Which CMS should you choose for your web project?

General-purpose CMS or e-commerce: the first question to ask

Before choosing a CMS, you first need to ask the right question: is the main goal of the website to sell products, or to publish content? Feel free to read the article about what a CMS is to better understand the available options.

If the site is primarily an online store, solutions like PrestaShop, Magento, or Shopify are designed for that: catalog management, cart, payments, inventory. They are built around selling, and it shows in every feature.

If the goal is to publish content (articles, pages, news, editorial product pages), a general-purpose CMS like WordPress or Drupal will be much more suitable. The distinction may seem obvious, but it is often overlooked when making a choice, and it can be costly to fix later. In this article, we will focus on the CMS I know and master: WordPress and Drupal.

WordPress vs Drupal: which one to choose?

These are the two most widely used open-source general-purpose CMS in the world. WordPress alone powers 43% of all websites, making it by far the most widespread CMS. Drupal, on the other hand, is less visible to the general public but remains a reference for demanding projects: government websites, institutional platforms, and complex multi-site projects.

Their differences are real and structural:

The point that comes up most often in comparisons between these two CMS, and deserves special attention, is security.

WordPress is the number one target for attacks on the web, not because its core is poorly designed, but because its plugin ecosystem is massive and difficult to control. In 2024, 7,966 new vulnerabilities were identified in the WordPress ecosystem, which is about 22 new vulnerabilities per day. 96% of them came from third-party plugins, not from the WordPress core itself.

Sources: Patchstack State of WordPress Security 2025 - Sucuri - CVE Details

The Sucuri figure is particularly telling: WordPress represents 43% of websites, yet accounts for 74% of the hacked sites analyzed by the firm. The gap is significant.

On the Drupal side, there have been 324 vulnerabilities recorded in total since 2002, over more than twenty years. This is a completely different order of magnitude. The main reason: Drupal natively integrates stricter security mechanisms, more detailed permission management, and its module ecosystem is much smaller and more controlled. This is why it is often preferred by public administrations and organizations that cannot afford to take risks.

That said, no CMS is invulnerable. A well-maintained WordPress site, with up-to-date and carefully selected plugins, can be just as secure. Security depends as much on practices as on the tool itself.

So, how do you choose in practice?

A few simple questions can help guide your choice:

• Who will manage the content daily? If it’s a non-technical client, WordPress will be more accessible.
• How complex is the project? A showcase website or blog does not have the same needs as a multi-site platform with complex editorial workflows.
• Is security a critical issue? For institutional, healthcare, or data-sensitive websites, Drupal is the natural choice.
• What technical team is available? Drupal requires more specialized skills, which impacts development and maintenance costs.

There is no universal answer. But understanding these differences allows you to make an informed decision and avoid having to migrate to another CMS a year after launch.

The figures used come from three different sources:

• Patchstack (State of WordPress Security 2025): 7,966 new vulnerabilities in the WordPress ecosystem in 2024, a 34% increase compared to 2023, with 96% of vulnerabilities coming from third-party plugins. Patchstack
• Sucuri: WordPress represents 43% of websites but accounts for 74% of hacked sites analyzed. Kinsta®
• CVE Details / fixmysite: Drupal has only recorded 324 vulnerabilities since 2002, across all versions. Fixmysite