I remember back in the day that you were quite fond of the platform.
I was. To me, Drupal 7 is the Windows XP version and Drupal 8 is... remains to be seen. It's either the Windows 98 version or the Windows Vista version. It has lost a lot of people. One of the top Drupal contributors forked it into Backdrop because he thought Drupal 8 was headed in the wrong direction. This is a guy with almost 7,000 commits on Drupal.org -
https://www.drupal.org/u/quicksketch
If you'll recall, what I always said about Drupal is: "If Drupal works for you out of the box, then you should be using Wordpress." Drupal always brought a lot of complexity with it, but what it gave was some tremendous capabilities.
The killer feature it has is in handling structured data. You can add "fields" and you can slice and dice them in a seemingly infinite number of ways with "views." It's easy to write a views formatter and you can take your data and turn it into a slideshow, a carousel, a sortable table, a sales report, a tax report, etc., with minimal coding.
Back in the Drupal 6 and 7 days, it was my bread and butter for a fairly simple reason: it was easy for people to get in over their heads. So they would build a site or have it built, and then realize they needed to hire someone to bail them out. As Drupal had a much, much smaller developer community than Wordpress, it was much more lucrative (and I think still is).
What I'm finding with Drupal 8, though, is that it requires a large skillset just to keep the thing running (again Composer, grunt/gulp/bower, git, Drupal Console, drush) and is so prone to breaking that even minor version upgrades are utterly nerve-wracking affairs. If you compare a major version upgrade of Wordpress to a minor version upgrade of Drupal 8, I will take the major version upgrade of Wordpress any day. In my experience with Drupal 8, there is a far better than 50% chance that a minor version upgrade will utterly bork your site and get you into a circular dependency trap that is hell to get out of.
If you want some gripping, blow-by-blow dependency hell blogging by yours truly...
https://www.drupal.org/forum/support/upgrading-drupal/2017-10-06/update-to-84-with-composer
So speaking of minimum skills, it is essential that you have a dev -> test -> deploy workflow. That was always a best practice for me on D6 and D7, but I would say half of all Wordpress "developers" don't bother (things like dev, staging and production separation, version control, unit testing, continuous integration, etc., have been much, much slower to come to Wordpress or, for that matter, Sitecore than to Drupal). But with D8, only a fool would do even a minor update on a live site.
Although the frequency of critical vulnerabilities in Drupal seems to be less than WordPress
This is always a tough statistic. I think Drupal takes security much, much more seriously than Wordpress. All Drupal modules that are distributed on Drupal.org are subject to the same vulnerability reporting. So if there's a vulnerability in a module, that's reported in security warnings and emails, even if only a small number of people have the module installed. They also segment normal updates from security updates and you can choose to just install security updates. When there is a security update for any of your modules, Drupal self-reports that and sends you an email the next time cron runs (so at least daily, but usually it checks that hourly).
So there tends to be a lot of reports about vulnerabilities for Drupal, but that's because it takes security so much more seriously than Wordpress (that's just a subjective opinion, not based on any hard data).
With Drupal 8, you get all the benefits of the Symfony community and all the testing they've done too.
I think that explains some of Drupal's growing pains as well. There is so little code overlap between D7 and D8 that it is basically a whole new system. So it's not quite like the switch to Vista, which was built on NT. It's as if after XP, Microsoft had scrapped all their code and built NT and Vista all in one go and released it.
There is discussion in the Drupal community that it has become too hard for people who are not strong with Composer and there's talk of creating a GUI that would interface with Composer and allow a simpler experience.
Nevertheless, I stand by my original. Nobody who does not have either strong skills in Drupal 8 or strong skills in Composer, git, grunt/gulp/bower, and Symfony should be building a Drupal 8 site for anything that matters.
And though I still like Drupal 7 and think it's a great tool, I no longer recommend it. Let's say you start a Drupal 7 project today and Drupal 9 comes out in three years. You are faced with a Drupal 8 upgrade at that point and if the tools still are not in place, that's going to be a difficult and expensive project. Major version upgrades in Drupal are frequently 50% to 80% the cost of simply starting from scratch.
They have realized that is a problem and have committed to smoother upgrades from 8 to 9 and beyond, but you still have to hope that by the time you need to get off D7, that the Migrate module will have full coverage for all the modules you have on your D7 site. And generally, since there's no point in using Drupal unless you want significant customization, you will almost certainly have to write your own Migrate submodules... which I found rather hard.
Amazing tool. Increasing headache.
I've also found it to be quite buggy, which is the other thing that killed me. For a while, I felt like every module required a patch. Sometimes there were issues in the issue queue that went back three years, but I had promised that functionality to a client based on the module description. So instead of a 30-minute install, I had a 30-hour debug and patch process.
WordPress (which I refuse to use for my main sites)
Despite all my disparaging remarks about Wordpress security above, I think that if you avoid a lot of plugins and stick with the best and you set Wordpress to update automatically, you will almost never get hacked. Almost all WP hacks are for unpatched sites.
There are now a lot of good options for keeping your site patched in real time, for keeping archived backups, and for having real-time malware defense. Last week you could have defended five sites for life for $49 with MalCare on AppSumo
https://appsumo.com/malcare-recap
ManageWP makes it easy to keep multiple sites up and running and be able to gracefully back out of a failed update.
Simply put, there is no excuse for a Wordpress site being out of date in general (a recent glitch did actually disable automatic updates in a recent release) and a Wordpress site that is not out of date is very rarely hacked.