A client recently asked us why we would recommend Drupal instead of WordPress for migrating a custom content management system to Drupal. This is a multilingual site for an IPTV company. Below is our answer. Now each client is different, and the factors mentioned below were important to the specific client.
Drupal is more secure than WordPress
Drupal’s security record speaks for itself. Seldom does Drupal have any glaring bugs or security holes that might lead to Drupal-based sites being compromised. The few bugs that it does have are identified by a dedicated security team which identifies security problems in core and in third-party contributed modules. These are usually immediately patched. Current version of Drupal will be supported until Drupal 9 comes out, which should not be for another 3 years as 8 has yet to be released. This essentially means that if you invest in a site, you don’t have to worry about it too much for a few years. With WordPress you essentially have to keep on top of the updates, because of its track record, there may be vulnerabilities that might allow your site to be compromised in a bad way.
Drupal’s security track record
WordPress vulnerabilities
WordPress’s security track record
Drupal core has access control and user roles
WordPress has no support for user defined roles out of the box. The built-in role system is aimed directly at managing blogs or publisher sort of sites. The roles are hard coded, and new roles can not be added to the system. Permissions can not be set for certain content to be viewed by certain roles. There are ways around this by using third party plugins. However, the problem with third-party plugins is that there are many of them, and they all do things in their own way. It’s also the case that those third party plugins are not hosted in a single environment where a security team looks after them for any holes and bugs. Finally, a developer may at any point stop supporting those plugins. As there is no single repository for all the WordPress code, it may be difficult to continue to provide support for that functionality as new versions of WordPress are released.
Drupal, on the other hand, provides user defined roles and permissions in the core install so it’s nothing to be concerned with. Further, access control on a per page content level is provided by third party modules which are hosted in a central repository.
WordPress Roles and capabilities
WordPress User Access Manager
Multilingual capability
Drupal’s multilingual capability, in terms of support and continuing development, is supported by Acquia which is an Enterprise vendor for Drupal. Acquia has received millions of dollars of funding and runs a ton of US government websites. Acquia thinks that the multilingual capability of Drupal is very important for Drupal. Acquia has contributed lots to improving multilingual Drupal and continues to do so. There is only a single way to do multilingual sites with Drupal and Acquia supports that. Generally, every aspect of Drupal supports its multilingual capability from its menus to various blocks and even views — the entire interface can be converted to another language.
WordPress has third-party plugins to do multilingual and there are many of them. As far as we know they are not in any major way supported by any large organizations. Some of them cost money and some do not. The problems cited above about third-party plugins in general applies to these as well.
WordPress’s multilingual abilties
Drupal has a better API for developers
Drupal is better for developers which means that when we cook up a site for you, there isn’t a ton of hacky code that leads to tons of security problems. Drupal has a somewhat complex, but defined way to do everything. If you understand that and follow it, the results are generally secure and bug free. WordPress lets you take many more liberties with custom code. This leads to potentially better UIs and more user-friendly solutions for custom-coded plugins; but at the same time this leads to security problems and hacky code that does not really have to follow any given standard.
Drupal coding standards
Drupal’s API