Drupal vs. WordPress: Planning for Security

Author: Lori Highby

As we’ve been taught throughout our lives, not everything is a popularity contest. While something may appear bright and shiny on the outside, what’s offered once you’re inside? With people, we know not to judge on ease and appearance alone, but rather the opposite. The same goes for web development. While certain software systems require a time commitment to get started, the result is often a structured website that can withstand a good chunk of what’s thrown its way. In comparisons between Drupal and WordPress, we could be here all day weighing the pros and cons of either CMS, so to narrow it down to one criterion we’ll focus on the difference in security between the two.

The Risk of Simplicity

WordPress is the world’s most popular web development platform, but there’s more to your website than simplicity of design and maintenance. As Drupal advocates, we know there can be difficulties with any software, but the security of your website outweighs a good amount of fluff any day.

When it comes to shopping online, we know not to trust a site that offers a product for pennies when a trustworthy website sells the same thing for $10. While this may sound like a strange analogy, the same can be said for the simplicity of WordPress versus the relative complexity of Drupal. To get a site running quickly and easily, users often choose WordPress. While this is understandable, what they don’t realize is the risk they’re running by relying on such a user-friendly platform. That vulnerability gives attackers an opening: a flaw in a single plugin can allow outside access to every site that installs it, and plugin flaws have been used to wipe out thousands of WordPress sites at once.

Finding Trusted Security

With enterprise-level security and site scale, one of Drupal’s biggest differentiators from WordPress is its trusted security. As the web development platform behind a plethora of government sites such as whitehouse.gov, Drupal is capable of withstanding threats from hackers while maintaining the safety and security of your site from the inside. In recent password breaches, the encryption methods used by content management systems such as WordPress were to blame. With sufficient encryption technology and a strong hash function with a per-user salt, Drupal has reduced its exposure to password attacks. Drupal also protects your site from brute-force attacks by including, and enabling by default, features such as limiting the number of failed logins over a specific period of time per account or per IP address, something you would need a third-party plugin to do in WordPress.
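The two defences named above, a per-user salted slow hash for stored passwords and a failed-login limit per account and per IP address over a time window, are easy to see together in a small model. The following is an added example written for this article; it is not Drupal’s or WordPress’s code and uses no Drupal API. The iteration count, the window lengths and thresholds (50 failures per address per hour, 5 per account per six hours), and the account and address values are all constructed for the example, not taken from the article.

```python
"""Salted password hashing plus a sliding-window failed-login limiter (illustrative model)."""
import hashlib
import hmac
import os
from collections import defaultdict, deque

# PBKDF2-HMAC-SHA256 work factor; constructed for the example, tune per deployment.
ITERATIONS = 200_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hash with a fresh random 16-byte salt; salt and work factor are stored with the digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:  # malformed record
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class FloodControl:
    """Counts events per (event name, identifier) inside a sliding time window.

    Timestamps are passed in explicitly so the behaviour is deterministic and testable.
    """

    def __init__(self) -> None:
        self._events: dict[tuple[str, str], deque[float]] = defaultdict(deque)

    def _prune(self, key: tuple[str, str], window: float, now: float) -> deque:
        q = self._events[key]
        while q and q[0] <= now - window:  # drop events that fell out of the window
            q.popleft()
        return q

    def register(self, name: str, identifier: str, now: float) -> None:
        self._events[(name, identifier)].append(now)

    def is_allowed(self, name: str, identifier: str, threshold: int, window: float, now: float) -> bool:
        return len(self._prune((name, identifier), window, now)) < threshold

    def clear(self, name: str, identifier: str) -> None:
        self._events.pop((name, identifier), None)


# Thresholds constructed for the example (not taken from the article):
IP_LIMIT, IP_WINDOW = 50, 3600          # failures from one address per hour
USER_LIMIT, USER_WINDOW = 5, 6 * 3600   # failures against one account per six hours


def attempt_login(accounts: dict, flood: FloodControl, username: str, password: str, ip: str, now: float) -> str:
    """Return 'ok', 'failed', 'blocked_ip' or 'blocked_user'.

    Unknown accounts and wrong passwords both yield 'failed' so the response does not
    reveal which usernames exist; failures from the address are counted either way.
    """
    if not flood.is_allowed("failed_login_ip", ip, IP_LIMIT, IP_WINDOW, now):
        return "blocked_ip"
    stored = accounts.get(username)
    if stored is not None and not flood.is_allowed("failed_login_user", username, USER_LIMIT, USER_WINDOW, now):
        return "blocked_user"  # even the right password is refused until the window passes
    if stored is not None and verify_password(password, stored):
        flood.clear("failed_login_user", username)
        return "ok"
    flood.register("failed_login_ip", ip, now)
    if stored is not None:
        flood.register("failed_login_user", username, now)
    return "failed"


def demo() -> list[str]:
    """Six wrong guesses at one account, then the right password while locked, then after the window."""
    accounts = {"alice": hash_password("correct horse battery staple")}  # constructed account
    flood = FloodControl()
    ip = "203.0.113.7"  # constructed address from the documentation range
    results = [attempt_login(accounts, flood, "alice", f"guess{i}", ip, now=1000.0 + i) for i in range(6)]
    results.append(attempt_login(accounts, flood, "alice", "correct horse battery staple", ip, now=1010.0))
    results.append(attempt_login(accounts, flood, "alice", "correct horse battery staple", ip, now=1010.0 + USER_WINDOW + 1))
    return results


if __name__ == "__main__":
    print(demo())
```

Two points the model makes visible: hashing the same password twice yields two different records because each gets its own salt, so a leaked table cannot be attacked with one precomputed lookup across users; and the lockout is a plain time window, so the correct password is refused while the account is over its threshold and accepted again once the old failures age out.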

Drupal Flexibility

Drupal provides much more flexibility in development with its own built-in tools. This matters for security compared with WordPress, because unless you spend money on bloated WordPress plugins for certain functionality (which can make your site very slow), you would most likely turn to writing the functionality yourself. That can open a wide security hole unless you know how to write very secure PHP code. Thus, unless you find a very knowledgeable PHP developer to add custom functionality to your WordPress site (at significant cost), or you install bloated, premium, or possibly unstable WordPress plugins to add it, you cannot get custom work that matches what you can get with Drupal.

A Drupal developer can make it very simple for a customer to edit any piece of their website without any knowledge of code, using Drupal’s secure tools to do so. Monitoring and resolving security holes in a website’s core, modules/plugins, and themes is much easier with Drupal. Drupal has a built-in email notification system that you can set to notify you when a module has an important security update and when a module has lost support in the Drupal community. In that case, Drupal will prompt you to find a replacement.

WordPress Simplicity Comes at a Cost

WordPress, however, has no free service that will do this. The only option with WordPress sites is to install a plugin that emails you when a theme, plugin, or core has an update. There is no differentiation between security updates and minor updates. You will need to log into the website, read the changelog for each item that needs updating, and try to determine whether a security risk was found and resolved in the update.

With many standard and robust security features that work “right out of the box,” Drupal and the Drupal community show that they take security seriously. It is easy to see why a number of large organizations and entities make Drupal their CMS of choice.