Keeping Your Site Secure
All networked systems can, in theory, be penetrated and compromised by unauthorized agents, and public-facing web-based applications are exposed to the whole world, which includes a lot of bad people. Popular, widely deployed web applications present the biggest, most rewarding targets for a wide variety of attackers who are always looking for new exploits or simply following scripts to exploit already known vulnerabilities.
Undoubtedly as a consequence of their popularity and their use of extremely common open source server software (such as PHP and MySQL), the leading open source content management systems--Drupal, Joomla, and WordPress--entered IBM's top ten list of vendors with the most reported vulnerabilities with "public exploits" (known ways to exploit the vulnerabilities for evil purposes) in the summer of 2008. Others on the list include Apple, IBM, Cisco, and Microsoft.
Vulnerabilities, once known, are usually fixed in the open source community with rapidly developed security releases that update the vulnerable software. Well-tended software has plenty of good guys trying to stay ahead of the bad guys by finding vulnerabilities themselves--and writing patches to close them. Sites that get cracked are typically ones where a security update for a known vulnerability was never applied. For Drupal, Joomla, and WordPress, the vast majority of exploits do not concern vulnerabilities in the core CMS itself but rather third-party software extensions that have been added to the core CMS. Poor server security often abets the work of the bad guys.
To maximize security, it's important to 1) use a good host and lock down your server environment, 2) be selective in the software, and any extensions to it, that you install, and 3) monitor development and security releases that update your core applications and any extensions installed in them. Additionally, there are security tools and software shields available to enhance protection from within Drupal, Joomla, and WordPress.