I consider security one of the most important parts of a CMS.
Emails and similar personal data
All sensitive data is kept encrypted. Encryption and decryption are currently handled by the MCRYPT library, with the RIJNDAEL 128 cipher in CBC mode. Passwords are NOT encrypted in the same way, and cannot be decrypted.
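An added example (not the CMS's own code) of the scheme the paragraph describes: Rijndael with a 128-bit block and a 128-bit key in CBC mode is the cipher OpenSSL calls aes-128-cbc, and since the MCRYPT extension was removed in PHP 7.2 the OpenSSL functions are the supported way to get the same cipher today. The example also shows the two details a practitioner checks in any CBC code: a fresh random IV per record, stored with the ciphertext, and a MAC so a wrong key or a modified record is rejected instead of being decrypted into garbage. The key is generated inline so the example runs stand-alone; the CMS loads it from its key file instead.

```php
<?php
// Added example, not the CMS's own code. aes-128-cbc = Rijndael-128 in CBC
// mode with a 128-bit key. Assumption: $key is the 16-byte key the CMS
// keeps in its PHP key file; here it is generated inline for the demo.

const CIPHER = 'aes-128-cbc';

// Derive a separate MAC key so the same bytes are not used for two purposes.
function macKey(string $key): string
{
    return hash_hmac('sha256', 'field-mac', $key, true);
}

// Encrypt one field. CBC needs a new random IV for every record: reusing an
// IV makes equal plaintexts produce equal ciphertexts. The IV is not secret
// and is stored in front of the ciphertext. The HMAC covers IV + ciphertext
// (encrypt-then-MAC) so tampering is detected before any unpadding happens.
function encryptField(string $plain, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct = openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    $mac = hash_hmac('sha256', $iv . $ct, macKey($key), true);
    return base64_encode($mac . $iv . $ct);
}

// Returns null for a malformed, truncated, tampered record or a wrong key.
function decryptField(string $stored, string $key): ?string
{
    $raw   = base64_decode($stored, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < 32 + $ivLen) {
        return null;
    }
    $mac = substr($raw, 0, 32);
    $iv  = substr($raw, 32, $ivLen);
    $ct  = substr($raw, 32 + $ivLen);
    // hash_equals compares in constant time, so the check does not leak
    // how many MAC bytes matched.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, macKey($key), true), $mac)) {
        return null;
    }
    $plain = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    return $plain === false ? null : $plain;
}

// Demo with a constructed key and a sample e-mail address.
$key    = random_bytes(16);
$stored = encryptField('alice@example.org', $key);
echo decryptField($stored, $key) === 'alice@example.org' ? "round trip ok\n" : "round trip FAILED\n";
echo decryptField($stored, random_bytes(16)) === null ? "wrong key rejected\n" : "wrong key NOT rejected\n";
```

Two encryptions of the same address give different stored values because of the random IV; that is expected and is what prevents an observer of the database from seeing which users share a field value.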
Under normal conditions the clear-text password is hashed with the SHA-512 algorithm and sent to the server. When it is stored, a random salt is generated and used to hash the received value a second time. The same salt is later used to verify whether the password you send, re-hashed, matches the one in the database.
At this time there is no way to decrypt the stored hashed password. A hypothetical attacker could only use a brute-force attack to guess your password. This could take years, or decades, provided you chose an effective password: don't use "1234" (and similar), "password" (and similar), real words or combinations of them. Best is to include special characters like @ # ù ...
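The flow of the two paragraphs above, as an added example rather than the CMS's own code: the browser sends sha512(password), the server stores a random per-user salt and sha512(salt . clientHash), and login recomputes the hash with the stored salt. The "salt:hash" hex record layout is my assumption; the page does not describe the actual column format.

```php
<?php
// Added example, not the CMS's own code. Record layout "saltHex:hashHex"
// is an assumption for the demo.

// What the browser sends instead of the clear-text password.
function clientHash(string $password): string
{
    return hash('sha512', $password);
}

// Run once when an account is created or its password changes.
function storePassword(string $clientHash): string
{
    $salt = random_bytes(16);                         // per-user, from the CSPRNG
    $hash = hash('sha512', $salt . $clientHash, true); // second hash over salt + client hash
    return bin2hex($salt) . ':' . bin2hex($hash);
}

// Run at login: re-hash what the client sent with the salt stored for that user.
function verifyPassword(string $clientHash, string $stored): bool
{
    [$saltHex, $hashHex] = explode(':', $stored, 2) + [null, null];
    if ($saltHex === null || $hashHex === null) {
        return false;                                  // malformed record
    }
    $salt     = hex2bin($saltHex);
    $expected = hex2bin($hashHex);
    if ($salt === false || $expected === false) {
        return false;
    }
    $actual = hash('sha512', $salt . $clientHash, true);
    // Constant-time comparison: a plain === would leak, through timing, how
    // many leading bytes of a guess were right.
    return hash_equals($expected, $actual);
}

// Demo with a constructed password.
$record = storePassword(clientHash('correct horse battery staple'));
echo verifyPassword(clientHash('correct horse battery staple'), $record) ? "login ok\n" : "login FAILED\n";
echo verifyPassword(clientHash('1234'), $record) ? "wrong password ACCEPTED\n" : "wrong password rejected\n";
```

Two design notes for anyone adapting this. The client-side SHA-512 keeps the clear password off the wire, but the value that is sent becomes the credential the server checks, so the connection still needs TLS. And SHA-512 is a fast hash: the time a brute-force guess takes is set by the password's strength alone, which is why the paragraph above insists on a strong one; PHP's built-in password_hash()/password_verify() (bcrypt by default) adds a deliberately slow step on top of the salt and is the usual choice when the extra per-login cost is acceptable.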
By default, users with write access are trusted blindly and the article content they insert is not parsed in any way (so scripts and any type of link are allowed). Webmasters and administrators are completely trusted. This could be changed by creating an ad hoc plugin (HTML Purifier is already installed). This behavior should not pose any risk as long as the enabled users are trustworthy.
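What such an ad hoc plugin could look like, as an added example and not the CMS's own code: HTML Purifier, which the paragraph says is already installed, is configured with a whitelist of tags, attributes and URL schemes, and every submission from a plain write-access user is passed through it while webmasters and administrators keep the default full trust. The autoloader path, the user array shape and the hook name filter_article_content are assumptions, since the page does not describe the plugin API.

```php
<?php
// Added example, not the CMS's own plugin. Assumptions: the HTML Purifier
// autoloader path, the $user['role'] field and the hook name are mine.
require_once __DIR__ . '/vendor/htmlpurifier/library/HTMLPurifier.auto.php';

function makeArticlePurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Whitelist: anything not listed (script, event-handler attributes,
    // iframes, ...) is stripped rather than blacklisted case by case.
    $config->set('HTML.Allowed',
        'p,br,b,strong,i,em,u,h2,h3,ul,ol,li,blockquote,pre,code,a[href|title],img[src|alt]');
    // Only these link schemes survive; javascript: and data: URLs are dropped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    $config->set('HTML.Nofollow', true);          // rel="nofollow" on outgoing links
    $config->set('Cache.DefinitionImpl', null);   // no on-disk cache needed for the demo
    return new HTMLPurifier($config);
}

// Hypothetical plugin hook: receives the submitted HTML, returns what gets stored.
function filter_article_content(string $html, array $user): string
{
    // Same trust split as the page's default: webmasters and administrators
    // bypass the filter, plain write access goes through it.
    if (in_array($user['role'], ['webmaster', 'administrator'], true)) {
        return $html;
    }
    static $purifier = null;
    $purifier = $purifier ?? makeArticlePurifier();
    return $purifier->purify($html);
}

// Constructed sample submission from a user with plain write access.
$dirty = '<p>Hello <script>alert(1)</script>'
       . '<a href="javascript:alert(1)">bad link</a> '
       . '<a href="https://example.org">good link</a></p>';
echo filter_article_content($dirty, ['role' => 'writer']), "\n";
```

The purifier output keeps the paragraph and the https link and removes the script element and the javascript: href, which are exactly the two things the paragraph above says the default behavior lets through.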
Encryption key and database
The encryption key is created on the very first setup and stored in a PHP file. This key can be changed only by logged-in webmaster users (coming soon).
The database name is randomly generated on the first setup. The name is stored in a PHP file, like the encryption key. Every further setup will change the name: this greatly protects your database file from being stolen by anyone. An .htaccess file protects your database from being downloaded (de facto only PHP and HTML files placed in the main database directory are reachable by external users).
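The first-setup step described in this section, as an added example and not the CMS's own setup code: generate a random key and a random database file name, write them into a PHP file (which the web server executes rather than serves as text, so the values never appear in a response), and write the .htaccess that leaves only .php and .html files reachable in the database directory. The directory layout, file names and the Apache 2.4 "Require" syntax are assumptions.

```php
<?php
// Added example, not the CMS's own setup code. Assumptions: directory
// layout, file names, and Apache 2.4 authorization syntax.

function writeSecrets(string $dbDir): array
{
    $key    = random_bytes(16);                    // 128-bit key for Rijndael-128 / AES-128
    $dbName = bin2hex(random_bytes(12)) . '.db';   // unguessable database file name

    // var_export() emits valid PHP source. The leading "<?php" matters: a
    // file without it would be sent to the browser as plain text.
    $php = "<?php\n// generated at setup; keep out of version control\nreturn "
         . var_export(['key' => base64_encode($key), 'db_name' => $dbName], true)
         . ";\n";
    file_put_contents($dbDir . '/secrets.php', $php, LOCK_EX);
    chmod($dbDir . '/secrets.php', 0600);          // readable by the web-server user only

    // Deny everything, then re-allow only .php and .html, as the page describes.
    // Requires AllowOverride to permit authorization directives in .htaccess.
    $htaccess = <<<'HT'
Require all denied
<FilesMatch "\.(php|html)$">
    Require all granted
</FilesMatch>
HT;
    file_put_contents($dbDir . '/.htaccess', $htaccess . "\n", LOCK_EX);

    return ['key' => $key, 'db_name' => $dbName];
}

// Reading the secrets back: "require" returns the array from the PHP file.
function loadSecrets(string $dbDir): array
{
    $s = require $dbDir . '/secrets.php';
    $s['key'] = base64_decode($s['key'], true);
    return $s;
}

// Demo in a throw-away directory.
$dir = sys_get_temp_dir() . '/cms_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
writeSecrets($dir);
$loaded = loadSecrets($dir);
echo 'database file: ', $loaded['db_name'], ' (key length ', strlen($loaded['key']), " bytes)\n";
```

The .htaccess only takes effect if the server honours overrides for that directory, so a setup page should confirm it by requesting the database file over HTTP and expecting a 403. Keeping the database directory outside the document root removes that dependency entirely, since nothing under it is reachable regardless of .htaccess.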