Drupal vs WordPress Security: Which CMS is Most Secure?

When you are creating a new website for your business, security is probably the area that deserves the most careful thought.

Whether an attacker simply wants to deface your site “for fun” or has more malicious intentions, it’s important to keep the hackers out. You don’t want your users’ information compromised or their passwords stolen, nor do you want malware or phishing software installed on your site. In the most serious cases, websites get diverted to unsavoury places, and companies can be completely locked out of their site by a ransomware attack and have to pay perhaps thousands of pounds just to restore access.

Two of the more popular CMS platforms are Drupal and WordPress. Just how does each platform stack up when it comes to the important question of security?

WordPress security positives

WordPress is very popular and is used by more websites than any other CMS. However, this very popularity also makes it a platform that is attractive to hackers.

The security of the core WordPress program is considered to be good, though, as it is built on robust code. WordPress also responds to security threats quickly. They believe in transparency about security issues and state that they will always disclose them. There are thousands of developers in the community working on millions of websites, so it’s important to everyone involved that security issues are quickly spotted and resolved.

The core program is regularly updated, and there are also regular security and maintenance releases. It has an auto-update feature that allows it to be updated automatically to a newer version if there has been a fix for a security issue.

Like other CMS platforms, WordPress security can be further enhanced by implementing automatic backups, two-factor authentication for logins and by adding in a variety of security plugins.

WordPress security doubts

While the core of the software is generally deemed robust, WordPress plugins are less so, and their weaknesses can give hackers something to exploit.

There are more than 45 thousand plugins available for WordPress, written by third-party developers and individuals. These are not routinely checked by WordPress for vulnerabilities and can offer a way into a website if they are not secure.

Some of the risk can be mitigated by choosing well-known and respected plugins, and by keeping them regularly updated, but this doesn’t completely stop them being vulnerable to hacking.


Drupal security positives

Like WordPress, Drupal also takes security issues very seriously and publishes detailed security advisories on its website. It has a dedicated security team and a Twitter security account and also runs a security announcement email list that users and developers can subscribe to.

Its 34 thousand modules are considered more reliable and dependable than WordPress’s plugins as Drupal also issues advisories about these. This not only means that the users are kept informed, but it also encourages the third-party contributors to update and patch their modules.

Drupal security doubts

According to security data source CVE Details, there have been 309 security vulnerabilities detected since Drupal launched in 2002. Compared with WordPress’s 240 vulnerabilities since 2004, it would appear that Drupal is not as secure as WordPress.

And certainly many commentators agree that the Drupal core code is not as secure as that from WordPress. However, it is certainly deemed secure enough to be used by thousands of worldwide government departments and bodies.

Drupal vs WordPress security: which is the winner?

Both Drupal and WordPress observe excellent security procedures and work to keep their software free from vulnerabilities.

But things can still come unstuck and a CMS that isn’t managed well – on whatever platform – can expose your company to hacking and security breaches.

Good security is based on ensuring that software, themes and plugins/modules are kept updated to the latest versions. It’s vital that your IT department or your web development company keeps on top of updates. They should also adopt accepted security practices, such as running real-time monitoring systems that log what happens on your website, so that any threats can quickly be shut down.

You can further reduce your risks and exposure by checking that your IT department and web development agency employ best security practices, use respectable and highly secure hosting providers and are suitably knowledgeable about issues and threats.
