Picking the right CMS platform or making a change is a big choice. A platform is the foundation of your website, so it’s a decision worth mulling over.

With so much information out there, it’s difficult to pick the perfect CMS for you. For every Drupal defender out there, there’s a WordPress advocate.

Picking a victor in the WordPress vs Drupal battle and figuring out which one works for you can initially feel impossible.

While we at Illustrate Digital are passionate about WordPress and think it’s the best thing to happen to the internet since, well, the internet, we do realise alternatives exist.

We’ve previously analysed WordPress and Joomla, as well as WordPress and Umbraco, so now it’s time to see how another big competitor sizes up.

Below, we’ve impartially measured WordPress and Drupal in usability, security, customisation, community and content management.


The barrier of entry is important when it comes to a CMS. Nobody wants to be put off creating a great website because of a needlessly complicated set-up process, nor do they want to feel like there’s a constant uphill battle between what they want to make and the features and eccentricities of a CMS.

While accessibility may seem like a small matter, in the long run, a content management system needs to cater to everyone – a malleable platform is better than a platform that only caters for seasoned developers.

WordPress and Accessibility

WordPress is ideal for beginners. You can go from not knowing anything about building a website to having a functioning (albeit barebones) one quite quickly.

As far as the code goes, WordPress is more adaptable and easier to get into than Drupal. WordPress is comparatively kinder on new users, offering simple-to-understand instructions and an intuitive user-interface.

Finding themes, layouts and important updates is easy, with updates like the Gutenberg editor only serving to improve WordPress’s reputation as the go-to platform for new or time-starved users.

The name of the game for WordPress is providing a platform that makes creating good, memorable content simple.

Drupal and Accessibility

Once you learn how to use Drupal, it feels intuitive and easy. However, “once you learn” isn’t spending a few hours getting used to things like in WordPress – it’s a long-term process.

Drupal is a CMS for people who can get over the high barrier of entry with more advanced coding knowledge; it’s the platform for intermediate-level coders and CMS experts, not the platform for everyone.

This means individuals need to take a lot of time to get up to speed, and agencies typically need to charge more for Drupal sites as set-up times are higher than with WordPress.

While Drupal’s number of options is great when you’re an expert, as a novice it’s simply overwhelming.

WordPress manages to balance accessibility with customisation, whereas Drupal goes all out on its scope to provide bespoke, hyper-specific options at the cost of ease-of-use (and actual cost).


Security is one of the most important aspects of a CMS. Above functionality and accessibility, users want to ensure their content, data and sensitive information is secure.

No CMS wants to have a reputation for being porous, especially when competitors are always updating their security infrastructure.

If a CMS is slow or lags with security, it can end up losing trust with its user base. That trust, as WordPress found out, can quickly evaporate, even if it’s not the CMS’s fault.

WordPress and the Security Myth

WordPress is secure. You cannot rise to the level of the most popular CMS in the world on an insecure framework – it simply isn’t sustainable.

35% of the market and over 27 million live sites use WordPress, so this would mean a huge chunk of the internet is currently sat there, insecure, waiting to be exposed. This isn’t the case.

However, while WordPress itself is secure, its website owners and the number of third-party plugins they use can leave gaps. The vast majority of hacks and breaches on WordPress sites come from plugin developers and website owners taking their security for granted.

For example, back in 2017, WordPress released its 4.7.1 update. This update contained some vulnerabilities. Thankfully, the WordPress team quickly patched them up with the 4.7.2 update.

Now, this update wasn’t sent across to all users. Some users blocked automatic updates, meaning they were still using a compromised version of WordPress and this led to thousands of sites becoming defaced. Updates are essential to keep hackers at bay, but this breach was an example of users either being ignorant of or resistant to them.

Out-of-date plugins can provide opportunities for hackers too. Plugin vulnerability occurs for three key reasons:

  1. A plugin is popular, but the developer has stopped working on it. This means the plugin isn’t updated in line with WordPress, so it becomes compromised.
  2. A plugin has a key vulnerability, but the third-party developer lacks the expertise or time to detect it.
  3. Users neglect to install a plug-in security update.

So, the security issues with WordPress are not the fault of the CMS, but principally on users and third-party developers.

WordPress is secure, but its users need to know how to use plug-ins and ensure that they are keeping within security best practice. It consistently employs security vectors to find any issues in its architecture and rolls out an update after an issue is found. Though, on the whole, it is the user’s responsibility to install the updates made available to them.

The CMS does all it can to stay secure, but it’s as secure as you allow it to be.

(Side note: good WordPress agencies, like Illustrate Digital, help keep your site secure. We maintain plugins for you, or write custom code, so you won’t have to rely on compromisable third-party software.)

Drupal and Security

Drupal is a very secure platform. To power 3% of content managed websites in the world, you need to be watertight. Some of the most data-sensitive websites, including by Tesla and NASA, use Drupal for this reason.

Drupal’s code is secure and regularly updated. The community – thanks to their aforementioned familiarity with coding – contributes with very secure modules and add-ons; compared to the majority of CMS platforms, Drupal’s community assesses modules with a larger degree of scrutiny.

For this reason, it lacks the severity of third-party security issues of platforms like WordPress. This doesn’t mean Drupal is perfect, however. The aptly named “Drupalgedden” is a bug that consistently resurfaces on the platform.

This bug left over a million websites exposed and, even after patching, a significant portion of these websites were still compromised. Attackers could target multiple vectors on a Drupal site, leaving it potentially compromised.

So, Drupal may edge WordPress in terms of security, but it is largely down to the user.

The WordPress and Drupal core softwares are both extremely secure but are both still open to a rare attack, and WordPress’s problems mostly lay with plugin developers.

