Drupal as a CMS and Commerce Platform: The Ultimate Guide

Drupal as a CMS and Commerce Platform: The Ultimate Guide

The three main players in the traditional, monolithic CMS space are WordPress (which accounts for 27+ million live sites), Joomla (1.8 million), and Drupal (630,000.)

WordPress, which heads up the pack, now powers a staggering 30% of the internet, yet Drupal is still the CMS of choice for many of the world’s largest organizations. Why?

Before you opt for Drupal, you need to know the facts, and that’s what we break down below. What is Drupal? What’s it used for? And, what are the challenges you’ll face along the way?

Considering Drupal as a CMS and commerce platform? Here’s what you’ll learn in this article:

Ecommerce business guide

Choosing an eCommerce platform?

Download our definitive guide to choosing the right eCommerce platform. Plus bonus questions to ask your vendor.


What is Drupal?

Drupal is a free, open-source CMS (Content Management System) that’s been used by some of the world’s largest organizations to build some of the most popular websites, such as whitehouse.gov, bbc.co.uk, nbc.com, and cityoflondon.gov.uk.

It’s versatile, flexible, and customizable in the right hands, but it doesn’t come with as many out-of-the-box features as WordPress, which is Drupal’s main rival in the traditional CMS space.


What is Drupal (mostly) used for?

Drupal is mostly used for complex, content-heavy, high-traffic sites with large resource libraries and databases - think government agencies, non-profits, and large corporations. But, it can also be used to make eCommerce sites and as the back-end for mobile app development.

Drupal can essentially do everything, but therein lies the problem: Just because you can, doesn’t mean you should!

Too many people are using Drupal when a simpler, more secure, more manageable solution would be far more suitable, not to mention cost-effective.


How secure is Drupal?

Drupal is open-source, which some people believe makes it less secure than proprietary software - after all, anyone can read the code and take advantage of the bugs!

Alas, it doesn’t quite work like that. If you study how people break software, you’ll find they commonly use IDA Pro rather than the source code.

According to Dr. Ian Levy, technical director with the CESG, a department of the UK’s GCHQ intelligence agency, good open-source is just as secure as any good proprietary software.

Drupal, like other popular open-source software, has a highly active community that’s always on the lookout for bugs.

Drupal community

Drupal also has a dedicated Security Team that issues patches, notifies users of vulnerabilities, and provides advice and support to developers around writing secure code and building safe sites.

But you can’t rely on others. To stay secure, you have to continuously update code both within Drupal and across your hosting infrastructure. You can’t set up a secure Drupal web application server and leave it to do its job.

Security updates are released every Wednesday, and users have to stay on top of them. It’s a big responsibility for whoever’s in charge.

It’s worth bearing in mind too that Drupal does have a somewhat chequered past when it comes to security, having experienced two breaches of legendary proportions.

In 2014, hackers compromised 12 million websites in an event comically coined ‘Drupalgeddon.’ The attackers took control of servers and seeded sites with malware.

Then in 2018, we bore witness to Drupalgeddon2, where hackers took complete control of Drupal 6, 7, and 8 sites.


This is why most people opt for a SaaS content and commerce platform. With a SaaS content and commerce platform, there is nothing to install, update or maintain. The vendor takes care of all technical issues so you can focus on creating and managing content


13 things you need to know before using Drupal as a CMS and commerce platform

Drupal CMS and Commerce Platform: What do I need to know?

Here are some things you should know about before using Drupal as a content and commerce platform:


1. You need to maintain the code so that it’s always updated

In the words of the Drupal Security Team, “eternal vigilance” is required to keep your Drupal site secure and functional. This means updating code, both within Drupal and across your hosting software, on an ongoing basis. It’s time-consuming, and a big responsibility.


2. You need to hire back-end developers to manage the system

With an all-in-one digital platform like Core dna, there’s no need to hire back-end developers to manage the system. That’s not the case with Drupal. While little programming skill is required for basic use, Drupal’s sophisticated programming interface and steep learning curve requires technical expertise to master.


3. You’re reliant on “versions” and system updates

To take advantage of the latest features and updated security, users have to keep Drupal core updated, which is difficult, time-consuming, and expensive.

Fun fact: Core dna is never versioned, so as you grow, Core dna grows with you. The platform is updated and gets better every day without interruption to your website.


4. There can be compatibility issues

A module installed in one version of Drupal might not be compatible with later versions, and you often don’t find out until it’s too late or you have to do a test migration before running it on the live system, which also takes time.

