Features · Security
Secure for large and small masajid.
No plugin marketplace, no theme ecosystem, no third-party scripts you didn't approve. The #1 attack surface on every masjid's WordPress site simply doesn't exist here.
No plugins
The #1 attack vector, gone.
Plugins are how WordPress masajid get compromised. We don't have plugins. The features in the platform are the features in the platform — and they ship from one audited codebase.
One codebase, audited
Fix once. Ships everywhere.
What ships to one masjid ships to every masjid. Vulnerabilities get fixed once and the fix rolls out everywhere — automatically on Hosted, with one docker-compose pull on Self-Host.
Last security release
v1.4.2 · 2026-04-15
· upgraded Next.js (CVE-2026-0124)
· tightened CSP for embed routes
· rotated all signed-URL secrets
Pushed to all 12 hosted tenants.
Quarterly updates
Zero-touch on Hosted. One command on Self-Host.
We ship security updates four times a year on a regular schedule, plus emergency patches as needed. Hosted tenants get them automatically. Self-Host runs `docker compose pull && docker compose up -d`.
$ docker compose pull
Pulling openmasjid:1.4.2... done
$ docker compose up -d
Recreating openmasjid_web... done
Recreating openmasjid_worker... done
Updated. Site stayed up.
Tenant isolation
Enforced at the database, not the application.
Every query checks the tenant relationship at the row level. No cross-tenant leaks, ever. We've stress-tested this — see our security writeup on GitHub.
Open source = audited by you
Read the code. Hire a security firm to read the code. Run static analysis. We have nothing to hide.
View on GitHub