WordPress, Drupal, and Joomla together hold the largest market share among the Content Management Systems (CMS) used to develop websites. These CMSs provide the building blocks for a large part of the internet and attract a horde of hackers. They are a prime target for malicious attacks, mostly involving data theft, transaction fraud or SEO spamming. Also, check our blog post on Magento vs Woocommerce vs Opencart if you are looking for a CMS for your e-commerce store. Security is a major concern when choosing the right CMS for your business needs, so we’ve gone ahead and conducted a security comparison of WordPress vs Drupal vs Joomla.

WordPress

WordPress is undoubtedly the most sought-after CMS, which leaves it constantly exposed to cybercrime. It powers nearly 75 million websites (as of 2016) worldwide, most notably BBC, Techcrunch, Sony and MTV amongst many others. Consequently, WordPress regularly witnesses a large number of brute force attacks. Statistics suggest that the vast majority of hacked websites were hosted on WordPress, with a whopping 16,000 sites being hacked in 2016.

There are many providers like Astra & WordPress VIP who can help you enhance the security features of your WP website. This usually includes an in-depth code review to unearth vulnerabilities and guidance about security best practices. However, the major security vulnerabilities in WordPress and most CMSs arise from using third-party plug-ins and extensions. This alone makes up 56 percent of known vulnerabilities in WP.

For instance, the Slider Revolution (RevSlider) and GravityForms plugins have seen security issues in the past, affecting a huge number of websites. While regular fixes for these security issues have been released, new vulnerabilities keep springing up due to the massive popularity of the CMS.

Drupal

Drupal has gained prominence as a secure CMS and is favored by government organizations including the White House, the African Union and other government departments. It is designed for more tech-savvy users and can cater to complex projects. The Drupal community is very proactive about security and has a dedicated all-volunteer group of individuals who work to improve and maintain the security of the Drupal project. Regular security patches and updates are released and announced via email.

Joomla

Joomla has been around for a while now and has gained prominence with developers. Joomla also has an active community focusing on security. The core Joomla code is secure but often relies on the user to configure and implement the system correctly (not automatically done by Joomla). There is extensive documentation made available by Joomla which encourages users to follow some security best practices.

Although the Joomla security team is comparatively smaller than that of other CMSs, it provides essential information for a developer to incorporate.

WordPress vs Drupal vs Joomla

We’ve put together a comparison table based on the important security features required while setting up a website. In the table, you can see the features that are available in the CMS core itself and those which can be implemented with plugins like Astra.

 

| Feature | WordPress | Drupal | Joomla |
|---|---|---|---|
| Bug Bounty Program | Yes, since April 2017 | Yes, since June 2015 | Yes |
| Number of CVEs reported | 254 | 313 | 94 |
| Frequency of security patches | Monthly | Monthly | Monthly |
| Security Advisory | Yes | Yes | Yes |
| Built-in two-factor authentication | Plugin | Plugin | Yes |
| Clickjacking Protection | Plugin | Yes | Plugin |
| Logging of Login Attempts | Plugin | Yes | Plugin |
| Astra Security Suite | Yes | Yes | Yes |
| Security Plugins in Marketplace | Yes | Yes | Yes |

 

According to CVE (Common Vulnerabilities and Exposures) data, Drupal encountered the fewest cyber attacks since 2005, whereas Joomla has had the most vulnerabilities found, with 327. Although Drupal encountered 75 vulnerabilities in 2008 and 29 vulnerabilities were found in 2015-16 combined, its security team has managed to keep these numbers down.

46% of the vulnerabilities found in Drupal were cross-site scripting (XSS). XSS is a code injection attack wherein an attacker injects malicious scripts into websites to gain unauthorized access. Cross-site scripting has also been a major vulnerability in WordPress, with roughly 39% of its vulnerabilities caused by XSS. 15% of Joomla’s vulnerabilities were XSS too.

54% of Joomla’s vulnerabilities are code execution flaws, in which an attacker injects malicious code to gain administrator privileges. While SQL injection attacks form 40% of the total vulnerabilities encountered by Joomla, Drupal and WordPress are equipped with better security features to defend themselves against code execution.

Conclusion: WordPress vs Drupal vs Joomla

Overall, Drupal comes off as the most security-focused system and has managed to successfully keep vulnerabilities at bay. Joomla, on the other hand, has a comparatively smaller security team to handle security breaches. WordPress’s popularity attracts a huge amount of cybercrime, which keeps it constantly on its toes to secure the CMS. However, WordPress comes with a plethora of plugins and security documentation to help users make their website secure.

While the choice of a suitable CMS for your business will depend on your business requirements, it is important to have a strong & secure foundation. Being a secure and robust CMS, Drupal is favored for large and complex websites and is trusted by governments globally. WordPress & Joomla, by contrast, attract users who prefer a quick & easy solution with maximum ease of use & development.

Don’t forget to check our in-depth analysis on Magento vs Woocommerce vs Opencart if you are looking for a CMS for your e-commerce website.

Here is a Secure Coding Practices Checklist for Developers that can help you reduce risk.

Wish to fully secure your website in minutes? Contact Astra to protect your WordPress, Drupal or Joomla website from malicious attacks.


About The Author

Bhagyeshwari Chauhan

An engineering grad and a technical writer, Bhagyeshwari blogs about web security, futuristic tech and space science.

3 Comments

  1. How Does the WordPress DoS Exploit Work? - Astra Web Security Blog - Reply

    […] WordPress, one of the most popular content management systems in the world is rendered vulnerable to yet another vulnerability capable of bringing down an entire WordPress powered system. Statistically powering nearly 29% of the web, an unattended WordPress vulnerability breeds serious consequences for businesses and websites. […]

  2. Hello,

    I am running a website on wordpress and joomla 2.5. The blog part is on wordpress whereas all other functionality (forum, users management…) are on joomla.
    I need to upgrade joomla from 2.5 to 3 but I strongly hesitate to do so. I wonder if I shouldn’t migrate to wordpress.
    It would be easier to maintain but I am concerned by the datable sizes. If everything is in the content table, it will be very big and I am not sure the server will be able to handle it. There are also 100 k+ users and a lot of content managed by seblod (3000 contents).
    Is there a maximal size for this table, so that the website runs well? I am using a shared hosting server and don’t want to change.

    What would you choose: migrate everything to WordPress or upgrade to Joomla 3?
    Tell me if you miss some elements to compare!

    Thanks a lot for your help!!
    Perrine

  3. I am really loving the theme/design of your web site.
