What Happens When Your CMS Doesn't Get Updated?
Your content management system is one of the most important pieces of software your business runs. It powers your public-facing website, handles form submissions, stores customer data, and in many cases integrates with third-party services. It is also, in our experience, one of the most neglected.
We have written before about the real business cost of running outdated software. This post takes a more focused look at the CMS layer specifically, because the scale of the problem is genuinely alarming - and because the solution is more straightforward than most organisations realise.
The WordPress vulnerability epidemic
WordPress powers roughly 43% of all websites on the internet. That dominance makes it the single biggest target for attackers, and the numbers reflect it. In 2024, security researchers discovered 7,966 new vulnerabilities across the WordPress ecosystem - a 34% increase over the previous year. To put that in perspective, the WPScan vulnerability database now tracks over 64,000 known WordPress security flaws.
The overwhelming majority of these vulnerabilities - around 90% - come from third-party plugins rather than WordPress core. This is important because it highlights a structural problem with the WordPress model. The platform's flexibility relies on a massive ecosystem of plugins built by thousands of different developers, each with their own approach to security, their own update cadence, and their own priorities. When you install a WordPress plugin, you are trusting that developer to write secure code and to patch it quickly when problems are found.
That trust is frequently misplaced. According to Patchstack's 2025 State of WordPress Security report, more than half of the plugin developers they contacted about vulnerabilities did not patch the issue before public disclosure. That means the vulnerability became public knowledge - available to attackers - before a fix was even available to site owners.
The consequences are predictable. In Q1 2025, a critical authorization bypass in the OttoKit plugin (formerly SureTriggers), tracked as CVE-2025-3102 and installed on more than 100,000 sites, allowed unauthenticated attackers to create administrator accounts. The plugin's REST API authenticated requests by comparing a request header against a stored API key; on sites where the plugin had been installed but never connected to the OttoKit service, that stored key was empty, so a request carrying an empty header passed the check. Exploitation attempts began within hours of disclosure. Patchstack's firewall blocked thousands of them, but only for sites that had its protection in place. Everyone else was exposed.
A year earlier, in February 2024, the Bricks theme - a popular page builder with an estimated 30,000 active installations at the time - was found to contain a remote code execution vulnerability (CVE-2024-25600) that required no authentication to exploit. A REST endpoint passed user-supplied query settings to an eval() call, and the nonce that was supposed to gate that endpoint was printed into the page source for every visitor, so the nonce check provided no real protection. Attackers could execute arbitrary PHP code on affected sites, leading to complete takeover, and exploitation attempts were detected almost immediately after disclosure.
These are not edge cases. Every quarter brings a fresh batch of critical WordPress plugin vulnerabilities, many affecting plugins with tens or hundreds of thousands of installations. The Wordfence firewall alone blocked over 55 billion password attack attempts against WordPress sites in 2024.
It is not just WordPress
While WordPress attracts the most attention due to its market share, other CMS platforms have their own histories of exploitation.
Drupal has experienced several high-profile incidents, most notably the "Drupalgeddon" series of vulnerabilities in 2014 and 2018. Drupalgeddon 2 (CVE-2018-7600) was a remote code execution flaw affecting Drupal 6, 7 and 8, rated 25 out of 25 on Drupal's own risk scale - the maximum. The root cause was that Form API render arrays accepted attacker-controlled keys from request parameters, so an unauthenticated request could reach code that executed arbitrary callbacks. It was followed within weeks by Drupalgeddon 3 (CVE-2018-7602), creating a period where any Drupal site that had not been updated within days was at serious risk. More recently, multiple deserialization vulnerabilities have been reported in Drupal core throughout 2024 and 2025, some carrying CVSS scores of 9.8.
Joomla, which powers roughly 2.5% of all CMS-driven websites (approximately 2 million sites globally), has faced similar challenges. CVE-2023-23752, reported in February 2023, was an improper access check that let unauthenticated requests reach the web services API and read site configuration, including database credentials. It was still being actively exploited nearly a year later, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities catalogue. In early 2025, Joomla disclosed further vulnerabilities, including SQL injection flaws and access control bypasses affecting versions 4 and 5. The platform's extension ecosystem, much like WordPress's plugin marketplace, presents a large and often poorly maintained attack surface.
The common thread across all of these platforms is clear: known vulnerabilities in outdated CMS installations are being actively and systematically exploited, often within hours or days of disclosure.
Why sites stay unpatched
If the solution is simply "apply updates", why do so many sites remain vulnerable? In practice, several factors conspire to keep CMS installations outdated:
Fear of breaking things. This is the most common reason we hear. Updating a plugin or CMS core version can introduce breaking changes, particularly when the site relies on a patchwork of interdependent plugins. Without a staging environment and proper testing workflow, site owners are understandably reluctant to press the update button on a live site.
No one is responsible. Many business websites were built by an agency or freelancer and then handed over. There is no ongoing maintenance contract, no one monitoring for updates, and no one with the knowledge or access to apply them safely. The site ticks along until something visibly breaks - or until it gets compromised.
Abandoned plugins. Some plugins are no longer maintained by their developers. They still function, so site owners keep using them, but no security patches will ever be released. The Kaswara Modern WPBakery Page Builder Addons plugin is a well-known example - abandoned by its developer but still installed on thousands of sites, it was actively exploited to upload malicious files and redirect visitors to scam pages.
Update fatigue. With dozens of plugins and regular core updates, the sheer volume of available patches can feel overwhelming. When everything seems to need updating all the time, it is easy to let it slide. We covered some practical strategies for managing update fatigue in a recent post.
The real-world cost
The consequences of a compromised CMS go well beyond a defaced homepage. Attackers who gain control of a website can inject malicious scripts that steal visitor credentials, install cryptocurrency miners, redirect traffic to phishing sites, add the server to a botnet for launching attacks against other targets, exfiltrate customer data from forms or databases, and inject SEO spam that damages your search rankings and brand reputation.
For businesses subject to UK GDPR, a breach involving personal data can trigger mandatory reporting to the ICO within 72 hours and may result in significant fines. The reputational damage is often harder to quantify but no less real - customers who discover their data has been compromised through your website are unlikely to return.
We explored the broader financial implications of this in our post on the real cost of running outdated software. The figures are sobering.
Choosing a CMS with a sensible update path
Not all content management systems are created equal when it comes to security posture and update management. The architecture and ecosystem design of your CMS has a direct impact on how exposed you are to these risks.
We build with Craft CMS, and security is one of the key reasons. Craft takes a fundamentally different approach to the problems that plague WordPress and similar platforms:
A capable core that reduces plugin dependency. Craft's built-in content modelling, custom fields, and flexible section types mean you can build sophisticated content structures without reaching for third-party plugins. Fewer plugins means a dramatically smaller attack surface. WordPress requires plugins for features that Craft includes natively, and each additional plugin is another piece of code that needs auditing, updating, and trusting.
A curated plugin ecosystem. Craft's plugin store is smaller and more tightly managed than WordPress's. Plugin developers can be contacted directly through the platform, and the overall quality bar is significantly higher. The raw vulnerability counts are not a like-for-like comparison, because WordPress's total is dominated by its far larger plugin ecosystem, and Craft's core has had serious flaws of its own, including unauthenticated remote code execution bugs such as CVE-2023-41892 in Craft 4 and CVE-2025-32432 across Craft 3, 4 and 5, the latter exploited in the wild and added to CISA's Known Exploited Vulnerabilities catalogue. The practical difference is that a smaller ecosystem produces far fewer advisories to track, and each one is easier to act on.
Proactive security communication. When a security issue is confirmed in Craft, the team marks the update as critical, which triggers an alert banner across the control panel of every affected installation. Site administrators are notified directly. There is no ambiguity about whether an update is important - the system tells you. Craft also provides a dedicated critical releases Atom feed and a security channel on their Discord server.
A modern, maintained foundation. Craft CMS 6 will be built on the Laravel framework, replacing the Yii framework that has powered earlier versions. For us, this is particularly significant because Laravel is our primary framework for building APIs and web applications. The move to Laravel means Craft will benefit from one of the most actively maintained and security-conscious PHP frameworks in the world, with a massive community and a proven track record of rapid security response.
This is not to say that Craft is immune to security issues - no software is. But the combination of a smaller attack surface, a more controlled ecosystem, proactive communication, and a strong foundational framework makes it a fundamentally more manageable platform from a security perspective.
The case for managed updates
Regardless of which CMS you use, the most important factor in your security posture is whether someone is actively maintaining it. A well-maintained WordPress site is more secure than an abandoned Craft site. The technology matters, but the process matters more.
A proper managed update strategy should include regular monitoring for security advisories and available patches; a staging environment where updates can be tested before deployment; automated dependency checks integrated into your deployment pipeline (composer audit for Composer-managed installs such as Craft, or the equivalent for your platform), so that a deploy fails when a known-vulnerable package is present; a defined response time for critical security patches, ideally within 24 to 48 hours; and regular audits of installed plugins to identify any that are abandoned or no longer necessary.
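The following is an added example, not code from the original post or from Craft or Composer, of the kind of pipeline gate the paragraph describes. It reads the JSON that composer audit --format=json prints, blocks the deploy on advisories at or above a chosen severity and on any abandoned package (which will never receive a patch), and warns on the rest. The JSON shape assumed here (an "advisories" map keyed by package name and an "abandoned" map) is the one recent Composer versions emit; the severity threshold, the package names and the report content are constructed for the example.

```python
"""Deployment gate for `composer audit --format=json` output.

Added example (not the original post's or Composer's own code).
Pipeline usage:   composer audit --format=json | python3 audit_gate.py
Assumed JSON shape (Composer 2.7-era):
  {"advisories": {"vendor/pkg": [{"advisoryId", "cve", "severity",
                                  "affectedVersions", "title", ...}]},
   "abandoned": {"vendor/pkg": "suggested/replacement" | null}}
"""
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Policy chosen for this example (an assumption, not a Composer default):
# block on medium or worse, and on abandoned packages.
FAIL_AT = "medium"


def evaluate(report, fail_at=FAIL_AT, fail_on_abandoned=True):
    """Return (ok, findings). ok is False when the deploy should be blocked."""
    threshold = SEVERITY_RANK[fail_at]
    findings = []
    blocking = False

    for package, advisories in report.get("advisories", {}).items():
        for adv in advisories:
            sev = str(adv.get("severity") or "unknown").lower()
            # An advisory with no severity rating is treated as blocking:
            # "unrated" is not the same as "low".
            rank = SEVERITY_RANK.get(sev, SEVERITY_RANK["critical"])
            ident = adv.get("cve") or adv.get("advisoryId") or "no-id"
            detail = (f"{package}: {ident} [{sev}] affects "
                      f"{adv.get('affectedVersions', '?')}: {adv.get('title', '')}")
            if rank >= threshold:
                blocking = True
                findings.append("BLOCK " + detail)
            else:
                findings.append("warn  " + detail)

    for package, replacement in report.get("abandoned", {}).items():
        hint = f"replacement: {replacement}" if replacement else "no replacement suggested"
        tag = "BLOCK" if fail_on_abandoned else "warn "
        findings.append(f"{tag} {package}: abandoned ({hint})")
        if fail_on_abandoned:
            blocking = True

    return (not blocking), findings


# Constructed sample report, standing in for real `composer audit` output.
SAMPLE_REPORT = {
    "advisories": {
        "example/forms-plugin": [{
            "advisoryId": "PKSA-example-1",
            "packageName": "example/forms-plugin",
            "affectedVersions": "<2.3.1",
            "title": "Unauthenticated file upload (constructed example)",
            "cve": None,
            "severity": "high",
        }],
        "example/seo-helper": [{
            "advisoryId": "PKSA-example-2",
            "packageName": "example/seo-helper",
            "affectedVersions": ">=1.0,<1.4.2",
            "title": "Reflected XSS in admin page (constructed example)",
            "cve": "CVE-0000-00000",
            "severity": "low",
        }],
    },
    "abandoned": {"example/legacy-gallery": None},
}


def main():
    # Read real audit output from a pipe; fall back to the sample when run by hand.
    report = SAMPLE_REPORT if sys.stdin.isatty() else json.load(sys.stdin)
    ok, findings = evaluate(report)
    for line in findings:
        print(line)
    print("deploy allowed" if ok else "deploy blocked")
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

composer audit already exits non-zero whenever it finds any advisory; the point of wrapping it is to apply a policy of your own (a severity floor you are willing to tolerate for a day or two, abandoned packages treated as failures rather than warnings) and to leave a readable record in the pipeline log of exactly which package and advisory blocked the deploy.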
If you do not have someone doing this for your website right now, it is worth asking the question: who is responsible for keeping this secure? If the answer is "no one" or "we'll get to it eventually", that is a risk your business is carrying whether you realise it or not.
Where to start
If you are running a CMS that has not been updated recently, here are some practical first steps:
Check what version of your CMS core you are running and compare it against the latest stable release. Audit your installed plugins or extensions for any that are no longer maintained or have known vulnerabilities. Set up a staging environment if you do not already have one, so updates can be tested safely. Consider whether your current CMS is the right long-term choice, or whether a platform with a more manageable security profile would better serve your needs. If you do not have the in-house expertise to manage this, speak to a development partner about a maintenance arrangement.
Your website is a public-facing asset that represents your business 24 hours a day. It deserves the same attention to security that you give to your office network, your email systems, and your customer data. The cost of keeping it updated is minimal compared to the cost of finding out the hard way what happens when you do not.
If you would like to discuss your CMS security posture or explore whether Craft CMS might be a better fit for your needs, get in touch. We are always happy to talk through the options.
