Airship is a Content Management System designed to provide a secure foundation for your website.


Why Airship?

  • Carefully Chosen Cryptography Features — Powered by the Sodium cryptography library (accessed through Halite, our easy-to-use libsodium wrapper).
  • Secure Automatic Updates — Critical security updates will automatically be applied within an hour (in the default configuration). Never worry about something like this happening again.
  • Open Source — Airship is dual licensed. You can use it under the terms of the GNU Public License as Free Software, or if you'd prefer, you may purchase a commercial license from Paragon Initiative Enterprises.
  • No Legacy Cruft — Airship was born into PHP 7 and does not need to retain the bloat or bad designs necessary to maintain compatibility with early versions of PHP 5.

PHP CMS Out-of-the-Box Security Comparison Chart
Columns: Security Feature, CMS Airship, WordPress, Drupal, Joomla!, Notes
Note: A detailed technical breakdown of the security of the other CMS platforms is available.
Automatic Updates: The automatic updates you receive are secure against forgery even if our update server is compromised.
Prepared Statements: For preventing SQL Injection vulnerabilities.
CSRF Protection Everywhere: Plugins notwithstanding.
Context-Aware Output Escaping
Escapes on input
For preventing cross-site scripting vulnerabilities.
Content Security Policy: CMS Airship lets you manage CSP and HPKP headers through a web interface.
HTTP Public-Key-Pinning
Password Hashing: Argon2i (CMS Airship), Salted MD5 (WordPress), SHA512Crypt (Drupal), bcrypt (Joomla!). Read more about how to safely store users' passwords and why Argon2 is the best choice.
Two-Factor Authentication
Secure "Remember Me" Checkboxes: We outlined how to implement secure "remember me" checkboxes in PHP last year.
Login Brute-Force Resistance
Account Recovery: Opt Out
Account Recovery: GnuPG Encryption. CMS Airship allows users to provide a public key, which will be used to encrypt the outgoing account recovery emails.
Encryption: Halite (CMS Airship), N/A (WordPress), N/A (Drupal), Defuse v1* (Joomla!).
* As of v3.5.0; before, JCrypt was insecure.
Minimum PHP Version: 7.0 (CMS Airship), 5.2.4 (WordPress), 5.5.9 (Drupal), 5.3.10 (Joomla!). Read more about why low minimum PHP version requirements are bad for security.
Secure Random: random_compat v1 (WordPress), random_compat v1 (Drupal), random_compat v1 (Joomla!). Version 1 of random_compat falls back to OpenSSL as a last resort, while version 2 is more secure and truer to what PHP 7 does. Learn more.
Code Footprint: 62,367 (CMS Airship), 496,998 (WordPress), 1,008,868 (Drupal), 858,922 (Joomla!). Less code usually implies less room for bugs to slip in. This metric is useful for estimating the cost of a full audit.
Free / Open Source: GitHub (CMS Airship), Trac (WordPress), Git (Drupal), GitHub (Joomla!). All four are released under GPL.

Frequently Asked Questions

Why does the community need yet another CMS?

Airship carries two benefits that none of the existing content management system solutions offer:

  1. Airship was designed, and is maintained, by a team of PHP security experts.
  2. Airship is not encumbered by risky backwards compatibility concerns and years of technical debt.

Though our security team often shares our insight into better security practices with the maintainers of popular Free Software projects, they are almost always held back by technical debt and obligations to maintain compatibility with legacy systems.

What makes Airship different from any other CMS?

The short answer: In terms of security, Airship is worlds apart from the CMS platforms you're already familiar with.

The Long Answer:

A lot of the security problems that the other CMS solutions encounter are the result of unknown unknowns. For example, "Is it safe to pass user-provided data to unserialize() in a PHP 5 application?" is a question that many CMS developers would never even think to ask (let alone know the answer to off the top of their heads).

We live and breathe application security. Our set of unknown unknowns is consequently a lot smaller than most PHP programmers'.

  • To prevent SQL injection, we use prepared statements where we can, and a strict whitelist where we can't.
  • To prevent cross-site scripting, we escape on output, not on input. We also provide a user-friendly interface for managing your Content-Security Policy headers.
  • All forms that accept POST data are protected against CSRF attacks by design.
  • Users' passwords are hashed using Argon2i, and the hashes are encrypted with authenticated encryption, before storage.
  • We made access controls painless. (Read the docs to learn more.)
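
The password-storage bullet above (Argon2i hash, then authenticated encryption of the hash before storage) can be demonstrated with PHP's built-in password_hash() and the sodium extension. This is an added example, not Airship's or Halite's own code; the function names store_password() and check_password(), the record layout and the key handling are assumptions for illustration, and it needs PHP 7.2+ built with Argon2 support and ext-sodium.

```php
<?php
declare(strict_types=1);

// Added example (not Airship/Halite code): Argon2i hash, then authenticated
// encryption of the hash string with libsodium's secretbox (XSalsa20-Poly1305).

/** Returns a base64 string (nonce || ciphertext) suitable for a text column. */
function store_password(string $password, string $key): string
{
    $hash = password_hash($password, PASSWORD_ARGON2I);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($hash, $nonce, $key));
}

/** Decrypts the stored hash, then verifies the password against it. */
function check_password(string $password, string $stored, string $key): bool
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return false; // malformed record
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $hash = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    if ($hash === false) {
        return false; // authentication tag mismatch: wrong key or modified record
    }
    return password_verify($password, $hash);
}

// Constructed demo values; in production the key is loaded from outside the database.
$key = sodium_crypto_secretbox_keygen();
$stored = store_password('correct horse battery staple', $key);

$modified = base64_decode($stored, true);
$modified[50] = chr(ord($modified[50]) ^ 1); // flip one bit of the encrypted hash
$modified = base64_encode($modified);

var_dump(check_password('correct horse battery staple', $stored, $key));   // right password
var_dump(check_password('Tr0ub4dor&3', $stored, $key));                     // wrong password
var_dump(check_password('correct horse battery staple', $modified, $key)); // modified record
var_dump(check_password('correct horse battery staple', $stored, sodium_crypto_secretbox_keygen())); // wrong key
```

Because the encryption key is kept outside the database, a dump of the password table alone yields ciphertext rather than Argon2i hashes that can be attacked offline.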
