Support

Admin Tools for WordPress

#30163 Has AdminTools Pro overcome Wordpress fundamental security issues?

Posted in ‘Admin Tools for WordPress’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

WordPress version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by webinfinitynz on Monday, 03 September 2018 20:01 CDT

webinfinitynz
Hey all.

Back in 2015, someone asked about if Admin Tools Pro was ever going to be released for Wordpress.
Nicolas kindly replied (https://www.akeebabackup.com/support/admin-tools/Ticket/22582-admin-tools-pro-for-wordpress.html) with details explaining maybe but WP has some fundamental security flaws which makes it difficult to make an effective Admin Tools Pro for WP.

I can see that there is now a beta version of Admin Tools for WP. I was just wondering if you have managed to work around these fundamental flaws (or maybe WP has been improved security wise)?

I know it's in Beta but I'm just trying to get a picture of where the product will be when it's released, in regards to its ability to protect a site vs the Joomla Admin Tools Pro.

I guess this is difficult to answer but any feedback / opinion is appreciated.

I'm mainly asking as I currently develop my sites in Joomla and tempted to move over to Wordpress (mainly for the easy of development with template systems like DIVI) but I have concerns about the security aspects of Wordpress.

Thanks.

nicholas
Akeeba Staff
Manager
Yes, for the most part.

The major drawback of WordPress is that, unlike Joomla!, it does not route all requests through one file (index.php) but several .php files which are scattered around the filesystem. We have now mapped and cataloged these files which allows us to provide a .htaccess Maker for WordPress. There is a caveat, though.

First, the wp-admin folder's .php files cannot be reasonable cataloged since they can change between releases. Therefore the .htaccess Maker has to allow executing all .php files inside those folders. As long as you use the "Administrator password protection" feature in conjunction with .htaccess Maker you are protected. If you use one but not the other it's possible -depending on your host- that a hacked subdomain (or even a different site altogether) may be able to put malicious files in your wp-admin folder and bypass security measures. This is a risk which does not exist on Joomla! as long as you're using both the frontend and backend protection feature of the .htaccess Maker.

The other fundamental flaw has to do with the code quality of third party plugins. Most of these plugins are written by people who are not professional PHP developers. In fact, since the WordPress plugin directory forbids listing for-a-fee software and demands plugin owners to provide free support it's extremely unlikely that you will find good code written by professionals in there. The exceptions are those who sell software-as-a-service or those who push their paid code through a free plugin. Most of the plugins you will find in there range from moderately dangerous to "COME AND HACK ME". Admin Tools for WordPress will stop most of the damage made possible by shoddy plugins. I would still recommend caution on what you install, though, and keeping both backups and an eye for any anomalous activity on the site.

Speaking of the WP Plugin Directory, I have seen takeovers by unsavory people. Semi-popular plugin written by a sole developer who's making no money and has to do free support (thanks for nothing, WP Plugin Directory!). Someone comes and asks to buy the plugin for $10,000. Developer says "hell, yeah". Unsavory dude lays low for a few weeks. Then he pushes a minor update with a few bug fixes and a minor new feature... and some nasty spyware, malware or spam code to make things more spicy! The unsuspecting site owner installs the update, ostensibly from the reputable developer of the semi-popular plugin, and their site is effectively hacked from the inside, bypassing all security measures. This is not possible with the Joomla! Extensions Directory for many reasons. With WordPress? The view of the Directory is that this kind of behavior will lead to bad reviews and eventually people will stop using the plugin. So, please, please, please be careful what you install ESPECIALLY if it comes from the WordPress Plugin Directory.

So, would I use WordPress? Yes, for some sites. Small business sites are better off using WP than anything else and your clients can update the pages without you having to take 100 calls per page changed -- oh, you will still make money fixing their bad edits, don't worry about that. I would use it for news / blog sites -- as long as the editors are willing to put up with the rolling dumpster fire that the soon-to-be-obligatory Gutenberg editor is. Really, before considering WP try out Gutenberg and keep in mind that it will be the obligatory default editor in a few short months. This is what convinced me to NOT convert my blog to WordPress (currently it's Joomla). I kid you not. You have to see it to believe it. Oh, yes, of course: the main use case for WordPress nobody admits to is e-commerce sites on the cheap. Back in the early 10's we were using Joomla + VirtueMart. Now people use WordPress + WooCommerce. It's the same idea: e-commerce quick and easy and may God have mercy on our souls. As for more complex sites I would definitely consider all options depending on the client specifications, scope, budget, deadlines, the experience of the team building the site, the experience of the build managing the site etc.

Just remember that security is not a black/white situation. WP + Admin Tools is not that much more insecure than Joomla + Admin Tools. It's still easy for someone managing a site to install the wrong plugin and undo your security. With Joomla! you can disable that feature or use ACLs to lock down the site. With WP you can't remove installing plugins but you can use Roles to prevent the inexperienced manager from screwing up. In the end of the day you have to do the balancing act of security.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

webinfinitynz
Hey thanks Nicholas for the detailed info.
I've been reading up on Gutenberg today and wow, a lot of people don't like it! I'll certainly check it out.

Anyway thanks again for the info.