A comparison of security between software systems can be qualitative rather than quantitative: anecdotal experience and opinion factor into the equation to a large degree. That's no different in comparing the security of DNN vs. WordPress. In many cases, it is less the platform itself and more how it was set up by your web development company.
In this section, we'll defer on recommending one CMS over the other on the basis of security; instead, we’ll point out a few things for you to take into consideration.
WordPress: Popularity Makes it a Common Target
Sometimes being the most popular CMS has its disadvantages. Site security is one of them.
With WordPress handling over 1/3 of all websites, it is the most targeted by malicious hackers and spammers.
The most common entry point for malicious hackers is an exploit for a vulnerability in a popular third-party plugin. Once an exploit that grants unauthorized entry exists, hackers can scan websites to see which ones are running WordPress.
From there, they can attempt to use the exploit: if the site is running a version of the plugin that contains the vulnerability, the site can be hacked.
A similar exposure exists for DNN, since it also has an ecosystem of third-party modules and themes. In the past few years, DNN websites have been hacked via vulnerabilities in third-party DNN modules.
However, there are fewer modules in existence and far fewer sites running DNN. As a result, hackers spend most of their time on the number one target: WordPress.
Because WordPress is the largest target for hackers and malicious bots, it is more a question of when, not if, the website will be compromised. You don't need to have a popular website to be a target. Hackers will crawl and scan the web for sites with known security flaws to exploit. Keeping your CMS version and plugins up to date in WordPress will go a long way in helping you stay protected.
Security in the Core CMS
In addition to third-party plugins and modules, another entry point for hackers is the core CMS itself. Security vulnerabilities have been discovered in the core platforms of both DNN and WordPress.
David Poindexter is CEO of nvisionative. David and his team build sites primarily on DNN, but have executed many client projects using WordPress as well. Recently, David wrote about a security issue in the WordPress core.
David notes that via the REST API, “an out-of-box implementation of WordPress 4.7 will expose a list of all USERS via anonymous access, including each user’s name, username, Gravatar link and other associated metadata.”
David continues, “This information can be exposed to and enumerated by both humans and BOTs to harvest sensitive information. With this information in hand, brute-force attacks can be made against the website to gain unauthorized access.”
While some may call this issue a security vulnerability, the official response from the WordPress team is that it’s the expected behavior. In a thread on the WP-API GitHub page, a member of the WordPress API team writes:
"Usernames are already exposed through themes, RSS feeds, etc., and we do not consider them a security issue. You can install a third-party plugin if you would like to limit access to this data."
We don’t agree with this approach to web security; while we wouldn’t block a client’s choice to use WordPress on the basis of this API “opening,” we would advise clients to use whatever means necessary to limit access to their sites’ user data.
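One way to act on that advice without a third-party plugin, as an added example that is not code from this article or from nvisionative: a small must-use plugin that removes the core user routes from the REST API for anonymous requests, using the rest_endpoints filter that WordPress core provides. It assumes a standard WordPress install with a writable wp-content/mu-plugins/ directory.

```php
<?php
/**
 * Plugin Name: Restrict REST API user listing to logged-in users
 *
 * Drop this file into wp-content/mu-plugins/ (assumption: a standard
 * WordPress install that loads must-use plugins). It removes the core
 * /wp/v2/users routes from the REST index for anonymous requests, so
 * unauthenticated visitors and bots can no longer pull the user list
 * described above. Logged-in users keep the routes, which the editor
 * relies on for author lookups.
 */

add_filter( 'rest_endpoints', function ( array $endpoints ) {
    // Requests authenticated by WordPress (cookie + nonce) are untouched.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    // Route keys exactly as WordPress core registers them for the
    // users controller: the collection and the single-user route.
    $user_routes = array(
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
    );

    foreach ( $user_routes as $route ) {
        if ( isset( $endpoints[ $route ] ) ) {
            unset( $endpoints[ $route ] );
        }
    }

    return $endpoints;
} );
```

An anonymous request to /wp-json/wp/v2/users then receives the REST server's rest_no_route error instead of the user list; author names still appear wherever the theme prints them, which is the point the WordPress team's reply makes.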