something like four major security fixes in the past five years – one of the benefits of it not being open source – unlike many of the referenced open source CMSs, which you have to update almost daily.
Some people assume that if it’s not open source, then you have to “rent” the software from the provider, but this is simply not true: Although it’s not open-source, ExpressionEngine’s licensing model only requires a one-time purchase – and a modest one, at that – not an ongoing subscription.
The other thing people complain about is that non-open-source options aren’t free, to which I say, if a $300-CMS is breaking your bank, then you need to charge your clients more (assuming you’re worth it).
Incidentally, EllisLab just announced that ExpressionEngine v.2.0 will be released on December 1. I highly recommend checking it out. I realize that this is sounding like an ad, but that just goes to show how satisfied I am with this software.
Nice article.
I would add this concept:
there are many freelancers that learn to use just one CMS and then they work only with that.
I mean not specialize but learn exclusively one CMS, that could be Joomla, Drupal, WordPress or another system. Maybe they don’t even know much about programming or design, but they offer this kind of service and they use always the same system, for all kinds of projects.
The problem then is that maybe that system is not really good for each kind of project and then the result is crap.
I can use Joomla very well and, I would say, WordPress and Drupal well enough, but I wouldn’t always use one or the other.
I wouldn’t use WordPress for something that is much more than a blog and I wouldn’t use Joomla for something that requires massively custom behavior and functional customization – same for Drupal.
I don’t really think these systems are perfect and they can be used in every kind of project.
I have heard many times the proposal to build something with Joomla or Drupal due to a low budget and then, if the concept works, to develop something custom with some more advanced framework (Symfony, Django or Ruby on Rails for example), but when I did that, in the end I had to charge more to build custom behaviors, which made me think that building something directly with the proper system would have been a better and more serious choice.
So, the juice of this comment is that I believe that professional web designers / web developers should choose the best system that would meet the client’s goals and sometimes these CMSes are not the right answer.
If you’re using WordPress there’s an “Automatic Upgrade” plugin that will upgrade the version of WordPress every time one comes out. All you need to do is click on the text links, which I’m sure is easy enough to show the client how to do. Most cases of hacking into WordPress result either from the password being too obvious, or an outdated version of the software. Should be easy enough to resolve both of those.
Another thing to watch out for is using so called “user-contributed” or “community contributed” plugins for those off-the-shelf CMS systems. Sure you can update a CMS, but many times the security holes are in the user-contributed plugin that was installed. Yes, keep the core CMS software updated, but make sure to keep those user-contributed plugins updated too.
Don’t forget that all this extends to those open source shopping cart systems as well – Magento, ZenCart, OsCommerce, etc.
Personally I’m done with open source CMS. They’re difficult to customize and the source is open for hackers to scrutinize. Instead of putting time and effort into learning an open source CMS, why not just learn to build it yourself? It sure is a lot more fun and rewarding than struggling with CMS systems. Plus the end result is customized to your client’s needs.
Ed, it’s a lot more fun if you are a programmer and can create your own CMS. I wish I knew how to write code as complex as what is under the hood of a good CMS. But I don’t, so like others, I’ve learned a lot of the products because of scalability. I’m seeing a lot more websites built around WordPress but it really is a blog and linear in nature and you have to bend it out of its purpose, thus it is time to apply a true CMS to the site and I happen to like Joomla, but there are others such as PHPNuke, Xaraya, WebPress, and so forth. Drupal is the big guns that can handle custom interactivity but again needs a programmer to understand how to use it to its full capability.
I’m learning Expression Engine and my only problem with it is the insertion of calls to the database straight from the HTML pages when standards are calling for separating all the layout elements giving separate files to CSS, Javascript, PHP, HTML, etc. Otherwise it really is a nice package.
Rita, can you elaborate on that? EE doesn’t make any calls to the database unless you code your templates that way. They’re completely blank until you add something. Web standards only call for separation of content (HTML, PHP, etc.) from presentation (CSS) from behaviour (JS), and EE is fully capable of all that if you code your templates thus.
