Yeah, that's the whole point, but it also means they can see your bugs too. We have been careful about security throughout this project and have several security features built in.
User permissions
User security in Jojo consists of users and groups. A user can belong to one or more groups, and each resource in Jojo (a page or an article, say) carries a permission level for each group. An article may be viewable by every group but editable only by administrators; a forum may be invisible to all users except those belonging to one particular group.
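The group-based model above, as an added example in Python. It is not Jojo's code (Jojo is a PHP project, and its real level names, group names and storage are not described on this page); the three levels, the implicit "public" group for every visitor, and the sample users and resources are all assumptions made for the illustration. It shows the two properties worth checking in any such model: a resource with no entry for a group is invisible to that group (deny by default), and a user in several groups gets the union of their rights.

```python
from enum import IntEnum


class Level(IntEnum):
    """Ordered permission levels: a higher level implies the lower ones.
    The names are assumed for this example, not Jojo's own constants."""
    NONE = 0   # the resource is invisible to the group
    VIEW = 1
    EDIT = 2


# Every visitor, logged in or not, is treated as a member of "public"
# (an assumption of this example, so anonymous users can be granted rights).
ANON_GROUPS = ["public"]

# Constructed users and resources, modelled on the scenarios in the text.
USERS = {
    "alice": ["members"],
    "bob": ["members", "administrators"],
    "carol": ["committee"],
}
RESOURCES = {
    # an article everyone may read but only administrators may edit
    "article:welcome": {"public": Level.VIEW, "members": Level.VIEW,
                        "administrators": Level.EDIT},
    # a forum that is invisible unless you belong to the committee group
    "forum:committee": {"committee": Level.EDIT},
    # a draft with no entries at all: nobody can see it (deny by default)
    "article:draft": {},
}


def groups_for(user):
    """Groups a user belongs to; None means an anonymous visitor."""
    return ANON_GROUPS + USERS.get(user, [])


def effective_level(groups, acl):
    """Highest level granted to any of the user's groups.

    `acl` maps group name -> Level. A group that is not listed gets NONE, so
    a resource with no entries is invisible to everyone, and a user in
    several groups gets the union of their rights.
    """
    return max((acl.get(g, Level.NONE) for g in groups), default=Level.NONE)


def can(user, resource, needed):
    """True if `user` holds at least `needed` on `resource`."""
    return effective_level(groups_for(user), RESOURCES[resource]) >= needed


def visible_resources(user):
    """Resources the user can at least view: what a menu should list."""
    return sorted(r for r in RESOURCES if can(user, r, Level.VIEW))


if __name__ == "__main__":
    for user in (None, "alice", "bob", "carol"):
        print(user or "anonymous", "sees", visible_resources(user))
```

The point of `visible_resources` is that the same check drives navigation as well as access: a forum the user cannot view should not appear in the menu at all, not merely refuse to open.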
No writable files in web-root
This is a fundamental rule of web hosting, yet almost all CMS systems get it wrong. On a shared server you should not have writable folders within your web-root. Every site on the box typically runs its scripts as the same web-server user, so a folder your site lets that user write to can be written to by another customer's script as well, for example to drop a PHP file that the server will then happily execute.
We have bent over backwards to make sure this does not happen in Jojo CMS. In fact, if you follow our recommended installation, your web-root folder will contain only 3 files, none of them writable.
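A check for the rule above, as an added example that is not part of Jojo's own installation. It walks a web-root and reports every file or directory whose group or other write bit is set, and, if you pass the uid the web server runs as, every entry that user owns with the owner write bit set (on many shared hosts the web server runs as your own account, in which case owner-writable counts too). The demo web-root it builds in a temporary directory is constructed for the example.

```python
import os
import stat
import tempfile
from pathlib import Path


def writable_entries(root, web_uid=None):
    """Paths under root (relative to it) that the web-server process could write.

    An entry is flagged when its group or other write bit is set, or, if
    web_uid is given, when that uid owns it and the owner write bit is set.
    Symlinks are skipped: their own mode bits mean nothing, and the target
    is checked wherever it really lives.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            writable_by_others = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
            writable_by_web_user = (
                web_uid is not None
                and st.st_uid == web_uid
                and st.st_mode & stat.S_IWUSR
            )
            if writable_by_others or writable_by_web_user:
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def build_demo_root():
    """Constructed web-root: a correct layout plus one writable cache folder."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    layout = {
        "index.php": 0o644,
        "config.php": 0o640,
        "cache/page.html": 0o666,   # the mistake: world-writable
    }
    for rel, mode in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("")
        os.chmod(path, mode)
    os.chmod(Path(root, "cache"), 0o777)   # and a world-writable directory
    os.chmod(root, 0o755)
    return root


if __name__ == "__main__":
    demo = build_demo_root()
    print("writable by group/other:", writable_entries(demo))
    print("also counting files owned by the current user:",
          writable_entries(demo, web_uid=os.getuid()))
```

Run it against your real document root with the uid your PHP processes run as (check with a phpinfo() page or `ps`); on a correctly set up Jojo install the first list should be empty, and the only way to clear the second is to keep the writable data directory outside the web-root entirely.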
Spam protection
The contact form plugin includes an optional CAPTCHA to help prevent contact form spam, which is becoming more common, and several other forms on the site include a CAPTCHA too. To make things slightly easier for the user, our CAPTCHAs are only 3 characters long and are not case sensitive. That is a small search space, so it deters bulk submission rather than a determined attacker, and the length may increase as spammers get better at cracking CAPTCHAs.
Email injection prevention
Email injection is a technique spammers use to send spam through the contact form of an unprotected website: newline characters are smuggled into a field that ends up in a mail header (the sender address or the subject, say), followed by extra headers such as Bcc: carrying the spammer's own recipient list. If your contact form is unprotected and your site is popular, it will be attacked in this fashion sooner or later, and if your server keeps sending out spam it will land on the spam blacklists, where its legitimate mail is blocked too.
Every form POSTed to a Jojo site is checked for email injection attacks. Because we still have a sense of humour about all this, if we detect someone trying a header injection on one of our forms, we redirect them to the Wikipedia page on email injection.
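The check described above, as an added example in Python rather than Jojo's own PHP code: the page says what Jojo does (inspect POSTed forms and redirect offenders to Wikipedia), not how it detects an injection, so the detection rules here are this example's own. The field names `name`, `email` and `subject`, the Wikipedia URL, and the sample submissions are all assumptions made for the illustration.

```python
import re

# Fields whose values end up in mail headers (From:, Reply-To:, Subject:).
# Field names are assumed for this example; Jojo's contact plugin may differ.
HEADER_FIELDS = ("name", "email", "subject")

# A bare CR, LF or NUL in a header value is the injection primitive: the mail
# library would start a new header line at that point.
CTL_RE = re.compile(r"[\r\n\x00]")

# Some spammers send the newline URL-encoded hoping for a second decode
# somewhere downstream; a real name or subject never contains these.
ENCODED_CTL_RE = re.compile(r"%0[ad]|%00", re.IGNORECASE)

# Exactly one address, so "a@x.example,b@y.example" cannot add recipients.
SINGLE_ADDRESS_RE = re.compile(r"^[^\s@<>,;]+@[^\s@<>,;]+\.[A-Za-z]{2,}$")

# Assumed destination, matching the behaviour the page describes.
WIKIPEDIA_EMAIL_INJECTION = "https://en.wikipedia.org/wiki/Email_injection"


def find_header_injection(form):
    """Return the name of the first field carrying a header injection, else None.

    `form` is the already URL-decoded POST data as a str -> str mapping.
    """
    for field in HEADER_FIELDS:
        value = form.get(field, "")
        if CTL_RE.search(value) or ENCODED_CTL_RE.search(value):
            return field
    email = form.get("email", "")
    if email and not SINGLE_ADDRESS_RE.match(email):
        return "email"
    return None


def handle_contact_post(form):
    """Decide what to do with a POSTed contact form.

    Returns ("redirect", url) for an injection attempt, mirroring the
    behaviour described in the text, or ("send", headers) for a clean form.
    """
    if find_header_injection(form) is not None:
        return ("redirect", WIKIPEDIA_EMAIL_INJECTION)
    # The CTL check above guarantees each value is a single header line.
    headers = {
        "From": '"%s" <%s>' % (form["name"], form["email"]),
        "Reply-To": form["email"],
        "Subject": form.get("subject", ""),
    }
    return ("send", headers)


# Constructed sample submissions: one legitimate, three hostile.
CLEAN = {"name": "Alice", "email": "alice@example.com", "subject": "Hello"}
INJECTED_EMAIL = {"name": "Alice", "subject": "Hello",
                  "email": "alice@example.com\r\nBcc: spam1@example.net, spam2@example.net"}
ENCODED_SUBJECT = {"name": "Bob", "email": "bob@example.com",
                   "subject": "Hi%0aBcc:%20victim@example.org"}
MULTI_RECIPIENT = {"name": "Eve", "email": "a@example.com,b@example.com", "subject": "x"}

if __name__ == "__main__":
    for label, form in [("clean", CLEAN), ("injected email", INJECTED_EMAIL),
                        ("encoded subject", ENCODED_SUBJECT),
                        ("two recipients", MULTI_RECIPIENT)]:
        print(label, "->", handle_contact_post(form))
```

The message body is deliberately not inspected: it is passed to the mailer as the body, not as a header, so newlines there are harmless, and rejecting them would block every multi-line message a real visitor writes.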