One of the more popular methods of publishing content on a website is a CMS (Content Management System). A CMS generally has a graphic user interface where a user can log in, create or upload content, update existing content, design how they would want their website to appear, and other related tasks. The three most popular CMS choices by usage are WordPress, Joomla, and Drupal. A cursory glance at these three different pieces of software shows that they are somewhat similar- a PHP framework interacting with a database. However, looks are deceiving. Each of these has its own user experience, add-on management, and working process.
WordPress, Joomla, and Drupal are very different, and as such their benefits and disadvantages are discussed ad nauseam throughout the online community. Instead of comparing every single attribute these CMS choices have to offer, we wanted to provide a guide of a sort that allows reader to review information and come to their own conclusion. For the sake of simplicity and clarity, we will be focusing on the base installation and common plugins and themes.
Launched in 2003, WordPress is the most commonly used CMS, has a marketshare of 60.2%, including 239,139 of the top 1 million trafficked sites (source). As free and open-source software, WordPress makes heavy use of a plugin architecture and template system. Plugins and themes are used to enhance functionality and improve appearance to the end user.
Though primarily powered by unpaid contributors, WordPress has a paid core leadership team committed to software development and implementation efforts. In addition to the leadership team, WordPress has a security team specifically devoted to investigation, identification, and remediation of WordPress security issues that arise in the core code. As security vulnerabilities are disclosed, fixes are pushed out to existing installations of WordPress. That’s why keeping WordPress updated to the latest version is incredibly important to the overall security of your website.
WordPress Resource site wpbeginnner.com offers a large resource of walkthroughs, explanations, and articles about the importance of WordPress security, such as updating your WordPress core files, passwords and user roles/permissions, and their opinion on best security practices for both the intermediate and beginner level users. WordPress’ Codex also contains a very lengthy and in-depth list of items to harden your WP installation. WordPress, however, does not appear to publish a CVE (Common Vulnerabilities and Exposures) list, as some other CMS providers do.
Joomla is another free and open-source CMS that is quite popular among web developers. Accounting for 5.3% market share, Joomla is also used for 13,480 of the top 1 million trafficked sites on the internet (source). Started in 2005 as a fork of Mambo, Joomla uses object-oriented programming techniques and software design patterns and includes features such as page caching, RSS feeds, printable versions of pages, news flashes, blogs, search, and support for language internationalization.
Where Joomla differs from WordPress and Drupal most is how open-source it is; Joomla is organized into different departments that make up its board of directors, governed by Open Source Matters, Inc. Joomla’s board is made completely of unpaid volunteers. No one is paid by Open Source Matters to manage Joomla.
Joomla’s official documentation on securing your site is a great start for new users to the CMS who want to ensure their installation of Joomla is as safe as possible.
Drupal was first launched in May of 2000 by its original author, Dries Buytaert. A free and open source CMS holding a 3.5% market share, Drupal makes up 23,330 of the top 1 million trafficked sites (source). The standard release of Drupal, known as Drupal Core, contains the basic features of a CMS including account registration and maintenance, menu management, RSS feed, taxonomy, page layout customization, and systems administration. Like WordPress, Drupal also has a security team that resolves reported issues, assists in users resolving their security issues, provides documentation, and helps the infrastructure team. Like Joomla, Drupal is also built and maintained by the open source community. Drupal’s official documentation for securing the installation contains tips and examples on how to harden your installation.
Drupal has also had its fair share of security issues. However, their security team does publish a verbose list of CVEs dating back to 2005, which also include best practices.
So Which CMS is the Most Secure?
Unfortunately, there’s no quick and simple answer to this question, and as the end user, your needs might vary for the project you are working on. What you can do is arm yourself with the information necessary to make your decision, and understand the differences between WordPress, Joomla, and Drupal.
With a great comparison of the three major CMS options and a quick overview of the security differences between them, websitesetup.org explains that current security issues with WordPress aren’t due to compromises in the core software, but most often related to 3rd party plugins. Drupal, mostly secure out of the box, has had its fair share of problems, such as the 2014 SQL injection vulnerability. As far as Joomla is concerned, the security of the installation is the responsibility of the user. Joomla, while quick to respond to vulnerabilities with applicable patches, lacks automatic updates. This means its users must actively work to maintain awareness and apply the updates.
cmscritic.org also has a solid breakdown offering their opinion on the pros and cons of each of the big three CMS choices. WordPress again wins points for having the core software considered secure, while the issues most often lie in 3rd party applications. Joomla is rated the same way, with kudos for their secure core files. However Joomla’s volunteer force has historically been smaller than WordPress or Drupal, and securing an individual’s site or sites is the responsibility of the end user. When it comes to Drupal, their profile leaves a little to be desired, only mentioning that Drupal’s core software is secure.
As an aside, thehackernews.com has documented the more recent Drupal exploits in detail, which the previous comparisons do not.
The most important thing to keep in mind when selecting the right CMS for your content is to consider which features are most beneficial to you. Each of the major three CMS options has benefits and concerns, and security vulnerabilities in each can be counteracted by being a proactive user; check for security updates and make sure that all software is up-to-date.
To discuss WordPress, Joomla, and Drupal security more in-depth, or to weigh in with your own opinion, join the conversation on Slack, Discord, or the Official cPanel subreddit.