
Is this still up?! Now that's embarrassing.



It was still up for me.

Step 1) Don't use a CMS for your web site. Step 2) see step 1.


C'mon, seriously?

We've had , HB Gary, Sony, and a couple of others get hacked by SQL injection or poorly configured web-facing CMS systems.

Is it really that hard to figure out that if you're a target that is a stupid way to do things?

Put your CMS inside your firewall and "publish" it by generating a copy of your website as write only output.

It's not up to me of course. Sure, put your open FTP server up there, maybe turn on anonymous access. It's like leaving the keys in your car in the long-term parking lot: sure, it's convenient when you get back from your trip, but are you really surprised when your car is stolen? Really?

In this day of drive-by malware injection by JPG or Flash zero-day vulnerabilities, every single web site in the frickin' universe is fair game to get 0wned. Used to be if you ran some off-the-beaten-path blog or enthusiast site it was pretty much too small to worry about. Not any more. Put up a machine with a web server and watch them come at you: Brazil, Argentina, the Ukraine. Blam, blam, blam, test after test. IIS exploits? Apache exploits? Got a CGI in there? Can you do local page execution? All your .htaccess files correct? Odd UIDs have logins?

I believe that there are better (and by that I mean less prone to being compromised) ways to manage the content on a web site of the OP's caliber than connecting it to a database.

Maybe I should sponsor a CMS version of the Pwn2Own contest.


Uh, yeah. Every time we want a new website we should absolutely hand-code every user login system, online calendar, forum, feed parser, 3rd party integration, content templating system.....

Contemplate all possible interpretations of "technical debt" until enlightenment is achieved.


Or if you do (in this case Drupal), maybe you should apply the security patches.



