I had a conversation with a potential client regarding the value of a custom built Content Management System (CMS) as opposed to one available commercially “Off the Shelf” (COTS). They had been told their needs were unique and only a Custom application would work. It would cost more in time and money, but they were worth it!
We went over their requirements for the site and they were fairly standard, but it made me reflect on how much of my business over the years had actually come from organizations who had purchased custom CMS solutions in the past and needed to extract themselves from them.
This is the gist of what I said…
In the early days of the Internet, all CMSs were custom. There weren’t good applications available. I recognize that as developers, just like artists and carpenters, etc., we all have tools that we feel most comfortable with. That’s just human nature. But it’s important to have multiple tools in your toolbox, because no one CMS fits all. From my perspective, there are basic sites that work great within WordPress, and larger sites that require more scalable data tables like ExpressionEngine, and really large complex sites that are better served with OpenText or Drupal. There may also be application requirements that require .net code, so you look at a tool like Umbraco. All of these are excellent COTS or Open Source solutions and one or more of them would be perfect for your site.
Any perceived benefit to having a custom CMS written just for you, will come with hidden issues that only a costly experience will reveal.
Vendor Lock-in: This is such a big issue, I could write an article just on this topic. It’s just the worst thing to do to a client. I’d like my clients to retain me because of the value, expertise and service I provide, not because I’m the only person who can update their site or add new features to their CMS. I’ve come across encrypted code, where you can’t tell what a page is actually doing (or who it’s communicating with). Seen sites full of code with no comments or documentation (or the documentation is not available publicly). All of this makes it nearly impossible to modify the code or add new functionality. It’s unfortunate, but you will be tied to that vendor until you change CMSs. Then the concern is if you can get your data out of the system. I’ve never seen a custom CMS with an export feature!
Custom Functionality: Every widely used COTS CMS comes standard with a community, and an ecosystem of developers who support the tool. This makes it relatively easy and cost effective to add new functionality, often with a plugin or module. Many are also built on modern frameworks permitting rapid development of atypical functional requirements.
Vendor Durability: With a custom CMS, you are tied to that particular vendor and you need to hope that they don’t close up shop or that their developer team doesn’t leave. I’ve seen both scenarios play out and the results weren’t pretty for their clients left behind.
Select a widely used CMS and you have your pick of developers to work on your site. And most CMSs update regularly with new features and capabilities on a regular basis.
Cost: You don’t pay to license an application like WordPress or Drupal, it’s free. ExpressionEngine is $300. A minimal cost in the scheme of things. If you built a custom CMS (an investment of many hundreds of hours at least), you would need to recoup that investment. Even if the vender doesn’t directly charge for their custom CMS, as a client, you will be paying for it. (See Vendor Lock-In).
But wait, my site will be more secure if I use a custom CMS!
Errr, no. That’s called “Security By Obscurity” It doesn’t work.
Let’s pick on WordPress. In full disclosure, there was a period where I would not use WordPress for a commercial client. The older code was not up to snuff, and it had too many vulnerabilities. But times change.
According to Builtwith, WordPress now supports over 47% of the websites on the Internet. A lot of them are business sites. So is it a target for folks who want to break into your website? Sure.
WordPress went through a ground up re-write that focused on security and as a result, it’s one of the tools I recommend for small (<1,000 pages) sites. Vulnerabilities are recognized quickly and updates are rapidly issued. There are also best practices for hardening and protecting you CMS install (WordPress included) that help prevent unknown issues from getting out of hand.
A custom CMS is only as secure as the framework it was written in and the developer(s) that wrote it. I’ve seen tons of poorly written custom code and cleaned up sites that were pwnd as a result of it.
It’s a fact that a typical website will be probed many times a day by scripts (bots) that are looking for old or poorly written software. Site security is an active endeavor that’s more costly when it’s ignored.
I hope it was helpful to that prospective client to make an informed choice and to you, if you are considering using a custom built CMS for you website. Please let me know if you have any other questions.