#14519 security

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Wednesday, 02 January 2013 12:51 CST

user67836

My hoster told me that Joomla is unsecure because so many people are using it.

So he prefers to have his site hand coded.

What do you think?

How secure is Joomla with Admin Tools compared to other CMS systems?

Or does it depend on the security of each extension?

Very important topic for me!

Good to know arguments for my customers.

nicholas
Akeeba Staff
Manager

My hoster told me that Joomla is unsecure because so many people are using it.

So he prefers to have his site hand coded.

What do you think?

Honestly? I believe that your host is the most profound idiot the world had the displeasure to bear. Following his logic, all operating systems are insecure because people use them. So you should not use Windows, Linux or Mac OS X. You should hand-code your operating system. Phones? Even worse! Do you know how many millions use Android, iOS, Windows Phone, Blackberry, even Nokia's Symbian? Geez! You should hand-code the OS on your phone too. And cars. Do you know how many hundreds of thousands of cars around the world use the same firmware in their engine's ECU? You should hand-code your car's engine firmware. OK, now you understand how ridiculous that proposition is. Please tell your host that he's an asshat.

How secure is Joomla with Admin Tools compared to other CMS systems?

Or does it depend on the security of each extension?

This is not a question that can be answered with any degree of accuracy. Web security is a function of dozens of things. The CMS is just a tiny fraction of the equation. Joomla!, all by itself, is as secure –if not more secure– than other CMS out there. Actually, open source CMS with a huge installed user base tend to be much more secure than proprietary or niche CMS just because thousands of very skilled developers get to see their code and analyse every bit of it. I'd choose Joomla! over any proprietary crap any given day of the week.

The actual vulnerabilities usually come from extensions and the server configuration. Joomla! has many skilled developers who take security very seriously. If you install extensions from the well known Joomla! extension developers and keep everything up to date you have a very secure base system. Admin Tools can also help tighten the security of your site.

Ultimately, the weakest link is the HOST. Unless you have a dedicated server with a dedicated IT team there's a very high chance that your host has done some crappy configuration. Shared servers range from moderately insecure to "swiss cheese". In the best case scenario the host will be running relatively recent versions of the operating system and all server software, with proper ownership/permissions, suPHP, mod_itk or mod_fpm, an active web server-level security solution like mod_security2 installed on the web server and FTP disabled in favour of SFTP. This is a passable setup. In the real world, shared hosts tend to use outdated versions of everything, stupid ownership/permissions, no suPHP/mod_itk/mod_fpm, no server-level security solution and have FTP enabled without any brute force protection. Having a host telling you that you should not use Joomla! because it's used by many people convinces me that your host is an imbecile who has an abysmal security setup ("swiss cheese" grade or worse) and tries to proactively blame Joomla! because they are sure their crap servers will let your site be hacked in no time at all. You have been warned.

My advice? Take your site and your business to someone who knows what they're doing, e.g. SiteGround or CloudAccess.net. Nothing –and I stress that, nothing– can protect you from the vulnerabilities introduced by a bad server setup. Having a decent, security-oriented host is quite simply a must have. It's the foundation of your site. If a building's foundation is weak it doesn't matter how strong your building is; it will still fall in the next minor earthquake.

Nicholas K. Dionysopoulos

Lead Developer and Director
