Website Security: Open Source vs SaaS

Nikita Walker

Which is more secure? Drupal? Squarespace? WordPress? Open source platforms allow anyone to access the source code of the platform, the good and the bad. New vulnerabilities are quickly taken advantage of, but they’re also quickly discovered and fixed by engaged members of the development community in addition to the platform’s core team.

Software-as-a-Service (SaaS) platforms keep access to their code closed off. When security vulnerabilities are discovered, they can only be fixed by the platform’s core team.

So, which is more secure? Open source or SaaS?

Open source website security

If you look at the numbers objectively, it appears as though open source platforms are more vulnerable. According to Sucuri’s 2021 Hacked Website Report, the two most infected platforms were WordPress and Joomla — both open source.

However, Sucuri does mention in their report that the popularity of these platforms plays a significant role in their data. According to a current survey, WordPress is used by 42.9% of all websites. Similarly, Joomla! reported infected website percentages of less than 5% and only makes up for around 2% of all websites.

Open source websites (especially WordPress) have a significant vulnerability: the responsibility of the website owner. According to the same Sucuri report, the main causes of hacked websites were site owners not updating their websites, neglecting extensions, or not being aware of baseline website security practices. Credit card skimming and SEO spam are on the rise as well.

Unlike proprietary websites, which own the security of their own platform and update beneath you, open source platforms require constant and deliberate updates on the part of the owner. 

This includes:

  • Deploying new system patches
  • Updating extensions, plugins, and APIs
  • Migrating off of unsupported platform versions
  • Site permissions and administrator management
  • As secure as the platform technology itself is, if the administrator doesn't provide the proper maintenance it can become vulnerable very quickly.
A graph showing CMS infections/
CMS infections in 2021. Source: Sucuri Report

Which open-source platforms are most secure?

Both open-source and SaaS platforms are supported by a core team of developers. The core team is responsible for supporting the platform by releasing patches that keep the platform optimized and update any exposed security vulnerabilities. If a platform’s core team is regularly releasing patches, it’s a good indicator of the strength of the website’s security.

Open-source platforms that are supported by a large, active, development community are generally more secure. By allowing everyone to access the code, the number of developers working on a vulnerability will be much wider than on a proprietary platform.

Here are a few open-source CMS platforms supported by large development communities:

  • Drupal
  • Joomla!
  • WordPress
SaaS website security

SaaS platforms manage their own security with platform updates. These happen underneath you regularly, and if you’re using a SaaS platform right now it’s likely that you’ve never noticed them. Because SaaS platforms manage their own security updates, which can include system patches, hosting, and extension updates, the responsibility for maintaining security rests with their team — not yours. While this means less conscious monitoring, for some websites the lack of control can be a detriment.

Generally, SaaS platforms don’t know the specifics of your website. They need to be able to blindly apply system upgrades and update components without potentially breaking your site. That means they need to know exactly what components are installed and in use, so they control the core and most extensions. You might only get to adapt your website via API or their tools. This is why they have much more limited ability to integrate and customize.

Building a more secure website

Website security is a major risk area for most companies. You are liable for the site you manage, it impacts SEO, your user’s experience, and the overall performance of your website. No one wants to be vulnerable, and the best way to protect your website is to keep it up to date and to build with reliable tools.

For more updates on website safety, subscribe to our Bear Ideas blog or reach out to us.