Websites Hosting Business Email Local Support Based in Cockburn Perth Small Business
Cyber Security

A critical cyber alert just went out about business websites. Here's what it means for you.

Australia's cyber security agency has flagged an active, large-scale attack campaign hitting business websites right now. No jargon, no scare tactics — just what actually happened, why it matters if you run a small business, and what to do about it.

What actually happened

On 9 July 2026, ASD's Cyber Security Centre (ACSC) issued a critical alert about a large-scale, active attack campaign targeting business websites globally — including a significant number of small and medium Australian businesses. This isn't a "you should probably be careful" advisory. It's describing attacks that are happening right now, at scale.

How it actually works, without the jargon

A lot of business websites are built on off-the-shelf platforms with add-on plugins — a sensible way to build fast. But every one of those add-ons is another piece of software that can have an unpatched weak spot. Attackers are automatically scanning huge numbers of websites at once, looking for those known, unpatched weak spots.

Where they find one, they quietly plant a hidden doorway into the website's server. It lets them come and go without anyone noticing, for as long as it stays hidden.

Why this matters for a business like yours

Once someone has that doorway, they can deface your site, quietly redirect visitors to scam pages, capture details customers submit through your forms, or use your domain to send convincing scam emails pretending to be you. For a small business, that's not just an IT headache — it's the exact thing customers rely on as proof they can trust you, working against you instead.

Why it's getting harder to stay ahead of

The heads of the Five Eyes cyber security agencies (ASD among them) recently put out a joint statement about a specific trend behind campaigns like this one: AI is shrinking the gap between a vulnerability becoming public knowledge and someone actively exploiting it. What used to take attackers weeks to notice and weaponise can now happen in hours. "We'll patch it next time we're in there" isn't a safe approach anymore.

Where you already have an advantage

If your website was built by hand rather than assembled from a stack of third-party plugins, you're already carrying a much smaller version of this particular problem — there's no sprawling plugin ecosystem quietly going out of date in the background. That's a genuine structural advantage.

It's not a reason to assume you're untouchable, though. Domain security, email settings, and server configuration still matter no matter what the site is built on — which is exactly what the free health check below actually checks, rather than assumes.

What to actually do about it

  • Keep whatever software your site or store runs on — and any plugins or add-ons — up to date. Don't let "I'll do that later" update emails pile up.
  • If someone else manages your website or hosting, ask them directly whether this alert affects you, and what they've already checked.
  • Run a free health check on your domain and email setup to see where things actually stand today.
  • If anything about your website suddenly looks different — content you didn't add, unexpected redirects, browser warnings — treat it as real and get it looked at straight away, rather than waiting to see if it goes away.

Not sure where your own site and email actually stand? It takes about 30 seconds to find out.

Run my free health check →

Where this came from

This is based on the ACSC's alert "Large-scale exploitation campaign targeting website content management systems (CMS)", first published 9 July 2026 and rated critical. Read the original advisory for the full technical detail, including the specific software involved.