WordPress, Drupal, and Joomla together occupy the maximum market share in Content Management Systems (CMS) used to develop websites. These CMSs provide the building blocks for a large part of the internet and attract a horde of hackers. They are a prime target for malicious attacks mostly involving data theft, transaction fraud or SEO spamming. Also, check our blog post on Magento vs Woocommerce vs Opencart if you are looking for a CMS, for your e-commerce store. Security is a major concern when it comes to choosing the right CMS for your business needs so we’ve gone ahead and conducted a security comparison of WordPress vs Drupal vs Joomla.
WordPress is undoubtedly the most sought after CMS, due to which it is constantly at peril to cybercrime. It powers nearly 75 million websites (as of 2016) worldwide, most notably BBC, Techcrunch, Sony and MTV amongst many others. Consequently, WordPress regularly witnesses a large number of brute force attacks time and again. Statistics suggest that the vast majority of hacked websites were hosted on WordPress, with a whopping 16,000 sites been hacked in 2016.
There are many providers like Astra & WordPress VIP who can help you enhance the security features of your WP website. It usually includes an in-depth code review to unearth vulnerabilities and provides guidance about security best practices. However, the major security vulnerabilities in WordPress and most CMS arise from using third party plug-ins and extensions. This alone makes up 56 percent of known vulnerabilities in WP.
For instance, Slider Revolution (RevSlider) and GravityForms plugins have seen security issues in the past affecting a huge number of websites. While regular fixes for these security issues have been released, new vulnerabilities keep spring up due to the massive popularity of the CMS.
Drupal has gained prominence as a secure CMS and is favored by government organizations including the White House, Africa Union and other government departments. It is designed for the more tech-savvy users and has the ability to cater to complex projects. The Drupal community is very proactive about security and has a dedicated all-volunteer group of individuals, who work to improve and maintain the security of the Drupal project. Regular security patches and updates are released and notified via emailers.
Joomla has been around for a while now and has gained prominence with developers. Joomla also has an active community focusing on security. The core Joomla code is secure but often relies on the user to configure and implement the system correctly (not automatically done by Joomla). There is extensive documentation made available by Joomla which encourages users to follow some security best practices.
The Joomla security team is comparatively smaller than that of other CMSs, it provides essential information for a developer to incorporate.
WordPress vs Drupal vs Joomla
|Bug Bounty Program||Yes, since April 2017||Yes, since June 2015||Yes|
|Number of CVEs reported||254||313||94|
|Frequency of security patches||Monthly||Monthly||Monthly|
|Built in two-factor authentication||Plugin||Plugin||Yes|
|Logging of Login Attempts||Plugin||Yes||Plugin|
|Astra Security Suite||Yes||Yes||Yes|
|Security Plugins in Marketplace||Yes||Yes||Yes|
According to CVE data (Common Vulnerabilities and Exposures), Drupal encountered the least number of cyber attacks since 2005 whereas, on the other hand, Joomla has had the most amount of found vulnerabilities, with 327. Although Drupal encountered 75 vulnerabilities in 2008 and 29 vulnerabilities were found in 2015-16 combined, its security team has managed to keep these numbers down.
Although Drupal encountered 75 vulnerabilities in 2008 and 29 vulnerabilities were found in 2015-16 combined, its security team has managed to keep these numbers down. 46% of the vulnerabilities found in Drupal were cross site scripting – XSS. XSS is a code injection attack wherein an attacker injects malicious scripts into websites to gain unauthorized access. Cross site scripting has also been a major vulnerability in WordPress with roughly 39% vulnerabilities caused due to XSS. Joomla’s 15% vulnerabilities were XSS too.
54% of Joomla’s vulnerabilities are code execution flaws – an attacker injects malicious codes to gain administrator privilege. While SQL Injection attacks form 40% of the total vulnerabilities encountered by Joomla, Drupal and WordPress are equipped with better security features to defend themselves against code execution.
Conclusion: WordPress vs Drupal vs Joomla
Overall, Drupal comes off as the most security-focused system and has managed to successfully keep vulnerabilities at bay. Joomla, on the other hand, has a comparatively smaller security team to handle security breaches. WordPress’s popularity attracts a huge amount of cybercrime to it, keeping it always on its toes to completely secure the CMS. However, WordPress comes with a plethora of plugins and security documentation to help users make their website secure.
While the choice of a suitable CMS for your business will depend on your business requirements, it is important to have a strong & secure foundation. Being a secure and robust CMS, Drupal is favored for large and complex websites and is trusted by governments globally. Whereas, WordPress & Joomla attract users who prefer a quick & easy solution with maximum ease of use & development.
Don’t forget to check our in-depth analysis on Magento vs Woocommerce vs Opencart if you are looking for a CMS for your e-commerce website.
Here are some Secure Coding Practices Checklist for Developers that can help you to reduce risk.
Wish to fully secure your website in minutes? Contact Astra to protect your WordPress, Drupal or Joomla website from malicious attacks.