The next wave of zero‑day attacks will absolutely include Joomla, Helix, SP Page Builder, and many other widely used Joomla components. The reason is simple: Joomla has fallen from one of the strongest CMS platforms to the 6th or 7th place, largely because of its complicated upgrade process — from the core CMS all the way down to templates, components, and plugins.
We’ve already seen what happens when something breaks, like the recent Helix 3 issues. Nothing is compatible with anything. The template collapses, dozens of errors appear during upgrades, you update SP Page Builder and the entire website layout breaks, you update Joomla and suddenly another extension stops working. It’s endless.
People didn’t stay on Joomla 3 out of comfort or laziness. They stayed because upgrading to Joomla 4 requires new components, new plugins, a new template, a new SP Page Builder version — essentially, you have to charge the client as if you’re building a brand‑new website. And same story with Joomla 5 which again is not a simple one‑click upgrade but a chain of changes, fixes, and compatibility adjustments. Then Joomla 6 the same story. In just a few years we’ve gone from Joomla 3 to Joomla 6. Who can afford to pay hundreds of euros every few months for upgrades, especially for large and complex websites?
I maintain both Joomla and WordPress websites. WordPress updates automatically without breaking the homepage, menus, or layout. The same goes for plugins — they update smoothly. Try doing that in Joomla. Just the other day I updated Helix 3 from 3.1.1 to 3.1.2 and the homepage crashed instantly.
The point is: there are thousands of Joomla websites on the web that are outdated and unmaintained simply because maintenance is expensive. We are not careless — clients cannot or do not want to pay for constant upgrades. And how do you explain to a client that they must pay several hundred euros every few months just to keep their site updated?
Everyone else in the industry has spent years simplifying things, while the Joomla ecosystem kept demanding that a web designer also be a Linux server administrator, an Apache/PHP technician, and a cybersecurity specialist. When I talk to colleagues who work exclusively with WordPress, they have absolutely no idea what I’m talking about — nor do they understand the kind of stress I’m under when I need to upgrade something as simple as a page builder from version 6.1.1 to 6.6.2.
For them, an update is a non‑event. For us, it’s a potential disaster.
So yes, attacks on Joomla will continue, just like attacks on all its components, plugins, and frameworks. The ecosystem practically invites it.