I Just Saw a Secure Joomla Site Get Hacked. Here’s What Changed.

A New Kind of Website Threat Is Emerging

After nearly 15 years of working with websites and Joomla specifically, I've seen an increase in problems with security and functionality across my website portfolio in the last 6 months. Joomla 3 recently reached it's end of life and initially I believed this was the issue. But the site that was hacked was Joomla 5.

A very new Joomla 5 website that was behind a firewall was compromised by an SEO injection hacker. I've seen this happen with Wordpress because it's the most commonly used and therefore the most frequently targeted CMS platform. But Joomla attacks are rare and I've never seen the firewall breached. Until 2026.

Hacking and cyber attacks have not just increased in recent months, they've evolved. Threats are no longer exclusively targeting large corporations and political websites. Now, even small and mid-sized businesses are being targeted. So what's up with the new surge in cyber attacks?

AI Has Super Charged Crime

AI now allows hackers to scan thousands of websites for vulnerabilities almost instantly. Then they can test multiple entry points using AI until they find one. Then they can use AI to generate malicious code tailored to specific platforms. In short, everything is faster and easier to do at scale. Additionally, with AI you no longer need advanced computer skills to hack a website.

Small Websites Are Easier Targets

Now that time is no longer an issue, small business websites are the best targets because they are the most likely to have out of date plugins or platforms. On smaller websites, a hack may go unnoticed for weeks or months. Small businesses are also the least likely to pay for increased security like a firewall, maintenance plans or website monitoring. So the website is out of date, unmonitored and unprotected. In other words: an easy target for an AI powered malicious actor.

Invisible Website Hacks

Many of these attacks are designed to go unnoticed. They want to remain completely invisible while doing damage to the website behind the scenes. This includes injecting hidden spam links, redirecting traffic from ads or google search, stealing leads or API codes and using your server to host malicious content.

All of this could be happening while everything on the front end can remain intact and looking completely normal. This creates a serious problem because it's hard to fix a problem that you don't see.

How It Affects Your Marketing Performance

Some businesses may wonder why they should care about a hack that they can't see. If your website is compromised, and you don't know it, then what's the problem?

Increasingly in this world we are worried about the robots and what they think about everything we do. This has always been true on the internet because google bots see a lot of things that we can't. If your website is compromised you could:

• Have your SEO rankings drop or be de-listed from Google
• Your paid ads could be disapproved or perform poorly
• Poor website performance, load times can increase bounce rates
• Leads and conversions will slow down or stop
• If an API or paid ad is compromised you may receive a surprise bill (and it will be expensive!)

So you may not know that your website is compromised but it can absolutely stop working, stop brining you leads and cost you money.

CMS Based Websites Are Targeted Most

Wordpress is an incredibly powerful tool and marketers have been using it to build websites since the beginning. It's been the most convenient option for years... But it's easy to hack and that has been true for a long time.

But here is a secret: Just because Wordpress is easy for website developers doesn't make it the best option for your business. The fact is that the vast majority of small websites don't need to make many changes and don't have the budget to update it literally all the time. (As you need to do with Wordpress.)

The Solution

If your website is running on a CMS such as Wordpress or Joomla, keep it updated. Like all the time. The platform, the themes, and even plugins that are installed but not in use, everything. This is no longer optional. You should also have a firewall and some kind of monitoring set up. This is now just the increased price of owning a website. I can help you find a maintenance plan that makes this process hands-off.

But if your website is small and doesn't need a lot, you should talk to me about developing your website in HTML. Not using a CMS is the oldest method of building on the internet and the hardest to hack. It also helps keep your website accessible without a lot of effort. Plus, it's not a new trend. It's been around since the beginning and it's not going anywhere.

If you're not sure what kind of website is right for your business, contact me for a free consultation. We'll discuss your specific needs and I can point you in the right direction for you.