Updated 16 January 2026.
The Hacker News frequently publishes articles warning Wordpress CMS users of security concerns.
Why so many? Wordpress is used by many more users globally than is the Joomla! CMS making the former a much bigger juicer target for hackers.
Joomla! CMS users should however not be complacent.
They should instead review and tighten their website security.
The Hacker News usually recommends in its articles that CMS owners should:
- add Multi-factor Authentication to their website's Dashboard, and
- check they are using the latest version of CMS and any extensions
to reduce the risk of their website being compromised in this way.
Recent Hacker News articles re Wordpress security concerns
15 January 2026.
A maximum-severity security flaw in a WordPress plugin called Modular DS has come under active exploitation in the wild, according to Patchstack.
Read more: Critical WordPress Modular DS Plugin Flaw Actively Exploited to Gain Admin Access
8 December 2025.
A critical security flaw in the Sneeit Framework plugin for WordPress is being actively exploited in the wild, per data from Wordfence.
Read more: Critical security flaw in the Sneeit Framework plugin for WordPress
9 October 2025.
Cybersecurity researchers are calling attention to a nefarious campaign targeting WordPress sites to make malicious JavaScript injections that are designed to redirect users to sketchy sites.
Read more: Hackers exploit WordPress sites to power next-gen ClickFix Phishing attacks
24 July 2025.
Cybersecurity researchers have uncovered a new stealthy backdoor concealed within the "mu-plugins" directory in WordPress sites to grant threat actors persistent access and allow them to perform arbitrary actions.
Read more: Hackers deploy stealth backdoor in WordPress Mu-Plugins to maintain admin access
29 May 2025.
Cybersecurity researchers have disclosed a critical unpatched security flaw impacting TI WooCommerce Wishlist plugin for WordPress that could be exploited by unauthenticated attackers to upload arbitrary files.
Read more: 100,000+ WordPress sites at risk from critical CVSS 10.0 vulnerability in Wishlist Plugin
7 May 2025.
A second security flaw impacting the OttoKit (formerly SureTriggers) WordPress plugin has come under active exploitation in the wild.
Read more: OttoKit WordPress Plugin with 100K+ installs hit by exploits targeting multiple flaws
1 May 2025.
Cybersecurity researchers have shed light on a new campaign targeting WordPress sites that disguises the malware as a security plugin.
The plugin, which goes by the name "WP-antymalwary-bot.php," comes with a variety of features to maintain access, hide itself from the admin dashboard, and execute remote code.
Read more: Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers
11 April 2025.
A newly disclosed high-severity security flaw impacting OttoKit (formerly SureTriggers) has come under active exploitation within a few hours of public disclosure. The vulnerability ... is an authorization bypass bug that could permit an attacker to create administrator accounts under certain conditions and take control of susceptible websites.
Read more: OttoKit WordPress plugin admin creation vulnerability under active exploitation
6 March 2025.
Over 1,000 websites powered by WordPress have been infected with a third-party JavaScript code that injects four separate backdoors.
What can you you do to protect your Joomla! CMS?
Inclusion of Multi-factor Authentication in the Joomla! 5 CMS (first introduced with Joomla! 4) is a useful initiative by The Joomla! Project.
Using one of the available plugins with your website is now made relatively straightforward.
Read more: Multi-factor Authentication.
You should also password protect your website's Administrator directory.
This can be achieved via the Hosting Control Panel included with your Hosting Account.
Example: cPanel users can enable Directory Privacy via the Files panel of the cPanel Dashboard.
Be bold, add a Web Application Firewall to your website.
Akeeba Admin Tools PRO supports password protection and the use of a secret URL to cloak your website's Administrator directory URL.
It also includes a host of other security enhancements.
Read more: Web Application Firewall.
About The Hacker News
"The Hacker News (THN) stands as a top and reliable source for the latest updates in cybersecurity. As an independent outlet, we offer balanced and thorough insights into the cybersecurity sector, trusted by professionals and enthusiasts alike."
Subscribe to The Hacker News newsletter when you visit the following link.
And keep up to speed with the latest security threats affecting your Operating System, Web Browser and Website.
Make Joomla! CMS Security your #1 Priority
We help and support managers responsible for Joomla! CMS websites in UK business and third sector organisations across Cheshire, Greater Manchester, Merseyside and North West England.
Your personal data is nobody's business.