Recommend secure blog software for a collaborative project?
June 8, 2007 7:48 AM   Subscribe

Can anyone recommend secure blog software for a collaborative project? I am setting up a web site for a task force to use, in order to post news and collaborate - just to converse with each other, basically. I want to use a blog for this purpose. But.. can I? More on requirements to follow..

It's not on an intranet unfortunately, the task force members live all over the country and need to collaborate online.
The site has to be entirely secure, password protected - no one should be able to view posts or comments. Security is very important!

I don't want to use forums as I think our users would find the interface unwieldy - not all of the users are tech savvy.

I adore Basecamp but it won't work for us in this case, sadly, it has something to do with the trust-level of the actual users who will need to be on "our own site" to have confidence to use it. No, I can't talk them out of this.

We can spend some money on this but there's not time to purchase and implement a full blown CMS solution (yet), though we are looking to do this toward the end of the year. So, bonus if this outputs data in a format we can easily migrate when we get around to it.

I need to set up about 5 separate blogs.

I wonder if Movable Type is a solution, if it can be made secure. We have a secure server but I don't know if I can install and run Movable Type on it - trying to read the documentation now but I'm not an expert here myself and having some trouble understanding what is possible.

Thanks very much in advance for any advice you can give!
posted by citron to Technology (18 answers total) 2 users marked this as a favorite
You're over-thinking this.

Setup something like Drupal and protect it via .htaccess and .htpasswd. Would take 20 minutes to set up, costs nothing, and can be deployed anywhere.
posted by unixrat at 7:54 AM on June 8, 2007

You could do this in Drupal even without htpasswd stuff. Set up a role that all your team members will be assigned, and then set up a blog (or several blogs, or a forum, or a wiki, or whatever) and make it so it can only be viewed by users with that role. This will be much more transparent to the rest of your team.
posted by adamrice at 8:05 AM on June 8, 2007

Or, might I suggest, a Wiki? A lot of small companies use Wikis to jot down notes quickly, and they're also pretty customizable.
posted by theiconoclast31 at 8:17 AM on June 8, 2007

The only problem with wikis is wiki code. I was going to use one in my company, but the thought of asking people to learn wiki code was painful. I guess if your users are "techies" then that might be a solution. If not, then it's probably a lot to ask of "normal" users.
posted by TheDonF at 9:02 AM on June 8, 2007

Just lending a nod to the Drupal suggestions. Very easy either way (securing via apache or within Drupal).
posted by hrbrmstr at 10:07 AM on June 8, 2007

Response by poster: Maybe over-thinking, but.. maybe not - a detail I left out of the original post is that we'll be looking for a full CMS solution to manage all the different websites we do, not just this one in particular. But we can't do it fast, and this site project I'm working on now has to happen before we can implement a real CMS to handle all our sites. Can I change the time lines on this situation? No, not really...

I'm really concerned about security issues using Drupal and in general there's an organizational bias here against open source solutions for many reasons, concerns about security, access to tech support. Not trying to shoot down ideas - it's just a very conservative organizational culture here (higher ed) and I don't have authority, and the group that wants to use the site has a very high degree of authority.

I thought of a Wiki but.. again, this is not a tech friendly user group who is used to working online.. it's more about them being able to have a conversation than to jot notes. Not an option for me to be able to ask them to learn any code, regrettably.
posted by citron at 10:10 AM on June 8, 2007

Response by poster: I don't feel comfortable with any of our team administering and maintaining Drupal.. there are only a couple of us and not one is a real expert in these matters, esp. patching security holes. I could set up whatever and cross my fingers and the odds are good we'll never have a problem, but I think I'd be doing a disservice to the organization if I took that path.

may have to bump the whole collaborative aspect of the site to late fall after we've found a real CMS..
posted by citron at 10:23 AM on June 8, 2007

yeah, i am thinking server side tiddly wiki, which requires no DB and using .htaccess takes about 21 seconds to setup and get running.
posted by chasles at 10:31 AM on June 8, 2007

If you wanted to be ultra secure, you would place the web server on an internal IP address behind a firewall, that is only accessible via VPN. Balancing security vs. usability is always the tradeoff, though.

If you use .htaccess protection (mentioned above) on the web server in combination with Drupal (or similar), you mitigate most Drupal security concerns, as you block all access to Drupal until somebody passes the htaccess phase of authentication.

