Security notice
Large-scale exploitation campaign targeting CMS-based websites
A coordinated campaign is exploiting known vulnerabilities in popular CMS platforms to compromise websites at scale. Owners and administrators of WordPress and other CMS-based sites should ensure all core software, plugins and themes are kept up to date, that administrator accounts use strong unique passwords with MFA enabled, and server-level protections such as WAF and file-integrity monitoring are in place.
What's happening
The Australian Signals Directorate has issued an advisory about an active, large-scale exploitation campaign targeting websites built on content management systems (CMS) including WordPress and other widely-used platforms.
Coordinated attackers are scanning the public internet for CMS-based sites with known unpatched vulnerabilities, misconfigurations, and weak administrator credentials. Once compromised, affected sites have been used for further attacks, credential theft, SEO spam injection, and hosting of malicious content that damages search rankings and can trigger browser and email warnings for visitors.
You can read the original advisory on the ASD's Cyber.gov.au site for the full technical background.
Who is at risk
- Outdated CMS, plugins or themes. Sites running versions where recent security updates haven't been applied.
- Known plugin or theme vulnerabilities. Sites running any plugin or theme with a published vulnerability, whether or not the author has released a fix yet.
- Abandoned or unmaintained extensions. Sites depending on commercial, abandoned or no-longer-maintained plugins or themes where no patch will be released, and the extension hasn't been replaced or patched in-house.
- Weak authentication. Administrator, editor or author accounts that log in without multi-factor authentication (MFA), or use weak or reused passwords.
- No user account monitoring. Sites without alerting for failed login floods, unexpected new admin accounts, or logins from unusual locations.
- No rate limiting. Login pages, XML-RPC or REST API endpoints without rate limits, leaving them exposed to brute-force and credential-stuffing attacks.
- No malware or file-integrity scanning. Sites without automated scanning to detect injected backdoors, webshells or unauthorised file changes.
- No off-server backups. Sites without recent, restorable backups stored off the server, so a compromise cannot be cleanly rolled back.
- Unprotected hosting. Shared or unmanaged hosting without a web application firewall (WAF).
What to do if you run a CMS-based site
- Update your CMS core, and any plugins or themes with known vulnerabilities, to patched versions.
- Enforce MFA on every administrator, editor, and author account.
- Rotate any administrator passwords you suspect have been compromised or reused elsewhere, and generate strong, unique replacements with a password manager.
- Review every administrator-level user account. Remove any that are unfamiliar, unused, or no longer needed, and drop to a lower role where full admin isn't required.
- Disable plugin installations and in-dashboard file edits by administrators. On WordPress, set
DISALLOW_FILE_EDITandDISALLOW_FILE_MODSinwp-config.phpso a compromised admin session can't install a malicious plugin or write to the file system. - Audit installed plugins and themes, remove anything unused or unmaintained.
- Add a scheduled routine to check the file system for signs of compromise, such as new files in the uploads directory, unexpected changes to core files, or executable files in locations they shouldn't appear.
- Confirm you have recent, restorable backups stored off the server.
- Check server logs and Google Search Console for signs of unauthorised activity or new indexed pages you didn't publish.
How we help our clients
We hold a firm view that most small business websites shouldn't be running a high-risk content management system in the first place. WordPress, and platforms like it, have grown into incredibly powerful tools built for large teams publishing at scale, but for the average small business site they add significantly more risk than value, and in most cases are under utilised and more expensive to operate than simpler tools.
Jigsaw, is our in-house solution to this, so there's no CMS runtime to exploit, no plugin ecosystem to audit, and no database or admin login exposed to the internet. Jigsaw allows us to build websites in a unified code base, combining content, media assets and design with none of the risks associated with a complex CMS system.
For clients whose site genuinely needs a CMS, our WordPress management plan covers continuous software maintenance, uptime and integrity monitoring, hourly backups, and active incident response for events like this. But wherever a static Jigsaw build meets the requirement, we recommend it. A smaller attack surface is always the safer starting point.
If you'd like us to review your site's exposure or talk through whether your business actually needs a CMS, request a chat.