Hi all,

A lot has been written about Drupal and WP. I have been reading for days about all the + and -.
But instead of helping, the information made me more confused. Therefore I'd love to hear your opinion, please :)

Here is the story.

In the middle of January, all my WordPress-based websites were hacked. 3 multisite installations and a few single sites.

Since then I have been thinking about moving my main website to Drupal.

Drupal's functionality is great. Even more than great!

But what is the situation with the security? I've read that it is the same as WP, that it's better, that it's worse.

In practice, do I need to install some additional software in order to be secure?

How many times have you heard about a Drupal site being hacked?

My website is community-based and I have to concentrate more on the artists and their portfolios than on being paranoid... as I am now with WP.

I understand my question is too wide but even one opinion will be highly appreciated.

Thank you for your time :)

Comments

nevets’s picture

It always helps to first understand why the sites were hacked, since the CMS software is not the only potential security hole. For example, were all the sites with the same hosting company, are they all on the same server? If either of these is true, there is the possibility the problem was the security of the servers. For example, if on a shared host and some other site has poor security, it is possible for someone to compromise the server and hack your site as a result.

As for WordPress vs Drupal, I am more familiar with Drupal, but they both seem to try hard to avoid security flaws. In both cases you can break down possible sources into three general groups: core, modules/plugins and private code.

Bottom line, though I prefer Drupal, if your only concern is security, I would stay with WordPress for the existing sites. A good practice is to keep core and contributed code up to date.

drupalshrek’s picture

I don't know WordPress well enough to comment, but I can say that I think Drupal has absolutely rock-solid security, as good as any. There are sometimes potential security flaws discovered, but these are usually very quickly identified and a new security release provided.

I suppose WordPress is pretty secure too, so my guess is that the problem was more likely not so much the system itself as something which you were doing which was less than 100% secure.

Even Drupal will not fully protect you if you do things which are less than 100% secure (e.g. have a weak password on the admin account).

Quite a few years ago now I knew neither Drupal nor Wordpress and had to choose between them. I chose Drupal and have never regretted the choice (well, slightly in the first 6 months when I found things really really hard).

I think if you are not too technical I would recommend you stay on WordPress, but if you want more power and are ready for something perhaps a bit more technically challenging (but with greater power), then yes, change to Drupal. I presented last year on the basics of Drupal, which you can find here (including 1 slide on Drupal vs. WordPress vs. Joomla):
https://docs.google.com/presentation/d/1rSXay89hBSlE6S4ymmxUXsTB3hu2cmLr...

drupalshrek

Jaypan’s picture

Drupal sites rarely get hacked through code - to the point of almost never. That said, there was Drupalgeddon a few months back where a major security flaw was found, and many hackers exploited this flaw to hack many sites. This was a rarity however, and almost never happens. Drupal also has a dedicated security team, and a process to report security flaws, meaning that security updates are released regularly for modules. Sometimes these security risks are minimal - a user would already need to have elevated permissions before they could take advantage of the flaw, and sometimes they are a little more worrisome. But overall, Drupal security is very good.

peggyren31’s picture

You are right that Drupal is a safer option than WordPress. If you have read the wiki information of WordPress, you will know that this CMS has encountered three serious hacking issues, which never happens with Drupal. Besides, both I and my friends haven't encountered a hacking issue yet with Drupal.

As for the security module, of course it is still needed. After all, Drupal is an open source CMS. Maybe you can have a look at https://drupalhosts.org/drupal-security-modules/ and https://www.drupal.org/security.

Harry Hobbes’s picture

My website is community-based and I have to concentrate more on the artists and their portfolios than on being paranoid…

As someone who has been involved in information security as far back as 1968, I suggest you (Prolet) consider this:

1. The entire information security issue is a moving target, and always will be because technical innovation moves on, and continues to improve. Ongoing technical improvements in WordPress, Drupal and every other information solution open the door to additional security issues, some of which will be exploited.
2. Because of item 1, above, the security of your information is moment-to-moment, and one does well to consider information security as something that has to be managed on a regular basis. That is, one does well to include a "security program" (or effort) as a normal, ongoing process that is just another "cost of doing business."
3. One best serves the community by providing a "safe environment" for the community's information and interaction. Should the community come to the collective opinion that your platforms are risky, the community's use of your platforms will quickly dwindle to nothing. Today, in the Information Age, this means that your security program (formal or informal) for your CMS (or otherwise) platforms is a "critical success factor."

The upshot is that regardless of which platform you use to serve your community, you should include a (formal or informal) security program (or effort/measures/actions, etc.) within your normal maintenance plans and procedures. Saying this another way: getting the platform up and keeping it running is Job One. Keeping it secure on an ongoing basis is Job Two.

This means that one must allocate resources and time on a regular basis to ensure Job Two is accomplished.

I hope this opinion helps...
Harry

lroberts15’s picture

I prefer WordPress only because of the number of plugins and extensions that you can use. I also think that WP offers more "free stuff", really advanced templates and more. Of course, my answer may be a bit biased, since I am pretty new to Drupal (~ 1 year of experience).

Prolet’s picture

Oh dear!!!
I didn't know there were so many messages regarding my confusion!
THANK YOU for your time and detailed explanations. I learned some things from your comments and suggestions. Most of all, I am sure that I will move to Drupal. I know WP pretty well. It is easier than Drupal, but there are some complications.
The best part of Drupal is its built-in functionality. At least this is my conclusion after a few days of playing around. To have a forum on WP I paid pretty good money and the software is so complicated that I spent ages only on this part of my website. In Drupal it is built-in and free!? I mean, this is FANTASTIC!
Security is my serious issue with WP. Yes, it is possible that the server is not secure. But I am sick of deleting readme.html and licence.html after every update, because these files are welcoming hackers. To log in we use wp-admin, which is an open door for anyone with better knowledge than mine.
My point is, if the basic files, the core, are not secure, what am I expecting? Well, I was happy for 2 years but now I am one of many, many hacked WP site owners.
Besides I am really thrilled to see so many messages from you.
I feel welcome and happy :)
Now, let's start Drupal-ing :)

Harry Hobbes’s picture

You may find value in taking the free courses available at this site: http://nodeone.se/sv/node/17

These courses will give you a good foundation in site building.

Best regards,
Harry

Prolet’s picture

Harry Hobbes,
It's a little to say thank you!
Yesterday I spent the day reading and learning about Drupal and I am very happy with the material.
THANK YOU!

drupalshrek’s picture

Welcome to Drupal, Prolet!

drupalshrek

Prolet’s picture

drupalshrek, thank you :)
I speak/write/read 5 languages and I was happy to fill out your form from the point of view of my experience.

drupalshrek’s picture

Thank you, Prolet!

drupalshrek

Stagger Lee’s picture

If it is only for security, there is no point in learning Drupal now and moving your sites to Drupal. All of them will be hacked again. You are just bypassing the problem and looking for shortcuts.

You are doing something very wrong with all your WP websites. And you will make similar mistakes with Drupal regarding security.
WordPress is a very secure platform by itself.

Or the hosting provider screwed up, but you will never know that. Read and interpret the logs, and read more on Google about the hack and how it manifests itself; that is all you can sensibly do in your situation.

Prolet’s picture

Hi Stagger Lee,
You have a point here.

It turns out it was my hosting provider. Unfortunately many other sites were hacked on the same day and in the same way too.

Nowadays security is not the main reason I'd love to move to Drupal.

I am very pleased to see that Drupal's functionality is much better than WP's. WP, on the other hand, has a very easy way of controlling the design and the content.

Anyway, the decision is made.

Thank you for your concerns :)