Your Joomla database holds every email address, password hash, and order record your site has ever collected — and whoever migrates it has unrestricted access to all of it.
Your Database Is Not Just Files
Site owners often think of a Joomla migration as moving pages and images. What is actually moving is a MySQL database that contains everything your site has ever collected about its users. Even a modest community site will have registered user records with email addresses, hashed passwords, IP addresses used during registration, and session data. An e-commerce store adds customer billing information, full order history, and shipping addresses. A membership site adds subscription history and payment method tokens. A government or nonprofit portal may have legally protected personal data under GDPR, HIPAA, or CCPA.
Whoever you give your database export to, whoever you give your cPanel or SSH credentials to, whoever runs your migration has access to that data. For the duration of the job and, in most informal arrangements, for as long as they choose to keep it.
What Has Actually Gone Wrong
These are not theoretical scenarios. They are documented incidents showing what happens when data moves without proper security governance.
A contractor turned off the firewall for ten minutes while migrating data to ElasticSearch. This move exposed the database to attackers who breached over 5 billion data records.
Keepnet Labs breach, documented by Caylent security research
Ten minutes. No malicious intent from the contractor. Just a standard operational shortcut during a migration window. The result: five billion records compromised. The incident became a textbook case for why data transit security cannot be improvised.
Customer credit card data intercepted during a cloud migration, personally identifiable information exposed due to misconfigured permissions in the new database, medical records accessible to unauthorized users because role-based access was not properly replicated. These are not hypothetical scenarios. They result in regulatory fines, lawsuits, and destroy customer trust.
Monte Carlo Data, Data Migration Risks and the Checklist You Need, September 2025
The malicious clone of the Salesforce Data Loader tool is a textbook example of how trust in familiar-looking software can be weaponized to access sensitive credentials. Misconfiguration: even with legitimate tools, a poorly scoped OAuth setup or unsecured endpoint can leave the door wide open.
Conemis security research, August 2025
CMS-to-WordPress migrations are not immune to any of this. Your Joomla site credentials (admin login, database username and password, FTP or SSH access, cPanel login) are the keys to your entire hosting environment. Anyone who holds them has access to everything hosted on that server, not just your Joomla site. If those credentials are transmitted unencrypted, stored on a shared system, or retained after the job, the exposure window stays open indefinitely.
The Real Problem With Cheap Migrations
The internet is full of freelancers offering Joomla to WordPress migrations for $50 to $200. Some of them do technically acceptable work. Almost none of them have a formal data handling process. Here is what you typically do not get when you hire a freelancer or use an automated migration tool.
- No Data Processing Agreement (DPA). Under GDPR Article 28, if a third party processes personal data on your behalf, you are legally required to have a signed DPA in place before any data access begins. Without one, you are in violation regardless of what the contractor does or does not do with the data. Most freelancers have never heard of a DPA.
- No deletion guarantee. When the job is done, what happens to your database export sitting in the contractor’s Downloads folder? Or on a Fiverr seller’s shared hosting account? There is typically no answer. No policy. No timeline. No audit trail.
- No encryption guarantee. Your database may be downloaded over an unsecured connection, stored on an unencrypted laptop, or sent to you via email. All of these are GDPR violations if the database contains personal data from EU residents.
- No breach notification obligation. If a freelancer’s system is compromised after holding your data, they have no legal or contractual obligation to tell you. You would not know until your users started reporting problems.
- No accountability structure. A freelancer account on a marketplace can be deleted. A migration tool company can pivot, get acquired, or simply stop operating. The contractual obligations disappear with the business.
- No professional liability. If the migration goes wrong and you lose data, rankings, or suffer a security incident as a result, a freelancer has no insurance and no legal exposure in most jurisdictions. You absorb the cost entirely.
Automated Migration Tools: Not a Security Solution
Tools like FG Joomla to WordPress, CMS2CMS, or similar automated services introduce their own category of risk. Here is what you should know before using one.
Most automated migration tools work by asking you to install a plugin or connector on your source site, then routing your content through their own servers for processing before importing it to your destination. Your database contents pass through a third-party infrastructure you have no visibility into, have not audited, and have no contractual relationship with regarding data protection.
These tools also frequently fail on anything beyond standard article content. K2 items, VirtueMart product catalogues, Kunena forum threads, custom component output, ACL configurations, and extension-specific metadata are either partially migrated or silently dropped. The result is a “completed” migration that is missing 30% of the site and has no audit trail to tell you what went missing.
If your Joomla site has EU users and you use an automated tool without a signed DPA with that tool’s provider, you are processing personal data outside a lawful data sharing framework. GDPR fines for data processing violations start at 2% of annual global revenue or €10 million, whichever is higher. They apply regardless of whether a breach occurs.
