Updated 10 April 2026.
The Hacker News and mySite.guru frequently publish articles warning WordPress CMS users of security concerns.
Why so many? WordPress is used by many more users globally than the Joomla! CMS, making the former a much bigger, juicier target for hackers.
Joomla! CMS users should however not be complacent.
They should instead review and tighten their website security.
The Hacker News usually recommends in its articles that CMS owners should:
- add Multi-factor Authentication to their website's Dashboard, and
- check they are using the latest version of the CMS and any extensions
to reduce the risk of their website being compromised in this way.
Recent mySite.guru articles
10 April 2026.
"Smart Slider 3 Pro version 3.5.1.35 was a malicious release".
"Not a vulnerability, not a coding mistake, not a missed capability check. An unauthorized party pushed a backdoored build through Nextend’s own update infrastructure".
mySite.guru Blog: Smart Slider 3 Pro version 3.5.1.35 was a malicious release
26 March 2026.
"A vulnerability disclosed this week lets any registered user on your site - even a basic subscriber - download your wp-config.php and every other file the web server can read. Over 800,000 WordPress sites are affected, and the same vulnerable code ships in the Joomla version too. If you run Smart Slider 3, update to version 3.5.1.34 now."
Read more: Smart Slider 3 Hack Allows Any File to Be Downloaded
Recent Hacker News articles
10 April 2026.
Unknown threat actors have hijacked the update system for the Smart Slider 3 Pro plugin for WordPress ... to push a poisoned version containing a backdoor. The incident impacts Smart Slider 3 Pro version 3.5.1.35.
Read more: Backdoored Smart Slider 3 Pro Update distributed via compromised Nextend servers
15 January 2026.
A maximum-severity security flaw in a WordPress plugin called Modular DS has come under active exploitation in the wild, according to Patchstack.
Read more: Critical WordPress Modular DS Plugin Flaw Actively Exploited to Gain Admin Access
8 December 2025.
A critical security flaw in the Sneeit Framework plugin for WordPress is being actively exploited in the wild, per data from Wordfence.
Read more: Critical security flaw in the Sneeit Framework plugin for WordPress
9 October 2025.
Cybersecurity researchers are calling attention to a nefarious campaign targeting WordPress sites to make malicious JavaScript injections that are designed to redirect users to sketchy sites.
Read more: Hackers exploit WordPress sites to power next-gen ClickFix Phishing attacks
24 July 2025.
Cybersecurity researchers have uncovered a new stealthy backdoor concealed within the "mu-plugins" directory in WordPress sites to grant threat actors persistent access and allow them to perform arbitrary actions.
Read more: Hackers deploy stealth backdoor in WordPress Mu-Plugins to maintain admin access
29 May 2025.
Cybersecurity researchers have disclosed a critical unpatched security flaw impacting TI WooCommerce Wishlist plugin for WordPress that could be exploited by unauthenticated attackers to upload arbitrary files.
Read more: 100,000+ WordPress sites at risk from critical CVSS 10.0 vulnerability in Wishlist Plugin
7 May 2025.
A second security flaw impacting the OttoKit (formerly SureTriggers) WordPress plugin has come under active exploitation in the wild.
Read more: OttoKit WordPress Plugin with 100K+ installs hit by exploits targeting multiple flaws
1 May 2025.
Cybersecurity researchers have shed light on a new campaign targeting WordPress sites that disguises the malware as a security plugin.
The plugin, which goes by the name "WP-antymalwary-bot.php," comes with a variety of features to maintain access, hide itself from the admin dashboard, and execute remote code.
Read more: Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers
What can you do to protect your Joomla! CMS?
Inclusion of Multi-factor Authentication in the Joomla! 5 CMS (first introduced with Joomla! 4) is a useful initiative by The Joomla! Project.
Using one of the available plugins with your website is now relatively straightforward.
Read more: Multi-factor Authentication.
You should also password-protect your website's Administrator directory.
This can be achieved via the Hosting Control Panel included with your Hosting Account.
Example: cPanel users can enable Directory Privacy via the Files panel of the cPanel Dashboard.
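A check for the directory protection described above, as an added example that is not part of the original article. It assumes an Apache host where the protection is expressed as an `.htaccess` file in the `administrator` directory (the usual result of enabling Directory Privacy); the function names and the sample paths are hypothetical.

```python
import sys
import tempfile
from pathlib import Path

def audit_admin_protection(docroot):
    """Return findings for <docroot>/administrator/.htaccess; empty list means OK."""
    docroot = Path(docroot).resolve()
    htaccess = docroot / "administrator" / ".htaccess"
    if not htaccess.is_file():
        return ["no .htaccess in administrator/"]
    directives = {}
    for raw in htaccess.read_text().splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            directives[parts[0].lower()] = parts[1].strip().strip('"')
    findings = []
    if directives.get("authtype", "").lower() not in ("basic", "digest"):
        findings.append("AuthType is not set")
    if not directives.get("require", "").lower().startswith(("valid-user", "user ", "group ")):
        findings.append("no Require directive that demands a login")
    pw = directives.get("authuserfile")
    if not pw:
        findings.append("AuthUserFile is not set")
    elif not Path(pw).is_absolute():
        findings.append("AuthUserFile is not an absolute path")
    elif docroot in Path(pw).resolve().parents:
        # A password file stored under the web root may be downloadable.
        findings.append("password file is inside the web root")
    return findings

def build_sample(base, password_file):
    """Create a constructed web root whose .htaccess points at password_file."""
    root = Path(base) / "public_html"
    (root / "administrator").mkdir(parents=True, exist_ok=True)
    (root / "administrator" / ".htaccess").write_text(
        'AuthType Basic\nAuthName "Restricted"\n'
        f'AuthUserFile "{password_file}"\nRequire valid-user\n')
    return root

if __name__ == "__main__":
    if len(sys.argv) > 1:   # audit a real web root given on the command line
        print(audit_admin_protection(sys.argv[1]))
    else:                   # otherwise run against constructed sample data
        with tempfile.TemporaryDirectory() as tmp:
            root = build_sample(tmp, Path(tmp) / ".htpasswds" / "passwd")
            print(audit_admin_protection(root))
```

Run it with the path to your site's web root as the only argument; an empty list means the directives are present and the password file sits outside the web root.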
Be bold, add a Web Application Firewall to your website.
Akeeba Admin Tools PRO supports password protection and the use of a secret URL to cloak your website's Administrator directory URL.
It also includes a host of other security enhancements.
Read more: Web Application Firewall.
Make Joomla! CMS Security your #1 Priority
We help and support managers responsible for Joomla! CMS websites in UK business and third sector organisations across Cheshire, Greater Manchester, Merseyside and North West England.






