Drupal Security


The last couple of years have been hard for the Drupal team, with several highly critical vulnerabilities in Drupal core. First came SA-CORE-2018-002 in March 2018, commonly known as Drupalgeddon 2. Not even a month later there was another round with SA-CORE-2018-004. After some further critical vulnerabilities, another highly critical one arrived at the beginning of this year: SA-CORE-2019-003.

Yesterday, we had a batch of critical and moderately critical updates that you should patch as soon as you can. It is in cases like these that you are glad to be running some sort of WAF, which adds a layer of protection against attacks while you roll out the patch.

Drupal vs WordPress security

One might think, after seeing these Drupal vulnerabilities published, that you would be better off using WordPress. After all, you don't see any security advisories from WordPress. How is that possible? Because WordPress does not make any distinction between regular and security updates. That means you don't know whether the next update is "highly critical" or just a "minor fix", so you cannot plan accordingly. Updating software always risks breaking something, so many follow the rule: if it works, don't touch it. However, this rule falls apart when the security of your site and its users is at stake, so you had better know whether it works safely.

Besides that, WordPress does not have a security advisory page where security updates are published, as Drupal has; Drupal even has one for its contributed projects. For WordPress you have to rely on a third-party service such as wpvulndb. It is excellent, but it is a shame that such a basic service is not offered by WordPress itself.

Thanks to this control over updates and security, the Drupal admin panel shows the user when security updates are pending and makes it very clear that they should be applied as soon as possible.

So if you hear more about Drupal security problems than about WordPress ones, it is, in part, because the Drupal team has far more control over their security. For this reason I think Drupal is better at securing its software than WordPress is.