A coordinated campaign is exploiting known vulnerabilities in popular CMS platforms to compromise websites at scale. WordPress and other CMS-based sites should ensure all core software, plugins and themes are up to date, that administrator accounts use strong unique passwords with MFA enabled, and that server-level protections such as WAF and file-integrity monitoring are in place.
What's happening
The Australian Signals Directorate has issued an advisory about an active, large-scale exploitation campaign targeting websites built on content management systems (CMS) including WordPress and other widely-used platforms.
Coordinated attackers are scanning the public internet for CMS-based sites with known unpatched vulnerabilities, misconfigurations, and weak administrator credentials. Once compromised, affected sites have been used for further attacks, credential theft, SEO spam injection, and hosting of malicious content that damages search rankings and can trigger browser and email warnings for visitors.
Who is at risk
Any website running an outdated CMS, plugin, or theme, especially WordPress installs that:
- Have not applied recent core or plugin updates.
- Use administrator accounts without multi-factor authentication (MFA).
- Include commercial or abandoned plugins that no longer receive security updates.
- Run on shared or unmanaged hosting without file-integrity monitoring, a web application firewall, or automated backups.
What to do if you run a CMS-based site
- Update your CMS core, all plugins, and themes immediately.
- Enforce MFA on every administrator, editor, and author account.
- Rotate administrator passwords using a password manager to generate strong, unique credentials.
- Audit installed plugins and themes, remove anything unused or unmaintained.
- Confirm you have recent, restorable backups stored off the server.
- Check server logs and Google Search Console for signs of unauthorised activity or new indexed pages you didn't publish.
How we help our clients
Our WordPress management plan includes continuous software maintenance, uptime and integrity monitoring, hourly backups, and active incident response for issues like this. Our in-house Jigsaw platform is a static site build, so it has no CMS runtime to exploit, no plugin ecosystem to audit, and no database or admin login exposed to the internet, which sidesteps this entire class of attack.
If you'd like us to review your site's exposure or discuss migrating away from an unmaintained CMS, request a chat.