Why Website Security Isn't "Set It and Forget It" in the Age of AI — And What It Takes to Stay Safe

As AI reshapes the landscape, website security has gotten harder — and the threats have changed in ways that "just keep your software updated" no longer fully addresses. Here's what's happening, in plain terms, and how careful, active management keeps sites safe.
I want to share something that's been making headlines in the web security world lately, because it affects nearly every website built on platforms like Joomla and WordPress — which means it affects most of the sites I manage.
The short version up front: so far, not a single site I manage has been compromised. I'm genuinely glad to be able to say that, because this has been a rough stretch for website security. But I also want to be honest — several of the sites I manage have been vulnerable to the issues I'm about to describe. The reason they stayed safe isn't luck. It's the layered protection I keep in place behind the scenes, and I want to explain what that means in plain terms.
What changed
For a long time, website security came down to common-sense habits: keep your software updated, use strong passwords, don't install junk. That advice still matters. But attackers have found a cleverer way in — one that ordinary updating doesn't protect against on its own.
Here's what happened. Most websites rely on small add-on tools — called extensions (Joomla) or plugins (WordPress) — to do things like image sliders, contact forms, countdown timers, email, and security tools. For a lot of site owners, these are set to update automatically and then forgotten about. Automatic updating exists for a good reason — for a do-it-yourself site with no one actively watching over it, it's a sensible safety net, and the vast majority of the time those updates go in cleanly and keep the site protected.
But it's not foolproof. Occasionally an update breaks something — and, as you'll see below, it can even be the very thing that lets an attacker in. (That's why it's not how I handle the sites I manage — I review what each update actually changes before applying it — but for an unmanaged site, automatic updates are usually still better than nothing.)
One of the more unsettling examples: the attackers didn't break in at all. Instead, they simply bought a company that made more than 30 popular WordPress plugins — a legitimate, eight-year-old business with hundreds of thousands of users. Then they quietly slipped hidden malicious code into a routine update, waited eight months so no one would connect the dots, and switched it on. Suddenly, more than 400,000 websites were secretly serving spam and harmful content — and their owners had no idea, because everything looked completely normal.
That's what makes it so hard to catch. The plugin had the same name, the same logo, the same "trusted" reputation. The update arrived through the normal channel you'd never think to question. Nothing looked wrong.
A similar thing happened with a widely used slider plugin that runs on both WordPress and Joomla sites. And a popular newsletter tool had a serious flaw that was publicly described as a "WordPress problem" — when in fact the very same vulnerable code was also running on Joomla sites, leaving those owners unaware they were exposed.
Where AI comes into this
You've probably been hearing about artificial intelligence everywhere, and unfortunately it's showing up on the attacker's side too. Without getting technical: AI is letting bad actors work much faster than before. When a security flaw is announced, attackers can now use AI to figure out how to exploit it — and find vulnerable sites — sometimes within hours, often faster than a site owner could reasonably react on their own.
In other words, the window between "a problem is discovered" and "sites are getting attacked" has gotten dramatically shorter. The days of "I'll get around to that update next month" are over. Staying safe now requires someone actively watching and responding quickly. That's a big part of what I do for my clients.
How your site has stayed protected
Here's the reassuring part. The goal with any website is the same: spot weaknesses early, and block attackers from exploiting them in the meantime. On the Joomla and WordPress sites I manage, two tools in particular do a lot of the heavy lifting:
Akeeba Admin Tools
Akeeba Admin Tools acts like a security guard standing at the door of your site. It watches the live traffic coming in, recognizes and blocks suspicious or malicious activity — things like break-in attempts and repeated password-guessing — and locks down the parts of the site attackers commonly try to reach. So even when a flaw exists somewhere, this layer is actively stopping the bad actors trying to take advantage of it. It's a big reason a "vulnerable" site never becomes a "compromised" site.
mySites.guru
mySites.guru is my central monitoring dashboard, and it works hand-in-hand with the above. It keeps watch across all the Joomla and WordPress sites I manage, so I can see at a glance everywhere an update is needed and stay on top of them all consistently. Just as importantly, it alerts me right away when a new vulnerability is announced for any plugin or extension your site uses — so a newly discovered weakness gets my attention quickly, rather than sitting unnoticed.
What I find especially valuable is that mySites.guru doesn't just wait for vulnerabilities to be announced by someone else — it goes looking for them. The service uses AI to examine popular plugins and extensions for security flaws, and when it finds one, it reports the issue responsibly to the software's developer so it can be fixed properly before bad actors can take advantage of it. That's a real contribution to everyone's safety, not just my clients' — it helps make the whole ecosystem more secure, sooner.
And because of that head start, it often lets me know a site needs attention remarkably early — sometimes even before the software's own maker has publicly announced the fix. In a world where attackers move within hours, that kind of lead time is genuinely valuable.
