First, I'd like to address a misunderstanding. I never said that the WordPress core in and of itself is insecure. WordPress itself, just like Joomla and Drupal, is developed by a number of competent developers, be they volunteers or paid Automattic staff.
The problem with WordPress lies with the culture around its themes and plugins.
Unlike Joomla, WordPress does not offer core APIs that third party plugins could use to safely handle user input, output or database access (granted, there is sort of a database layer, but everything else is completely missing). It doesn't have an MVC layer which will protect novice developers from shooting their feet. It doesn't require or even allow requests to go through a centralized index.php file. Combine that with most plugin developers being moonlighting scripters, not actual software developers, and you have a recipe for disaster. That's why you see so many easily preventable vulnerabilities in WordPress plugins. Even worse, the WordPress core lacks so much basic functionality (e.g. a simple contact form, a way to send email using anything other than PHP's mail() function, ...) that it's impossible to run a "core only" site, even if it's something basic.
The other problem with WordPress is that the administration and frontend are not separated at all. They are interconnected. The administration doesn't have a single entry point file, it has an arbitrary number of files in wp-admin and adding, removing or changing their names is not considered a backwards compatibility break nor is it documented anywhere. This means that, unlike Joomla, you cannot really tighten up the security of the administration all that much.
These are the reasons I didn't want to deal with WordPress security in 2014 and 2015.
Between then and 2019 things have evolved. Not with regards to WordPress plugins' security but to the market itself. WordPress is better suited for quickly creating a number of sites, from blogs (my own blog is running WordPress) to quick 'n' dirty e-commerce (WooCommerce in the mid-10s / early-20s is what VirtueMart was in the late 00s / early 10s). My clients wanted to use and secure WordPress and even I did too for my own blog. I tried different third party plugins but they were severely overpriced for what they offered, their features were geared more towards an illusion of security rather than the real deal, their code and performance was a hot mess, or a combination of the above. We couldn't tell our clients to use one of these plugins that I wasn't comfortable using on my own relatively low-value blog.
I did make that complaint a lot in our internal communication. Davide made the point that about half of our Joomla features translated well to WordPress and would be easily portable. We would also need a relatively sane amount of R&D for WordPress-specific features, including dealing with arbitrary entry points that bypass WordPress (PHP script preloading for the win). I gave him one year to come up with that and I did my own R&D for the .htaccess Maker feature.
About 7 months in it was pretty clear that the proof of concept implementation Davide had come up with was actually better than third party security plugins. It needed some time, love and care to make it into a product. This coincided with the period where we were launching our own CSS framework in our products. So I thought we could at the very least give it a try.
After some polishing and implementing some features that had come out of my R&D and had been tested on my own blog, we went for a public beta. The feedback was overwhelmingly positive. Therefore Admin Tools for WordPress became a viable product.
To the point, do I think that Admin Tools for WordPress helps you secure your WordPress site? Yes, I do. I practice what I preach. I am using it on my own blog. I trust that between Admin Tools Professional for WordPress, using the minimum number of plugins (by reputable developers) necessary for the task at hand and keeping everything up to date my risk is minimized.
Do I think that WordPress' security is on par with Joomla? No, I wouldn't go that far. Just like I wouldn't say that Joomla's security can even be on par with a custom Laravel application written by a competent developer. WordPress is extraordinarily mass market and treats backwards compatibility as sacrosanct, making concessions with regards to security. The upside of that approach is that it requires minimal maintenance for a long, long period of time – if the site integrator that built the site didn't do anything stupid, that is. Joomla stands in the middle ground and achieves a realistic level of security without sacrificing much of anything. You need a reasonable amount of maintenance in exchange for more robust security that will get you very, very far. A bespoke Laravel app is absolutely not mass market, it has great security (assuming a competent developer!) but backwards compatibility will break in a relatively short period of time and you are looking at a lot of time and money for maintenance.
At the end of the day all I can do is give you the options and lay down the compromises you will have to make. It's up to you to decide which CMS is best for your use case. I'm the first one to tell you that one size does not fit all; after all, my blog is on WordPress and my business site is on Joomla!.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
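An added example, not code from this post or from Admin Tools, illustrating the arbitrary-entry-point problem described above. It assumes that "script preloading" refers to PHP's auto_prepend_file directive and that WordPress lives at the web root; because the guard runs before whatever PHP file was requested, it sees requests to wp-admin/*.php and to plugin files that never pass through index.php.

```php
<?php
// Added example (not Admin Tools code). Load it before every script via
// php.ini or .htaccess:  php_value auto_prepend_file /path/to/entry-guard.php
// Assumption: a prepend file is what "script preloading" refers to, and
// WordPress is installed at the web root (SCRIPT_NAME starts at "/").
declare(strict_types=1);

// Entry points WordPress legitimately exposes to direct requests.
const ALLOWED_DIRECT = [
    '/index.php', '/wp-login.php', '/wp-cron.php', '/xmlrpc.php',
    '/wp-admin/admin-ajax.php', '/wp-admin/admin-post.php',
];

// Returns 'allow' or 'deny' for the script the web server is about to run.
function entryGuardDecision(string $scriptName): string
{
    $path = '/' . ltrim(str_replace('\\', '/', $scriptName), '/');
    // Any traversal in the script name is treated as suspicious.
    if (strpos($path, '..') !== false) {
        return 'deny';
    }
    if (in_array($path, ALLOWED_DIRECT, true)) {
        return 'allow';
    }
    // wp-admin/ has an undocumented, changing set of entry files (see the
    // post above); they all bootstrap WordPress and its login, so let them through.
    if (strpos($path, '/wp-admin/') === 0) {
        return 'allow';
    }
    // PHP files under wp-content/ (plugins, themes, uploads) are not meant to
    // be requested directly: a direct hit bypasses the WordPress bootstrap.
    if (strpos($path, '/wp-content/') === 0 && substr($path, -4) === '.php') {
        return 'deny';
    }
    return 'allow';
}

if (PHP_SAPI !== 'cli') {
    $script = $_SERVER['SCRIPT_NAME'] ?? '';
    if (entryGuardDecision($script) === 'deny') {
        // Log for the site owner, then stop before the requested file runs.
        error_log('entry-guard: denied direct request to ' . $script
            . ' from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
        http_response_code(403);
        exit('Forbidden');
    }
}
```

Plugins that legitimately serve a PHP file directly (some older ones do) need their file added to the allow list, which is exactly the kind of per-site R&D the post describes.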