I’m guessing this conversation crops up a lot when talking with potential clients – “why are you suggesting Kirby CMS, when I’ve heard of WordPress?”.
If we need to give six good reasons why the client should use Kirby, what are they? (This is obviously different from why a web designer would use Kirby.)
I’ve had a look around, and come up with the following pros for clients:
• Security. WordPress, being so popular, is targeted by hackers.
• Kirby can do most things without the need for plugins and having to keep them up-to-date and secure.
• The admin Panel is bespoke to them and their site and is intuitive to use.
• Their site is bespoke to them, unlike WordPress sites, which are often template-based.
• Speed. Kirby sites are fast to load, so good for visitors and SEO.
• Paid-for software is reassuring and has great support.
While this is true, that argument alone is probably not convincing. We care a lot about security, and Kirby has been professionally penetration tested by clients. When we learn about security issues, we fix them as fast as possible. See also Security Policy | Kirby CMS
Modern code base that doesn’t have to stick with support for outdated PHP versions.
Yikes, so I’d have to visit this GitHub page every two weeks just in case there is an update and if there is, update Kirby? That sounds very onerous. Could I just update Kirby if there is a security patch / fix? What do other developers do?
So we’re not notified by Kirby of a security fix?
Where do I download the latest version from? The GitHub page (I have no idea what GitHub is and I’ve never read a clear explanation of what it is), or the Kirby website?
So in practice I’d need to check every couple of weeks for security updates (because we don’t get notified of security updates)?
And we only need to update Kirby if and when there is a security update (the other updates we could choose to ignore as I don’t fancy having to update my Kirby websites every couple of weeks)?
You can subscribe to the releases.rss feed to get informed about new releases automatically. We also inform here, on Twitter, LinkedIn, Discord, Insta and Kosmos newsletter.
Do developers update their Kirby every couple of weeks? Or is it okay to only update when there is a security update? Or will that lead to problems? What do other developers do?
While I don’t know what the majority does, I do know that there are many installations out there that don’t get updated regularly or at all. Keep in mind that many projects are one-time developments with no maintenance contracts in place.
And regarding the security updates: Many of these incidents don’t affect all users. Like when you have only one admin who is also the owner of the site, then some security issues are not overly relevant.
I don’t think we had many hacked sites over the years and if there were some, they were usually due to user-inflicted stuff like using FTP and weak passwords. Or a WordPress installation in the same root folder that got hacked.
Having said that, it nevertheless makes sense to update the installation when your client pays for maintenance. It also makes it easier to keep track of necessary changes over time.
We have some sites that receive updates regularly, other sites are still on older versions.
Depends on the client, the website and the budget.
It might also depend on if and which plugins you use. Some of them might not be regularly updated and could break (but that’s a general problem, not only Kirby-related).
To be honest: I would rather have an outdated Kirby page than an outdated WordPress installation. That’s for sure.
I update Kirby as soon as an update/security patch becomes available.
However, compared with something like WordPress, security patches/updates for Kirby are fairly rare. I think the lack of a database makes Kirby inherently less vulnerable and much more stable.
We have plans to integrate an update check into the Panel. You will be able to configure it to just check for security updates. There won’t be automatic updates though, only a notification in the System view in the Panel.
Absolutely. If the site works as expected and is not affected by any bugs and if you don’t need any of the new features of the newer versions, you can certainly stay on older Kirby versions. For security releases (which we had a total of six of in the last 3.5 years!) it makes sense to at least check if your sites are affected. As Sonja wrote, many security fixes are only necessary in certain use cases/circumstances. We describe those in detail in the security advisories of our security releases. If you are not affected, you can safely skip these updates as well.