I got the text on the way to the match. My nephew was competing for a state wrestling championship. My sister and her husband had traveled with the team. I drove the grandparents.

When we arrived, I got them checked in, then ran to the car.

No charger. It hadn’t crossed my mind that I’d be solving a critical hack that day.

I opened the laptop and identified the problem immediately. A bot had injected code into the site’s index.php file. I began stabilization. Then the battery and the match schedule made the decision for me. I locked down what I could and went inside.

The site stayed down overnight. First thing the next morning, I was back on it.

This client had recently transitioned to my company. The platform was not one I built. I had completed the audit. The issue was not something I had missed.

The site had been built and maintained by a large firm using automated tools. Those tools were out of date. The vulnerability lived at the platform level, and I was not yet in full control of the system. That distinction matters.

What the Bot Did

A bot injected malicious code into the site’s index.php file. That is the core file every page on a CMS site runs through. Once compromised, the entire site can be redirected, defaced, or taken offline. That is what happened here.

This is not a rare or sophisticated attack. It is one of the most common patterns bots use against CMS-based websites. The bot was not targeting this client specifically. It was running automated scans across millions of IP addresses, probing for known vulnerabilities. It found one.

This Affects Every Major CMS

WordPress comes up most in these conversations because it powers a large share of the web. But the same attack pattern runs against any CMS with predictable file structures and default login paths.

Joomla installs put the admin panel at /administrator/. Drupal uses /user/login. Magento, PrestaShop, OpenCart, and TYPO3 all have known entry points that bots probe routinely. A default install on any of these platforms has an attack surface that is already documented and mapped.

What About Shopify, Wix, and Squarespace?

Hosted platforms eliminate one category of risk. On Squarespace or Shopify, you do not have access to the underlying server files, so a bot cannot inject into your index.php. The platform manages that layer.

But hosted platforms have their own attack surface. Your login credentials are still a target. Third-party apps can carry vulnerabilities that the platform does not control. Your domain and DNS records sit outside the platform. The email account associated with your store login is often the primary entry point.

Hosted platforms remove one category of risk. They do not remove all of it.

The Client Took It in Stride

She understood that things happen. We got the site restored, cleaned the infection, and got her back online.

The incident clarified where my gaps were around response capability when I am not at my desk. I have been investing in monitoring tools, documented processes, and faster access to clean backups because of it. That is what this series covers.

 

Need a plan? Book a one-hour strategy session and walk away with a clear direction for your website, security, or digital strategy. All sessions are recorded with full transcription. $250 — Book a Strategy Call

Want to get to know me first? Book a free 15-minute intro call. No pitch, just a conversation. Book a 15-Minute Call

 

Cybersecurity Series

  1. The Hack I Couldn’t Fix Between Matches
  2. The Same Tools Powering AI Are Being Used to Attack Your Website —  Coming March 18, 2026
  3. 7 Signs Your Website May Already Be Compromised —  Coming March 22, 2026
  4. Why Small Business Websites Get Hacked (And Why It’s Usually Not Personal) —  Coming March 25, 2026
  5. What It Actually Costs to Clean a Hacked Website —  Coming March 29, 2026
  6. How Bots Actually Find Your Website —  Coming April 1, 2026
  7. Taking Over a Website Means Taking Over Its History —  Coming April 5, 2026
  8. What Website Monitoring Actually Means —  Coming April 8, 2026
  9. What a Real Website Security Audit Actually Includes (And Why Most Sites Never Get One) —  Coming April 12, 2026
  10. Cybersecurity Is a Business Expense, Not a Panic Purchase —  Coming April 15, 2026
  11. Your Website Is Down — What To Do In The First 24 Hours —  Coming April 19, 2026
  12. Why Small Businesses Are Underestimating Automation —  Coming April 22, 2026