Plone is one of the most secure Content Management Systems (CMSs) on the market. It is open source; it has been around for 20 years; and, knock on wood, it has never had a zero-day exploit. As a result, security is one of Plone's primary selling points, and it’s why many government and security entities choose to operate their websites using Plone.
Plone is written in and runs on Python. The Python language is very secure and well maintained, but Plone takes it one step further by implementing RestrictedPython. For extra security, RestrictedPython lets you define a subset of the Python language and disable the Python features you are not using, so that they cannot be used to attack the system.
Zope is a free and open source web application server. The Zope Object Database is the object-oriented database where the data from a Plone site is stored. It is not SQL: data is stored as Python objects. Storing data as Python objects allows security measures to be applied at the object level, which cannot be done with plain text. The Zope Object Database also features a hierarchical model in which objects inherit their parents' security policies.
Every Plone site comes with a set of default roles. Each user can be given a number of roles, and each role can be given certain permissions. Giving some users view-only access, others edit access and some admin access allows websites to have fine-tuned security policies. While admins can create new roles, it's best to keep it simple with clearly defined rules. Never grant every user admin access, as your site will be more at risk of tampering.
Website admins can assign roles either per user or to groups of users. Permissions exist at both the global and the local level, where you can be as granular as a single content item.
Workflows in Plone are a way to control access to content as a function of time. To visualize workflows, think about a blog post that can be saved online in 3 different states:
Websites can further refine permissions by specifying which users are allowed to transition items forward and backward. Every workflow state change, or transition, is tracked automatically, so admins can easily see what each user did and when each edit took place.
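A toy model of the access-control ideas above (roles acquired down the content tree, a permission-to-role map per workflow state, guarded transitions and an automatic history), added here as an illustration and not Plone's or Zope's own code; the state, role, permission and transition names are assumptions, not Plone's default workflow:

```python
from dataclasses import dataclass, field

# Constructed example policy: for each workflow state, which roles hold which
# permission. State, role and permission names are assumptions for this toy.
WORKFLOW = {
    "private": {"View": {"Owner", "Manager"}, "Modify": {"Owner", "Manager"}},
    "pending": {"View": {"Owner", "Reviewer", "Manager"}, "Modify": {"Reviewer", "Manager"}},
    "published": {"View": {"Anonymous", "Owner", "Reviewer", "Manager"}, "Modify": {"Manager"}},
}
# (current state, transition name) -> (new state, roles allowed to fire it)
TRANSITIONS = {
    ("private", "submit"): ("pending", {"Owner", "Manager"}),
    ("pending", "publish"): ("published", {"Reviewer", "Manager"}),
    ("pending", "reject"): ("private", {"Reviewer", "Manager"}),
    ("published", "retract"): ("private", {"Owner", "Manager"}),
}

@dataclass
class Item:
    """A content object in the site tree; local roles are acquired from parents."""
    name: str
    parent: "Item | None" = None
    state: str = "private"
    local_roles: dict = field(default_factory=dict)   # user -> set of roles
    history: list = field(default_factory=list)       # automatic audit trail

def roles_for(user, item, global_roles):
    """Global roles plus local roles collected while walking up to the site root.
    user=None is an anonymous visitor, who only ever holds the 'Anonymous' role."""
    if user is None:
        return {"Anonymous"}
    roles = set(global_roles.get(user, ()))
    node = item
    while node is not None:
        roles |= node.local_roles.get(user, set())
        node = node.parent
    return roles

def allowed(user, item, permission, global_roles):
    """Permission check: the state's role map intersected with the user's roles."""
    return bool(roles_for(user, item, global_roles) & WORKFLOW[item.state][permission])

def transition(user, item, name, global_roles):
    """Fire a transition only if its guard admits the user; record who did what."""
    new_state, guard = TRANSITIONS[(item.state, name)]
    if not roles_for(user, item, global_roles) & guard:
        raise PermissionError(f"{user} may not {name!r} {item.name}")
    item.history.append((user, name, item.state, new_state))
    item.state = new_state
```

A reviewer role granted once on the blog folder is acquired by every post beneath it, while the post's owner keeps Modify only in the states whose map names Owner.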
Any open source system that allows users on the internet to insert their own HTML needs to implement strict filters that stop users from entering code that could be malicious and compromise the integrity of a site. Plone has a number of built-in HTML filters that err on the side of caution. Users can enable additional HTML tags, but should be mindful of the ways those tags might put a website at risk. Furthermore, plone.protect helps protect Plone by restricting the kinds of HTTP calls the system can make. This protects websites against Cross-Site Request Forgery and clickjacking.
In terms of security in the world of CMSs, Plone has been tested by fire many a time and remains undefeated. Plone comes with a robust set of out-of-the-box security policies and encourages best practices while allowing users and administrators the flexibility they need. Plus, the CMS has security both at the web interface and deep in the backend of a site, at the database and code-execution levels.
For more information, watch my 2020 Python Web Conference presentation, “Permissions and Security in Plone,” now.