Joomla! vs Wordpress for Security


Joomla! is a much better designed system when it comes to security

Who wins the fight when it comes to Joomla vs Wordpress for security?

I read a very eye-opening tech support thread about Joomla vs WordPress security. It was written by a talented and well-respected developer who specializes in security and backup tools for web-based Content Management Systems (CMS). It would have been great for him to write his own blog post on the topic, but he doesn't want to deal with the fallout from WordPress fans that such a post might create. I understand his point; people can react in fanatical and negative ways when you criticize their beloved platform. Here at JoeJoomla we have no such concern. Our bias towards Joomla is obvious, and there are good reasons we prefer it.

Joomla! is a much better designed system

Way back at the start of our website-building journey in 2005 I asked a few developers what their CMS of choice was. Several of them named Joomla. One developer in particular told me he had considered building his own CMS, but when he reviewed the Joomla code base he found it very well done and cleaner than any other CMS he had looked at. There was no point in reinventing the wheel. Joomla already had a large community of developers supporting it, including a security team, which this developer joined in order to contribute to the project.

Developer best practices for Joomla ensure security is properly addressed

What essentially makes Joomla a better choice for security is the predictable way it works. Every frontend request goes through the root index.php and every administrator request through administrator/index.php; every other PHP file in a Joomla install starts with `defined('_JEXEC') or die;`, so it refuses to run unless it was included by one of those entry points. Joomla uses predictable directory names for extensions (components, modules, plugins, templates), media files, images and so on. Plugin events are fired by the core in predictable ways. When a developer creates extensions and other things for Joomla there is a best-practices method of doing so that ensures security is addressed properly.

WordPress by design is chaotic

By design WordPress has a chaotic structure with many directly web-accessible .php files, both in core and in plugins. The wp-content folder is a security nightmare: code installed by plugins, themes, core upgrade files and user uploads, all with different levels of trust, share one folder, and any .php file under it (including one an attacker manages to upload) is executed by the web server on request unless the server has been explicitly configured to refuse that. Plugin subdirectories are directly web accessible for both code and media. Many hooks are fired by the theme (wp_head, wp_footer and the template tags) rather than by the core, so there is no predictable sequence in which things are triggered.

WordPress themes are based on a template hierarchy that lets the developer build the output for each content or post type from scratch. The theme's `index.php` is not a front controller that every request passes through; it is merely the last-resort template in that hierarchy, and the other template files (`header.php`, `footer.php`, `single.php` and so on) are conventions rather than enforced structure. There is therefore no way to be sure the theme you are buying is clean or properly built, because those conventions are easily broken and nothing in the core checks them.
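A quick way to see the practical side of this is to list which PHP files in a content tree would actually execute if requested directly. The script below is an added example (not code from the original post, nor from WordPress or Joomla): a command-line PHP audit that walks a directory and reports every .php file that lacks a direct-access guard such as `if ( ! defined( 'ABSPATH' ) ) { exit; }` (WordPress) or `defined('_JEXEC') or die;` (Joomla). The sample tree it builds in a temporary directory is constructed here purely for illustration.

```php
<?php
// Added example, not from the original post or from WordPress/Joomla.
// CLI audit: report .php files under a content tree that have no
// direct-access guard and would therefore run if fetched by URL.
declare(strict_types=1);

function hasDirectAccessGuard(string $source): bool
{
    // The common guard idioms all contain a defined('ABSPATH'),
    // defined('WPINC') or defined('_JEXEC') check, e.g.
    //   if ( ! defined( 'ABSPATH' ) ) { exit; }      defined('_JEXEC') or die;
    return (bool) preg_match(
        '/defined\s*\(\s*[\'"](ABSPATH|WPINC|_JEXEC)[\'"]\s*\)/',
        $source
    );
}

/** @return string[] paths (relative to $root) of .php files without a guard */
function findUnguardedPhp(string $root): array
{
    $unguarded = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $source = (string) file_get_contents($file->getPathname());
        if (!hasDirectAccessGuard($source)) {
            $unguarded[] = substr($file->getPathname(), strlen($root) + 1);
        }
    }
    sort($unguarded);

    return $unguarded;
}

// --- Constructed sample tree (stands in for a real wp-content directory) ---
$root = sys_get_temp_dir() . '/wp-content-audit-' . getmypid();
$sample = [
    'plugins/good-plugin/good-plugin.php' =>   // guarded: exits on direct access
        "<?php\nif ( ! defined( 'ABSPATH' ) ) { exit; }\nadd_action( 'init', 'good_plugin_init' );\n",
    'plugins/bad-plugin/ajax.php' =>           // bootstraps WP itself and echoes raw input
        "<?php\nrequire_once '../../../wp-load.php';\necho \$_GET['msg'];\n",
    'themes/my-theme/functions.php' =>         // loaded on every request once the theme is active
        "<?php\nfunction my_theme_setup() {}\n",
    'uploads/2018/01/shell.php' =>             // an uploaded web shell: should never exist
        "<?php eval( \$_POST['c'] );\n",
    'uploads/2018/01/photo.jpg' => 'not php at all',
];
foreach ($sample as $relative => $body) {
    $path = "$root/$relative";
    is_dir(dirname($path)) || mkdir(dirname($path), 0700, true);
    file_put_contents($path, $body);
}

foreach (findUnguardedPhp($root) as $relative) {
    echo "UNGUARDED: $relative\n";
}

// Tidy up the constructed tree
$all = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($all as $entry) {
    $entry->isDir() ? rmdir($entry->getPathname()) : unlink($entry->getPathname());
}
rmdir($root);
```

Run it with `php audit.php`, or point `findUnguardedPhp()` at a real `wp-content` directory. With the sample tree the guarded plugin file is skipped and the other three PHP files are reported. A hit is not automatically a vulnerability; it is a file that will execute on a direct request and therefore needs reading: a theme `functions.php` usually does nothing harmful on its own, a plugin's standalone `ajax.php` that bootstraps `wp-load.php` and trusts its input is exactly the pattern that turns into an exploitable endpoint, and anything `.php` under `uploads` should not exist at all. The check is only as good as the guard idiom it recognizes (a file guarded by `function_exists('add_action')` will be reported as unguarded), and no guard helps against a shell the attacker wrote without one, which is why the web server should additionally be configured not to execute PHP under `uploads`.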

WordPress coding practices are rooted in PHP 3.x-era standards, which, if you check, date from over 17 years ago. Object-oriented programming (OOP) is used sparingly in core and rarely in the plugin ecosystem; most of the public API consists of global, loosely structured "easy-to-use" functions. That invites improper code, and improper code is easily insecure code. The centralized and messy `functions.php` file in a theme, which is loaded on every request, is the best example of this.

WordPress cannot be secured as tightly or easily as Joomla

The number one cause of hacked WordPress sites is scripts that attackers upload (web shells) and then use to fetch and execute further malicious files. It is easier for them because of the inherently poor security model WordPress allows: an uploaded .php file under a web-accessible folder runs as soon as it is requested. The shell usually gets in through a vulnerable plugin or theme, or through weak or reused credentials, so you really want to know a lot about who is creating the plugins that provide the WordPress functionality you depend on. If you are uninformed you are taking big chances with your site. There are just too many points of entry for an attacker to target in a site full of poorly written, directly web-accessible PHP files.

To make things worse, since cryptocurrency mining became profitable, WordPress installations have been heavily targeted by miner injections. Attackers take advantage of the very popular and easily compromised WordPress platform to inject mining code, naming the scripts so that they look legitimate and a webmaster who sees them in the page source is not alarmed. A browser-based JavaScript miner burns the CPU of every visitor for as long as the page is open; a server-side miner, dropped alongside a web shell, burns the host's CPU instead. So if your WordPress site seems to be struggling when it doesn't have many visitors, that may be a sign that something is amiss in this area: check the process list for an unfamiliar process pinning the CPU, and check the theme's header and footer and the database (widget and option text) for script tags you did not put there.

The Joomla! core enforces content security through centralized points

In Joomla! developers are required to go through JInput for everything that arrives in $_FILES, $_GET, $_POST and $_REQUEST rather than reading the superglobals directly; this is part of Joomla's coding standards and is checked when an extension is listed in the Joomla Extensions Directory. Each accessor names the type it expects (getInt, getCmd, getString, getWord and so on), so the value is cast or filtered before the extension ever sees it. This prevents a lot of attacks, because there is one central point at which input is validated instead of hundreds of ad hoc ones.
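To make the centralized-input point concrete, here is how the same article lookup looks when an extension bypasses JInput and when it uses it. This is an added example, not code from the original post or from the Joomla project, written against the Joomla 3.x API (JFactory, JInput, JDatabaseQuery, JSession, JFile); it assumes it is included from inside a component, so the framework is already loaded by index.php, and the function names are hypothetical.

```php
<?php
// Added example, not from the original post or the Joomla project.
// Assumes Joomla 3.x has been bootstrapped by index.php and this file is
// included as part of a (hypothetical) component.
defined('_JEXEC') or die;   // refuse to run if fetched directly by URL

// UNSAFE: reads the superglobal and concatenates it into SQL. This is what
// Joomla's coding standards forbid; ?id=1 OR 1=1 rewrites the query.
function articleTitleUnsafe()
{
    $db = JFactory::getDbo();
    $db->setQuery('SELECT title FROM #__content WHERE id = ' . $_GET['id']);

    return $db->loadResult();
}

// SAFE: every value comes through JInput with its type declared up front,
// and the query is built with the query builder and quoted identifiers.
function articleTitleSafe()
{
    $input = JFactory::getApplication()->input;

    $id   = $input->getInt('id', 0);                 // "1 OR 1=1" becomes 1
    $task = $input->post->getCmd('task', 'display'); // from $_POST only, not the
                                                     // merged $_REQUEST; only
                                                     // [A-Za-z0-9_.-] survives
    $q    = $input->getString('q', '');              // HTML tags stripped

    $db    = JFactory::getDbo();
    $query = $db->getQuery(true)
        ->select($db->quoteName('title'))
        ->from($db->quoteName('#__content'))
        ->where($db->quoteName('id') . ' = ' . (int) $id);
    $db->setQuery($query);

    return $db->loadResult();
}

// State-changing requests additionally check the CSRF token; JInput is
// also the only route to uploaded files, so $_FILES is never touched.
function handleUpload()
{
    JSession::checkToken() or jexit(JText::_('JINVALID_TOKEN'));

    $file = JFactory::getApplication()->input->files->get('upload');
    // $file is null or an array with name, type, tmp_name, error and size keys;
    // validate it further (JFile::makeSafe, JFile::upload) before saving it.
    return $file;
}
```

The difference is not that the safe version is longer; it is that the type of every piece of input is declared where the input is read, so a reviewer can see at a glance what an attacker can and cannot put into `$id`, `$task` and `$q`. The int cast in the `where()` clause is belt-and-braces: `getInt()` already guarantees an integer, but keeping the cast next to the SQL makes the query safe to read on its own.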

Some of WordPress's most popular plugins and commonly used themes would never see the light of day in the Joomlasphere. Joomla's coding standards and its extension review force a level of security that doesn't allow shoddy code. Does that mean there has never been a poorly done extension, template or plugin for Joomla? No, it doesn't. Joomla has had its share of security issues, but the community of volunteers who work on Joomla have been good and keep getting better with regard to website security. That is on top of the fact that Joomla's foundational structure is already security conscious.

It won't be long before we are enjoying the new Joomla 4.x version the production team is working on. It is designed with an improved code structure and best practices. Joomla versions 2 and 3 are secure, but improvements are being made to the MVC model and the general structure. Many of them are already available in Joomla 3.8.

WordPress will never be as secure as Joomla

While it is possible to have a secure WordPress site, it takes a huge effort to get there. You need to be highly conscious of what the code in all those plugins and in your theme is allowing. If you are running a WordPress site, surely you have qualified people to make those assessments.

Several years ago I toyed with running a WordPress blog; after all, WordPress had the reputation of being the darling and heavyweight champion of blogging. All it took to make me run from WordPress was dealing with WordPress themes. I hear from web developers on a weekly basis about what a nightmare WordPress is to deal with in many areas. I also hear about the good things WordPress has that Joomla doesn't, but it isn't nearly enough to make me want to switch.

If you are serious about website security and have a choice to make between one platform or the other Joomla is the right choice.