WordPress and Joomla take the biggest share of the content management system market, and their popularity makes them a prime target for attack. Because of this, both systems have been hardened over time and each offers a different take on security. The major security weakness of both CMSs is the entry points created by third-party plugins and extensions, which account for more than 56% of known vulnerabilities.

To compare the extent of security vulnerabilities we referred to the Common Vulnerabilities and Exposures (CVE) system, which provides a reference method for publicly known information-security vulnerabilities and exposures. CVE is funded by the National Cyber Security Division of the United States Department of Homeland Security and is considered one of the most reliable sources for cyber security assessment. According to CVE data, when market share is compared to incident rate, Joomla has had the most vulnerabilities found.

Joomla’s vulnerability percentage is made up mostly of code execution flaws (54%) – vulnerabilities that allow the injection and execution of shellcode, giving an attacker the ability to manipulate a system into granting administrator privileges. Joomla has also struggled with SQL injection (40% of total vulnerabilities) – in which SQL statements (database queries) are inserted into an entry field and executed by the attacker, giving them the means to carry out actions such as dumping database contents to themselves for further investigation. According to the same CVE data, WordPress fares better in defending itself against both code execution and SQL injection attacks.

Thus, our conclusion is that security depends not primarily on the CMS but on whether best practices are followed. With the right security implementation, either CMS is a valid choice based on business requirements. Security on both platforms can be ensured if the initial configuration is done right, extensions are carefully audited, the platform is well maintained, security updates are applied regularly and, most of all, if security as a service is available.

With all this in consideration, we’ve made the following recommendations.

We love WordPress; it’s simply the best in terms of extension availability, an awesome and helpful community and so on. So first:

  1. Audit each extension before installing
  2. Apply the recommended security configuration and hardening
  3. Set up a firewall and IP filtering
  4. Set up DoS attack protection
  5. Introduce a user password policy
  6. Turn on automatic plugin and security updates
  7. Set up Jetpack for enhanced performance and security
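As an added example (not code from the original post or from any of the products named), the following WordPress must-use plugin implements steps 2, 5 and 6 in PHP: it disables the in-dashboard file editor, enforces a minimum password length on profile edits and password resets, and switches on automatic plugin and theme updates. The file location, the 12-character minimum and the `hb_` prefix are assumptions; the hooks and constants are standard WordPress ones.

```php
<?php
/**
 * Plugin Name: Hardening Baseline (added example, not part of the original post)
 * Description: Drop into wp-content/mu-plugins/ so it loads on every request and
 *              cannot be deactivated from the dashboard. Path and limits are assumed.
 */

// Step 2: hardening. Remove the theme/plugin code editor from wp-admin, so a
// compromised admin account cannot be turned into arbitrary PHP on the server.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// Step 6: automatic updates. Minor core (security) releases are automatic by
// default; these filters extend that to every installed plugin and theme.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
    define( 'WP_AUTO_UPDATE_CORE', true ); // also auto-apply major core releases
}

// Step 5: password policy. WordPress only *suggests* strong passwords; this
// enforces a floor. 12 is an assumed policy value, adjust to your own standard.
const HB_MIN_PASSWORD_LENGTH = 12;

function hb_check_password( WP_Error $errors, $password, $login ) {
    if ( '' === $password ) {
        return; // no password change in this request, nothing to validate
    }
    if ( mb_strlen( $password ) < HB_MIN_PASSWORD_LENGTH ) {
        $errors->add( 'hb_pass_short',
            sprintf( 'Password must be at least %d characters long.', HB_MIN_PASSWORD_LENGTH ) );
    }
    if ( '' !== $login && false !== stripos( $password, $login ) ) {
        $errors->add( 'hb_pass_login', 'Password must not contain the login name.' );
    }
}

// Profile create/edit in wp-admin: $user->user_pass holds the new plaintext
// password only when the form submitted one.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    $pass  = isset( $user->user_pass ) ? $user->user_pass : '';
    $login = isset( $user->user_login ) ? $user->user_login : '';
    hb_check_password( $errors, $pass, $login );
}, 10, 3 );

// Password-reset form (wp-login.php?action=rp): the new password is posted as pass1.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    $pass = isset( $_POST['pass1'] ) ? wp_unslash( $_POST['pass1'] ) : '';
    hb_check_password( $errors, $pass, $user instanceof WP_User ? $user->user_login : '' );
}, 10, 2 );
```

Steps 3 and 4 (firewall, IP filtering, DoS protection) sit in front of PHP, at the web server or a service such as the ones named below, and are not covered by this file.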

If you have an extra buck to spare, you can also consider premium services such as Jetpack (a WordPress™ company), Wordfence or Sucuri.
