Joomla or Drupal: Which CMS handles security best?

Drupal and Joomla contributors and developers weigh in on the security pros, cons, and concerns

By , ITworld |  Security, CMS, content management

Back in February, I wrote an article for ITworld comparing the strengths, weaknesses, and unique features of Joomla and Drupal. But there was one important topic I did not cover in that article: security.

This was deliberate. Both of these open source content management systems (CMSs) had recently pushed out new releases, so the developers I talked with weren't as familiar with them. And within the time-and-length scope of the assignment, I wasn't able to cover everything.

But software security is important -- especially for Web 2.0-type activities, where your company is exposing some write- and perhaps content-change access to non-employees.

And no software -- or its ecosystem and the sites created using it, and the people administering and using it -- is without some security flaws or concerns.

"If you look at the total number of security issues raised -- for example, on Packet Storm, from 2005, with Drupal, there were about 470 exploits or security issues raised, about twenty this year, mostly being within contributed modules, some within Drupal core. For Joomla, there are about 1,400 since 2006, about 40 so far this year," points out Jason Hill, Co-founder, Dharmatech, a software development and technology firm that uses Drupal.

Here's what some Drupal and Joomla contributors and developers have to say about the security pros, cons, and concerns for these two popular Open-Source content management systems.

Defining CMS security

Security issues for CMSs like Drupal and Joomla fall into several main categories:

  • "Core code" -- the modules you get when you download/install Drupal or Joomla, as developed by the team.

  • Third-party extensions -- add-ons written by Drupal/Joomla developers, made available to others (either free or for a price, depending), typically through central directories

  • Custom per-site coding -- done by design firms and other developers (who might also be the "customer")

  • Admin configuration and other settings -- setting access permissions for groups, users, articles, etc.

And, of course, there's also the security aspects of the physical server and its OS, and the rest of the IT environment, but that's way outside the scope of this article.

Tackling security

Both the Drupal and Joomla project teams, and their associated communities, do, of course, pay strong attention to security issues.

Join us:






Spotlight on ...
Online Training

    Upgrade your skills and earn higher pay

    Readers to share their best tips for maximizing training dollars and getting the most out self-directed learning. Here’s what they said.


    Learn more

Answers - Powered by ITworld

Ask a Question