Disscussion! Joomla vs Wordpress: what is the best for security?

[Philip Lee]

Hello everyone,

First of all, I would like to say hello to everyone here, I am a new guy in this forum.
Recently, my colleagues almost fought each other when they argued about a topic: Joomla vs Wordpress? Which one is better for security? No one has won in this battle yet so I have to post this thread here to get some votes.
For me, I believe Joomla is the one because Joomla has a rockstar team contributing to its core code every second.This includes vigilant monitoring of security issues and quick responses to bugs and gaps in protection. Joomla actually has an entire team dedicated strictly to running commit reviews on the core, and they’re hyper aware of what’s at stake for Joomla users’ sites.

How about you? Speak to me about your idea so that I can decide among my colleagues, who will be the winner.

Thank you.

[ranwilli]

I'm not confident that my view will be shared by many, or ANY of the folks on this forum, but this is my opinion.

I don't think the matter of site security is a matter of choosing between WordPress and Joomla! I rather think it has more to do with strict adherence to best security practices over the life of the site.

I don't have much experience with WordPress, so I won't comment about that, but I guarantee you that if one develops a Joomla site, then walks away from it, it WILL eventually get hacked. There are issues that crop up after development that need attention, and if they are not attended, disaster will result. I suspect that holds true for WordPress as well.

[sozzled]

Although I entirely agree with everything that @ranwilli has written, this is one of those many ridiculous "how long is a piece of string" topics about Joomla vs. something else. I mean, really! Do we care whether Joomla is more secure, easier to learn, more or less "something" than something else?

I've been working on a new blog post/article entitled "Joomla vs LEGO®" that might see the light of day before the OP replies to this topic (before Christmas 2025). On the other hand, we might all be surprised if the OP ever follows up on this pointless waste of time.

[DaveOzric]

Security is a mindset in my opinion. While any site can likely be hacked if the right people do it, look at Sony, etc. However the webmaster or site admin must look at the big picture when it comes to how the internet operates. Hackers look for vulnerable computers that they can infect with malware. This is usually done with computers that are already infected and used as bots. They scan the web looking for a CMS and then try and determine if it's outdated or easy to hack into. They want to infect them to infect more computers for their various nefarious intended purposes. Or just inject spam or deface the site for fun.

Just check your raw access logs and see what kind of traffic you get. I have a site that is some local site for a environmental group in the USA. For some reason it attracts so much attention I often had hundreds of thousands of hits a month from bots all around the globe. My firewall (Admin Tools Pro) blocked the admin page login and form uploads but they were relentless.

All I can say is like ranwilli said, it makes little difference what CMS you are using. You have to be up to date and have other security measures in place. Strong passwords, good hosting, firewall, well written extensions, etc.

I've taken over clients who were hacked at the server level on Godaddy. The database was full of spam links.

[Pharman]

I agree with the different answers. I also feel that the CMS doesn't decide the security level of a website. It has a lot of other things in the back-end. What server you are running, what version, the kind of database and the current version, if the CMS is updated and so on, the list is never ending.

Even if a website is regularly updated it could be hacked and I think one important aspect to discuss is how the website is backed up and how easy it is to restore it.

If you take an example of the ransomware virus when it hit the companies that were impacted the most were the ones that didn't have good backup routines and access control.

So choose the CMS that makes sense for your needs and no matter which you choose, you need to keep updating your systems and making back-ups. Don't forget to test your backups as well, so you don't just make backups and have no idea if they work when you really need to restore them.