I've used WordPress and Joomla to build a couple of small websites, and done some hacking about to get them running exactly as I want. But both of these, and probably many other PHP CMSs, are subject to a constant barrage of security fixes. I don't have the time to test the fixes, make sure my customizations are still working, and roll them out before anyone attacks the site, then do the same thing again a month later - I'll never get anything else done with that kind of overhead.

So my question is: Is there a (preferably PHP) content management system that somehow successfully avoids the constant barrage of security updates and resulting testing/sysadmin work? So I can just work on it when I have time, not keep racing to patch the latest attacks?

Bonus points for having a sane plugin model to make it easier to code against. More bonus points if it provides an easy method to import data from Joomla and/or WordPress.

Thanks

EDIT: As rightly pointed out, avoiding updates entirely is not a sensible goal. Rather, I want to minimize the pain of updates. So what I'm really looking for is:

  • Easy to adapt and theme in a way that is guaranteed not to break during updates
  • Simple update process
+1  A: 

I like CMS Made Simple, which is written in PHP.

Anders Westrup
why?
Colin Pickard
A: 

In terms of security, stability & flexible maintenance I suggest the Symfony framework (see: http://www.symfony-project.org/). It has a lot of plugins, support towards WordPress, Joomla and whatever you need. See also PHPcake at http://cakephp.org

DrFalk3n
He's asking about CMSs, not frameworks.
garrow
yes of course! but I just would like to suggest that maybe it is simpler to choose the right framework instead of looking for a good CMS. A good MVC based framework has its own CMS inside and maybe is tested, maintained, debugged by a larger community...
DrFalk3n
A: 

I really like ExpressionEngine, made by EllisLab; it's based on their open source framework CodeIgniter (which I think is one of the best PHP MVC frameworks).

There is a free version of ExpressionEngine for non-commercial use, which is all I've used, but the paid addons + modules look pretty slick.

As for actually really free, ModX is alright, but has a frankly weird plugin system. That said, I've built a couple of sites on it, and been happy with the results.

garrow
One of the last updates for CodeIgniter was necessary because of an eval() in the form validator, which could be exploited. Doesn't sound very secure to me.
stesch
Additionally, ExpressionEngine 1.x is not based on CodeIgniter, but on a ten year old pseudo php 4 style object oriented codebase. 2.x will be based on CodeIgniter
blockhead
+4  A: 

there is no cms (no software, for that matter) so secure you never have to update. developers make mistakes, and new exploits appear. so every cms should be "subject to a constant barrage of security fixes". if it is not, you should ask yourself about the security policy of the project and the security of your site. see The Open Security Model, Drupal and ExpressionEngine on Security for a related read.

so unless you don't care about the security of your site, you are asking the wrong question. i think it should actually be: is there a cms that is customizable without modifying core files so that security updates don't break my customizations? or: how can i customize a cms so that security updates don't break my customizations? security updates usually don't break an (even customized) site - unless the customizations are done the wrong way.

my answer to that new question would be Drupal (including bonus points).

ax
This is definitely the right for for Drupal, and CMS Made Simple as close second.
patricksweeney
I think you are quite right - I'm not trying to avoid updates, but rather to minimize the impact/workload. Drupal may well be the answer. I will update the question to clarify.
Colin Pickard
"Is there a cms that is customizable without modifying core files so that security updates don't break my customizations?" WordPress is really good at this...
yoavf
+2  A: 

The last versions of WordPress (2.7 branch) have auto update for core and plugins, making it really easy to upgrade when a fix is available. The API is also awesome - I've done quite a few WordPress based sites and rarely (if at all) needed to hack the core.

As long as you customize through plugins or themes, and use auto update when a new version is available, you shouldn't have any problem at all.

yoavf