#24176 Admintools for Wordpress

Posted in ‘Pre-sales and Account Questions’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

 Hi I'm starting to use Wordpress more than Joomla!

I'm really happy to be able to use Akeeba backup for Wordpress but disappointed I can't also use Admintools. Any plans to launch a Wordpress version of Admintools?

Akeeba Staff
According to my experience with WordPress it's very hard to secure it, at least to the extent you can secure Joomla!.

The first major point is that while Joomla! passes all request through index.php, WordPress doesn't. In fact, WP encourages 3PDs to NOT go through it. This means that there are no hooks guaranteed to be called in all page loads, making a web application firewall implemented in WordPress a rather ludicrous proposition (yes, I am aware other companies do that and I've seen that it's as watertight as a sieve).

Moreover, the abundance of directly web accessible .php files in arbitrary locations, intermixed with static media files as well as .php files not meant to be called directly from the web makes tightening security a nightmare. You'd have to start by disabling access to any .php file and then add each web accessible file one by one to a list. Well, good luck with that. In contrast, Joomla! guarantees that only index.php and administrator/index.php must be web accessible, otherwise the 3PD developer is doing something stupid. Joomla! also separates static media from executable code, therefore has a FAR better security model than WordPress.

Furthermore, WordPress does not have a centralized API for accessing request data, session data or cookie data. Due to the lack of this kind of API it is impossible to correctly filter incoming data in a way that would make a Web Application Firewall effective against real world attacks.

In short what I've seen in WordPress is that it's not possible to secure it adequately. I am still unsure if I want to write a plugin that offers only partial security to your sites. I mean, real world site hacks rarely if ever go through core code. They usually go through a popular plugin's directly accessible .php file that has a gaping security hole. No security plugin for WordPress can catch this kind of attacks. Considering the largely inexistent competence of the vast majority of WordPress plugin "developers" this kind of attacks are quite common. Let me put it this way. If you were a developer like me and saw the code of the most popular plugins you'd be running away from WordPress. Hint: my blog went back to Joomla! (from WordPress) a few months ago when I did exactly that...

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

System Task
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.

Support Information

Working hours: Typically we work Monday to Friday, 9am to 7pm Cyprus timezone (EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets, but we cannot respond to them, outside of our working hours.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!

Summer vacations: Our support will be closed for replies and new tickets from August 6th to August 21st, 2022 due to summer vacations.