What Proper Looks Like: How gConverter Does It
gConverter is a registered US company operating under US business law with full EU GDPR compliance for all European clients. We act as a Data Processor under GDPR Article 4(8), which means we have a documented legal framework for every piece of personal data we handle. Here is exactly what that looks like in practice.
Step 1: Documents before data
Before you share a single credential, you receive a Data Processing Agreement (DPA) to review and sign. For clients requiring higher assurance, a Non-Disclosure Agreement is also executed. No data access of any kind is granted until both documents are in place. This is not a checkbox. It is a legal contract that defines what we process, why, how, and for how long, and makes us legally liable for any deviation.
Step 2: Encrypted credential handling
Your access credentials (admin login, database credentials, FTP/SSH access, cPanel) are transmitted to us via an encrypted channel, never by plain email. They are immediately stored in an AES-256 encrypted vault with access restricted to the single assigned engineer. Credentials are deleted from all systems within 24 hours of job completion. There is no shared folder, no spreadsheet, no Slack message, no email thread holding your keys.
Step 3: Isolated staging environment
Your database is exported and transferred over TLS 1.3 to our staging infrastructure. For standard clients, processing occurs on the assigned engineer’s encrypted machine (Apple FileVault AES-256). For GC-ExtraSecurity clients, processing happens on a dedicated Hetzner EU server in Frankfurt, Germany, keeping all data inside the European Economic Area at all times. Your data is never processed on shared hosting, never stored alongside other customers’ data, and never accessible to anyone outside the assigned engineer.
Step 4: Migration with access logging
Every file access and every database interaction during the migration is logged. The migration is completed on staging and presented to you for approval before anything goes live. Your production site is not touched until you have reviewed and signed off on the result. The staging environment is firewalled, not publicly accessible, and not indexed by search engines.
Step 5: Delivery and deletion
Once you approve the migration and the site goes live, the process of deletion begins. Credentials are revoked and deleted immediately. All customer data on our systems is permanently deleted within 30 days of job completion using secure overwrite deletion, not just removal from the trash. You receive confirmation of deletion. If you have any outstanding deletion requests from your own users during the migration window, those are honoured before the final delivery.
Step 6: Breach protection
In the unlikely event of a security incident involving your data, we notify you within 72 hours as required by GDPR Article 33, and we assist you in notifying your supervisory authority if required. We maintain an internal breach register and an incident response plan that is tested regularly. Our staff all sign binding confidentiality agreements and receive data security training. The need-to-know policy means access is granted only for the specific job, and no team member may copy, share, or retain customer data.
Read the complete GDPR and Data Protection documentation →
Questions to Ask Any Migration Provider
Before you hand access to your site to anyone, ask these questions. If they cannot answer all of them clearly and in writing, that is your answer.
- Will you sign a Data Processing Agreement before accessing my data? If no: they are not GDPR-compliant and you face legal exposure.
- How are my credentials transmitted and stored? Acceptable answers: encrypted channel, encrypted vault. Unacceptable: email, Slack, spreadsheet.
- Where is my database processed and stored during migration? You need a real answer. Not “on our servers.” Where, specifically, and under what security configuration.
- When and how will my data and credentials be deleted after completion? You need a timeline and a deletion method. “We will delete it” is not an answer.
- Do you carry professional liability insurance? If they do not, and something goes wrong, you have no recourse beyond a small claims dispute with a freelancer.
- What is your breach notification procedure? If they do not have one, they have no obligation to tell you if your data is exposed.
- Can you provide references from clients with similar-sized sites? Verifiable references, not screenshots of five-star reviews.
The Technical Migration: Doing It Right Matters Too
Security is the non-negotiable foundation. But the technical quality of the migration also determines whether you come out the other side with a working site or a half-migrated mess that costs months to fix. A complete Joomla to WordPress migration at gConverter covers all articles and pages, K2 content types with custom fields preserved in ACF Pro, VirtueMart and HikaShop product catalogues and customer history, Kunena forum content, user accounts with role mapping, SEO titles and meta descriptions, 301 redirects for every changed URL, menu structure, and a custom WordPress theme that matches your existing design exactly.
For the full picture of what the migration process covers and why organizations are choosing to move off Joomla, read Why Agencies Are Leaving Joomla and How We Migrate Them to WordPress.
Ready to talk specifics about your site? Start with our Migrate Joomla to WordPress page.
The Bottom Line
A Joomla to WordPress migration is a personal data transfer event. It requires the same level of governance, documentation, and accountability as any other processing activity under GDPR. Most providers, freelancers, and automated tools do not meet that standard. Not because they are careless, but because they have never been required to build it.
gConverter has. US-registered, EU-compliant, with a documented security process that has handled hundreds of migrations without a single data incident. Before the job starts, you have a signed DPA and NDA. While the job runs, your data is encrypted, isolated, and logged. When it ends, your data and credentials are gone from our systems. That is what secure migration looks like.