Your site audience is the life of your site, but you should not assume that everyone visiting your site does so with the best intentions.
ImpressCMS takes great care to provide you with functionality that will keep your site visitors and their data safe.
ImpressCMS has its very own hacker program on HackerOne, where you can participate in finding security issues and solving them in a well-organised and responsible manner. We don't believe in security by obscurity, so we encourage everyone to look at our code from different angles and try to make it do something it is not supposed to.
ImpressCMS uses a combination of the following techniques to make unauthorised access to information as hard as possible.
As a rule of thumb, you should not trust input coming from users on the web. When you have to accept user input, it should be sanitized. For that, we use the well-respected HTMLPurifier library to clean up input data before using it on the site.
Never place files with sensitive, security-related information, such as the passwords to your database, in a location that is potentially reachable from the internet. ImpressCMS places sensitive information on your server in a location that cannot be reached from the internet.
ImpressCMS takes password security seriously. Every user password is combined with a unique random value (a technique called 'salting') and is then hashed with a one-way function so that it cannot be reversed. If you give us a password, the system can verify that it is correct, but the password cannot be recovered from the hashed value in the database.
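The salt-and-hash scheme described above, as an added illustration in plain PHP (this is not ImpressCMS's own code, whose implementation is not shown on this page); it assumes PHP's built-in password_hash() and password_verify(), which generate a random salt per password and apply a slow one-way function:

```php
<?php
// Added example: per-password salting plus one-way hashing, and why the salt matters.
// Not ImpressCMS code; uses PHP's standard password_hash()/password_verify().

function storePassword(string $plain): string
{
    // password_hash() generates a fresh random salt and embeds it in the
    // returned string, so the same password never yields the same stored value twice.
    return password_hash($plain, PASSWORD_DEFAULT);
}

function checkPassword(string $plain, string $stored): bool
{
    // Re-hashes $plain with the salt embedded in $stored and compares the result;
    // the plaintext is never recovered from $stored.
    return password_verify($plain, $stored);
}

// Constructed sample: two users who happen to choose the same password.
$password = 'correct horse battery staple';
$alice = storePassword($password);
$bob   = storePassword($password);

// Different salts give different stored values, so a leaked hash for one account
// reveals nothing about which other accounts share the same password.
var_dump($alice !== $bob);

// Verification still succeeds for the right password and fails for a near miss.
var_dump(checkPassword($password, $alice));
var_dump(checkPassword($password . '!', $alice));

// For contrast, an unsalted fast hash (what NOT to do) is identical for every user
// with that password, so one precomputed table cracks all of them at once.
var_dump(md5($password) === md5($password));
```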
New users need email verification before they are activated on the site.
ImpressCMS works very well on an HTTPS (SSL/TLS) secured server; no special configuration is required.