I barely know EE and am maybe misjudging the product. I was talking about altering the template/layout seems odd to me to put EE tags within the index page rather than use PHP and XML to identify separate files and database tables. I probably am all wet.
Yeah, I never recommend altering the example site template that’s provided. That’s another reason I like EE: you don’t have to back-engineer an existing “theme”, you can start from scratch.
I’m not much of a programmer, but I believe what you’re describing is essentially what EE tags do…basically you identify separate files and database tables using EE’s taxonomy.
You fail to mention the increasingly popular alternative: Software-as-a-Service also known as rented/hosted solutions or the current buzz word “cloud computing” which I can best describe as a Win-Win-Win solution: Clients can manage their own website, web designers can concentrate on design and leave it to the Software Service Provider to keep the servers running, install the latest patches, upgrade to new versions etc.
In this category it is worth mentioning Web CMS services like:
* CushyCMS – http://www.cushycms.com/
* LightCMS – http://www.speaklight.com/
* eSuiteOne – http://www.esuiteone.com/
None of these requires any programming or messing with servers, databases, security updates etc. and the latter even includes email marketing, CRM and lots of other stuff.
Many of these services have partner programs that offer discounts and ongoing commissions.
I do not understand the Open Source obsession among freelancers and small web design businesses. I always hear arguments like: “you own the code” or “it’s free” – bah humbug!!
Sure once you’ve downloaded the code, you own it, but in most cases it’s outdated in 12-18 months and when you own the code – you also own all the problems that come with it – there are NO software developers to hold accountable when it doesn’t work – other than you!
Open Source may be free to download, but then comes all the time consuming setup, updates, upgrades and ongoing maintenance just to keep the site running and secure – time that would be better spent finding more clients!
Let someone else deal with the boring stuff so you can do what you love – being creative!
As a Drupal Freelancer, I can see your points and they are valid.
But I would say this is true with anything. If you have a website, then you need a server with an operating system and a web server (apache?) installed on it. They should always be regularly upgraded because hackers will target the OS and the web server software as well. The community at large needs to take maintenance (upgrading software) very seriously (even if it’s as fun as tax audits).
Automatic updates or update notifications are very helpful.
There is also some work being done to simplify upgrading your Drupal. There is a group working on Aegir Hosting System, a Drupal module/distribution/whatnot which allows you to upgrade all your modules and Drupal core with a single button.
Good professionals usually use their own CMS, so they can manage the risk.
This has some pretty good advantages. Their CMSs are not used by millions of people and nobody can access the source code just by downloading it, so it’s much harder (if even possible) to gain any security mistakes to disuse.
Somebody says that it’s expensive to develop your own CMS, but if some hacker would jack websites of your clients, it could be muuuuch more expensive…
Petr, there is an interesting dichotomy going on in this discussion. CMS is a strange animal: part developer’s tool and part designer’s tool with both parties’ goal to create something that is relatively easy for our clients to run by themselves.
As a content specialist and graphic artist more than I am a developer, the idea of making my own CMS is beyond daunting. I never imagined anyone would do that. I customize Off the shelf Open Source because I do know enough to read PHP code to move modules around and so forth, but I am by no means a coder.
So, it is easy for a developer to say “roll your own because it is safer” but from my perspective I’d rather have millions of programmers, testers, systems analysts, and other specialists poring over the code than to trust that something hand written would do what I want and stay clean. I think the difference in perspective between someone focused on the underside of a CMS (its coding) and someone focused on the user’s experience (a content manager or designer) is very telling on which CMS we choose. This goes for choosing a proprietary .NET-based CMS that requires programmers to customize vs. Open Source where you can find the fork you want already for prime time.
Hi
I’m a far stretch from an internet guru but my boyfriend (who is an IT guru) insists on empowerment so he designed my website so that I can pretty much do everything I want – content, images, ads etc. wherever I like. He’s even got me up and running with some basic (very basic) html.
Wonderful to have a personal IT department isn’t it.
