29 May 2025.
The Hacker News frequently publishes articles warning WordPress CMS users of security concerns.
Why so many? WordPress is used by many more users globally than is the Joomla! CMS, making the former a much bigger and juicier target for hackers.
Joomla! CMS users should however not be complacent.
They should instead review and tighten their website security.
The Hacker News usually recommends in its articles that CMS owners should:
- add Multi-factor Authentication to their website's Dashboard, and
- check they are using the latest version of CMS and any extensions
to reduce the risk of their website being compromised in this way.
Recent Hacker News articles on WordPress security concerns
29 May 2025.
Cybersecurity researchers have disclosed a critical unpatched security flaw impacting TI WooCommerce Wishlist plugin for WordPress that could be exploited by unauthenticated attackers to upload arbitrary files.
Read more: 100,000+ WordPress sites at risk from critical CVSS 10.0 vulnerability in Wishlist Plugin
7 May 2025.
A second security flaw impacting the OttoKit (formerly SureTriggers) WordPress plugin has come under active exploitation in the wild.
Read more: OttoKit WordPress Plugin with 100K+ installs hit by exploits targeting multiple flaws
1 May 2025.
Cybersecurity researchers have shed light on a new campaign targeting WordPress sites that disguises the malware as a security plugin.
The plugin, which goes by the name "WP-antymalwary-bot.php," comes with a variety of features to maintain access, hide itself from the admin dashboard, and execute remote code.
Read more: Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers
11 April 2025.
A newly disclosed high-severity security flaw impacting OttoKit (formerly SureTriggers) has come under active exploitation within a few hours of public disclosure. The vulnerability ... is an authorization bypass bug that could permit an attacker to create administrator accounts under certain conditions and take control of susceptible websites.
Read more: OttoKit WordPress plugin admin creation vulnerability under active exploitation
6 March 2025.
Over 1,000 websites powered by WordPress have been infected with a third-party JavaScript code that injects four separate backdoors.
13 January 2025.
Cybersecurity researchers are warning of a new stealthy credit card skimmer campaign that targets WordPress e-commerce checkout pages by inserting malicious JavaScript code into a database table associated with the CMS.
Read more: WordPress skimmers evade detection by injecting themselves into database tables
12 December 2024.
Malicious actors are exploiting a critical vulnerability in the Hunk Companion plugin for WordPress to install other vulnerable plugins that could open the door to a variety of attacks.
Read more: Hunk Companion Plugin flaw exploited to silently install vulnerable plugins
26 November 2024.
Installed on over 200,000 WordPress sites, CleanTalk's Spam Protection Anti-Spam FireWall Plugin is advertised as a "universal anti-spam plugin" that blocks spam comments, registrations, surveys, and more.
Two critical security flaws could allow an unauthenticated attacker to install and enable malicious plugins on susceptible sites and potentially achieve remote code execution.
Read more: CleanTalk's Spam Protection Anti-Spam FireWall Plugin exposes 200,000+ sites
18 November 2024.
A critical authentication bypass vulnerability has been disclosed in the Really Simple Security (formerly Really Simple SSL) plugin for WordPress which could allow an attacker to remotely gain full administrative access to a susceptible site.
Read more: Critical WordPress plugin vulnerability exposes over 4 million sites
31 October 2024.
A high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could allow an unauthenticated threat actor to elevate their privileges and perform malicious actions. The vulnerability has been addressed in version 6.5.2 of the plugin.
Read more: LiteSpeed Cache Plugin vulnerability poses significant risk to WordPress websites
15 October 2024.
The maintainers of the Jetpack WordPress plugin have released a security update to remediate a critical vulnerability that could allow logged-in users to access forms submitted by others on a site.
Jetpack, owned by WordPress maker Automattic, is an all-in-one plugin that offers a comprehensive suite of tools to improve site safety, performance, and traffic growth. It's used on 27 million WordPress sites, according to its website.
The issue is said to have been identified by Jetpack during an internal security audit and has persisted since version 3.9.9, released in 2016.
While there is no evidence that the vulnerability has ever been exploited in the wild, there is a likelihood that it could be abused going forward in light of public disclosure.
Read more: WordPress Plugin Jetpack patches major vulnerability affecting 27 million sites
4 October 2024.
A new high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable malicious actors to execute arbitrary JavaScript code under certain conditions.
Read more: LiteSpeed Cache Plugin Security Flaw Exposes WordPress Sites to XSS Attacks
6 September 2024.
Cybersecurity researchers have discovered yet another critical security flaw in the LiteSpeed Cache plugin for WordPress that could allow unauthenticated users to take control of arbitrary accounts.
Read more: Critical security flaw found in LiteSpeed Cache Plugin for WordPress
22 August 2024.
Critical flaw in WordPress LiteSpeed Cache Plugin allows hackers admin access.
Read more: Critical flaw in WordPress LiteSpeed Cache Plugin allows hackers admin access
21 August 2024.
GiveWP WordPress Plugin vulnerability puts 100,000+ websites at risk.
Read more: GiveWP WordPress Plugin vulnerability puts 100,000+ websites at risk
25 June 2024.
Multiple WordPress plugins being exploited by hackers.
What can you do to protect your Joomla! CMS?
Inclusion of Multi-factor Authentication in the Joomla! 5 CMS (first introduced with Joomla! 4) is a useful initiative by The Joomla! Project.
Using one of the available plugins with your website is now made relatively straightforward.
Read more: Multi-factor Authentication.
You should also password protect your website's Administrator directory.
This can be achieved via the Hosting Control Panel included with your Hosting Account.
Example: cPanel users can enable Directory Privacy via the Files panel of the cPanel Dashboard.
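What cPanel's Directory Privacy does under the hood is write an Apache HTTP Basic Auth rule into the directory and keep the password file outside the web root. The script below is an added example (not from this page, cPanel or the Joomla! Project) that reproduces that for Joomla's administrator directory and checks the result; the paths, user name and the placeholder hash are assumptions for illustration.

```shell
#!/bin/sh
# Added example: hand-rolled equivalent of cPanel "Directory Privacy" for
# Joomla's /administrator directory (Apache Basic Auth via .htaccess), with
# the password file kept OUTSIDE the web root. Paths/user are assumptions.

# protect_admin_dir DOCROOT PASSWD_DIR USER HASH
#   DOCROOT    - web root that contains Joomla's 'administrator' directory
#   PASSWD_DIR - directory outside DOCROOT that will hold the .htpasswd file
#   USER       - HTTP Basic Auth user name
#   HASH       - password hash in htpasswd format (e.g. output of `htpasswd -nB`)
protect_admin_dir() {
    docroot=$1; passwd_dir=$2; user=$3; hash=$4
    admin="$docroot/administrator"
    mkdir -p "$admin" "$passwd_dir"
    # Password file: one "user:hash" line, not world-readable.
    printf '%s:%s\n' "$user" "$hash" > "$passwd_dir/.htpasswd"
    chmod 640 "$passwd_dir/.htpasswd"
    # The same directives cPanel writes for a protected directory.
    cat > "$admin/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted Area"
AuthUserFile $passwd_dir/.htpasswd
Require valid-user
EOF
}

# check_admin_dir DOCROOT
#   Returns 0 when the administrator directory carries a Basic Auth rule whose
#   AuthUserFile exists and lies outside DOCROOT; returns 1 otherwise.
check_admin_dir() {
    docroot=$1
    ht="$docroot/administrator/.htaccess"
    [ -f "$ht" ] || return 1
    grep -q '^AuthType Basic' "$ht" || return 1
    grep -q '^Require valid-user' "$ht" || return 1
    pw=$(sed -n 's/^AuthUserFile //p' "$ht")
    [ -n "$pw" ] && [ -f "$pw" ] || return 1
    # A password file inside the web root could itself be downloaded.
    case "$pw" in "$docroot"/*) return 1 ;; esac
    return 0
}
```

The check function is the part worth keeping: run it after any hosting migration, since a restored backup that lands the password file under public_html passes a casual glance but fails this test.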
Be bold, add a Web Application Firewall to your website.
Akeeba Admin Tools PRO supports password protection and the use of a secret URL to cloak your website's Administrator directory URL.
It also includes a host of other security enhancements.
Read more: Web Application Firewall.
About The Hacker News
"The Hacker News (THN) stands as a top and reliable source for the latest updates in cybersecurity. As an independent outlet, we offer balanced and thorough insights into the cybersecurity sector, trusted by professionals and enthusiasts alike."
Subscribe to The Hacker News newsletter when you visit the following link.
And keep up to speed with the latest security threats affecting your Operating System, Web Browser and Website.
Read more: About 'The Hacker News' Media
Make Joomla! CMS Security your #1 Priority
We help and support managers responsible for Joomla! CMS websites in UK business, academy school and third sector organisations across Cheshire, Greater Manchester, Merseyside and North West England.
Contact WYNCHCO Solutions for personal Joomla! CMS Help and Support.