Need a simple CMS. Should I customise an existing CMS or build from scratch?

I’m building a VERY simple web hosting service that will cater to the ma and pa type small business.

Now my dilemma is whether I should built it from scratch or use an existing CMS. The CMS needs to be customisable, as I wish to build my own client. I only want the user to have to put a title and content. Everything else will be hidden from the end user.

Later on I want to be able to associate my own custom built web applications to a given page, so the CMS needs to be able to cater for that.

The other requirement is that it needs to be Java based (Groovy acceptable).

Any ideas?


Even a “simple” CMS is a fairly complicated application once you start doing things like user authentication, security, scalability, etc. There are many many things you can get wrong. The major CMSes out there suffer from lots of maintenance problems and security bugs and there are a fair number of talented people working on them. If you think your CMS will be different, I suggest that it will not be. You will need to update and maintain it constantly. If you use an off-the-shelf solution you should be able to benefit from the work those other developers are doing. If you want to write your own code, consider customizing an off-the-shelf CMS or contributing new features or bug fixes.

Own CMS:

  • Total control over the features
  • Low cost
  • Easy for you to understand
  • Only you understand it and can fix it
  • No bug fixes from other developers

Off-the-shelf CMS:

  • You can simply install it, then concentrate on adding value
  • Steeper learning curve
  • Lots of hosted solutions and online help
  • Lots of people can admin it if you’re not around
  • Bug fixes and security updates are released by the vendor
  • More limited in terms of customization, etc
  • Someone needs to keep on top of the updates and install them, or else the customer might be victim to a worm such as the WordPress worms. With your own CMS it’s less likely that someone will create a worm just for you. (But your customers are still at risk of other security problems).

Consider the typical security issues that face every website faces: XSS, CSRF, SQL Injection, configuration errors, loose security, session hijacking, parameter validation errors, race conditions, etc. You need to handle all those cases, but the CMS vendors are already doing that for you.

As for your Java requirement, the Resin web server ships with a PHP interpreter which might allow you to deploy a PHP app in Java should you choose a PHP CMS. It should also be possible to port the PHP engine to another servlet container in a few hours (I think it’s GPL).

Leave a Reply

Your email address will not be published. Required fields are marked *