In the words of WordPress, “security is about risk reduction, not risk elimination, and risk will never be zero.” This is why we’re careful when it comes to plugins, only recommending the best on the market which update regularly.

By balancing custom code with well-coded plugins, WordPress security is on par with competitors like Drupal. For further reading on using the right or wrong plugins, read our article on WordPress plugins that could be worth avoiding (and what to use instead).

Content Management and Customisation

Content management and customisation need to be intuitive and easy to use. It’s the difference between a website that runs like a well-oiled machine and another which is too slow to keep up-to-date.

When choosing a CMS, you need to ensure it can manage content and has enough customisation options for your site. Committing to a CMS without checking it has enough options to accommodate future growth is a route to disappointment.

When picking a CMS you should consider not only what you wish to do now, but what you may want to do a few years down the line.

Content Management, Customisation and WordPress

Content management and customisation are as simple as possible so WordPress can stay accessible.

Organising menus and creating pages takes little to no coding knowledge, which benefits both new users and experts alike. New users can intuitively learn how to create menus and navigation structures, whereas experts can efficiently create these without much fuss.

Editing WordPress menus

Drupal, on the other hand, takes more time to set-up navigations and menus. In general, organising content on WordPress is vastly easier, saving a user time or, if they’re employing an agency, money.

This means when employing the expertise of an agency, they can spend more time writing custom code, fixing technical issues and creating bespoke integrations as opposed to spending a lot of time managing content and fine-tuning the navigation structure. In other words, spending your budget where it matters.

When it comes to customisation, WordPress has many more themes and plugins available than Drupal. While Drupal has a modest amount, the size of the WordPress community means it will always have the edge when it comes down to aesthetic customisations and plugin integration.

WordPress combines customisation with accessibility, and the result is a CMS that works for everyone. Particularly those responsible for editing and adding content.

Content Management, Customisation and Drupal

Drupal has fewer themes and modules than WordPress, so there aren’t as many options to differentiate yourself from other Drupal sites. The CMS does have hundreds of thematic options, though, so you won’t be painting yourself into a corner of bland presets if you opt for Drupal.

While Drupal sites can be quick and lightweight, when compared to WordPress, they can feel more bloated.

Editing menus in Drupal

Creating an effective navigation structure is significantly easier with WordPress, so Drupal users may need to spend more time – and money – compared to those who use WordPress on the basic, foundational levels of creating a site.

That means the barrier to managing content is higher on Drupal and more difficult to access.


A supportive community can mean the difference between getting a problem sorted out quickly and simply shouting into the void.

A diverse, helpful community can help elevate a CMS from a status of being merely functional to one that grows and develops in tandem with its users.

There’s no better feeling than coming across a problem, then working it out with someone passionate about the platform. From forum discussions to Meetups, community is a glue that keeps CMS platforms together.

WordPress and Community

As a truly open source platform, WordPress developers, contributors, Meetup organisers and WordCamp champions are the heartbeat of its development.

By discussing, helping and critiquing the software, they help to facilitate the growth of a platform that is built for users. As such, WordPress gets its reputation for accessibility, ease-of-use and scalability as a direct result of community engagement.

For users, this means there will always be someone, somewhere, who can help. Plus, with a user base that consists of 35% of the internet, it’s very likely that nearby there are Meetups to discuss ideas, bounce problems around and get embedded in the community for yourself.

(Side note: we run WordPress Meetups in Cardiff and Bristol to help bring the community together. Through a selection of talks, Q&As and networking, we help people to learn and feel welcomed in the ever-growing community.)

When Illustrate Digital started in 2013, we relied on support from the community to adapt to and learn WordPress. Without the community, agencies like us simply wouldn’t be here, let alone be considered now as experts in the technology.

No matter what issues you run into – whether it’s plugin trouble or some teething issues learning PHP – there’ll be a WordPress advocate somewhere who can help.

That’s why we, and many others, truly believe it’s the best open source platform in the world.

Drupal and Community

Drupal, too, has a passionate community that helps users. With a user base that is more used to coding than the average, it tends to be a little more specialised than other CMS user bases.

With that in mind, Drupal has a significantly smaller user base and market share than its CMS competitors, especially WordPress.

This doesn’t mean you’ll be struggling to find communities and people to engage and discuss problems with, but it does lower the pool of people you can connect to, considering Drupal has just over a million active users.

These users, though, are usually passionate about Drupal and know their stuff. So, if you do choose to opt for Drupal, you won’t be alone.

All CMS platforms have groups of people who help lift them up, but you’ll struggle to find the same volume of support as the WordPress community anywhere.

So, Drupal or WordPress?

It comes down to you. We’ll always stand by WordPress, but encourage you to carefully consider and choose the CMS that will work best for your marketing and technology needs.

Whilst Drupal can have an advantage over WordPress in customisation from scratch, it does take a lot more effort to get to a basic level of entry at which WordPress already has usable features and functionality at its core. For marketing and technology managers alike, this can mean higher budgets are required just to fulfil basic requirements.

That’s one of the many reasons we love WordPress, the understanding that a team of expert UX designers and developers can spend your valuable time and budget on building the additional functionality, features and user journeys that you really need. By comparison Drupal can fulfil a developer’s need to do it all themselves from scratch which can be a blessing for those with the patience or a curse for those who get it wrong.

Need Help?

We’re here for you. It can be especially stressful choosing the right CMS platform, let alone before you get into building your dream site with an aim to meet your marketing goals.

Employing the services of an expert WordPress agency can remove the worries around platform sustainability, usability performance and security. Though even if you’re not quite ready to get started, we’re here to help talk you through the ups and downs of operating a website across the various platforms available.

Talk to us today, to see how we can help.