You could always use Groove if you don't want to go open source. It is designed for collaboration amongst parties in multiple locations.
posted by stovenator at 10:31 AM on June 8, 2007

I have no idea how much flexibility you have at work, but you could just try installing Drupal (or whatever—I use and like Drupal, but there are other equivalent options) on a company machine or a hosted account that you control--hosted accounts often offer Drupal and many other open-source packages as a one-click install. You could get something basic but usable going within a couple hours, probably less.

Get it configured the way that makes sense for your situation and tell the involved parties "Look, I set this up, try it out, see how you like it." Maybe they'll see "yes, that's it, let's just use this," maybe they'll say "thanks, but can we do XYZ?" maybe they'll say "I don't like the looks of those teenagers." They probably won't say "pack your things, you're out of a job."

Getting something up and running would be useful if for no other reason than to give them something to criticize, so they can be more specific about what they do want.
posted by adamrice at 11:04 AM on June 8, 2007

no one should be able to view posts or comments.

I assume you mean no one from the public, yes? Just the members posting should be able to view the blog, right? Do they people posting need restrictions, based on who they are?

ExpressionEngine is a security conscious (link to a blog entry from one of their developers about security) CMS. They have a free, light version (see the ExpressionEngine Core link on the homepage), which can be easily upgraded to the full version at anytime.
posted by Brandon Blatcher at 11:07 AM on June 8, 2007

Response by poster: Thanks much for the suggestions! Looking into these esp. the last two.

No one from the public, yes, that's what I meant. Just the members should be able to view. No posting restrictions required once they've logged in.

FWIW I would have to do something unimaginably heinous and/or illegal to be out of a job here, because it's near impossible to fire people and hard to hire new good people, the salary is not really competitive, so what happens is you get people like myself who have not really a sufficient level of knowledge handed projects like setting up this web space.. I mean, I could ax the collaborative feature entirely and focus on other stuff they want that's very do-able, but for now I like the challenge. That said when something goes wrong one never looks forward to the stress of higher-ups making angry phone calls and being at the epicenter of the drama of the month.
posted by citron at 11:18 AM on June 8, 2007

If you can't advocate an open source solution, you're probably going to want to go with Microsoft's SitePoint. This may require money, however, depending on what servers you're running right now.
posted by rhizome at 11:44 AM on June 8, 2007

er, SharePoint
posted by rhizome at 11:44 AM on June 8, 2007

Second ExpressionEngine.
posted by kirkaracha at 4:14 PM on June 8, 2007

You mentioned Movable Type - what about just plain old Typepad? For $150-ish for a year, you can set up however many blogs you want from your base URL. All of them can be fully password protected and hidden from web indexers, if that's what you need. And, it's hosted, so you don't have to install anything. Typepad is simple to use, if you can use Word, you can post on Typepad.

You (or someone) would be the owner, and invite the other collaborators to write for each blog as a guest author.

This is exactly how I administer our library's blogs. We have 40+ running off a hosted instance, with various levels of security and obfuscation. Email's in my profile if you have more questions.
posted by donnagirl at 4:29 PM on June 8, 2007

I tried a bunch of different online collaborative programs recently to find one for my group, and the one we're using now is

It's definitely overkill for us now (less than 10 users with 6 workspaces) but we anticipate adding a lot more people over the next year, and the varying levels of access were critical.

Price-wise it's okay, and we're going to ask for the non-profit discount which makes it more than worth it.

We were basically sending emails around with a shared calendar, but discussions were getting lost in inboxes and documents associated with a single project were difficult to track. Plus assigning tasks became a giant muddled to-do list.

Another plus was that the learning curve is steep but *short*. Our team is in Singapore, Cambodia and a couple of other countries. The Cambodia staff have basic web skills, but this was their first collaboration/wiki/blog type thing. I sat down one morning and in two hours, they were up and running.

And if this helps - I picked a tiny little project we were working on, and wrote up tasks, appointments, discussions etc. across four or five trial sites I'd shortlisted, then tried them for a couple of days, dropping the unwieldy ones until I only had centraldesktop left. Then I started seriously transferring all our email/paper documentation over.
posted by viggorlijah at 4:43 AM on June 9, 2007

The "htaccess" that several people above have mentioned is a security access restriction at the web server level. It has nothing to do with which CMS you're using, you'd essentially be blocking out anyone that doesn't the appropriate password from even accessing the site. So you don't really have to worry about security holes or patching the CMS, as long as someone is maintaining the web server you'll be fine.

Personally, if you're just looking to set up blogs, I recommend WordPress.
posted by exhilaration at 3:55 PM on June 9, 2007

« Older SOP for banks, guards, and guns.   |   Why is recombinant EPO differently charged? Newer »
This thread is closed to new comments.