In short: mySites.guru keeps me on top of every needed update and, thanks to its proactive AI-driven research, often alerts me to a new weakness remarkably early — while Admin Tools actively guards the door in the meantime. The two together are what keep your site a step ahead.
When one of these situations comes up — a vulnerability is found in an extension your site uses, and an update is released to fix it — I'll send you a quick note to let you know it was found and that I've already taken care of it. I've had clients thank me for the heads-up, and I've had others feel a little uneasy seeing the word "vulnerability" land in their inbox. So I want to be clear about what that note really means: it isn't a sign that something went wrong on your site. Just the opposite — it means a problem was caught and closed before it could affect you.
There's also a recovery layer: solid backups. Every site I manage is backed up daily to a secure offsite location, with an additional weekly and monthly backup kept somewhere separate — and the hosting platform keeps its own backups on top of that. So in the rare event something ever does go wrong, your site can be restored quickly rather than rebuilt from scratch.
I have to be honest with you, though: doing everything right reduces risk dramatically, but nothing online is ever completely risk-free. That's exactly why I take the layered, watchful approach I do — it's the best way I know to keep the risk as low as possible and to respond fast if anything ever does happen.
A word about timing — why I update monthly
You might wonder why I don't just install every update the instant it appears. There's a deliberate reason, and it's about protecting you.
When a brand-new update is released, the very first people to install it sometimes run into unexpected problems — small bugs or conflicts that haven't surfaced yet, simply because so few people have used the new version in real-world conditions. It's not that the update is unfinished, but the earliest adopters occasionally end up discovering issues the hard way. To spare your site from that, I run routine updates on a planned monthly schedule — recent enough to stay current and secure, but with just enough breathing room to let any early hiccups get caught and ironed out first.
This is also why I don't simply let plugins and extensions update themselves automatically. Before I apply an update, I review what it actually changes — what's being fixed, what's new, and whether anything in it could affect how your particular site works. It's a small step that prevents a routine update from quietly breaking something you rely on.
The important exception: if an update exists specifically to close a security vulnerability, I don't wait. Those get applied right away, the moment they're available — because, as I mentioned, the window between a flaw being announced and attackers acting on it has gotten very short. So you get the best of both worlds: the stability of a measured schedule for ordinary updates, and immediate action when security is on the line.
For context, the fully hosted website builders — GoDaddy's website builder, Wix, Weebly, and similar platforms — handle their updates automatically and behind the scenes on their own servers. That's simply how those systems are designed to work. Joomla and WordPress sites are more flexible and give you far more control and ownership over your site, and in exchange, they rely on active, ongoing maintenance to stay secure and up to date.
When an upgrade is a bigger project
Most updates are small and routine. But every few years, a platform like Joomla or WordPress releases a major new version — a more significant step forward than a routine update. These bigger upgrades sometimes involve real work: extensions that need to be replaced, designs that need adjusting, features that need to be rebuilt to work on the new version. That can carry an additional cost, and for some site owners that cost is difficult — occasionally even prohibitive — to take on right away. I completely understand that, and it's a real decision to weigh.
Here's why it matters, though. Once a platform version reaches the end of its life, it stops receiving security patches entirely. The software keeps running, and the site keeps working — but newly discovered vulnerabilities in that version will never be fixed. Over time, that gap widens. This is the core reason staying reasonably current is worth the investment: it's far less about chasing the newest features and far more about staying on a version that's still being actively protected.
If you're on an older version and a major upgrade isn't feasible at the moment, you're not simply left exposed. The same two tools above provide meaningful added protection in the meantime: the firewall layer (Admin Tools) actively blocks the kinds of attacks that target older sites, and my monitoring service includes a patching capability that applies community-maintained security fixes for older Joomla versions even after official support has ended. I want to be straight with you, though — these are strong protective measures, not a permanent substitute for being on a supported version. They reduce the risk significantly; they don't eliminate it. So if you're on an older version, think of this as a safety net that buys you time to plan the upgrade, not a reason to skip it indefinitely.
What you should take away from this
None of this requires anything technical from you. But a few takeaways are worth noting:
- Website security today isn't a one-time setup — it's ongoing, active work. The threats move quickly now, and protection has to keep pace.
- The "set it and forget it" approach is genuinely risky today, even for small or simple sites. Attackers don't skip you for being small; automated attacks hit everyone.
- If you have a website somewhere that isn't being actively monitored and maintained — an older site, a side project, something you've half-forgotten about — now is a good time to make sure someone is watching it.
If you're one of my Joomla or WordPress clients, this protection is part of your package — the backups, the monitoring, the timely updates, and the protection that actively blocks attackers are all work I'm doing on your site's behalf. If you're not sure whether your own website is being actively looked after, I'd encourage you to find out.
As always, I'm happy to answer any questions, technical or not. My goal is simply to keep your site safe, online, and doing its job — so you don't have to think about any of this.

