Don't Be the Dumb Cow

  • Thursday, 01 January 2009 00:00
  • Last Updated Thursday, 26 November 2009 17:37
  • Written by Dan Knauss
The Dumb Cow

In the summer of 2008, Drupal, Joomla! and Wordpress--the three most popular free, open source online publishing engines--made it onto IBM's top 10 security vulnerability list.

IBM's report noted that:

...a commonality between these three vendors is that they are all written in PHP. If we look back over last year's disclosures and apply the new CPE [Common Platform Enumeration] methodology to them, we would uncover another newcomer to the top five list, PHP itself, which would rank number four in the 2007 top five vendors.

[Source: IBM Internet Security Systems X-Force® 2008 Mid-Year Trend Statistics]

This report may sound as if it is suggesting there is something inherently wrong with Drupal, Joomla, Wordpress, or PHP, but any networked system can be exploited. It is mainly the popularity of Drupal, Joomla, Wordpress, and PHP under open source licensing that has made them security-risk peers of major software vendors such as IBM itself, Microsoft, Apple, Oracle and others on IBM's list.

Drupal, Joomla, and Wordpress use other underlying (server-side) open source technologies: PHP, mySQL, often Apache, and often Linux or another *nix variant. Known as the LAMP stack, these systems drive the majority of the world's web servers due to their quality, popularity with programmers, and free, open source status--which in turn drives their quality and popularity. Wide deployment of these tools and easy access to them make for a lot of targets.

In the open source world, security problems, like program bugs, are not hidden--they are wide open to the world. They are also rapidly, intentionally, and directly exposed to the public so that security solutions can be found and quickly disseminated. People who miss an alert to upgrade or patch a newly discovered vulnerability are probably the majority of those who fall victim to attackers.

This document explains some essential ways to keep your PHP/mySQL applications safe, but the fundamental rule in a nutshell is: keep your software up to date.