By Wyatt Barnett

I’ve Never Met a Boxed CMS I Like

By Wyatt Barnett

Ok, peeps, time for a short break from the Sql Server kick I have been on of late. Currently, I am helping one of our daughter organizations launch their new website. A website built on rather well-designed, mature open-source CMS. And they hate significant bits of it with a passion, while not even touching many features because they are totally unnecessary in their application. Never mind the interesting set of teething issues that cropped up when the developers merged in changes from the trunk of the project over their own customizations. Their ordeal has reminded me of one thing I figured out several years back: boxed CMS applications are nightmares best side-stepped rather than embraced.

First, let me define “boxed CMS” for clarity’s sake. It is a fully-functional, feature-rich Content Management System in a box—which might be a zip file you downloaded off sourceforge. Generally featuring such things as menuing, articles, members areas, security system, RSS feeds, image galleries and forums. 95% of the time, one just need upload the files to the server, run a database script, and add content to get a fully-functioning website. The actual source—a licensed commercial application or a downloaded open-source application is immaterial. In any case, it probably has a half-dozen more features than you need.

Now, you are probably saying “Whoa, Wyatt! Why the hell would I want to build all that plumbing when I can just download it and install it and futz with some configuration settings and templates?”—a very reasonable question, deserving some very reasonable answers.

The first issue is that the very nature of a CMS is not easily boxable, without creating an application that tries to do everything for everyone and fails at doing most things particularly well. The tasks required for content management are generic, but every organization has a far different focus when it comes to how that content should be managed and how it thinks about that content. I have lost days of meetings trying to help subject matter experts understand that an article, according to this system, is really a page. Trying to make a generic application to handle this for all comers is a very, very tricky prospect.

So, the net result is that I have yet to see an end-user actually like working with an off-the-shelf/sourceforge CMS. One is invariably implementing more than a few workarounds to make, say, a blog posting system work as an article posting system. Or using a banner ad management system to handle side-bar content. Nearly invariably, one must make a compromise between good information architecture and the way the system wants to handle things. And compromising your information architecture is never, ever a good thing.

The other major issue is that I have never seen a “boxed CMS” in a production implementation limited to changing configuration settings and/or templates. There is always some, or many, requirements which pushes serious code extension and/or modification. And once you get committed to serious modifications of the system, you get into the real nightmares.

First, messing with core components can easily break other things in the CMS itself as one delves into unknown territory. But these coding issues are surmountable in most cases. It is pretty similar to most experiences diving into someone else’s codebase—rarely fun but usually workable. Unfortunately, that is not quite the end of it.

For me, the scariest part is, after one has significantly modified this application (proverbial square peg) to fit the requirements (proverbial round hole), you have a strange hybrid application. Largely legacy code, with some mission-critical custom bits. Because those custom bits are living within the legacy system, they have significant dependencies on said system. And then the controlling party of your boxed CMS —be it a vendor or the open source project—releases an update. And, more often than not, this update breaks your changes, rendering your implementation of the application useless.

Exacerbating this nightmare, for those of us responsible for the security of the boxes we control, is the fact that many of these updates contain critical security patches, often with exploits in the wild. Meaning that your customized version of this boxed CMS is now a significant security risk to the organization because you have broken the update cycle in order to fit the requirements of the application. Which is a tricky spot to be in. You are now forced to either break your website, do a rushed patch job to make your changes compatible with the new regime, or just blithely hope no one notices the security hole.

My net life lesson, after having dealt with my fair share of boxed CMS implementations, is to avoid them—unless you are clear that you will, in fact, stay within the box.

  • Interesting read. I’ve at times felt bad because I didn’t know a lot about boxed CMSs, and felt somewhat guilty when reinventing wheels. Maybe I find programming more enjoyable than reading documentation; and learning a boxed solution can be quite time consuming. There is also the risk that having investing time testing and using a CMS that it is wrong for the purpose. Custom solutions, while more time consuming don’t really carry that risk.

    If requirements for a project mean that one can’t stay within the box is the alternative to use as much pre-written modular code to quickly build a custom solution?

  • Milt

    Thanks Wyatt, I enjoyed your article. I, too, have experienced the same issues and have resorted to a slightly different approach that allows me to fully control the design and layout of the site while providing CMS capabilities to the client.

    I use several open source solutions to manage the content, but write my own custom code to retrieve and insert the content into the site. I do this because the templates and design control give me the most trouble. True, I have to manage the menu and navigation outside the CMS, but it works pretty well.

    For example, a home page may contain 4 content areas. The way I implement control of these areas within the CMS is usually by create a home page (in the CMS) with 3 submenus. The home page would contain all of the main body text and each of the submenu pages would represent the other 3 content areas. All I have to do within the actual home page is retrieve the content stored by the CMS. I usually create a xref to map the page components to the SQL needed to retrieve the content.

