ACSC warns of large-scale attack hitting Australian WordPress sites
The Australian Cyber Security Centre has issued an alert about a global exploitation campaign targeting content management systems — and many Australian small businesses have already been hit.
Attackers are scanning websites for known vulnerabilities in WordPress plugins, Joomla, Craft CMS and other platforms, then deploying webshells — small scripts that give them persistent remote access to your web server. Once a webshell is in place, an attacker can steal credentials, plant malware, deface pages or use your server as a launchpad for further attacks.
The list of targeted WordPress plugins is long: Ninja Forms, Gravity Forms, WPvivid Backup, Breeze Cache, GutenKit, and over a dozen others. The ACSC notes the campaign may be AI-assisted, allowing attackers to exploit newly disclosed flaws faster than ever. As BleepingComputer reported, the vulnerabilities being exploited are all public and have patches available — the issue is that many site owners simply haven’t applied them.
This is a pattern we see constantly across Australian SMB environments: a WordPress site gets built, a handful of plugins are installed, and then nobody touches the software again until something breaks. That gap between “installed” and “maintained” is exactly what this campaign exploits.
What to do now
Log into your WordPress dashboard (or ask whoever manages your site) and update every plugin, theme and WordPress core to the latest version. Remove any plugins you’re not actively using — they’re just extra attack surface. Enable automatic updates where possible. If you’re not sure whether your site has already been compromised, ask your IT provider to check for unfamiliar files in your web directories.
If your business website is part of your managed IT environment, your provider should already be handling this. If it’s not — that’s worth a conversation.
Related Guide
Cybersecurity for Sydney SMBs
Explore our complete guide to protecting your business from cyber threats.
