Welcome to the Geeks & God Static Archive.

CMS vs. ChMS



Church Management Systems, also known as ChMS, are used daily by thousands of church leaders all over the world. They help churches organize the information floating around their churches and manage the activities that can quickly clutter your brain. But what happens when churches want to tie their Church Management Systems in with the Content Management Systems that run their websites? Or when a church is curious about building a Church Management System with a Content Management System? This week we dive into the difference between a ChMS and a CMS, why and how those differences are important, and speculate on the direction these two types of setup are going.

Before we dive into that, there's a load of great listener feedback with some ideas and testimony about how a church can get free web hosting. That's right, I said free. So come join us for another episode of Geeks and God and you just might save your church a bunch of money on your web hosting.

Picking Rob's Brain

Not sure which was the more disturbing part, the thought of picking Rob's brain in general, or the mental image of doing it the way Sylar picked Claire's brain in the Heroes Season 3 opener. (Yeah, yeah, I know you're not a fan.)

As far as ChMS charging more for API access, that's fairly standard as far as Enterprise Resource Planning systems go, especially in the academic and business worlds. There's no reason for church systems to be any different in this regard. API and developer toolkit access usually entail more support issues for the vendor, and charging more for additional functionality is pretty normal for these types of business systems.

I think if anyone was to write a CMS module for interfacing ChMS data, it should be done in two parts. The first part would be the front-end functionality side - what do you want to do in the CMS with this data. The second part would be the interface to the ChMS API interface. This should be generic enough that other front-end modules could use it, while the front-end module could ultimately be designed to interface with different back-end connector modules.

That being said, I'm growing increasingly skeptical that this integration is needed. You shot some pretty big holes in some common reasons for doing this.

I guess one thing I'd ask is whether or not some of these ChMS systems allow for any congregation member to log in and view and alter some of their personal data, like giving history or something. In that case, then the biggest integration would be in the area of Single Sign-On. But in that case, all that would be needed is for the ChMS to act as an LDAP authentication server. That could be useful.

Another good integration point for CMS would be for services like Planning Center Online, which is becoming popular for worship service planning in churches. Again, SSO would be a benefit, as would the ability to see a PCO "my calendar" badge when logged into the church community website. (PCO provides iCal feeds, so there's a start for that idea...)


DreamHost and free non-profit hosting for Churches

On the show, you talked about how DreamHost gives free sites to non-profits. All that was needed was a 501(c)(3) letter. Even in DreamHost's WIKI it mentioned a 501(c)(3) declaration letter was needed.

I doubt many people are aware but churches don't need to have a 501(c)(3) in order to be exempted from federal income tax; they are tax exempted by definition in the Tax Code.

In most cases if the church needs to show something tangible, they would provide a state sales tax exemption number (which they could only get because the state is convinced that they are a legitimate 501(c)(3)), and a copy of the church's Articles of Incorporation.

I talked to Mike G on the DreamHost Sales Team this morning. He is at sales@dreamhost.com. His reply to me was, "Churches actually can apply for it just send us those papers and that is good enough."

Thanks for the info. Will the plan handle a busy Drupal site

I wonder what level of hosting this is since Dreamhost went to a one plan a la carte system. This used to be advertised as having a free SSL and unique IP etc.

I have been with Dreamhost for years hosting quite a few static sites and a couple of dynamic image galleries. Overall I have been pretty happy with them. They have tons of options, instant installs and good customizability. For the price, down time was acceptable.

I wonder what level of hosting this free account is. Will it handle a busy Drupal Community site? Is there a method to load test a Drupal site on a web host?

I plan on getting a Media Temple VPS account for my next mid-sized church Drupal site (based on recommendations from the forums). It's for the church I attend so I am also recommending signing up for the free Dreamhost account as either a back up or for sub sites. It's free, right?

I will let you know what level of performance Dreamhost Free offers once I get signed up.

Regarding the CMS & ChMS talk, great topic. I have been researching this topic myself. Currently, we are not ready to pull the trigger on a full blown new ChMS.

Does anybody know of a good way to do small group management online? Hopefully open source. We are not ready to pay for a Fellowship One type solution at this time. We just need attendance and comment tracking for Small Group Leaders. Small Group Members do not need to login for anything.

Since there will not be any financial or really sensitive data, I looked at CiviCRM. Our current hosting environment is running PHP 4 and we are not ready to upgrade to PHP 5 (too many custom scripts to migrate / test all at once).

So, I looked at SugarCRM.com. Has anybody used it? They have vendor supported and open source versions.

We just need a simple solution. We hope to find a cost effective one for the interim until we are ready to implement a new full blown ChMS church wide.

The reason we liked having a ChMS that linked to our CMS user database is for metrics. It would be great to link people's church attendance and event participation to their history on our website and email campaigns.

Thanks for another great show. Have fun at your private 100th episode party.

Nothing Ventured, Nothing Gained...

I'm currently working on a project to convert our church website to Drupal, and I think we'll end up signing up for a Dreamhost account as part of the migration. Nothing ventured, nothing gained, and all this costs is time.

I suppose it'll be hard to tell how well it stands up without some good testing. It's probably time to take a quick look at SimpleTest. That tool can create and delete test data, right? I found some examples of using jmeter with SimpleTest, so that shouldn't be too hard to set up.

Since MediaTemple's VPS essentially gives you a virtual CentOS Linux box, setting up multiple sites is pretty simple. The ability to do so comes with the package, but I've done it in a shared Drupal install where I didn't even have to define the other sites on MT's control panel.

At this point, my plan is to load test with Dreamhost to see if the free package will handle a reasonable amount of traffic. If so, we'll probably stick with it.

Actually, I searched drupal "load test" dreamhost and found several hits, including this discussion on drupal.org. Most of it is from 2006, so it's a little dated, but sounds promising.

If anyone has recent test data regarding the free Dreamhost account, please let us know. I'll post info once I'm done with my own testing.


ACS told us they were

ACS told us they were working on building an API and I want to believe it, even if they take some time to do it.

ChMS export capability


Is it possible to export out a ChMS event/person profile/etc as an XML file asynchronously? I think it would then be less problematic to import that data to a calendar component or other repository of a CMS.

No CRM = no ecommerce?

It's a while since listening to the episode and posting this comment, so I hope I'm posting it on the right episode! In the episode the two of you seemed to agree that basically unless you were some sort of experienced web security consultant, you shouldn't even consider deploying something like CiviCRM on your web platform. The impression given is that neither of you would consider deploying something like that yourselves despite your experience, unless I misunderstood you.

Given your feelings on this, I presume you also believe that such people also should not deploy an ecommerce solution and run a webstore, like Drupal's eCommerce module or the newer Ubercart. If not, why not? Surely dealing with credit card processing and all of the contact details that people store in an account when making purchases is just as sensitive as what would be stored in the average CRM? On the other hand, if you see a major difference between ecommerce and CRM I'd be interested to hear more why...

How ECommerce Works

Hey Duncan...Good question, here's my thoughts:

I'll deal with the eCommerce question first. Since we shouldn't be storing sensitive data does this mean we shouldn't be doing eCommerce on our sites? Absolutely not! Why? Because eCommerce implementations, when done properly, don't store any sensitive data!

The way eCommerce systems work is the person enters in their credit card data and Drupal (or other system) talks directly to the bank (ie. merchant account) through a secure connection. The merchant account spits back a 'yes' or 'no' on the credit card, and the transaction proceeds. Your site is NEVER storing any sensitive data in this process, it's simply passing that data onto the bank and letting them deal with it, then listening back for a thumbs up or thumbs down. So, this ends up not being much of a security risk.

For CiviCRM, I think it's riskier, but still doable. This totally depends on how comfortable your client is with having the data exposed to the internet and what kinds of data you're storing. Normally, a CRM is storing data such as phone numbers and addresses, stuff that some people consider sensitive but is available in phone books and on the 'net already. Sure, this is sensitive data, but it's not social security numbers and bank account numbers. I'd say that's a 'reasonable' risk.

Now, if you're storing financial data in your CRM, that's a whole other story. Personally, I'd say "if we do this, we need to hire a security consultant" to plan the setup of that CRM and setup procedures and implementation methods.

So, with CRM, I guess my answer is: It's fine as long as you're not storing data that will get you sued if it gets out. If that's the case, you need to hire a security expert for the project team.

-Rob Feature
Geeks and God Co-Host


a minor clarification ...

1. Note that CiviCRM does not store any of the credit card information in the database. The behavior is similar to an e-commerce system, and we know if the transaction succeeds or fails based on what the payment processor/bank says.

2. Similar to ecommerce storing the billing name, address, purchase history, CiviCRM does the same for donations. So the security needs to be addressed for both packages (IMO).

3. Finally, any system which stores personal data should be pretty security conscious. The software is one aspect of this, the other aspects include machine / network configuration, software patches, who has access to the systems, various business processes etc.



The issue here is security. With a well done ecommerce solution (like you would setup with the ecommerce module or ubercart) you'll have your payment gateway handle the transaction and the connection sensitive information is shared over. They take great pains and use ssl.

When you setup CiviCRM on a site and you store information like phone numbers, notes about people, and other information it will be transmitted as clear text for anyone to read if they know what they are doing. For something like this you need to setup an SSL connection and make sure to keep up on security updates.

Most of the people who have asked me about setting up CiviCRM do not know how to manage an SSL Cert and are people who don't tend to keep up on security. For them, I would not recommend such a setup. Another problem I see is with people putting CiviCRM on a shared or shared-like hosting environment and opening up too many security holes. This is bad.

If you can secure your database, keep up on security updates, set up an SSL cert, and keep up on other security concerns, then by all means use CiviCRM. This is what I mean by knowing what you are doing.

Matt Farina
Geeks and God Co-Host

Matt Farina
Geeks and God Former Co-Host

SSL is only part of the answer

I think SSL gives a false sense of security. I've seen people do SSL wrong for a long, long time. Like putting the form on an SSL site, but processing the form submission (the step where sensitive data is transferred over the wire) in the clear. I've also seen setups where credit card information is collected over SSL and then sent from the web server over unencrypted email for manual processing.

While SSL is a big issue in places where the network is vulnerable, like unencrypted WiFi hotspots, having data get captured off the wire is a lot less likely these days, though it can still happen.

That's not to say that we should skip SSL for sensitive transactions, just saying that it makes us feel safer while protecting what I believe is a lower risk. There are bigger risks on either end of the transaction.

Virus and Trojan Horse infections on the user's computer means their keystrokes may get captured even before being sent by the browser. We can't do anything about that problem, but it does exist.

My biggest concern is data being transferred safely over SSL to an insecure web server, or otherwise being mishandled after transmission.

Like Matt said, proper database management and other server security practices are all part of the solution. Proper SSL configuration is a necessary step, but it does not provide a complete security solution.
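
The first failure mode described in the comment above (a form served over SSL whose submission goes out in the clear) can be checked from the page markup alone. The following is an added example, not part of the original thread; the URL, field names and HTML are constructed for illustration, and the list of "sensitive" name hints is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed hints for fields that carry sensitive data (tune for your own forms).
SENSITIVE_HINTS = ("card", "cvv", "pass", "ssn")

class FormCollector(HTMLParser):
    """Collect every <form> with its action and the (name, type) of its inputs."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["fields"].append(
                ((a.get("name") or "").lower(), (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_forms(page_url, html):
    """Return one finding per form whose submission target is not HTTPS."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        # Relative and empty actions resolve against the page URL, as in a browser.
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme == "https":
            continue
        sensitive = any(ftype == "password" or any(h in name for h in SENSITIVE_HINTS)
                        for name, ftype in form["fields"])
        findings.append({"target": target, "sensitive": sensitive})
    return findings

# Constructed sample: a donation page served over HTTPS.
SAMPLE_PAGE_URL = "https://church.example/donate"
SAMPLE_HTML = """
<form action="http://church.example/process.php" method="post">
  <input type="text" name="card_number"><input type="text" name="cvv">
</form>
<form action="/newsletter" method="post"><input type="email" name="email"></form>
<form action="http://church.example/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        level = "HIGH" if finding["sensitive"] else "low"
        print(f"[{level}] form posts in the clear to {finding['target']}")
```

This only covers the browser-to-server hop; the second case in the comment (card data forwarded from the server by unencrypted email) has to be found by reviewing the form handler itself.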


You're Right

You are completely right. If someone isn't sure where to go beyond SSL they shouldn't be setting something like this up.

There are things like having a secure server, cross site scripting attacks, handling cookies securely for these sites, and so much more.

Sadly, I'm finding not enough sites take security seriously. In many cases the developers don't know (or don't care as more than one developer has told me). Some sites to get hit with a security attack recently even include big names like Google and we think of them as smart.

I wonder how many church sites are insecure even without dealing with sensitive information.

Matt Farina
Geeks and God Co-Host

Matt Farina
Geeks and God Former Co-Host

session cookies/issues with SSL

A good reason to keep Drupal core up to date:

According to this:
the patch for this has been submitted to core on 8/24 or so. I am not for sure it is in 5.11, but I would hope so at this point.

Scary stuff.

Mark Shropshire "shrop"
Geeks & God Forums Moderator

I just compared source. The

I just compared source. The patch for the above (severe) security issue was rolled into Drupal 5.11. You can find it in includes/bootstrap.inc around line 293.

This issue is all over the net too. Not just Drupal. Google even had the same ssl cookie issue in gmail.

If you run SSL on your Drupal site, please make sure you are at 5.11 or 6.5. Both have the patch. Heck make sure you are up to date regardless :) There are other security fixes in there too.


Mark Shropshire "shrop"
Geeks & God Forums Moderator


I have been hosting a Joomla website (www.phoenixcrc.org) on Dreamhost for over a year now. The feature set of the non-profit package is awesome! When I first started with Dreamhost there were some problems with reliability but I have not had trouble in a long time. Joomla runs great on this host. Dreamhost has both Drupal and Joomla as one-click installs.

I actually had the church's 501(c)(3) letter so signing up for the Dreamhost package was easy. What I realized while looking at the letter was that it was actually written for the denominational organization and not any individual church. This leads me to believe it would be possible for the individual church to contact the denominational headquarters and request a copy of this determination letter.

Just my experience, hope it helps!


Not sure if you guys have seen this:


Looks interesting and will be free.


Mark Shropshire "shrop"
Geeks & God Forums Moderator




I just listened to this podcast as I've been thinking about building a staff-based, intranet-type thing for our Church in Drupal.

You suggested not trying to build your own ChMS with a CMS because of security:
ChMS's have better security because they have a team of people dedicated to that, whereas CMS's don't have as good security because they're just for building websites, not storing financial data, etc.

I was talking to a friend of mine about this, who seemed to disagree, saying that the better security (or at least equivalent) would be found in the software with the largest community behind it (i.e. the open-source CMS). Sure, a ChMS might have a dedicated team of people working on security, but CMS's have whole communities behind them, constantly managing and updating the software, fixing bugs and security issues.

What are your thoughts on this?