Finding 01 — Critical

Someone has full control of your website. Right now.

The pharmaceutical spam links our team discovered are not the threat — they are the proof that a threat exists. To inject server-level code that runs invisibly on every page load, an attacker must have the same depth of access as a system administrator. They are inside your infrastructure. They have been for some time.

Today, they have chosen to run a quiet pharmaceutical spam operation because it is financially motivated and stays hidden. But that is a choice — and it is their choice to make, not yours. At any moment, without warning, that same level of access could be used to:

  • Public Defacement: Replace your homepage with political messaging, offensive imagery, or fabricated emergency communications appearing to come from the Orleans Parish School Board.
  • Data Exposure: Intercept and capture form submissions from parents providing information about their children — names, addresses, contact details, and school enrollment data.
  • Full Site Redirect: Redirect your entire domain to any external destination — sending families and staff who trust nolapublicschools.com to a site controlled by the attacker.
  • False Communications: Publish content or send communications that appear to originate from your district — exploiting the institutional trust your community places in NOLA Public Schools.

This is not a hypothetical risk. School district websites are high-visibility targets. A public defacement or data exposure event on a platform serving 15,000 students and their families would be immediate, highly publicized, and carry serious reputational, legal, and community consequences. The fact that none of this has happened yet reflects the attacker's current intentions — not their current capabilities.

The evidence: what's happening right now

The active compromise was confirmed by impersonating Google's search crawler. The attacker's code — running on your server — detected the simulated crawler and revealed itself by injecting over 170 pharmaceutical spam links into the page response. This technique is called cloaking: serving different content to search engines than to human visitors. It requires deep server-level access to execute and is invisible to anyone browsing the site normally — including your own team.

The injected links all point to nolapublicschools.org — a domain your organization also owns and operates on the same hosting infrastructure. Both domains are almost certainly compromised. Your own assets are being turned against you.

Verify this yourself in 60 seconds

The following command impersonates Google's crawler and asks your site for its homepage. The output reveals what Google — and the attacker — actually sees.

1. Open Terminal on your Mac. Press Command + Space, type "Terminal," and hit Enter.

2. Run this command exactly as written. Copy and paste the following into your terminal window and press Enter.

   curl -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://nolapublicschools.com 2>/dev/null | grep -i "lasix\|propecia\|clomid"

3. Read the output. If the site has been compromised, you will see hundreds of pharmaceutical drug links scroll across your screen — all pointing to nolapublicschools.org. If the output is blank, the attack is not currently active. Based on our audit conducted June 15, 2026, it was active and confirmed.

Terminal — confirmed output, June 15 2026
billdalton@MacBook-Pro ~ % curl -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://nolapublicschools.com 2>/dev/null | grep -i "lasix\|propecia\|clomid"

</div></div></div><a href='http://nolapublicschools.org/online-500-mg-lasix/'>online 500 mg lasix</a>
<a href='http://nolapublicschools.org/order-metformin-without-prescription/'>order metformin without prescription</a>
<a href='http://nolapublicschools.org/propecia-onlina-australia/'>propecia onlina australia</a>
<a href='http://nolapublicschools.org/buy-clomid-for-men-online/'>buy clomid for men online</a>
... 170+ additional pharmaceutical spam links omitted for brevity ...

billdalton@MacBook-Pro ~ %

Why you haven't seen this. The attack is designed to be invisible to human visitors. The compromised code checks whether the incoming request looks like a search engine crawler. If it does, it injects the spam. If it doesn't, it serves your normal page. This is why incognito mode, VPN, and normal browser visits show a clean site — the attack only reveals itself to crawlers like Google.
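
The comparison described above, as an added example (not part of the original report or the auditor's tooling): it diffs the links a page returns to a browser User-Agent against those returned to the report's Googlebot User-Agent. BROWSER_UA, the function names and the sample HTML are assumptions constructed for illustration; the two spam URLs are taken from the terminal output above.

```python
import re
import urllib.request
from html.parser import HTMLParser

BROWSER_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"  # assumed browser UA
CRAWLER_UA = "Googlebot/2.1 (+http://www.google.com/bot.html)"  # UA from the report
SPAM_TERMS = re.compile(r"lasix|propecia|clomid", re.I)  # terms from the report's grep


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in a document."""

    def __init__(self):
        super().__init__()
        self.links = set()

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.links.add(href.strip())


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def fetch(url, user_agent, timeout=15):
    """Fetch url presenting the given User-Agent (needs network access)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def cloaking_report(browser_html, crawler_html):
    """Links served only to the crawler UA, plus those matching SPAM_TERMS."""
    crawler_only = sorted(extract_links(crawler_html) - extract_links(browser_html))
    flagged = [link for link in crawler_only if SPAM_TERMS.search(link)]
    return {"crawler_only": crawler_only, "flagged": flagged}


# Constructed sample responses (not captured traffic) so the check runs offline.
PAGE = "<html><body><a href='/enroll'>Enroll</a>%s</body></html>"
BROWSER_SAMPLE = PAGE % ""
CRAWLER_SAMPLE = PAGE % (
    "<a href='http://nolapublicschools.org/online-500-mg-lasix/'>online 500 mg lasix</a>"
    "<a href='http://nolapublicschools.org/order-metformin-without-prescription/'>order</a>")

if __name__ == "__main__":
    # Live use: cloaking_report(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA))
    print(cloaking_report(BROWSER_SAMPLE, CRAWLER_SAMPLE))
```

Because it compares full link sets, the check also surfaces the metformin link, which the three-term grep pattern alone would not match. Pages with rotating or personalized links can differ between requests for legitimate reasons, so review the crawler_only list before treating it as evidence.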

Finding 02 — Critical

The platform has no security support.

nolapublicschools.com runs on Joomla 3, a content management system that reached end-of-life in August 2023. This means the Joomla development team no longer releases security patches, bug fixes, or updates of any kind for this version. Every vulnerability discovered after that date remains permanently unpatched on your installation.

The current attack is almost certainly a direct result of this. Joomla 3 installations have been systematically targeted by automated exploit kits that scan for known vulnerabilities and inject malicious code at scale. Your site was not individually targeted — it was caught in a wide net cast across thousands of similarly outdated installations.

  • Aug 2023: Joomla 3 end-of-life — no security updates since
  • 7,289 URLs crawled across both .com and .org domains
  • 1,976 PDFs stored as site content with no document management strategy

✕  Current: Joomla 3 on Bluehost
  • End-of-life since August 2023 — no security patches
  • Actively compromised with pharma spam injection
  • No HTTPS enforcement — site runs on HTTP
  • Custom page builder creates fragile, non-portable content
  • Nearly 2,000 PDFs with no document management system
  • Shared hosting not suited for a district-wide site
  • Zero accessibility compliance — fails WCAG 2.0 Level A
  • No active security monitoring or update management

Patching Joomla 3 is not a solution. Migrating to Joomla 4 or 5 requires a full rebuild anyway — there is no simple upgrade path. Cleaning the current infection without rebuilding the platform is also insufficient; attackers frequently leave multiple backdoors that survive cleanup attempts. The only reliable path forward is a clean rebuild on a modern, actively maintained platform.

Finding 03 — High Priority

The site fails federal accessibility law.

Under ADA Title II, public school districts are required to make their digital communications accessible to people with disabilities. The Department of Justice's 2024 final rule established WCAG 2.1 Level AA as the enforceable standard for state and local government websites, with compliance deadlines beginning in 2026.

An accessibility scan of nolapublicschools.com found serious failures across every category that matters to users who rely on screen readers, keyboard navigation, or other assistive technologies. The site received scores of zero in two of the eight categories evaluated.

| Category | Score | Priority | Key Issues |
|---|---|---|---|
| Forms | 0 — Fail | Critical | Checkboxes and radio buttons have no labels. Form controls change context without warning. Submit buttons are improperly typed. |
| Landmarks | 0 — Fail | Critical | Navigation has no role="navigation" tag. Main content is not in a main landmark. Screen reader users cannot navigate the page structure. |
| General | 41 — Fail | Critical | iFrames missing labels. ARIA menu roles misapplied to navigation, causing incorrect screen reader behavior. |
| Interactive Content | 69 — Needs Work | High | Buttons missing assistive technology tags. Ambiguous links lack context. Broken ARIA attribute references. |
| Graphics | 69 — Needs Work | High | Decorative icons not hidden from screen readers. Functional images missing text alternatives. |
| Text Content | 100 — Pass | None | Emphasis and strong tags are properly structured. |
| Metadata | 100 — Pass | None | Page language, title, and viewport tags are correctly set. |
| Lists | 100 — Pass | None | List elements are properly structured. |

What this means practically. A parent using a screen reader cannot reliably use your enrollment forms. A staff member navigating by keyboard cannot move through your site's navigation. A community member with low vision may encounter images with no text alternative. Approximately 26% of U.S. adults live with some form of disability. For a district serving 15,000 students and their families, this represents a significant portion of your community — and a growing legal exposure.

Recommendation

What needs to happen next.

These three issues — active security compromise, end-of-life platform, and accessibility failures — share the same root cause: a website that has outlived its platform without active stewardship. The solution to all three is the same: a clean rebuild on a modern, secure, accessibility-compliant foundation, with an ongoing maintenance commitment that keeps it that way.

  • Immediate: Run the verification command. Use the terminal command in this report to confirm the attack is currently active and document the output for your records and IT team.
  • Immediate: Notify IT and leadership. Your IT team and organizational leadership should be informed of the active compromise. Consider notifying your hosting provider and requesting a server-side malware scan.
  • Short Term: Platform migration planning. Begin scoping a migration from Joomla 3 to WordPress. The site has approximately 300 core content pages, 2,000+ news archive items, and nearly 2,000 PDFs that need a structured content strategy.
  • Short Term: Accessibility remediation. A new build should target WCAG 2.1 AA compliance from the ground up — addressing landmark structure, form labels, ARIA implementation, and image alternatives as core requirements.
  • Ongoing: Managed hosting and maintenance. The new platform should include managed WordPress hosting with automatic updates, security scanning, and a defined maintenance engagement — eliminating the conditions that allowed this compromise to occur.
  • Ongoing: Document management strategy. Nearly 2,000 PDFs need a structured approach — a searchable document library, archive policy, and accessibility review for key public-facing documents.

Firefly Marketing Solutions has been serving Louisiana businesses and organizations for over 25 years. We brought this to your attention because we believe every organization — especially one serving 15,000 students and their families — deserves a website that works for them, not against them. We're happy to answer any questions about this report, with no strings attached.