WordPress & Joomla!: Popular ≠ Perfect

We've all got insecurities

Popularity attracts attention to your insecurities – we’ll call it “the cost of success” and the result of occupying real estate in others’ minds: even with a legion of fanbois fawning over your every tweet, others will attempt to undermine your success in any way they can. We’ll remain civil and not name names, but you’re surely aware of some cultural force who’s had a weakness leveraged against them in a public forum.

Such is the case for two Internet darlings: WordPress® and Joomla!® Being two of the most popular content management systems (CMS) available means they attract a lot of attention from hackers, fraudsters, and exploiters. Finding vulnerabilities in one of these apps is a goldmine to these people: their popularity means they have a lot of places to abuse what they’ve found. Including your site.

Stay above the fray

If you’ve already taken care of the basics (strong passwords, SSL certificates, etc.), you should consider taking the next step and looking into security plugins. These tools add a lot of functionality to your site to protect you – and your visitors – in a number of ways:

| Plugins with this feature… | Do this to protect you… |
| --- | --- |
| Scanning site files | Compares files against known compromised |
| Hiding/Password-protecting admin pages | Bolsters security of pages that only you need to access |
| Setting more secure file permissions | Prevents hackers from tampering with files |
| Firewall/brute force mitigation/blacklisting IPs/.htaccess | Controls who can/cannot access the site, inc. those trying to log in who shouldn’t be |
| Comment SPAM | Removes unwanted comments submitted to the site; may inc. malicious links/code |
| Database security | Ensures only those who need access to the database have it |
| Site monitoring/logs | Keeps data about activity on your site |
| Backups | Creates uncompromised copies of your site |
| Version control | Updates software automatically and notifies you when things fall out of date |
| Multi-factor authentication | Creates logins that require more than username and password |

Popular security plugins

There are a ton of security plugins out there for both applications, and not one of them does everything. To make sure you’ve gotten as much protection as you can, it’s a good idea to stack them atop each other to create a deep defense. Below is a feature overview of the most popular security plugins for both WordPress and Joomla!

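| WordPress | All In One | WordFence | iThemes | BulletProof | Centrora |
| --- | --- | --- | --- | --- | --- |
| Scan site files | X | X | X |  | X |
| Hide admin location |  |  | X |  |  |
| Password protect admin location |  |  |  |  |  |
| Set file permission values | X |  | X | X |  |
| Firewall | X | X |  |  | X |
| Brute force mitigation | X |  | X |  |  |
| Blacklisting IPs | X | X | X |  | X |
| .htaccess |  |  |  | X |  |
| Comment SPAM | X | Pro Version | X |  | X |
| Database security | X |  | X | X |  |
| Site monitoring |  | X |  |  |  |
| Logs |  |  | X | X |  |
| Backups |  |  | X |  | X |
| Version control |  |  |  |  | X |
| Multi-factor authentication |  | Pro Version |  |  | X |
| Other features | X | X | X | X | X |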


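| Joomla! | Admin Tools Pro | Security Check | DMC Firewall | OSE Secure | Centrora |
| --- | --- | --- | --- | --- | --- |
| Scan site files | X | X |  | X | X |
| Password protect admin location | X |  |  | X |  |
| Set file permission values | X | X |  |  |  |
| Firewall | X | X | X |  | X |
| Blacklisting IPs | X | X |  |  | X |
| .htaccess | X | X |  |  |  |
| SPAM | X |  |  |  | X |
| Database security | X |  |  |  |  |
| Logs | X | X | X |  |  |
| Backups | X |  |  |  | X |
| Version control |  | X | X |  |  |
| Other features | X | X | X | X | X |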

The wrap-up

Before adopting a security regimen, we do encourage you to check the plugins’ documentation. Look for anything that you know would conflict with your setup – if you haven’t done any custom configuration, though, you probably don’t have much to worry about.

With a good mix of best practices and proactive security measures, you’ll increase the ease of maintaining your site, as well as the quality of your visitors’ experience – not to mention remaining free of any tarnish if the hacker tabloids start running slanderous stories about your favorite CMS.


UPDATE 9/24/14: Removed Joomla! column for Admin Tools Core and replaced with features for Admin Tools Professional.

Also published on Medium.