    It may not be a suitable approach for everyone, but it works well for me. Heck, I once used OSCommerce as a CMS for a complete site, all external to OSC.


  • I’ve been using a Boxed CMS Solution now for a number of years for my web-app development and WebSite solution. It has a very extensive API which allows me to develop the client web-apps or custom CMS solution and not have to re-create the many common web-app components required like:
    – Secure authentication and role based access model
    – Template and layout management
    – Common functions for filtering out hostile data
    – Hooks to link into common admin interface, Moderation
    – Hooks to generate RSS feed, Menuing
    Ability to install many other proven apps or components

    I agree that one needs to spend time with a framework to understand it’s uniqueness and ways of doing things. My experience has been that it’s better to not have to keep rebuiding if you can have a core proven boxed solution that you can extend.

  • LinhGB

    100% agreed, Wyatt. When it comes to web content management products, I differentiate between content management systems (CMS) and content management frameworks (CMF). Most products on the market are boxed CMSes and often require hacks to fully implement the requirements. I’ve only found one that is a true CMF – ezPublish – and I’ve been using it for years. Never had the need to mess with core components and I’ve always been able to keep the engine updated and patched without much effort.

    What I like best about it is what most people (who don’t get it) hate: there’s too much work to be done out of the box to get it to do what’s required. Out of the box, it is ugly, plain, seemingly lacks “boxed” functionalities, but the fact that it is so makes the developers think clearer about what they really need to do instead of just using the defaults because they look cool or are good enough. After all, content management is not that easy!

  • I kept waiting for the…. “and then I found MODx”… but it didn’t come, so here it is “and then I found MODx!”

    Part CMS, part CMF… still in the very young stages, but I must say since I discovered MODx a month or so ago, and it has had a dramatic impact. I think what made me sit up and take notice right away was the ability to drop in any existing site design, and then pull various functionality into that design… unlike the typical skinning and templating, which seems more like stretching a trash bag over an SUV.

    But as a non-programmer, having easily customizable functionality within reach brings a missing element to the table that has been long overdue.

    Admittedly, my experience in CMS land has been barely as a tourist. My only real previous experience was working with Drupal, which I am still very impressed with… but talk about learning curve. Then I took a site that was about to launch that I created for Drupal over the previous month or two (granted first time and lots of learning) and remade it in MODx in a matter of about a week (again, first time and lots of learning).

    MODx still has growing to do, but may well be worth a look for anyone wanting more control with the box.

  • Biggus Dickus

    I agree with your point of view Wyatt.
    My experience is also that clients get overwhelmed by the amount of features of boxed CMS’s. Imagine selling a keyboard with all possible letters and signs (including chinese, arabian, …) to a newbie (which most of my clients are when it comes down to website management) and have a look at his expression when confronted with it… Ok, it is very complete and universal, but it scares people of to work with it or try to understand it.
    I’m a web developer and not a helpdesk so I don’t want to answer calls all day because clients got stuck again in their CMS. And many times you have to explain over and over again because they don’t work regularly enough with the system so they forget again.

    Through the years I build a sort of modular system myself which allows me to set up a customized CMS in a short time. It works very intuitively (in contrast to many boxed CMS’s) and contains only the elements the website really needs. And I also prefer my source code not being available to the whole world.
    Must say though that MODx sounds very promising from what I’ve read about it so far so I’m definitely going to give it a try soon. And based on the Prototype library, it seems very user-friendly.

  • LC

    ModX is a complete winner in my view. I loved it so much and it made my life so much easier i even chose to change servers completely and take the risk of losing all my members by changing to a new cms. If your a web designer i believe you will love the ease of adding snippits of code which then are never broken by the updates done to the framework. Two thumbs up to ModX. You might ask why i changed servers, there were issues with php.ini settings that i could not change on my previous server, and file permissions need to be set to make full use of the cms, i didnt have that luxury with my previous server.

  • drakke

    Which closed-source CMS’s have you tried – Documentum, RedDot, Vignette, Interwoven? Which OS systems have you tried?

    You really should not be using the same cms for every project. Before each you should perform an analysis for the best suited cms. Then match the IA with the cms capabilities.

    If you see any comparison of cms’s you will see each has its own strengths and weaknesses. And each project has its own requirements as well.

    You can either hack the same cms for each project or use a different cms and work within its framework. I think the latter is faster.

  • dev_cw

    I agree with Wyatt. I have started to use a few CMS solutions in the past (a feeble attempt to make things easier) but quickly found that they are just too much for my clients to deal with and take way to much time to learn to work with. This has led me to give up on using a ‘boxed’ solution. In reality most of my clients only need article/page editing they do not need to change the navigation, templates, etc… I like the idea that was mentioned about only using the CMS as an engine and then retrieving the data straight from the DB.

