Skip to content
Devonport, Tasmania · web design for aspiring businesses across Australia
★★★★★ Rated 4.8 on Google Request a chat

Security alert

Large-scale exploitation campaign targeting CMS-based websites

High 9 July 2026 · Australian Signals Directorate, Cyber.gov.au

A coordinated campaign is exploiting known vulnerabilities in popular CMS platforms to compromise websites at scale. WordPress and other CMS-based sites should ensure all core software, plugins and themes are up to date, that administrator accounts use strong unique passwords with MFA enabled, and that server-level protections such as WAF and file-integrity monitoring are in place.

What's happening

The Australian Signals Directorate has issued an advisory about an active, large-scale exploitation campaign targeting websites built on content management systems (CMS) including WordPress and other widely-used platforms.

Coordinated attackers are scanning the public internet for CMS-based sites with known unpatched vulnerabilities, misconfigurations, and weak administrator credentials. Once compromised, affected sites have been used for further attacks, credential theft, SEO spam injection, and hosting of malicious content that damages search rankings and can trigger browser and email warnings for visitors.

Who is at risk

Any website running an outdated CMS, plugin, or theme, especially WordPress installs that:

What to do if you run a CMS-based site

How we help our clients

Our WordPress management plan includes continuous software maintenance, uptime and integrity monitoring, hourly backups, and active incident response for issues like this. Our in-house Jigsaw platform is a static site build, so it has no CMS runtime to exploit, no plugin ecosystem to audit, and no database or admin login exposed to the internet, which sidesteps this entire class of attack.

If you'd like us to review your site's exposure or discuss migrating away from an unmaintained CMS, request a chat.