The Age-old Discussion Returns: Drupal or WordPress?

After the Drupal 6 end of life announcement was released, a flurry of activity ensued in the comments thread. While reading these responses, I was surprised to see the number of times people brought up WordPress and its security release structure. Specifically, it was used as a rallying point in favor of WordPress.

Understanding Release Cycles: Drupal vs. WordPress

Core Code Releases

There is a misconception regarding version releases between Drupal and WordPress and while they are the probably two most-compared open-source platforms, they have completely different release structures. Below is an overview of each.

Drupal

With each major release of Drupal, there is always a migration path built in for your Drupal core-related data. This means that if you are running a completely default installation of Drupal your site will always update smoothly from one major version series to another.

However, the major functionality of Drupal, and what makes it so powerful and configurable, has always been its contributed modules. Due to the fact that Drupal is open-source, contributed modules and themes usually lag behind the release schedule for Drupal core.

Drupal is committed to maintain the code and security of its two latest releases. At this time that is Drupal 8 and 7. But it is also committed not to allow old code to bog down newer releases.

Therefore, people adopting Drupal for their web or CMS project should plan for periodic upgrades of their project to the latest major release (every 6 years or so) in order to benefit from the ongoing active support of one of the finest open source development communities.
-Drupal.org, “Backward compatibility for data, not code” (https://www.drupal.org/node/2613652)

For more information on the release cycles of Drupal, visit their documentation page at https://www.drupal.org/core/release-cycle-overview.

WordPress

While Drupal has different versions, each with its own releases, WordPress has always had a single version that is incremented with each new major release. According to their website, any new “micro-release” that is less than the current one is considered to be EOL. This means from the moment a new release comes out until you apply updates, your version of WordPress is considered end of life.

A major WordPress version is dictated by the first two sequences. For example, 3.5 is a major release, as is 3.6, 3.7, or 4.0. There isn't a "WordPress 3" or "WordPress 4" and each major release is referred to by its numbering, e.g., "WordPress 3.9."
-WordPress.org, “About Security” (https://wordpress.org/about/security)

Minor releases are indicated by a third number (i.e. major release: 4.4, minor release: 4.4.2). According to WordPress.org, new major releases are scheduled every 4-5 months and minor releases are used to address security fixes and critical bugs.

Contributed Code Releases

Drupal has modules and WordPress has plugins. With each new release of either CMS, any add-on functionality could be affected. It is up to the maintainers of the contributed code to resolve any errors that may arise as a result of updates to the core codebase. In this regard, WordPress and Drupal are in the same boat.

Security Teams

Drupal and WordPress both have their own teams that address security issues with both core and contributed code. The methods each team takes are similar in their dedication to keep their platform and user base secure.

WordPress

At the time of this writing, the WordPress security team has “approximately 25” members. This list does not appear to be readily available, but WordPress notes about half of this team is made up of employees of Auttomatic.com (makers of WordPress.com). Their method of addressing security issues is stated below.

When a plugin vulnerability is discovered by the WordPress Security Team, they contact the plugin author and work together to fix and release a secure version of the plugin. If there is a lack of response from the plugin author or if the vulnerability is severe, the plugin/theme is pulled from the public directory, and in some cases, fixed and updated directly by the Security Team.
-WordPress.org, “About Security” (https://wordpress.org/about/security)

But, as with all open-source, contributed code, it is up to the plugin maintainer to keep their code up-to-date.

Inclusion of plugins and themes in the repository is not a guarantee that they are free from security vulnerabilities.
-WordPress.org, “About Security” (https://wordpress.org/about/security)

Drupal

At the time of this writing, Drupal’s security team has 39 members. These members are all volunteers, but many are employed by some of the top Drupal digital agencies in the world (such as Acquia, Lullabot, and Pantheon). This team regularly reviews reported vulnerabilities for both core and contributed code. Their methods are outlined below (quoted from their documentation for contributed module maintainers).

If you don't fix the issue in a timely manner or progress on the fix seems to stall then the Security Team will publish an advisory urging users to uninstall the affected module and the project will be marked as unsupported (aka abandoned) to facilitate a user of the module taking it over and fixing it. Timely progress means that the maintainer responds and makes progress on code within 2 weeks of being contacted.
-Drupal.org, “Contacted by the Security Team: Now What?” (https://www.drupal.org/node/101497)

Know Your Goals

We are a Drupal shop. But we do not recommend Drupal for every project. There are times when it is just too much for the project at hand. Yes, Drupal can run a blog. And it can do it well. But it can also provide the data framework for a mobile app, run an online store, and integrate with a host of third-party services. Can WordPress do this too? Yes it can! But if you wanted to do something more complex, such as control a user’s access level automatically by a membership system, points, badges, or some other custom ranking system it can get tricky.

Some projects greatly benefit from the wealth of configuration options provided by Drupal. Some projects would be overwhelmed by them.

The discussions and comparisons of WordPress and Drupal have been going on for years. And it will likely continue for the lifetime of the platforms. WordPress is a great solution and runs millions and millions of sites across the globe. But when thinking of how a site should be built, the first questions should not be “What should I build this on?” but “What do I want my site to accomplish?” Knowing the answer to this question should quickly make the decision for you.