Please stop the FUD about WordPress.

I came across this posting from a web services company with a brief comparison of different CMS options.

Craft — Very secure

WordPress — Can be difficult to secure properly (frequent vulnerabilities due to popularity)

Drupal — Very secure

Clients and co-workers come in with this “WordPress is insecure” opinion largely because of misinformed opinions from “experts”.

Better summaries for their security would be:
Craft – So far, secure with regular updates and careful plug-in selection.
WordPress – Secure with regular updates and careful plug-in selection.
Drupal – Secure with regular updates and careful plug-in selection.

Let’s look into that a little bit, shall we?

Craft CMS
They do list all the security best practices they engage in, which is great.
The Common Vulnerabilities and Exposures database has 11 reported issues with “Craft CMS” since 2017, with 3 in 2019. It doesn’t look like they engage in any kind of project-level security review of this code. While I’d say, given that low number of issues, it probably deserves being called “secure”, more expert eyes looking in a regular way would be better.
They do benefit from the efforts of the Yii2 project it’s built on and aren’t likely to experience issues with any of their components. It’s a smaller ecosystem than, say, Symfony, but still relevant.

WordPress
A quick search of the CVE database shows that plug-ins and themes are 99% of all the WordPress-related vulnerabilities. WordPress core had 11 reported vulnerabilities in 2019. The WordPress core has a security team which reviews its code base. Its active user community reported most of those, not its security team. The push-button nature of WordPress updates is its greatest feature. I’d have no trouble trusting a client to apply updates to their site, which to me means it’s likely more secure than other options.

Drupal
I’d argue that Drupal is less secure than WordPress.
11 vulnerabilities were reported in Drupal in 2019. Plug-ins are also the majority of their issues. Drupal also has a security team which is constantly reviewing its code base and its most popular plug-ins. With version 8, they’ve chosen to use standard components provided from the Symfony project, which should eliminate a lot of their potential security issues with core components. Updates are still a pain point, although it’s much better in version 8. Updates are often more complicated than pushing the “update button”; I’d wager that your average client isn’t going to do that very often.

And while we’re on the topic:
The section on “License” is misleading.

Craft is offered under the “Craft” license. It is proprietary open-source software.
You can’t run it without a license, and should Pixel and Tonic go out of business, you won’t be able to run Craft.
(Granted, that will likely never happen, but it could.)

WordPress and Drupal are licensed under the GPLv2 license. This is free (as in freedom) open-source software which can be used for derivative works.
https://wordpress.org/about/license/
https://www.drupal.org/about/licensing

I likely put more thought into this posting than the original author. I understand the demands of making materials accessible to a client, but I’m also tired of folks bagging on WordPress. I love PHP and, for better or worse, WordPress is really why we’re still talking about PHP in 2020.

Stepping down from the soapbox now.