Support

Hello Filip,

I have actually considered this, but I can't give you an answer to your question yet. I can tell you what I have in mind, though.

Joomla! is a much better designed system when it comes to security. All requests have to go through the index.php file of the back-end or the front-end. When a developer uses a directly web accessible .php file They Are Doing It Wrong. Moreover Joomla! has predictable directory names for extensions' media files, images and so on and so forth. Moreover, Joomla! has a predictable collection of plugin events which are fired by the core in predictable ways.

WordPress, on the other hand, is what we can best describe as chaos, anarchy and havoc. WordPress itself has a gazillion directly web accessible .php files all over the place. Its plugins do the same and, worse, are expected to do that. The wp-content folder is a complete security clusterfuck, hosting code installed by the administrator (plugins, themes), core code (upgrades) and user uploads (in the uploads subdirectory). Three sources with different trust levels under the same folder. The plugins subdirectories also have a mix of executable code, directly web accessible files and media. Adding insult to injury, about half of WordPress' hooks are not launched by the core but by the theme itself. And no, there is no hook which is guaranteed to run before anything else in way that would make a web application firewall practical.

Basically, it's a losing battle. Over the last year or so I've concluded that WordPress cannot be secured as tightly or easily as Joomla!. If we start with a security model which allows by default WP plugins to operate unhindered we have a TOO LAX model which allows hackers to upload and execute malicious files (hack scripts), the number one cause of hacked WP sites. If we start with a strict security model it will take a hell of a lot of effort for users to come to a working setup and it STILL comes down to how much you trust the developer of your plugins. After all, you'll have a lot of directly web accessible .php scripts which completely sidestep WordPress and, by extension, any security solution you've got installed. Remember a few years ago when tons of WP sites were hacked because of extensions using an old, vulnerable version of TimThumb? Admin Tools for WP could never protect you from that for the reason I just mentioned.

Since we also lack a suitable hook which guarantees execution at an early load stage we can't even be sure that we'll be preventing things like SQL injections and CSRF attacks. Actually, since WP has a very thin API we can't realistically offer features like UploadShield, XSSShield, DFIShield etc. The norm in WP is to have subpar code directly reading from the $_FILES, $_GET, $_POST and $_REQUEST superglobals directly. In Joomla! this code is considered shoddy at best: all developers MUST go through JInput to get access to the request data.

Then we have the way the core of each CMS operates. A recent attack in WP comes from the fact that it neither filtered nor escaped the comments entered by users when they're longer than the comment body database field length. This is a childish mistake. The Joomla! core is so much better at preventing this kind of attacks, mainly because there are centralised points of enforcing content security. Again, a security solution for WP couldn't catch those attacks (OK, maybe XSSShield could catch this one, but that's a big MAYBE...)

On top of all of that I have to keep in mind that WordPress is very popular. So we have a popular, impossible to secure web platform. If it sounds like a hacker's wet dream, it is. They will attack it relentlessly. Considering the subpar quality of the code of most plugins I've seen (some of the most popular ones!) and the abysmal code quality of the themes commonly used (see: ThemeForest) we're talking about a security nightmare.

Sure, I could write a security plugin for WordPress just like other companies have done. The difference is that the other companies are in it for the money, our company actually wants to offer good quality software that really works. A security product for WordPress is doomed to offer a very partial level of protection at best. It can never live up to the quality standards I have for our code. Additionally, since it's doomed from the onset, it would cause a lot of support requests and a lot of lost user trust when their site is hacked not because our code failed but because our code was entirely sidestepped by a shoddy plugin or theme. I can't prove I'm not an elephant. With Joomla! we had to do that very few times and it was almost always apparent which 3PD extension acted as the backdoor (typically written in such a way as to sidestep critical protections offered by Admin Tools).

For all these reasons I'm not inclined to spend any of our time writing a security plugin for WordPress. If we did we'd have to charge a lot of money and spend disproportionally lots of our time on it, always knowing that it would never make WordPress as secure as Joomla!. That would act as a distraction and eventually lose us money. So no, most likely you won't see Admin Tools for WordPress in the foreseeable future. You have to live knowing that having a WordPress site is like driving a car with one NCAP star: it may drive fine but if you crash you're unlikely to survive.

PS: I am considering moving my blog from WordPress back to Joomla!. The last security issue made me shut down comments, so why should I use WordPress at all?

Drupal is not for the faint at heart... or non-developers for that matter. Drupal requires massive amounts of custom coding. As for security, it's hard to discuss about "Drupal security" because by definition it makes no sense. Core Drupal won't get you far, not even nowhere close where core Joomla! can. Drupal 3PD extensions (modules) are frameworks for building things, not out of the box solutions. So it always comes down to the quality of the code you are writing for your own site. So, with Drupal I'd say that when it comes to security it depends ONLY on those who created the site AND administer the server (hosting a Drupal site on a shared host, while not unheard of, it very uncommon).

You know what is the FOSS PHP CMS with the best balance between popularity, usability and security? Joomla. I kid you not. I don't like many thing in Joomla!, just like you. There are things which are "obviously"* missing or don't make sense. There is a lot of room for objective improvement. Out of the top of my head workflow management, CDN integration and a solid media manager (not images manager!) are on the top of my list. But having used WordPress for a year and tried to use Drupal I can tell you that Joomla! is not too hard to use, not too limited once you understand what you're doing and not difficult to secure very tightly. It's the best compromise. If you don't care about security and flexibility you can swing to WordPress. If you don't care about ease of use –and have the money to hire a team of more than 30 people to realistically manage a site– you can go to Drupal. Or you can stick with Joomla! and make a very decent living without much effort and without much headache.

* "obviously" really means "according to my very own use cases which may be radically different than yours or anyone else's"

PS: I won't ever write a blog post about this. CMS are like religions for most people. If you say something bad about their preferred CMS, no matter how rooted in facts the criticism is, they tend to overreact. I love my sanity too much to subject myself to zealots.

Developing your own CMS from scratch is unwise. We've all done that when we were young, foolish and –frankly– didn't know better. A CMS is like a car. Sure, you can cobble together your own chassis, a motor, some basic instruments etc. Is this really a safe car? You will only know once you crash it and this will probably be the very last thing you do in this life. Same with a CMS. Been there, done that, how do you think I ended up working with Joomla!? :D

Take my advice and stick to existing CMS unless someone pays you to be part of a team building a bespoke solution. Trust me on this.