Australia sounds the alarm: hackers are hijacking small business websites at scale

The Australian Cyber Security Centre says a worldwide campaign is planting hidden backdoors on sites running WordPress, Joomla, Craft CMS and more, with small businesses bearing the brunt.

ThreatVectr Newsdesk· 4 min read
Photoreal news-editorial image, 16:9, full frame edge to edge
Share

Key points

  • The Australian Cyber Security Centre (ACSC) warned on its advisory page that a global hacking campaign is breaking into websites built on popular publishing tools, with many small and mid-sized Australian businesses already hit.
  • The attackers are planting webshells, small hidden programs that give them remote control of a website, on servers they break into.
  • The campaign targets at least 17 known flaws across WordPress plugins, Craft CMS, MaxSite CMS, MetInfo CMS and Joomla JCE.
  • ACSC says artificial intelligence may be helping the attackers scan and exploit sites faster than defenders can patch.
  • Site owners are told to update every plugin and theme immediately and watch for unfamiliar files appearing on their servers.

Australia's national cyber agency has issued a blunt warning to anyone who runs a website: attackers are scanning the internet at scale, looking for out-of-date publishing software, and quietly installing backdoors when they find it.

The alert came from the Australian Cyber Security Centre, which sits inside the Australian Signals Directorate. It says the campaign is global, but many Australian small and medium businesses have already been caught out. The story was first reported by BleepingComputer.

The tools under attack are content management systems, or CMS platforms, which are the software packages small businesses use to run their websites without writing code. WordPress is by far the best known. Joomla, Craft CMS, MaxSite and MetInfo are also on the list.

Once the attackers get in, they drop a webshell. Think of a webshell as a hidden control panel bolted onto your website. From it, a criminal can read files, steal customer data, install more malware, or use the server as a springboard deeper into the business network.

How are the hackers getting in?

They are exploiting known bugs in website plugins that owners have not patched. Plugins are the little add-ons that give a WordPress site features like contact forms, backups or file uploads. Each one is a potential door.

The ACSC listed a long roster of specific flaws being abused. On WordPress alone the list includes Simple File List (CVE-2025-34085 and CVE-2020-36847), WavePlayer (CVE-2025-12057), BerqWP (CVE-2025-7443), WPBookit (CVE-2025-7852), Ninja Forms, ThemeREX Addons, Breeze Cache, pay-uz, ACF Extended (CVE-2025-13486), Sneeit Framework (CVE-2025-6389), WPvivid Backup, Gravity Forms (CVE-2025-12352), and GutenKit/Hunk Companion (CVE-2024-9234). Craft CMS is being hit through CVE-2025-32432, a serious remote code execution flaw disclosed earlier this year.

A CVE ID, if you have not seen the term before, is just a public catalogue number for a specific software bug. Each one on that list is a door someone forgot to lock.

This is not a story about clever new hacking. It is a story about neglected websites. Most of these plugins have patches available already. The attackers are simply faster than the site owners.

Was multi-factor authentication any help here?

Honestly, not much. This is my beat, and I have to say it: MFA on your admin login would not have stopped these attacks. The break-ins are happening through vulnerable code on the public side of the site, not by guessing an administrator's password. Different problem, different fix.

The ACSC also flags something worth paying attention to. It believes the campaign may be assisted by AI, letting the attackers scan more sites and weaponise newly disclosed bugs within hours instead of weeks.

What should site owners actually do?

Update everything, today. That means the CMS itself, every theme, and every single plugin. Turn on automatic updates if the platform supports it.

Then do a clean-out. Delete plugins and themes you are not using. Every dormant add-on is an unpatched door.

Admins should also make their web directories read-only where possible, watch for new files appearing that they did not create, and lock down access to sensitive folders. If your web server suddenly starts launching unexpected programs, treat that as an emergency.

For ordinary customers, the practical advice is calmer. If you shop on a small Australian business site and start seeing odd payment redirects, strange login prompts, or unexpected password reset emails, stop and contact the business directly. Use a card with strong fraud protection. And if you reuse passwords across sites, this is your reminder to stop.

© 2026 Threat Vectr