I recall once being part of an organisation where, if we wanted to change our personal details on the online directory it could take months! Just because there had to be enough changes to warrant contacting the website designer.
Juliet
I’m totally with Rita on the last point. Build my own CMS? No way! I’m a designer. I’ll deal with UI, typography, content, presentation, CSS and JavaScript. But who in their right mind would want me to put together the back end?
No need to reinvent the wheel. Better to let the wheel designers figure out how to use new rubber compounds and integrate the radial belt so the wheel performs better.
I’ll worry about the car paint color and “Corinthian Leather” interior.
This is a great article that outlines one of the core reasons that we developed our own CMS – XLsuite.
The thing you don’t mention here that was a huge factor for me was managing multiple websites.
Upgrading 1 WordPress install is fine. Doing it for 20 clients is a whole other pain in the ass.
To solve that our CMS has the same back end for all our users. The sites differ on the front end, but new releases happen without needing to update the client sites.
This is great for releasing new features and bug fixes, the users have nothing to do and we don’t have to update all our clients sites manually.
There’s a short video here if any of you are interested in trying out the 60 day trial.
We had so many bad experiences with open source products and their myriad of modules and plug-ins… we finally switched to a commercial product.
Our clients all wanted something different when it came to how information was organised. And of course we didn’t want to have any annoying limitations when it came to template functionality. In the end we settled on a product that’s been around since 2001 and has been quietly evolving into a platform that handles customer management, email broadcasting, analytics, ecommerce and content management on a serious scale.
It’s used by some big names, but frankly it’s been very poorly marketed so far. I’m promised that’s going to change soon – until then it’s our little well kept secret.
Here’s a site we built using it: Gadget Guy and the content management system is here.
I’ve started being more upfront with clients about the potential downsides of using a CMS and my quotes now include an annual fee for CMS maintenance and upgrades.
I had thought that when one-click upgrade became a feature of WordPress it would mean not having to do this for clients. But, in reality, they often choose not to upgrade, just like they choose to ignore their computer when it asks them to install Windows updates. They also ignore the (admittedly less obvious) warnings to upgrade plugins.
Sometimes that’s a good thing. Occasionally a WordPress plugin, especially one that’s been abandoned by its developer, will fail to upgrade or be incompatible with a new WordPress version. The client shouldn’t be expected to solve that problem.
Problems can be thorny. On one website I’m using the Shopp e-commerce plugin for WordPress in conjunction with about 20 other plugins. Recently there have been problems with MySQL tables needing to be repaired, plugins not being compatible, security certificate issues, upgrading failures… sometimes I long for the old days of static websites.
I really think that Light CMS is CRAP. It could be called CRAP CMS. Would never use that CMS for something that has to be optimized for SEO and performance.
Don’t like at all hosted solutions. I think it’s used only by designers that don’t have a partnership with a good programmer.
This article is a must-read for me. I am learning Drupal and have had first-hand experience with the upgrade process. I’ll have to deal with it again when version 7 comes out. So I’m happy I won’t have many sites to upgrade when that time comes.
Knowing about the security risks puts me on alert that I need to add a service charge for maintenance and that I need to assume that responsibility. Thanks for that helpful post.
I hear ya’. I spent about a half a day updating all of my clients and my own WordPress sites when the news came out about the worm you mentioned. Not fun, but necessary.
The bottom line seems to be – there *will* be plenty of work to do, no matter whether you use an off the shelf product, open source, or roll your own.
Using an off the shelf CMS sounds like a big time and labor savings, and in some ways that’s true. You get out of the chute quickly.
But doing so simply substitutes *other* work – perpetual maintenance, security monitoring, and user re-training. A CMS is an appropriate solution if you’re prepared to be around to work on it in perpetuity.
I once had a blog hosted on WordPress, and the web account for that domain got hacked because I never updated that version of WordPress. So security holes were found and exploited.
And training end users in something like Joomla is a sheer P.I.T.A. There are just so many options and distractions, and in most CMS you can’t hide administrative features from the user to keep them from shooting themselves in the foot.
