Why CTOs prefer Drupal over WordPress

At least three times a month, I’m asked by either a prospective client or someone new to the content management industry why they should use Drupal instead of WordPress for their CMS needs.

The reality is both platforms are great, but there are a number of reasons why I prefer Drupal to WordPress.


Without proper security, your site is vulnerable to attack. An attacker could deface your site, work to infest your users with malware or even bring down your site completely.

It is recommended that if you are using Drupal, you should only use modules that feature full releases on Drupal.org. That recommendation is because Drupal’s security team monitors every supported module on Drupal.org with a full release for security issues.  When an issue arises with a module, the security team releases a security advisory that includes information about the severity of the vulnerability and how to address it. Finally, the team also works directly with module contributors to address security vulnerabilities they identify.

WordPress, on the other hand, can be more decentralized. While the platform has a security team as well, security advisories are only available for the core code. There is a relatively new process for receiving automatic updates to plugins, but it is inconsistently applied and is a highly manual process for the security team. The use of automatic updates could create issues for a site, especially as it becomes more complex.

Wordpress-big.pngSome of the most successful plugins for WordPress are also not hosted on WordPress.org. Any plugins that are not hosted on the WordPress.org, such as paid plugins, are not subject to the security team’s review. Drupal’s licensing essentially stops any paid modules, so Drupal has been very successful in maintaining modules on Drupal.org because they can be freely distributed. On WordPress, however, plugin developers can choose to require purchase for a plugin, so plugins like Gravity Forms are not hosted on WordPress.org or under the purview of the WordPress security team.

Let’s look a little bit more at plugins and modules

With WordPress, if a plugin creator decides not to maintain a paid plugin anymore, then you, the user, will no longer receive any updates to the plugin. You and your site essentially become dependent on that plugin developer. If they stop updating it, your site could ultimately pay the price.

Drupal, on the other hand, has very strong community support for modules, and since all of the modules are freely available, it makes it a lot easier for someone to pick up where the original developer left off. In fact, many Drupal modules are not maintained by the same person who first developed them. The Drupal community tends to keep the most popular modules going. 

What that means for you is that when you use a Drupal module, there’s less need to worry about what happens if a developer decides to move on from the module. 

CTA 1 - Don't Wait to MIGR8

Don’t Wait to MIGR8

Let Duo guide you on the right path to Drupal 8.


You probably don’t need me to tell you that site speed matters to users. How many times have you sat waiting for a site to load, only to ultimately give up and move on to a different site instead? You don’t ever want that to happen to your users. 

So, what can you do?

If you’re using Drupal 8, you can now benefit from the same type of loading technology that was first developed at Facebook. Drupal’s BigPipe module, which now is included in Drupal core, allows your site to have much better front-end and perceived performance through the streaming of replacements for placeholders.

Background on caching / how a site loads

For performance, Drupal 8 allows for a lot of granularity and control with the caching strategy for top-tier performance. Anything that is renderable within Drupal 8 can include caching metadata that allows really fine-grained control. One example of this are cache tags, which can be added to the site's entities (e.g., content) and configuration. If you update the title of a piece of important content, Drupal 8 can be configured to ensure that relevant caches containing the title throughout the site are also cleared without any intervention from the content editor. A good example would be some breaking news that has a misspelling or incorrect information in the title.

This video helps demonstrate the difference between the traditional method and the method used with the BigPipe module. Site speed is important to more than just your users, though. It also matters to SEO. By featuring faster-loading pages, you’re strengthening how Google ranks your site. 

Back-end user interface

For as long as I’ve worked with Drupal, I’ve heard the complaints that Drupal is not as easy to operate on the back end as WordPress. Frankly, the content developing and authoring experience is the biggest criticism I ever hear about the platform.

The frustrations have been heard and acknowledged, and Drupal now features a variety of improvements to the back-end experience. 

  • The CKEditor WYSIWYG editor features a new drag-and-drop interface and allows users to configure their admin toolbar to best serve their needs.
  • The Quick Edit module allows users to make content edits on the front-end of the website.
  • The new content creation page makes the process of publishing content substantially easier to follow and understand.

Learn more about these and other content creation updates that have changed the back-end experience and made a huge impact from an authoring perspective.

WordPress is a great platform, and in certain situations, it makes a lot of sense. But if you want to have a site that is going to be able to grow with you and you’re going to be able to do anything you want to it, Drupal is a great choice.

If you want a site that is secure and flexible, you can’t go wrong with Drupal. 

CTA 5 - We Build Digital Experiences - Our Recent Work

We Build Digital Experiences

Duo is a web design agency that expertly creates custom web solutions for our clients