Gov 2.0 guide to Plone


Plone is a secure and flexible open source content management system (CMS) for building all types of web sites and web applications. It is supported by a vibrant developer community ranked in the top 2% of open source projects worldwide, and a large number of domestic and international public sector organizations, including the Federal Bureau of Investigation, rely on Plone to power their digital communications. Plone's widespread adoption by high-profile users is due in no small measure to the project's open source codebase and unrivaled security record. These attributes continue to differentiate Plone from other CMS solutions. Given the increased importance of cyber security for all levels of government, one can expect to see continued (if not increased) adoption of Plone in the public sector despite strong competition from other open source and proprietary rivals.


According to the Common Vulnerabilities and Exposures (CVE) list maintained by the MITRE Corporation, Plone's security record is unrivaled: the number of high severity, publicly known vulnerabilities for Plone is orders of magnitude lower than that of each of its three main open source rivals.

[Chart: publicly known high severity vulnerabilities, Plone versus its three main open source rivals. Source: Common Vulnerabilities and Exposures List, MITRE Corporation]

For many government organizations, Plone’s proven security track-record is the most important feature highlighted during CMS selection.

Note: "While one cannot directly derive the security of a product from the CVE DB (i.e. a CMS with one vulnerability for every three in another is not necessarily three times more secure), it provides an illustrative approach to approximate the relative security of products in the absence of full security audits."


While security often takes center stage when one mentions Plone, the vibrancy and size of its developer and user community are themselves important features of the solution. Despite periods of increased and decreased interest over the project's ten-year life, Plone maintains one of the strongest open source developer communities. At present, Plone's community is truly global, with over 300 solution providers in 57 countries. There also are dozens of official local user groups and hundreds of unofficial ones, thanks to Plone's ongoing support for 40 languages. Finally, the project has strong ties to the wider Python and JavaScript (including the jQuery JavaScript framework) communities because of its heavy reliance on these languages.

Other Features

The release of the latest version of Plone in 2010 provided a major reinvigoration for the project. While continuing to emphasize security and usability, Plone 4 delivered big improvements in raw speed and scalability. These features help Plone better respond to the needs of complex web site and web application users, the segment of the CMS market where Plone excels.

Real-World Implementations

Perhaps no better driver exists for the adoption of an emerging software solution than real-world examples of successful implementations for comparable requirements. Since its release almost a decade ago, Plone has been adopted by a number of high-profile public sector organizations. These implementations demonstrate its ability to meet even the most complex functional and security requirements. Plone also has been adopted by thousands of local and state governments, nonprofits, and other public sector organizations. These implementations illustrate how organizations big and small can leverage Plone to build attractive websites that meet a broad spectrum of user needs and security considerations.

Read more about real-world implementations including the Brazilian Government, Federal Bureau of Investigation, U.S. Department of Energy, European Environment Agency, United Nations and others, on

Michael Walsh is a well known writer and speaker on open source and proprietary software. In addition to working at Microsoft and in Open Source Communities, Michael previously served as a regular contributor to TechNet Magazine. Presently, Michael is completing Post-MA classwork at The Johns Hopkins University SAIS.


As far as Plone as a CMS is concerned, I have utmost respect for it, and I personally think it has already surpassed Joomla! as one of the "top 3".

But, with all due respect, I do not understand the purpose of this article. It would have made a lot more sense if the focus was on the case study instead of the product alone.

As the quoted note implies, the security graphic doesn't really hold much merit. Since WordPress powers about 10% of the web it's only natural that a much larger amount of vulnerabilities would be discovered, but they are also promptly fixed without fail. I believe a fair comparison would exhaust the scope of the average article, which is why an in-depth case study would be more appropriate.

While I'd agree with the above poster that something such as WordPress that's used for more simple web publishing needs (not as much for true 'CMS' requirements such as fine-grained permissions, workflow, audit trail, version comparisons and rollback, etc.) is likely to be a more frequent target of hacks, there are still some things about the way Plone is designed to build security in. I think this page covers many such details quite well:

I can also just mention that from experience, some of the federal agencies we work with that have strict security requirements have said that other CMS tools have not passed their Certification and Accreditation process, while Plone has quite easily.

Ken Wasetis
President & CMS Solution Architect
Contextual Corp.
twitter: ctxlken

Ken made a good point above, highlighting that WP is probably a target of attack as a result of its market share.

However, I think it's also important to further distinguish the technical ramifications of this obscurity, since anyone new to Plone, or CMS in general, may not know how drastically distinct the above four systems actually are.

Drupal, Joomla, and WordPress are vastly different systems to an end user, but to a developer who is initially configuring a system, they all work relatively well behind a standard (read: inexpensive) server stack consisting of the Apache 2 HTTP server, PHP, MySQL - and probably on Linux. Plone sits atop Zope and relies on Python.

To enhance the security through obscurity argument a little, review BuiltWith trends and W3Techs surveys, where you see that Apache and PHP hold substantial market share, and within that share, Drupal/Joomla/WordPress make up a substantial portion of the sites. Also notice that Python/Zope/Plone make no appearance.

This is not to imply anything about Plone/Zope as a solution. Rather, I mean to highlight that one cannot consider the security table as the sole decision maker, and that anyone unfamiliar with these systems must consider the less apparent cost distinctions that result from the different technologies and requirements.

The Zope/Plone stack is quality software, but it costs more to run and develop. The following is debatable, but I would also propose that it is much cheaper and easier to find talented PHP devs interested in supporting gov't projects, as compared to Python devs. However, the TCO investigation is a post of its own, with more to consider than I will investigate here.

So anyone who finds themselves here to investigate CMS and security should know that Plone is worth investigation, but that the mentioned systems for comparison are quite distinct beneath the surface - and these distinctions will have substantial ramifications on the project.

This article was written by Michael Walsh on and reposted with his permission.