Wow.
All this, and not a single mention of SquareSpace.
I’m shocked, but happy that the best CMS is still on an indie label.
Before long, they’ll be mainstream, topping the charts, and I’ll long for the days before their overexposure.
Forget I even said anything about SquareSpace.
These are not the droids you’re looking for…
I am always trying to not use CMS for my clients, I try to have whole control about their websites, make my money for the month and keep designing. Most websites don’t update so often and the ones who actually do, well, there u go, u need a CMS.
Of course, big clients can be attempted to be hacked but smaller companies like the ones I work with, not really.
CMS are undoubtedly great. The major hurdle I encounter though is inexperienced clients who seem to think a CMS will automatically give them the ability to magically do anything they want to a website!
Great post. This highlights the difference between designers and programmers. In most firms these roles are completely separate because well… the skill sets are completely different. Programmers are “the tech nerds” with the skills to fix or upgrade your CMS, whether homegrown or off-the-shelf like WordPress or Drupal, the moment a security vulnerability is exposed.
Granted, most designers should have the skills to upgrade a WordPress install but I don’t know many who enjoy this task or that would know what to do if things don’t go smoothly. Not bashing designers, but intimate knowledge of underlying CMS code usually isn’t their specialty.
This is why good web teams should have clear separation of these roles, whether in-house or through a partnership. Everyone is assigned the tasks they’re best at and the quality of the work is exponentially improved.
I can’t really see what the fear of a CMS is. If you make a good choice, they are well developed and maintained. Regardless if it’s hosted, open source or commercial a good CMS will fix any security issues rather quickly.
I would say a hosted CMS is not more secure than any other solution. I wouldn’t want to share my content, files etc. with a third-party business. There is nothing that say that they won’t abuse it or even shut down the service. There is no guarantee.
A custom CMS can be a good solution if you have an active development team in your business but even these will need to be updated. It will be you that is responsible for these updates. It’s not less work with a custom CMS. It’s not more secure with a custom CMS.
Using a custom CMS is bad for your clients. What if you decide it was not worth continuing to develop the system or the business has to close? An open source CMS often has a big community behind it which results in you having a big support team behind the product regardless of whether the original developers stop maintaining it.
A commercial CMS is a good solution as well, as long as it is not hosted. You have the software and there is often, just like the open source solution, a big community behind it. Some clients may even prefer a commercial solution because then they have someone to blame.
Having been a web developer for at least the last 10 years and now being a web designer as well, I find it strange that so many think it’s so much work helping your clients. You can easily charge them for your time. If you feel you don’t have the skills or the time, hire someone just like you would do with any other problem you can’t fix yourself.
I don’t think the CMS is the problem here, it’s just a matter of realizing that from a client’s point of view they will not care who fixes the problems they are having as long as someone does.
In my point of view, a good web designer should have good skills in graphic design and development. At least if you are freelancing. If you are working in an agency you most likely have a design and developer teams so the requirements might be lower. But as a freelancer you should be able to provide the complete package your clients need, regardless if you hire people, to complete the package.
In the past year I’ve built over 80 sites for different clients. Probably half of my work is taking sites away from other developers/designers that were built on a “CMS” system like Joomla, Drupal or even WordPress because they’re just too difficult for the average client to understand.
They do however understand cPanel/File Manager. Believe it or not, when a client insists on “managing/maintaining the site themselves” you can’t beat a well built, well structured, tabled HTML 4.01 (and yes they will W3C validate and get great search engine rankings, and if you do it right can look like some of the top XHTML/CSS sites out there).
I know what I’m saying will get a lot of negative comments, but the plain fact is my clients are more satisfied with this than any of the popular CMS systems out there. Again most of them were originally with another developer offering them a CMS system and they just couldn’t get it.
You have to remember, the average client is focused on business, not technology. They use word processing every day and if you build a well structured tabled design for the cPanel File Manager’s HTML Editor your client will be very very happy.