One of our clients asked about the security of their CMS after having problems with a WordPress site. I did a little research and found very few mentions of Symphony security vulnerabilities. Back in v2.3 there was an XSS problem, but little else. I looked through the release notes and found very few security patches.

On the other hand, WordPress pushes out security patches every few weeks.

My assumption is that Symphony is inherently more secure than WordPress. Is that true? And if so, why? Is there a structural reason? Or is it "security through obscurity?"

My assumption is that Symphony is inherently more secure than WordPress. Is that true?

No, unfortunately it’s not. We try our best, but the ageing codebase is way behind industry standard in terms of coding and security best practices, to be honest. Just my personal opinion, not sure if others would agree. I think it’s definitely not worse than WordPress, though.

Or is it “security through obscurity?”

Exactly. Symphony isn’t a worthwhile target such as WordPress, so you’ll have fewer issues with automated attacks.

Thank you! I've come to enjoy working with Symphony. Hopefully we can convince the client to stick with it.

I've come to enjoy working with Symphony.

That’s a common problem around here... ;)

Just to provide another perspective. I echo the above comments, but it's worthwhile mentioning that several of the larger Symphony projects I worked on have had penetration testing by third-party companies. This process did catch several vulnerabilities that were patched and released to the community as quickly as possible. Even now, I still occasionally receive emails from security testers and whatnot reporting issues and gaps :)

I'm not saying the codebase is 100% secure, but I'm sure that the team will continue to co-operate and respond to security reports as soon as possible when we are made aware of issues.
