Micro-core approach

Security is handled in different ways by different Open Source CMSes. The micro-core approach can be considered the least secure way to keep control of the code, because most functionality lives in extensions that the core vendor does not write or maintain. At the same time it can be the most secure, since you never have more functionality activated than necessary, and every function you do not enable is attack surface you do not expose.

Micro-core is widely used by small CMSes with limited core functionality as a way to grow their community and expand functionality through third parties. The best-known example is WordPress. We do not even consider WordPress a CMS in its own right, but it has thousands of extensions adding functionality to its minimal core.

Positive reflections about the micro-core approach

The micro-core keeps the Open Source CMS vendor's job of securing the main platform easier, because there is less code to audit and patch. Most evangelists for the micro-core approach also stress the importance of not activating functionality you do not need: every extra extension you enable adds code, and with it additional security issues, to your Open Source CMS.

Negative reflections about the micro-core approach

In the same way that the Open Source CMS vendor's job of securing the core becomes easier, the job of keeping track of the extensions gets harder. As a user of an Open Source CMS with a micro-core approach, you are forced to install extensions provided by the community, without any guarantee of quality, of security review, or of upgrades when a vulnerability is found.

Some Open Source CMS vendors have been trying to control the security profile of their extensions and modules by having security teams that scan the source code. However, these teams are missing the important step of contributing security advice on how modules and extensions are designed in the first place, so design-level flaws survive a scan that only looks for known bug patterns.

As John Viega writes in the article “Open Source Security: Still a Myth”:

“Most of these people who look for security problems will start by looking for the low-hanging fruit, focusing on the potential problems that could have monumental impact. In practice, this means that people tend to look for straightforward instances of common problems such as buffer overflows, format string problems, and SQL injection. Less sexy risks tend to get ignored completely.”

BuildCMS Crowdprojecting