What is a webshell? The silent backdoor on hacked websites
You’ve probably heard the term “webshell” pop up in cybersecurity news lately — including in the ACSC’s recent alert about CMS exploitation. But what actually is one, and why should a business owner care?
A webshell is a small script — usually just a few lines of code — that an attacker uploads to a web server after finding a vulnerability. Once it’s there, it acts like a hidden control panel. The attacker can visit a specific URL, type commands, and your server executes them. No login required, no alarm bells ringing.
Why they’re hard to spot
Webshells are designed to blend in. They often have innocent-sounding filenames like config.php or helper.js and sit quietly among thousands of legitimate files. They don’t consume noticeable resources, they don’t slow your site down, and they don’t change what visitors see — at least not at first. A webshell can sit dormant for months before an attacker decides to use it.
What an attacker can do with one
Once a webshell is active, an attacker can steal customer data, install ransomware, send spam from your mail server, deface your website, or use your server to attack other organisations. It’s essentially full remote access disguised as a web page.
How to protect your business
The best defence is keeping your CMS, plugins and themes up to date — most webshells get planted through known vulnerabilities that already have patches available. Remove plugins you’re not using, use a web application firewall, and have your IT provider run regular file integrity checks. If your website isn’t part of your managed IT environment, it’s a blind spot worth addressing.
Related Guide
Cybersecurity for Sydney SMBs
Explore our complete guide to protecting your business from cyber threats.
