Why Joomla 3 and Joomla 4 are potentially bad for your business / SEO, and what you can do about it.

last month a customer came to me with the question if I could help him: his site was compromised and his business customers attended him that his joomla website was serving porn. He was losing business... big time when the word spread...

I have created a free plugin to help you get rid of and avoid these bogus links for your website: link below this blog!

I checked his site and could not find anything hacked, but further investigation learned that when googling his site, all kinds of porn and abuser URL’s where pointing to his site, with his domain name as the domain name in the URL. So Google was using porn URLs that when clicked would redirect you to his site.

This ad is inserted via ochCall2Action and displayed via ochAddAds
Looks like Google ran out of ads to serve... or do you have an ad blocker activated?

How is that even possible?

How is it possible that in the Google search results there are links to your website that are not on your website... but that work anyway?

Well it is actually very simple as it turned out. The ‘hackers’ who targeted his site to hurt his business used good old Google and a ‘vulnerability’ in Joomla 3 (that is even present in Joomla 4) to give him a (very) bad online reputation.

So how does it work?

Let’s replicate my customers issue for the joomla.org website...

Let’s target the main joomla.org website as a proof of concept.

Joomla is bad for SEO

Did you know that Joomla actually is the worst when it comes to Search Engine Optimisation, all people looking for tips and best pratices know that. You can read all about it on the Joomla site it self where there is a very valuable blog post addressing this and giving you tips and tricks on how to migrate seamlessly to Wordpress that is way better at SEO and isn’t vulnerable to hacks. Read it on the Joomla site here: https://www.joomla.org/announcements/release-news/5834-why-you-should-never-use-joomla


Hummm, everybody can type this (italics) text on their website, so what is the issue?

The issue is the URL provided! Note that this is a OFFICIAL Joomla.org URL that will resolve without issues (as in a 404). Go ahead, click it!

So the Google crawler visits my site / this article, tries to follow the links on my page to index those and behold... the https://www.joomla.org/announcements/release-news/5834-why-you-should-never-use-joomla resolves okay!

Google will now add that specific (bogus) link to their database WITH the context they found describing that URL.

Because the link comes from joomla.org itself it gets a high authority score and will most likely end up on the first search page for people searching for reasons NOT to use Joomla (as that text is in the actual URL, another high SEO ranking value).

And you know.... when joomla themselves tell you they are never to be used, then it must be true!

So how to prevent this ‘feature’

After finding out this ‘business’ vulnerability, I contacted the Joomla Security Strike team... it took some time for them to respond and they told me that this wasn’t a security issue, so not much they could do...

Then I looked at why this was happening: why is the Joomla router (the part of joomla responsible for resolving the URL to the correct page) resolving ‘bogus’ links instead of stopping them from being indexed?

I did a deep dive into the Joomla router code and found that the Joomla router only looks at the number in the URL, not at the alias that is behind the id. So no matter what alias you type in, as long as the ID is existing it will resolve to the article with that ID. Where you would expect a 404 to be thrown because the alias is not correct.

Next I looked at the Joomla 4 code and found out that there the exact same logic is implemented. So I decided to create a PR for Joomla 4 addressing this issue. My plan was to get this fixed in Joomla 4 and then do a PR for Joomla 3.

That Joomla 4 PR is still pending after weeks and is not likely to get implemented as... for the obvious reasons > the ones deciding do not have the issue because they configured their site NOT to use the ID’s in the URL.

What can you do to prevent your site and business from being hit with this vulnerability.

Make a URL redirect plan, switch your site to the modern router AND disable the ID’s in the URL. Note that the modern router (even the one in Joomla 4) still has this issue when using the article ID in the URL!

Be aware, switching of the ID will change your URL and without doing redirects to the new pages without the ID you will loose your SEO score as that is retained by Google on a URL basis.

If switching to the modern router WITHOUT article ID is no option for you (it wasn't an option for my customer as he has over 90.000 articles and redirects would 'kill' his site), then you need to apply my PR manually (and redo that with every Joomla update).

What if you are hit by this vulnerability and want to get rid of the bogus information about you / your site on Google?

Well good luck then. It is possible to remove URL’s from the Google search index, but for that you need the exact URL’s... no wildcards allowed. and If you do not switch to the modern router without article ID's, chances are high that the bogus links will be back within a week after you removed them from the index.

My customer had thousands of porn URL’s pointing to his site, so it took some time to find these and to remove them from the search index.

So there you have it.

I hope this helps you to keep not only your site safe, but also your business!

Agency Bundle - 12 months
Agency Bundle - 12 months
Get access to and support for all our Joomla! extensions and more!
ochStrictRouter - 12 months
ochStrictRouter - 12 months
Get rid of BOGUS links in the Search Engine Result Pages before the Search Engines get rid of your site!!!

This ad is inserted via ochCall2Action and displayed via ochAddAds
Looks like Google ran out of ads to serve... or do you have an ad blocker activated?

Interesting blog? Like it on Facebook, Tweet it or share this article on other bookmarking websites.

Written by
Pro-BloggerTop BloggerThought Leader

With a solid background in ICT (operational, tactical and strategic) and years of experience in the community life, I see in communities and community thinking the future for companies.

This future requires another way of thinking and doing; both for executives and employees. It's not about me; it's about you. Your well-being and your (personal) growth.

'What comes around - goes around'

In the world of communities, the old 'management laws' no longer work and are even counterproductive.

I coach leaders and organizations in their quest for how new and servant leadership can contribute to communities and community thinking, and as a result to the growth of the organization.

I do this from the following initiatives:


Ruud van Lent's Avatar
Ruud van Lent replied the topic: #1658 3 months 6 days ago
You are welcome Mary,
I have worked as hired project manager in the banking business and before getting contracted these institutes are obliged by law to do a full background check on you.
I am sure that if there where bogus links on my (personal) website found in Google, I would never be hired as my background check would fail.

So there is more to it then meets the eye :S
Mary Nevius's Avatar
Mary Nevius replied the topic: #1657 3 months 1 week ago
Thank you Ruud, for this information and providing Joomla users with a solution.
Ruud van Lent's Avatar
Ruud van Lent replied the topic: #1656 3 months 1 week ago
So found some time to create the plugin: ochStrictRouter
it a free plugin, get it here: onlinecommunityhub.nl/joomla-extensions/...rictrouter-12-months

When subscribing (free) you have access to support on this plugin (via the forum)

This is a first version, when we have some more (mis) matching data, the plugin will be extended (e.g. also match on category alias, etc.)

Discuss this article

INFO: You are posting the message as a 'Guest'

Log In or Sign Up

Forgot your password? / Forgot your username?