The Big Three: A Security Comparison of WordPress, Drupal and Joomla!

WordPress, Drupal and Joomla make up the big-three in content management systems, collectively they form the three most popular and widely-used CMS. Security wise, CMS are a goldmine for hackers, as they provide the building blocks for a large portion of all the world-wide web. The popularity of these systems means they are a prime target for hackers. Because of this, the systems have been developed over time to be extremely secure. All services are free and open-source projects that use extensions and add-ons to supplement core code to allow for additional features. Individually, they all offer a different take on security, but have similarities in that they are all based on the PHP scripting-language and support the use of relational database management systems, mainly utilising MySQL.


WordPress is undoubtedly the most popular CMS on the planet, and for this reason it is exposed to a constant attention from hackers. The WordPress security team is made up of 25 experts, including lead developers and security researchers. A number that seems low, given the number of sites running off WordPress is around 75 million and accumulates up to 27% of the entire net.

WordPress offers enhanced security for members for their paid service – WordPress VIP. By paying for the VIP treatment, a dedicated group will do an in-depth code review to seek out vulnerabilities. They will also guide customers with suggestions for best practices in development to make sure that the site will continue to live on without significant maintenance costs or major issues.

The major security vulnerability with WordPress, and most CMS, is the entry points created using third party plug-ins and extensions, which make up 56% of known vulnerabilities in WP. Overall, the security is at the level it needs to be to protect such a vast number of sites, and security suggestions are updated frequently by the maintenance team to guide users on the best security practices.


Joomla is an easy-to-use CMS that appeals to those who may have limited experience and knowledge in managing content online, or who may be looking for a simple CMS solution. This means that even though Joomla’s core is highly secure, there is pitfalls users can fall into when implementing their system without appropriately configuring all system components.

Documentation made readily available by Joomla encourages users to focus on what they can do to improve their system security, as opposed to just relying on the system itself. It is worth noting that Joomla has the least amount of individuals on their security team with just 13 people, but provides solid information to individuals using their services to configure security in the appropriate way.


Drupal is considered to be the most secure of the big three, designed for the more tech-savvy users, it has the ability to cater for large amounts of complex content. The Drupal community is very serious about security and has a dedicated all-volunteer group of forty individuals, who work to improve and maintain the security of the Drupal project.

The scalability to large sites is what sets Drupal apart from the other two offerings, and the list of Drupal sites used for state, provincial and national governments is the perfect indication that the system is highly secure. Government sites including the White House, House of Representatives and all U.S. government departments use Drupla. I’m sure those in charge on administering those sites have received consultation from some of the leading experts in information security that Drupal is the best way to manage highly classified data online.

Statistical comparison

The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. The CVE is funded by the National Cyber Security Division of the United States of Homeland Security and is considered to be one of the most reliable sources of cyber security assessment. According to CVE data, if you compare market share to incident rate, Drupal comes out with the least number of incidents to market-share ratio and since 2005, Joomla has had the most amount of found vulnerabilities, with 327.

Drupal experienced a tough time in 2008 when security team had to deal with 75 known vulnerabilities and 52 in the following year. To put that into perspective there was only 29 vulnerabilities found in 2015 and 2016 combined, showing a determination to keep those numbers down by the security team in recent years.

46% of the total vulnerabilities found in Drupal consisted of cross-site scripting (XSS) – referring to a code injection attack wherein an attacker can execute malicious scripts into a legitimate website. A method used to bypass access control and gain unauthorised access. 39% of WordPress vulnerabilities were also due to cross-site scripting and 15% of total vulnerabilities for Joomla.

Joomla’s vulnerability percentage is made up mostly of code execution flaws (54%) – vulnerabilities that allow the execution and injection of shellcode to give an attacker the ability to manipulate a system in to granting administrator privileges. Joomla has also struggled with SQL injection attacks (40% of total vulnerabilities) – in which SQL statements (database queries) are inserted into an entry field for execution by the attacker, giving them means to carry out such actions as dumping database contents to the themselves for further investigation. Both Drupal and WordPress fare much better in defending themselves against both code execution and SQL injection attacks.

With the right implementation of information security, it is valid to use any of the big three as a suitable CMS based on business requirements. A more robust and secure CMS such as Drupla may be more appropriate for large datasets and complex content management. For a different type of experience where ease of use and less amounts of complex data is used, Joomla or WordPress may offer a better solution. In any case, there is no 100% guarantee that a security breach won’t happen and the steps taken to secure the system are as important than the security of the systems themselves.


Overall, Drupal offers the system with the most focus on security and the dedicated team of volunteers have done well to keep vulnerabilities statistics low in recent times. Whereas, Joomla offers the least amount of security based on statistics and the least amount of people working for their in-house security team. With the popularity that comes with WordPress it’s almost impossible to create a wholly secure environment, but with careful planning and cautious use of plug-ins it’s possible to increase security to a suitable level.