Drupal, Joomla! or WordPress: which CMS is best?

Which content management system should you use? The short answer is: it depends. This note is not a scientific exploration of each CMS but a summarization of my impressions of each engine, after having used each for production websites.

(You may wonder why I include WordPress — known as a blogging platform — in this article on content management systems. Well. A blog has content. You manage that content through the WordPress system. WordPress has much more power than many blogging platforms. On that basis, I consider it a content management system more than a blogging system.)


Security can be an issue with each of these CMS engines. You can find more information by digging through the IBM Internet Security Systems X-Force® 2008 Mid-Year Trend Statistics (PDF) document.

Lessons learned

There are several fundamental lessons I’ve learned in using these systems, which I share hoping they will help someone else avoid some pain:

  1. Do not assume any content management system is invulnerable to attack or compromise.
    All of them benefit from additional security measures that depend on the operating system you are using, how much you know, and what third-party products you are using to supplement core functionality of the CMS.
  2. If underlying systems are vulnerable, the CMS is vulnerable. Yes, I’m talking about your Perl or PHP installation, and your Apache or IIS instance.
  3. Be wary of all third-party products because they can make your CMS vulnerable.
    A pretty website describing the third-party product doesn’t mean the product is well-coded and secure. If you don’t need that product, don’t use it. Do some research. Read forums.
  4. Actively monitor logs for odd URLs and errors, and then adjust your security settings. If you see an odd URL that is returning code 200 (Apache), investigate. It may be innocent…or it may not.
  5. Pay attention to folder and file ownership and permissions. It only takes one folder or file with the wrong settings to create a doorway attackers will find and exploit.
  6. Stay up-to-date with security notices for your chosen content management system and for every third-party product you use to enhance your CMS. Some CMS providers make this easier than others.
  7. Upgrade as new versions are released…but back up your entire site first.
    Depending on the reason for a new version, I sometimes wait a few days to see if the upgrade breaks other websites using that CMS. If the upgrade is to patch a critical vulnerability, I do not wait…but I do back up the entire codebase as installed on my server, and my database tables, because sometimes upgrades break things.
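
For lesson 4, a first pass over an Apache access log can be scripted. The following is an added example, not code from the original article: it flags requests that returned 200 and whose URL matches a few heuristics for "odd". The patterns, the length threshold, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common/combined log format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Heuristics for "odd" URLs (assumptions for this example; tune to your site).
ODD_PATTERNS = {
    "path traversal": re.compile(r"\.\./"),
    "URL passed as parameter": re.compile(r"=(?:https?|ftp)://", re.I),
    "null byte": re.compile(r"\x00"),
    "system file reference": re.compile(r"/etc/passwd|boot\.ini", re.I),
}
MAX_QUERY_LEN = 512  # unusually long query strings deserve a look


def find_odd_hits(lines):
    """Return (host, url, reasons) for status-200 requests with odd URLs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue  # unparsable lines and non-200 responses are out of scope
        url = m.group("url")
        decoded = unquote(unquote(url))  # decode twice to catch double encoding
        reasons = [name for name, rx in ODD_PATTERNS.items() if rx.search(decoded)]
        if len(url.partition("?")[2]) > MAX_QUERY_LEN:
            reasons.append("long query string")
        if reasons:
            hits.append((m.group("host"), url, reasons))
    return hits


# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Aug/2008:10:01:02 -0700] "GET /index.php?option=com_content&id=5 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Aug/2008:10:02:11 -0700] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1834',
    '198.51.100.7 - - [12/Aug/2008:10:02:15 -0700] "GET /index.php?cfg_path=http://example.invalid/x.txt HTTP/1.1" 200 5120',
    '203.0.113.4 - - [12/Aug/2008:10:03:40 -0700] "GET /index.php?page=../../etc/passwd HTTP/1.1" 404 310',
]

if __name__ == "__main__":
    for host, url, reasons in find_odd_hits(SAMPLE_LOG):
        print(f"{host} 200 {url} -> {', '.join(reasons)}")
```

A hit means "investigate," not "compromised": compare the response size against what the page normally returns and check whether the same client made other requests.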

A word about themes and third-party products

Each content management system uses specific terminology to refer to themes or templates, and to third-party products available to enhance the core functionality of a CMS:

  • Drupal calls these themes and modules.
  • Joomla! has templates and extensions, and within the category of extensions you will find plugins (previously called mambots), components, and modules.
  • WordPress has themes and plugins.

Rather than confuse you with talk of modules, extensions, plugins, mambots, and components, I will simply refer to these as third-party products.


I remember the first time I gave Drupal a test drive, several years ago. I did not grok Drupal at all, and after fiddling with it for a couple of hours, I threw my hands in the air and gave up. Fast forward to the last couple of years, and I find Drupal much easier to use, although upgrading is sometimes more challenging than I’d like.


  • Powerful codebase.
  • Potential to use one codebase for multiple subdomains or virtual sites.
  • Friendly URLs.
  • Secure codebase is actively maintained. See their Security Team page for more information.
  • Pretty secure when installed, without doing anything special.
  • Third-party modules are actively monitored for vulnerabilities.
  • A single security mailing list for Drupal administrators is available, which means one source for comprehensive news about security issues and fixes.
  • Tagging of posts, allowing site administrators to provide a richer browsing experience to visitors.
  • Plenty of themes to choose from, both open source and commercial.
  • Plenty of third-party products to enhance Drupal.


  • WYSIWYG is not native. If your contributors are technically oriented folks, this may be an advantage.
  • No native document management solution.
  • Drupal still uses old-school CVS to maintain their code repositories.
  • Upgrading is a convoluted process requiring several steps that are not presented to the administrator in a smooth workflow. Upgrading Drupal is not as easy as WordPress (but see my WordPress comments
  • The administrative backend is still somewhat disjointed, requiring that you know where to go to make particular changes, and sometimes those changes require multiple steps in separate places to accomplish your goal. In short: still confusing until you become practiced at administering your site.


What attracted me to Joomla! as a CMS? I first became interested before Joomla! was born, when Mambo was the up-and-coming open source content management system. I recall there was some emerging dissension about direction within the group of core developers, leading to a split. Mambo went commercial, and the codebase was forked. Joomla! remains incredibly active, with a large installed footprint in virtually every country on the planet.

Joomla! forums are very active, and peer-to-peer support is very helpful. Some templates are simply gorgeous.


  • Powerful codebase. Like Drupal, it can do almost anything you want it to do.
  • Wrapper function, which is Joomla!-speak for iframes embedded inside your template to make your website seamless.
  • Search-engine-friendly URLs in older versions required various additional components. The Joomla! 1.5.x series makes this much more transparent.
  • Powerful third-party modules for document management include DOCMan and Remository.
  • The most beautiful templates are made for Joomla! websites. I find more large commercial enterprises actively developing and selling Joomla templates than for Drupal and WordPress.
  • Friendly administrative back end. While it does require practice to become proficient in administering a Joomla!-driven site, the learning curve is not as difficult as with Drupal.
  • E-commerce solutions abound to help you create and manage an online store or product catalog.
  • Good editor for posting content.
  • Plenty of third-party products to enhance Drupal.


  • Implementing friendly URLs may require some serious .htaccess fiddling.
  • Not particularly secure “out of the box.” It’s a common mistake to install Joomla and assume the resulting website is secure. Joomla! is reasonably secure but security can be substantially improved if the administrator takes time to do some reading and make some configuration changes.
  • Joomla! developers do not check security of third-party mambots, components, or modules. Joomla’s Achilles heel is these third-party products that sometimes make the website vulnerable. Of course, the same can be said of all content management systems, but I’ve personally seen more issues with Joomla! third-party products than those for Drupal and WordPress.
  • There is no single source for news about Joomla! vulnerabilities that includes third-party products. To remain on top of a Joomla! installation, the administrator must regularly visit each third-party website or subscribe to each product’s newsfeed.
  • No tagging of posts. This is significant. A post can only go into one category. Joomla!, without any third-party products, cannot list an article in more than one category, so creating rich, contextual content is very challenging. Joomla! content lives in silos.
  • My experience is that meta tagging is not Google-friendly. I notice that some crawlers have problems with my Joomla! sites, resulting in substantial duplication of site content listed in search engine indexes.


I use WordPress for personal blogging and for some work-related websites. I usually select this solution when I’ll have non-technical users posting content, because ease-of-use means they will engage more actively in adding to, and maintaining, their content.


  • Powerful codebase, more powerful than many folks realize. It is not just a blogging system.
  • Rich tagging and categorizing features, allowing content to be presented in a way that more closely follows how many visitors browse websites.
  • Search-engine-friendly URLs usually just work. If they don’t work right out of the box, an older style that appends a friendly string after index.php works.
  • Powerful third-party modules for document management include DOCMan and Remository.
  • Many templates are now search engine optimized, making crawled content more easily accessible and allowing it to rank higher than sites developed in some other content management systems.
  • Spam filtering through Akismet is clean and powerful.
  • A friendly administrative back end. Although different than those used by Drupal and Joomla!, it seems to take less time to learn to use it, and fewer trips to forums and tutorials to figure things out.
  • The code repository is in Subversion, so upgrading a WordPress instance that was installed through SVN can be amazingly easy. I like to install from SVN, and upgrade directly from SVN.
  • Widgets! Third-party products can be embedded in a post or page with a little PHP coding, or can be inserted in sidebars (if your theme supports this) through a simple GUI interface. You add and subtract site features with these widgets.
  • Good editor for posting content.
  • Plenty of templates available.
  • Plenty of third-party products available.


  • Slower than Drupal and Joomla!. I wish it weren’t so, because for non-technical users, WordPress is a great solution. I’ve optimized some database queries, removed some extra code (unneeded, in my opinion), compressed cascading style sheets, offloaded common JavaScript files, and implemented caching…and still my sites are slower than comparable Drupal and Joomla! sites.
  • Many of the templates look so similar that it is sometimes easy to recognize a WordPress site simply by the layout and theme. (The same is true for Drupal sites.) This is changing, with better templates appearing almost daily.

Compare for yourself

Wikipedia has a list of content management systems you can browse. CMS Review provides something called a comparator that supports side-by-side comparisons for two content management systems at a time…but I did not find Joomla or WordPress in the list provided by the comparator.

The CMS Matrix allows you to select from a huge variety of content management systems and generate a side-by-side comparison of features.

Which CMS is right for you?

If you have a simple personal or company site where you don’t need to maintain a large library of documents or make sales online, consider WordPress. Many attractive WordPress themes are available for both personal and business-style sites. While you can have documents listed in WordPress, and can utilize PayPal buttons and similar solutions, I don’t find substantial solutions to these needs in the WordPress plugins directory.

If you need an e-commerce solution or an online library, Joomla! may be the ticket. Visit the Joomla Extensions page to begin investigating third-party products to meet your needs. There are many Joomla! themes available. One of my favorite theme vendors is Joomlashack, where well-coded free and commercial themes are available.

If you can invest some time in customizing your template and you need a secure, well-maintained, powerful codebase, Drupal may fit your needs well. There are many Drupal themes available, as well as a large number of powerful Drupal modules.


© 2017 PugetPro.com and Tom Salzer — PugetPro℠ is a service mark owned by Tom Salzer
