Why Legacy Joomla Sites Are Now A Real Liability For Law Firms

Over the past few months, we have supported law firms in resolving several security incidents affecting their websites. Different firms, different setups, but the same underlying issue each time: a legacy Joomla installation that had quietly moved out of support and into risk.

This is not an isolated technical problem. It is a predictable pattern and one that is becoming more visible across the legal sector.

The problem is not visibility. It is exposure.

Joomla 3 has now reached end of life. That means no further security patches, an increasing number of publicly documented vulnerabilities, and a steadily declining ecosystem of supported extensions. From a purely technical standpoint, this creates a straightforward dynamic:

  • Known exploits continue to circulate
  • Automated scanning tools continue to improve
  • Unsupported systems remain static

The result is not targeted attacks, but opportunistic ones. Bots do not care which firm you are; they are simply looking for environments that are easy to penetrate.

A legacy Joomla site fits that profile.

A recent example and what it tells us

In a recent case involving a law firm website, attackers were able to exploit legacy Joomla code still present within the hosting environment.

Once inside, they:

  • Uploaded concealed backdoor files
  • Injected spam and gambling content into legitimate pages
  • Redirected users from trusted pages to external, unrelated content


The issue was not immediately obvious internally. It surfaced when users began clicking standard navigation links and landing somewhere entirely different.

This is how these incidents tend to unfold. Not dramatic, not immediate, but highly visible once triggered.

Why this matters more for law firms

For most businesses, a compromised website is inconvenient. For law firms, it is materially different.

Your website is often the first point of trust. It is where prospective clients validate credibility before making contact. If that experience is disrupted, even briefly, the impact is disproportionate.

There are three immediate risks:

  • Trust erosion at first touchpoint – users question legitimacy before engagement even begins
  • Brand contamination – malicious content appears under your domain
  • Wider perception issues – concerns extend beyond the website into how seriously security is managed overall

Importantly, these situations rarely arise because of a recent mistake. They occur because a platform has quietly become unsupported while continuing to “appear” functional.

That is what makes legacy CMS risk so easy to overlook and so damaging when exposed.

Why we recommend moving to WordPress

For firms still operating on Joomla 3, or heavily customised legacy builds, the most effective route is not incremental patching. It is structured migration.

In most cases, we recommend a modern WordPress build.

Not because WordPress is immune to risk – it is not – but because the risk profile is fundamentally different when the platform is:

  • Actively maintained with regular core updates
  • Supported by a large, security-focused ecosystem
  • Backed by well-established hardening practices

This includes:

  • Controlled admin access and two-factor authentication
  • Ongoing patching and update management
  • File integrity monitoring and automated backups
  • Mature tooling for firewalls and threat detection

In practical terms, this shifts a firm from a static, unsupported environment to one that can be actively managed and secured over time.

The commercial reality: platform choice affects long-term cost

Beyond security, there is a practical commercial consideration that often gets overlooked: the cost and complexity of maintaining and evolving your website over time.

In our experience, modern WordPress builds typically offer a more cost-efficient and flexible development path for law firms. The platform benefits from a large developer ecosystem and a mature library of supported tools, which reduces the need for fully bespoke development.

Just as importantly, WordPress sites can usually be evolved incrementally. Core updates, design improvements and functional changes can be delivered without requiring a complete rebuild.

This is not always the case with legacy Joomla environments, where major version changes often involve significant redevelopment due to unsupported extensions and template incompatibility.

The result is not just a security difference, but an operational one: firms move from a platform that becomes harder and more expensive to maintain over time, to one that supports continuous improvement without repeated rebuild cycles.

Migration is not just a rebuild. It is risk reduction.

When we migrate a legal website from Joomla to WordPress, we treat it as a security-led project, not simply a design exercise.

A typical process includes:

  • A full audit of the existing environment to identify legacy code and attack surface
  • A clean build on a hardened infrastructure from day one
  • Removal of redundant or unsupported components
  • Credential resets across hosting, database, and administrative access
  • Structured launch with monitoring in place


The objective is straightforward: reduce exposure, improve stability, and create a platform that supports growth rather than introducing hidden risk.

If your firm is still on Joomla

If any of the following apply:

  • Your website is still running on Joomla 3
  • You are unsure which version your site is using
  • Your CMS or security setup has not been reviewed in the last 12–18 months

then the risk is no longer theoretical.

At this point, the decision is not whether to act, but whether to act proactively or reactively.

We are currently supporting law firms in exactly this position, helping them move away from legacy systems and into secure, maintainable platforms.

If you would like a clear view of your current setup, and a defined path to a modern WordPress build, we can provide a structured review and a fixed-scope migration plan. Please get in touch with Chris Davidson or Jamie Young for more information.

YOUR QUESTIONS ANSWERED

Frequently Asked Questions

No. Joomla 3 is end-of-life and no longer receives security updates. This leaves known vulnerabilities exposed to automated attacks. For law firms, this creates significant risk due to trust, data sensitivity and reliance on website enquiries.

Outdated CMS platforms increase the likelihood of website compromise, reputational damage and disrupted enquiry flow. For law firms, this can directly impact trust, lead generation and revenue if issues occur at the point of client engagement.

Most attacks are not targeted. Automated bots scan for known vulnerabilities across the web. Law firms become exposed when running unsupported systems like Joomla 3, making them easy targets regardless of firm size or profile.

WordPress is actively maintained, widely supported and easier to secure over time. It also enables better flexibility for SEO, conversion optimisation and integration with modern marketing tools, supporting long-term performance and growth.

Your CMS impacts search visibility, conversion rates and how easily your site can evolve. Modern platforms support SEO, AI-driven search (GEO) and data-led optimisation, while legacy systems limit performance and scalability.

It is a strategic decision. Your website underpins visibility, trust and enquiry generation. Platform choice directly affects how effectively your firm can attract, convert and grow through digital channels.

Simon Rankine

Simon Rankine is Front-End Lead Developer at MLT Digital, specialising in WordPress development and leading web projects with a focus on data-driven performance, user experience, and high-converting website builds.