Drupal as a CMS and Commerce Platform: The Ultimate Guide

• What is Drupal?
• What is Drupal (mostly) used for?
• How secure is Drupal?
• What do you need to know about Drupal as a content and commerce platform
• You need to maintain the code so that it’s always updated
• You need to hire back-end developers to manage the system
• You’re reliant on “versions” and system updates
• There can be compatibility issues
• Migration is a huge pain
• There is a lack of built-in development tools
• There is little-to-no roadmap influence
• The admin interface is cumbersome
• You have to rely on developers to make front-end changes
• There’s a lack of support
• It’s hard to test anything
• It’s not API-centric
• There are too many ‘Drupalisms’
• Drupal vs. Core dna

Choosing an eCommerce platform?

Download our definitive guide to choosing the right eCommerce platform. Plus bonus questions to ask your vendor.

Send me the guide

What is Drupal?

Drupal is a free, open-source CMS (Content Management System) that’s been used by some of the world’s largest organizations to build some of the most popular websites, such as whitehouse.gov, bbc.co.uk, nbc.com, and cityoflondon.gov.uk.

It’s versatile, flexible, and customizable in the right hands, but it doesn’t come with as many out-of-the-box features as WordPress, which is Drupal’s main rival in the traditional CMS space.

What is Drupal (mostly) used for?

Drupal is mostly used for complex, content-heavy, high-traffic sites with large resource libraries and databases - think government agencies, non-profits, and large corporations. But, it can also be used to make eCommerce sites and as the back-end for mobile app development.

Drupal can essentially do everything, but therein lies the problem: Just because you can, doesn’t mean you should!

Too many people are using Drupal when a simpler, more secure, more manageable solution would be far more suitable, not to mention cost-effective.

How secure is Drupal?

Drupal is open-source, which some people believe makes it less secure than proprietary software - after all, anyone can read the code and take advantage of the bugs!

Alas, it doesn’t quite work like that. If you study how people break software, you’ll find they commonly use IDA Pro rather than the source code.

According to Dr. Ian Levy, technical director with the CESG, a department of the UK’s GCHQ intelligence agency, good open-source is just as secure as any good proprietary software.

Drupal, like other popular open-source software, has a highly active community that’s always on the lookout for bugs.

Drupal also has a dedicated Security Team that issues patches, notifies users of vulnerabilities, and provides advice and support to developers around writing secure code and building safe sites.

But you can’t rely on others. To stay secure, you have to continuously update code both within Drupal and across your hosting infrastructure. You can’t set up a secure Drupal web application server and leave it to do its job.

Security updates are released every Wednesday, and users have to stay on top of them. It’s a big responsibility for whoever’s in charge.

It’s worth bearing in mind too that Drupal does have a somewhat chequered past when it comes to security, having experienced two breaches of legendary proportions.

In 2014, hackers compromised 12 million websites in an event comically coined ‘Drupalgeddon.’ The attackers took control of servers and seeded sites with malware.

Then in 2018, we bore witness to Drupalgeddon2, where hackers took complete control of Drupal 6, 7, and 8 sites.

This is why most people opt for a SaaS content and commerce platform. With a SaaS content and commerce platform, there is nothing to install, update or maintain. The vendor takes care of all technical issues so you can focus on creating and managing content

13 things you need to know before using Drupal as a CMS and commerce platform

Here are some things you should know about before using Drupal as a content and commerce platform:

1. You need to maintain the code so that it’s always updated

In the words of the Drupal Security Team, “eternal vigilance” is required to keep your Drupal site secure and functional. This means updating code, both within Drupal and across your hosting software, on an ongoing basis. It’s time-consuming, and a big responsibility.

2. You need to hire back-end developers to manage the system

With an all-in-one digital platform like Core dna, there’s no need to hire back-end developers to manage the system. That’s not the case with Drupal. While little programming skill is required for basic use, Drupal’s sophisticated programming interface and steep learning curve requires technical expertise to master.

3. You’re reliant on “versions” and system updates

To take advantage of the latest features and updated security, users have to keep Drupal core updated, which is difficult, time-consuming, and expensive.

4. There can be compatibility issues

A module installed in one version of Drupal might not be compatible with later versions, and you often don’t find out until it’s too late or you have to do a test migration before running it on the live system, which also takes time.

5. Migration is a huge pain

Drupal has a migration module that can handle the job for small websites, but when it comes to large, complex sites, migrating from one version to the next can be an incredibly complicated procedure, fraught with challenges such as re-indexing searches, deprecated functionality, etc.

6. There is a lack of built-in development tools

The lack of built-in development tools in Drupal means the customers will struggle to achieve the site of their dreams without employing expert help.

7. There is little-to-no roadmap influence

Despite voicing their opinions, sometimes rather vocally, Drupal power-users find, all-too-often, that their views fall on deaf ears and fail to have an impact on Drupal’s roadmap.

With Core dna we regularly chat with our all customers and take feedback on the roadmap and adjust based on the overall demand. Since day one we have seen our customers as the key stakeholder in the decision of what to build into the platform. We have never built a feature that wasn’t needed by a customer straight away.

8. The admin interface is cumbersome

Drupal 8 has faced lots of criticism for its dated admin UI. Even Drupal founder, Dries Buytaert, admits that it needs a major interface-lift. Fortunately, it does seem this issue will be addressed in Drupal 9.

Download this guide: How to choose an eCommerce platform

The definitive guide to choosing the right eCommerce platform for your business.

Send me the guide

9. You have to rely on developers to make front-end changes

The back-end developer is responsible for what goes on behind the scenes, including the server, application, and database. The front-end developer, on the other hand, is concerned with converting data to a graphical interface (i.e. what people see when they visit your site). To create the Drupal site of your dreams, you'll need an experienced front-end developer on-hand.

10. There’s a lack of support

Drupal has a history of dropping support for older versions, leaving users in the dark. And, plenty of older modules are no longer properly maintained.

11. It’s hard to test anything

The Drupal module responsible for testing is called SimpleTest. It was first built back in 2004, later becoming a part of Drupal core. Unfortunately, despite being around for over 15 years, it’s still prone to crashing.

12. It’s not API-centric

Core dna is an API-first solution, meaning content can be distributed to any device. Drupal doesn’t take an API-centric approach, so it struggles to distribute content beyond laptops, smartphones, and tablets out-of-the-box.

13. There are too many ‘Drupalisms’

A ‘Drupalism’ is a non-standard way of working that’s particular to Drupal. Drupalisms are slowly being phased out in favor of OOP standards, but there are still way too many of them, making working with the software frustratingly counter-intuitive at times.

Drupal vs. Core dna