Skip to content
Devonport, Tasmania · web design for aspiring businesses across Australia
★★★★★ Rated 4.8 on Google Request a chat

Security notice

Large-scale exploitation campaign targeting CMS-based websites

High 9 July 2026 · Australian Signals Directorate, Cyber.gov.au

A coordinated campaign is exploiting known vulnerabilities in popular CMS platforms to compromise websites at scale. Owners and administrators of WordPress and other CMS-based sites should ensure all core software, plugins and themes are kept up to date, that administrator accounts use strong unique passwords with MFA enabled, and server-level protections such as WAF and file-integrity monitoring are in place.

What's happening

The Australian Signals Directorate has issued an advisory about an active, large-scale exploitation campaign targeting websites built on content management systems (CMS) including WordPress and other widely-used platforms.

Coordinated attackers are scanning the public internet for CMS-based sites with known unpatched vulnerabilities, misconfigurations, and weak administrator credentials. Once compromised, affected sites have been used for further attacks, credential theft, SEO spam injection, and hosting of malicious content that damages search rankings and can trigger browser and email warnings for visitors.

You can read the original advisory on the ASD's Cyber.gov.au site for the full technical background.

Who is at risk

What to do if you run a CMS-based site

How we help our clients

We hold a firm view that most small business websites shouldn't be running a high-risk content management system in the first place. WordPress, and platforms like it, have grown into incredibly powerful tools built for large teams publishing at scale, but for the average small business site they add significantly more risk than value, and in most cases are under utilised and more expensive to operate than simpler tools.

Jigsaw, is our in-house solution to this, so there's no CMS runtime to exploit, no plugin ecosystem to audit, and no database or admin login exposed to the internet. Jigsaw allows us to build websites in a unified code base, combining content, media assets and design with none of the risks associated with a complex CMS system.

For clients whose site genuinely needs a CMS, our WordPress management plan covers continuous software maintenance, uptime and integrity monitoring, hourly backups, and active incident response for events like this. But wherever a static Jigsaw build meets the requirement, we recommend it. A smaller attack surface is always the safer starting point.

If you'd like us to review your site's exposure or talk through whether your business actually needs a CMS, request a chat.


Corey Crowden
Corey Crowden Creative and Technical Lead (And director of Tas Web Co)
Back Return to all notices