Fun fact: Core dna’s decoupled architecture is perfect for companies that want to go omnichannel. With our platform your content is managed separately and is front-end agnostic, just like a headless CMS. Yet, it has front-end delivery tools in the box, like templates, if you want to use them.


5. Migration is a huge pain

Drupal has a migration module that can handle the job for small websites, but when it comes to large, complex sites, migrating from one version to the next can be an incredibly complicated procedure, fraught with challenges such as re-indexing searches, deprecated functionality, etc.


6. There is a lack of built-in development tools

The lack of built-in development tools in Drupal means the customers will struggle to achieve the site of their dreams without employing expert help.


7. There is little-to-no roadmap influence

Despite voicing their opinions, sometimes rather vocally, Drupal power-users find, all-too-often, that their views fall on deaf ears and fail to have an impact on Drupal’s roadmap.

With Core dna we regularly chat with our all customers and take feedback on the roadmap and adjust based on the overall demand. Since day one we have seen our customers as the key stakeholder in the decision of what to build into the platform. We have never built a feature that wasn’t needed by a customer straight away.

8. The admin interface is cumbersome

Drupal 8 has faced lots of criticism for its dated admin UI. Even Drupal founder, Dries Buytaert, admits that it needs a major interface-lift. Fortunately, it does seem this issue will be addressed in Drupal 9.


Ecommerce business guide

Download this guide: How to choose an eCommerce platform

The definitive guide to choosing the right eCommerce platform for your business.


9. You have to rely on developers to make front-end changes

The back-end developer is responsible for what goes on behind the scenes, including the server, application, and database. The front-end developer, on the other hand, is concerned with converting data to a graphical interface (i.e. what people see when they visit your site). To create the Drupal site of your dreams, you'll need an experienced front-end developer on-hand.

How to create a new and edit content template in Core dna Digital Experience Platform


10. There’s a lack of support

Drupal has a history of dropping support for older versions, leaving users in the dark. And, plenty of older modules are no longer properly maintained.

Fun fact: Core dna is never versioned, so as you grow, Core dna grows with you. The platform is updated and gets better every day without interruption to your service.


11. It’s hard to test anything

The Drupal module responsible for testing is called SimpleTest. It was first built back in 2004, later becoming a part of Drupal core. Unfortunately, despite being around for over 15 years, it’s still prone to crashing.

Fun fact: With Core dna, you get multiple staging and production environments so you can test any changes made before going live.


12. It’s not API-centric

Core dna is an API-first solution, meaning content can be distributed to any device. Drupal doesn’t take an API-centric approach, so it struggles to distribute content beyond laptops, smartphones, and tablets out-of-the-box.


13. There are too many ‘Drupalisms’

A ‘Drupalism’ is a non-standard way of working that’s particular to Drupal. Drupalisms are slowly being phased out in favor of OOP standards, but there are still way too many of them, making working with the software frustratingly counter-intuitive at times.


Watch video demo


Drupal vs. Core dna



Core dna

Multi-site management
Decoupled architectureLimited
Multi-tenant architectureX
Content personalization
Content management system
eCommerce platform
API supportLimited
Flexible content modelX
System templatingX
Requires internal front-end development teamX
Requires ongoing maintenanceX
Modular applicationsXA collection of applications for content, eCommerce, marketing, and collaboration
3rd party integrationsUsing 3rd party plugin ERP, CRM, Marketing, CDP, payment gateways, shipping providers, logistics engines, tax calculation & remittances, web hooks
Performance/securityManaged by users/customersWAF/DDoS, Geo-redundancy, TSL/SSL encryption, CDN
MonitoringManaged by users/customersPerformance & uptime monitoring, error management
InfrastructureManaged by users/customersAPI/Hooks interface, GIT version control, continuous and parallel development
NetworkManaged by users/customersManaged geo-redundant DNS, Anycast IP range, 45 Edge locations
Best for industryContent-heavy websiteseCommerce, publishing, marketing
Sam Saltis
Sam Saltis

An entrepreneur at heart with over 20+ years of experience in building internet software, growing online companies and managing product development.

Loves all things SaaS, technology, and startups.

You can find him feeding his beloved fish when he's back in Australia.

Previous PostGDPR Fines: Everything You Need To Know
Next PostWordPress & eCommerce: Is Enterprise eCommerce a Step Too Far?