    MODx looks interesting, I will give a try over the weekend to see what it is all about.

  • I’m a firm believer in the bespoke CMS. I start with a base core, upon which I can build modules, and then build it all based upon my clients requirements.

  • Anonymous

    Did anyone else notice this post is next to sitepoint’s sponsor cms400?


  • The ads rotate. I’m looking at one for Web CEO.

  • Anonymous

    Currently, I am helping one of our daughter organizations launch their new website. A website built on rather well-designed, mature open-source CMS. And they hate significant bits of it with a passion, while not even touching many features because they are totally unnecessary in their application.

    Are you talking about DotNetNuke? ;)

    I’m going through the same thing, and I feel your pain!

  • The Web Guru

    I have found that out of the box solutions to be a nightmare to work with. There are the endless patches and administration areas designed by the developer for the developer rather than for the end user (not to mention the generally poor level of code commenting and naming standards).

    Simplicity is the key to these things – something that is sadly lacking in most cases. The end user wants to make changes to their sites quickly and easily and not have to figure out some overly elaborate administration area.

  • julz

    Something I’ve been thinking about too.
    Perhaps using CVS will help integrate the customization to the code with the updates.

    This isn’t a full solution, but it might be a start.

  • wwb_99


    We are a .NET shop, and ASP.NET 2.0 gives you most of your bullet points out of the box and provides a clear update path. So we have not had the need for a basic framework to even handle those tasks.


    Good point. I tend to prefer to go a level deeper–I use alot of 3rd party libraries and components to handle specific functions. This has worked out beatifully under most circiumstances–saving significant coding effort while also keeping things nice and sane and flexible.


    Principal closed-source experiences have been with Sharepoint (never try that at home) and MS CMS server. MS CMS is much more CMF-like, but it still has alot of fundamental issues.


    Fortunately it is not .NET nuke.


    We do have source control in place. That helps keep you organized, but hardly helps with the problems above.

  • Jay

    You use .NET dude, what do you expect from open source? Maybe try using a popular scripting language such as PHP or Perl. No one gives a crap about .NET hence the lack of CMS’s/CMF’s available for you. Oh, and if you like complaining so much stop wasting time posting on this blog and build your own.

  • drakke

    There is a very promising ASP.NET cms called Umbraco that is looking pretty interesting.

    The .NET framework has a lot going for it as it seems you can use over 40 different languages and any control that is compatible with .NET.

    Umbraco is thought of as a free version of Sitecore by people who have been promoting Sitecore.

  • wwb_99

    @Jay: do you even have any idea of the open-source projects avaliable from .NET land? There are some very good blogging packages–SubTEXT for example. Nevermind the plethora of developer oriented tools–NUnit, NHibernate or the MS Enterprise Library to name a few. I would also note I have not found much reason to buy into store-bought CMSs either.

    And, yes, these days we have gone completely .NET. But I spent a few years building PHP applications, so I am not unaware of the other side of the fence. I just happen to like strongly typed and compiled languages for various reasons.

    @drakke: I have heard decent things about Umbraco, though I suspect it still falls into the typical boxed CMS traps.

  • drakke

    Here is a related thread from webmasterworld.

  • Anonymous

    I’ve worked with a team that have designed, built and implemented box CMS products for about 8 years. We regularly experience expectation gap, requirements mismatch as well as the unfortunate half baked add ins “quick, we need a blog module”. The key to success is continous improvement. Listen to your customers and grow.

  • micreate

    probably has a half-dozen more features than you need.

    I agree with many of the problems with a boxed CMS, but I think the modular approach of Drupal helps deal with this issue.

    And then the controlling party of your boxed CMS —be it a vendor or the open source project—releases an update. And, more often than not, this update breaks your changes, rendering your implementation of the application useless.

    It helps to use version control e.g. subversion.

    For sites that need limited content management I have been using CakePHP.

  • lukemeister

    Great article. I’ve found (I’m a programmer at the core) that my own homebrew system is consistently by best ally. I could see how non-programmers would need a nice framework kit to play off, but my opinion is that if you are going to run cm’s, understand the available 3rd party systems and use the strengths to your advatage, or just hire a programmer to do what you need. It’s amazing what a computer science major can come up with, for any platform, if you convey your ideas correctly. If you can code, even fairly well, build your own system. It’ll more specifically do what you need, and you’ll gain invaluable experience to make yourself more marketable.

  • arlandean

    Wow! I thought it was just me. All these years suffering in silence and shame because I always thought I should be doing a better job of using boxed CMS apps.

    Where was this post when I had to coax a client off the roof because I told them “Hey, once we get this up and running you can add content yourself!”? Where was this post when I joined the client up there on the roof?

