By any measure, WordPress is the most popular content management system on the planet. But that distinction also makes it especially popular with hackers and attackers.

Early this month Menifee, Calif.-based security company Sucuri reported a spike in WordPress infections, with a large number of sites getting injected with the same malicious scripts. Sucuri called it "a massive admedia/adverting iframe infection" characterized by the injection of encrypted code at the end of all legitimate .js files.

The rogue code redirects users to domains appearing to be hosting ads. But the malicious pages are hosting the Nuclear browser exploit kit, which tries to infect Windows PCs with Teslacrypt, a strain of ransomware that encrypts certain user files and demands a ransom be paid to decrypt the files.

Copenhagen-based Heimdal Security warned that a disproportionate amount of WordPress powered websites — "hundreds" of them —have been compromised and are spreading infections.

While the attack is not technically malvertising "because the domains used for this campaign are clearly not made to look like an advertiser," noted Jérôme Segura, a senior security researcher at San Jose-based Malwarebytes. However, there is "an ad fraud component for every malicious redirection as we observed the following URL being loaded:"

(To be fair, Google Project Zero just exposed Malwarebytes itself for a security vulnerability that exposes its consumer version of Anti-Malware software to man in the middle attacks. Malwarebytes CEO Marcin Kleczynski apologized, noting "While these things happen, they shouldn’t happen to our users.")

But the news gets worse for WordPress. This week, LoanBase, a bitcoin lending site, warned its users it had been breached by cybercriminals. The attackers reportedly gained access to the company’s SQL database, which houses personal information of users, via a vulnerability in its WordPress CMS.

Do these incidents make you think twice about WordPress or other open source CMS platforms? Tell us in the comments at the end of this article.

Now, for more upbeat news …


PortlandLabs, the company behind concrete5, hired Jessica Dunbar as technology evangelist. A former system administrator at Trivera and marketing lead for Joomla, she brings more than 10 years of experience in the CMS space.

Concrete5 is used for everything from government and educational websites to blogs and custom apps. And it announced recently that it would now be used for all of the US Army Family, Morale, Welfare and Recreation (MWR) program websites. The MWR supports soldiers, families and more than 3 million individuals associated with the Army.

The team recently released concrete5 7.5.4, a maintenance release for all previous versions.


Hippo entered 2016 with a lot of momentum: It was recognized as a leader in content management on EContent Top 100 for the fourth year running, released Hippo CMS 10, generated record growth in North America and was the only open source Java CMS included in the Gartner Magic Quadrant.

Just this week it released version 10.2 of its CMS platform, which combines traditional digital experience management with Content-as-a-Service. Company officials said the release counters the “headless” or a decoupled CMS architecture, where the front-end component of the CMS is removed and the backend delivers content via an API.

The Hippo team compared headless CMSs as "yesterday's silos," and questioned the idea that an effective CMS should simply manage raw, structured content in a single repository.

It claimed a headless CMS often acts as an extra CMS for an organization next to the original CMS, which will create a content silo.

"Some remove this silo by moving all content to the headless CMS and creating a 'new’ one-off delivery tier on top of the headless CMS, but this guarantees future headaches. The marketer will ask for personalization, experiments, actionable insights, template and component management, etc. features ... And the development team is stuck with the maintenance burden of custom software while keeping up with the speed of the WCM software market," Anoop Gangadharan, Hippo's product marketing manager, told CMSWire.


Jahia announced record results for 2015. That includes 90 percent total bookings growth year-over-year (YoY), 100 percent YoY growth for net new customer subscription bookings, 94 percent annual customer subscription renewals and 125 percent YoY increase in multi-year subscriptions.

Jahia also announced the release of Digital Experience Manager 7.1 (DX7), which is intended to "strengthen the partnership between CMOs and CIOs."

Now available both on-premises and on-demand via the Jahia Experience Cloud, DX7 drives both personalized digital experiences and 1:1 customer relationships across all online and offline touchpoints. It also offers focused support for consumer data privacy and protection leveraging the Unomi Project through the Apache Foundation.

Jahia kicked off 2016 with a new sales and account development team in North America, an expanded EMEA sales team and a new global marketing team focused on brand awareness, experience, pipeline and revenue.

Next Thursday, you're invited to join Jahia’s Jessica Sundstrom and Forrester’s Mark Grannan for a CMSWire webinar that examines fundamental questions on digital experience’s evolving mandate. The event will take place at 2 p.m. Eastern time.

Jahia is holding its inaugural customer event in North America, Jahia Experience, April 26 through 28 in Washington DC. It will be an opportunity to hear digital leaders share their strategies, successes and learnings about transformative customer journeys and brand experiences.


The Joomla Project recently released its CMS 3.5 Beta 2. Community members are asked to download and install the package in a non-production environment to provide quality assurance for the forthcoming 3.5 release later this month.

Extension and template developers are encouraged to work with this release to prepare extensions for the stable release of Joomla CMS 3.5, though there shouldn't be any backward compatibility issues.

Joomla 3 is the latest major release of the Joomla CMS, with version 3.5 the sixth standard-term support release in this series. Going from version 3.4 to 3.5 is a one-click upgrade, not a migration — and the same will hold true is for any subsequent versions in the 3 series of the CMS.

Looking for something to do?

  • JoomlaDay UK: Feb. 13 at Microsoft's Cardinal Place offices in London
  • JoomlaDay Florida: Feb. 27 at Hillsborough Community College Ybor City in Tampa


Magnolia made two new C-suite appointments and also hired a product manager and a strategic advisor.

Lars Böddener was appointed Chief Marketing Officer, marking Magnolia’s increasing emphasis on customer experience. He was previously Director Global Content Management at Sony, where he established global brand platforms and regional e-commerce platforms.

Jan Haderka was appointed as Magnolia’s Chief Technology Officer. A Magnolia team member since 2007, he was previously Chief Integration Officer.

Rasmus Skjoldan, a former brand manager of TYPO3, joined Magnolia as a product manager.

Daniel Hinderink joined Magnolia as strategic advisor to the board and management team. He is the co-founder and managing partner of dpool, a Munich-based consulting company focusing on digital marketing processes and custom software development.

Magnolia also released version 5.4.4, which promises to make template use easier in projects especially for front-end developers and developers new to Magnolia. The team said it retains its primary commitment to make AdminCentral easy and comfortable for content authors with key usability improvements.

Key improvements include moving MTE templates to a light module, moving model class logic to templates, adding a Processed Resources app, switching workspaces in the JCR browser and adding public user registration and advanced form in the travel demo.

Magnolia has a number of events on tap.

There will be a series of events in Madrid on the theme of digital transformation. The first event, which is being held in collaboration with CommerceTools, atsistemas, BrainSINS and Grupo Juliá, will focus on e-commerce. It will be held Feb. 16.

Magnolia is working with CommerceTools again to present at the e-commerce trade show, Internet World in Munich on March 1 and 2.

It will continuing its series of 5.4 light development workshops in Berlin on Feb. 24 and 25 and in Zurich on March 1 and 2.

Title image "Hacker Rene" (CC BY 2.0) by  Mr. Cacahuate