Three of the World's Top CMS Platforms Hacked in One Week


There is a familiar pattern in website security. A platform becomes powerful. Then it becomes popular. Then it becomes extended, customised, patched, integrated and depended upon. At some point, the very thing that made it useful also makes it vulnerable.

The last week has offered a sharp reminder of that.

TechRadar reported that more than one million WordPress sites were potentially affected by flaws in Avada Builder, a popular WordPress plugin. One of the issues was a high-severity SQL injection vulnerability that could be exploited without authentication, potentially allowing attackers to extract sensitive data from the database, including hashed passwords. Patches have been issued, but only updated sites are protected.

SecurityWeek also reported that a Ghost CMS vulnerability had been used in mass attacks against unpatched websites. More than 700 sites were reportedly compromised, including sites connected with major organisations. Attackers were able to obtain Admin API keys and alter published articles by injecting malicious JavaScript.

Drupal has also issued an urgent warning ahead of a critical security release, asking administrators to reserve time for immediate updates because exploits could be developed quickly after disclosure. That warning was not just about the existence of a vulnerability. It was about the speed of the modern attack window.

Popular does not mean invulnerable

None of this means WordPress, Ghost or Drupal are bad platforms. They are widely used because they are useful. They let teams publish, edit, extend and manage content with enormous flexibility. But every flexibility has a cost.

A login screen is a door. A plugin is another door. A database is a room full of valuables. An admin API is a set of keys. The more moving parts a site has, the more things there are to guard.

WordPress illustrates the issue most clearly because it is so widely used. Its popularity makes it an obvious target, and its enormous plugin ecosystem creates a large attack surface. Whitehat SEO's WordPress security guide notes that thousands of WordPress vulnerabilities were recorded in 2024, with the overwhelming majority coming from third-party plugins rather than WordPress core itself.

A CMS is not a finished product

That is the part many business owners never see. A CMS website is not something you simply launch and leave. It is not a finished brochure. It is a small software system. It has updates, permissions, dependencies, logins, plugins, themes, databases and integrations. If nobody is actively maintaining it, it does not stay still. It ages.

And on the web, old code does not age like wine. It ages like milk.

Why static websites deserve a second look

This is where static websites deserve a more serious place in the conversation.

A static site is not magic. It can still be badly built. It can still load risky third-party scripts. It can still be misconfigured. But in its simplest and best form, it has one profound security advantage: there is very little there to attack.

There is no public CMS dashboard sitting on the web. No live database behind every page. No plugin stack waiting for the next urgent patch. No server-side code being executed on each request. The visitor asks for a page, and the server gives them a page.

It is wonderfully boring. And in security, boring is often beautiful.

The shop versus the brochure

The difference is not unlike the difference between a shop and a brochure. A shop needs tills, stockrooms, staff doors, alarms, payment systems and keys. A brochure can be left on a table. It may not do everything the shop does, but it is much harder to rob.

For many business websites, that distinction matters. A large number of sites do not need real-time logins, complex editorial workflows, membership systems or dynamic personalisation. They need to explain what the business does, build trust, publish articles, show case studies, rank well in search, load quickly and convert visitors into enquiries.

For that kind of website, a static architecture is not a step backwards. It may be the more sensible choice.

Less maintenance, better performance, lower risk

It reduces the maintenance burden. It reduces hosting complexity. It reduces the emergency-patching panic that follows every critical CMS advisory. It can also improve performance, because pre-built pages are generally faster to serve than pages assembled from database queries, themes, plugins and server-side logic.

Most importantly, it changes the risk profile.

With a conventional CMS, security is often a race: patch before the exploit spreads. With a static site, many of those races simply never begin, because the vulnerable component is not present in the first place.

When a CMS still makes sense

This does not mean every organisation should abandon its CMS. Some websites genuinely need dynamic functionality. E-commerce, communities, membership platforms, complex publishing teams and enterprise workflows may require a CMS or application layer.

But the question should not be, "Which CMS shall we install?"

It should be, "Which parts of this website truly need to be dynamic?"

A smarter hybrid approach

A sensible modern approach is often hybrid. Use static pages for the public marketing site. Use specialist services for forms, search, payments, booking or email capture. Keep the editable CMS, if needed, away from the public-facing layer. Generate the site from approved content, then publish it as static files to a fast, secure hosting environment or CDN.

That keeps much of the convenience of content management while reducing the exposed attack surface.
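The earlier caveat that a static site can still load risky third-party scripts applies directly to the hybrid setup, since forms, search and payment services usually arrive as script embeds. As an added example (not from the original article), this pre-publish check walks the generated HTML and flags external scripts served over plain HTTP or without a Subresource Integrity attribute; the hostname, sample page and function names are assumptions.

```python
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

SITE_HOST = "www.example.com"  # assumption: the static site's own hostname

SAMPLE_PAGE = """<!-- constructed sample, not a real site --><html><head>
<script src="/assets/site.js"></script>
<script src="https://cdn.example.net/lib.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://forms.example.org/embed.js"></script>
<script src="http://widgets.example.org/chat.js"></script>
</head><body><p>Hello</p></body></html>"""


class ScriptAudit(HTMLParser):
    """Collects findings about <script src=...> tags in one built page."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings = site_host, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if tag != "script" or not src:
            return  # not a script, or inline: nothing fetched from elsewhere
        url = urlparse(src)
        if not url.netloc or url.netloc == self.site_host:
            return  # relative or same-host: shipped with the build itself
        if url.scheme == "http":
            self.findings.append((src, "loaded over plain HTTP"))
        elif not a.get("integrity"):
            self.findings.append((src, "no integrity (SRI) attribute"))


def audit_page(html, site_host=SITE_HOST):
    parser = ScriptAudit(site_host)
    parser.feed(html)
    return parser.findings


def audit_build(build_dir, site_host=SITE_HOST):
    # Audit every .html file under the build directory before publishing.
    report = {}
    for path in sorted(Path(build_dir).rglob("*.html")):
        findings = audit_page(path.read_text(encoding="utf-8"), site_host)
        if findings:
            report[str(path.relative_to(build_dir))] = findings
    return report
```

Services that change their embed script without notice cannot be pinned with SRI, so a finding there is a prompt to self-host the file or to accept and record the dependency.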

Complexity always sends an invoice

The recent WordPress, Ghost and Drupal stories are not isolated curiosities. They are reminders of a larger truth: complexity always sends an invoice. Sometimes it arrives as maintenance time. Sometimes as hosting cost. Sometimes as a broken update. Sometimes as an urgent security advisory late in the day.

Static sites are not the answer to every web problem. But for many businesses, they are a quieter, faster and safer answer than people assume.

In a world where attackers move within hours, there is real wisdom in building websites with fewer doors.