  • Skweekah

    When it comes down to it, most people who dont want to spend thousands of dollars to a developer for a custom application to be built should be damn happy with what is out there. Some of these CMS programs are unweildy but with a bit of time and patience, a site admin should get used to it soon enough.

    Take any application. I use Word but probably have never used it for more than typing out my resume. Someone else, on the other hand, has probably developed wizz-bang apps, using macros and VB, to develop cross-office suite masterpieces (who knows? Maybe even a CMS!). My point being, just because the functionality is there doesnt mean that it has to be used. Just work with what you feel you need to best manage your site.

  • anetus

    I’m surprised nobody mentioned Joomla! CMS. It’s LAMP based, with plenty of features “out of the box”. Sure, it does not contain some of author’s required features, as a forum, but it has over a 1000 extensions available to install. (OK that would be 2 boxes ;) )
    Still, it may be too complicated for average client. Then maybe sNews.

  • Brade

    I’m pretty sure Joomla is one of the worst culprits of them all, with its vast array of unnecessary features and completely absurd admin panel. That might be why no one’s mentioned it yet.

  • Ian Symonds

    I have a preference for the boxed CMS – but you do have to be aware of the advantages and drawbacks.

    The advantages can be summed in that there’s already been a significant amout of design, planning and programming gone into them. You’re getting the benefit of lots of experience and feedback already. Many things that go to make up a CMS are already there. Templating, workflow, rollback, integrated security, and a simple edit interface are taken for granted when choosing an out of the box system.

    You have to be sure you’re choosing the right CMS. More specificially, the right size CMS. You’ll usually have to accept, that without modification, there can be differences between requirements and expectations (for instance the way security, groups and workflow are managed).

    A bespoke system will have greatly reduced functionality it all has to be written. It will take more specialised local knowledge. If the guy who designed and implemented it walks out the door, that knowledge is going to be hard to replace.
    Evolutionary growth can be a problem too – without careful planning, a bespoke system which keeps getting modifed and extended can exceed its original architecture.

  • jscheel

    I implemented Joomla for one of my biggest sites, and it’s been downhill ever since then. Boxed cms solutions never seem to work. The rest of my sites will be moving over to a custom solution I have built with CakePHP. A solution that I can change for each site fairly easily.

    That said, I’d like to take a look at EZpublish, but it still doesn’t support php 5. I think it’s time everything supported php 5, as it has been out for 2.5 years.

  • gregd

    Anyone familiar with web programming should be able to build the nuts and bolts of a CMS in a matter of days. The flexibility of your CMS is going to depend almost entirely on how you plan it out and build it.

    When I first started working for my current employer, I took a look at their CMS. Clunky, quirky, but works like a charm for what they do (they’re a magazine publishing company with over 200K hits a day). Too many CMS developers out there think that their CMS has to look cutting edge to be respectable. If you’re AJAXing up your CMS, or creating a bunch of cute little icons to dress them up, then you’re probably forgetting the real reason that it’s there in the first place.

    I’ve added newsletter administration, added a WYSIWYG editor to speed up the conversion of magazine articles to web based articles, created workflows to streamline the process of pushing out the content of our shopper magazines to the web, and added many other features that we actually use. I don’t know how hard it is to add a Google Maps interface to a boxed CMS, but it took about an hour to write one and roll it out on the one we use.

  • revive

    Although I value your perspective and see it’s application in some instances, I think that a bespoke CMS or application for a client solution is not the best for most clients. Why you ask? Well, for starters lets think of the resources we can offer to our own developments,.. and how many of those we do a week, month, year.. now, how can one stay atop all the security ‘alerts’ alone that may be made aware after all your hard work to find and fix them in the first place?? Answer: You can’t. The resources of the Open Source community, or a commercial app., far exceed the resources that we can offer our own apps… in most cases. I do agree that they have their place, but it is by far the minority. Another aspect is your clients future. What happens if, for whatever reason, they discontinue your services for those of another programmer? Now, they felt as if you ‘stuck’ them with some ‘custom’ (that means hodge-podge in their eyes) solution that a new programmer will not easily know where to pick up, where you left off. Not so with most ‘boxed-CMS’s’.
    No, I dodn’t ‘find’ Modx… like the poster above,.. but we have used many, many boxed-CMS’s (inlcuding Drupal, Mambo, Joomla, MODx, WordPress (not truly a CMS in our eyes, WebsiteBaker, CMSMadeSimple, RoR CMS’s, etc. etc. etc.) and have chosen Joomla! for the majority of our developments,. as it provides most of the features our clients desire, and those it doesn’t can be added via extensions or developed quickly via the robust API.

    Thank you for the article, it was a great read and shows your passion for your work… there is nothing that can beat that!
    Keep up the great work.

Get the latest in Front-end, once a week, for free.