Drupal vs. WordPress: Which is More Secure?

An important consideration for anyone standing up a CMS is security. So, which CMS do you choose?

Here are two things to consider:

WordPress Plugins and Drupal Modules

Both WordPress and Drupal are open source, which has many upsides. For one, both are free to install and stand up. But an open source CMS can also present security risks. Users within these open source communities are constantly writing and distributing custom code to increase functionality. In WordPress, these pieces of custom code are called plugins; in Drupal, they’re referred to as modules.

Modules are, for the most part, pretty secure. They’re vetted by the community and updated often. WordPress plugins aren’t as secure. They’re not always closely inspected by the community and can develop security vulnerabilities.

Drupal Has a More Complex Set of User Permissions

Another reason Drupal is more secure than WordPress is the complexity in its user permissions.

Let’s say you’re taking a flight. You go through multiple screenings to get on this flight; you check in when you first arrive at the airport, you go through a TSA checkpoint, and your ticket is checked again before you board the plane. There’s no way to get to the gate without confirming your identity multiple times.

That’s like Drupal’s level of security. The CMS has granular control of user permissions. You have the option of assigning users a role in just one section of the site.

Maybe you want to make someone on your HR team an editor in the hiring section of your website and nowhere else — that’s possible in Drupal.

Now, back to the airport analogy: if you work for the company that provides food for airplanes, you don’t have to go through security checkpoints every time you access a plane. You likely go through some security when you start work, but after that, you have access to the tarmac and planes on it.

This is more like WordPress. If you have editor permissions, you are an editor across an entire WordPress site. You can’t silo users into specific sections.

As a result, a compromised account can make changes across the entire site.

Of course, security isn’t the only thing to think about when choosing a CMS.

WordPress is still the most popular CMS out there. It’s generally easier to use and doesn’t take as much technical know-how, which is attractive for a lot of people.

But if you choose to stand up WordPress, your site is likely to be less secure than it would be on Drupal. It will be important to keep your CMS protected by removing old themes and plugins and keeping your user roles up to date.

It’s always good practice to do this — but especially in WordPress.
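One way to turn that cleanup into a repeatable check, shown here as an added example rather than anything from the original post: a short Python audit over JSON exported with WP-CLI (`wp plugin list --format=json`, `wp theme list --format=json`, `wp user list --format=json`). The sample records, the approved-user list and the choice of which roles count as site-wide are assumptions made for illustration.

```python
import json

# Constructed sample data, shaped like WP-CLI's --format=json output.
PLUGINS = json.loads("""[
 {"name": "contact-form", "status": "active", "update": "available"},
 {"name": "old-slider", "status": "inactive", "update": "none"},
 {"name": "seo-helper", "status": "active", "update": "none"}
]""")
THEMES = json.loads("""[
 {"name": "corp-theme", "status": "active", "update": "none"},
 {"name": "twentynineteen", "status": "inactive", "update": "available"}
]""")
USERS = json.loads("""[
 {"user_login": "alice", "roles": "administrator"},
 {"user_login": "bob", "roles": "editor"},
 {"user_login": "carol", "roles": "subscriber"},
 {"user_login": "dave", "roles": "editor"}
]""")

# Assumption: roles this audit treats as able to change content site-wide.
SITE_WIDE_ROLES = {"administrator", "editor"}

def removable(items):
    """Inactive plugins or themes: unused code still present on the server."""
    return sorted(i["name"] for i in items if i["status"] == "inactive")

def outdated(items):
    """Plugins or themes with an update waiting to be applied."""
    return sorted(i["name"] for i in items if i["update"] == "available")

def unexpected_privileged(users, approved):
    """Accounts holding a site-wide role that are not on the approved list."""
    flagged = []
    for user in users:
        roles = {r.strip() for r in user["roles"].split(",")}  # comma-separated
        if roles & SITE_WIDE_ROLES and user["user_login"] not in approved:
            flagged.append(user["user_login"])
    return sorted(flagged)

def audit(plugins, themes, users, approved):
    """Combine the three checks into one report."""
    return {
        "remove": removable(plugins) + removable(themes),
        "update": outdated(plugins) + outdated(themes),
        "review_roles": unexpected_privileged(users, approved),
    }

if __name__ == "__main__":
    print(json.dumps(audit(PLUGINS, THEMES, USERS, {"alice", "bob"}), indent=2))
```

Before deleting an inactive theme, confirm that it is not the fallback theme you intend to keep.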

