Your website is a computer too — and its plugins are how attackers get in
A leaked hacker server revealed a target list of 1.4 million websites. Your company site is a computer nobody patches — the 15-minute fix.
Somewhere on a rented server in the US, a hacking crew kept a to-do list with more than 1.4 million websites on it.
We know because the crew made a rookie mistake: it left that server wide open on the internet for three weeks. Security researchers found it in June, and The Hacker News published what was inside on July 10 — the hacking tools, the activity logs, and the target lists of an operation now called WP-SHELLSTORM. Researchers confirmed roughly 25,000 of those websites were actually broken into.
The unsettling part isn't the headline number. It's how ordinary the operation was. No secret techniques, no unknown flaws. The crew took publicly known bugs in website plugins — mostly WordPress — built automated scanners, and fired them at that enormous list. One bug in a single caching plugin was aimed at more than 45,000 sites and, by the crew's own logs, planted a hidden backdoor on over 17,000 of them.
Your website is a computer nobody patches
If your business runs on Microsoft 365, someone — you, Microsoft, your IT provider — is at least nominally keeping it updated. Your website usually has no such someone.
The typical small-business site was built once, by a freelancer or an agency, on WordPress or a similar platform. It was extended with plugins — small add-ons for contact forms, image galleries, page layouts, speed. Then the project ended, the invoice was paid, and nobody has logged into the admin panel since.
But that site is an internet-facing computer: running software, reachable by anyone on Earth, 24 hours a day. Every outdated plugin on it is a known, documented way in.
And "in" means more than a defaced homepage. The backdoor this crew planted — a "webshell" — lets an attacker run commands on your server from anywhere: read what customers typed into your contact form, send spam from your domain, quietly serve malware to your visitors, or host fake login pages under your company's name. When Google notices, your site gets flagged as dangerous, and your email deliverability can sink with it.
Nobody sends you the patch memo
This same week, CISA — the US government's cyber-defense agency — added two website page-builder flaws, both rated the maximum 10.0 out of 10, to its list of bugs attackers are actively exploiting, and gave federal agencies three days to patch them.
Federal agencies get a deadline and a memo. Your business gets neither. The information is public, but it's nobody's job to tell you that a plugin your website has quietly run since 2021 is now a wide-open door.
Being scanned isn't being hacked
One number from the leaked logs is worth keeping: a Joomla bug was fired at more than 560,000 websites and landed on just 77. The other half-million-plus sites were on the target list too — they just weren't running the vulnerable version.
That's the real lesson. These attacks are fully automated and indiscriminate; you can't stay off the list. But they only work on out-of-date software. Being current is most of the defense.
The 15-minute conversation to have this week
You don't have to patch anything yourself. You have to make sure someone does.
- Find out what your site runs on and who updates it. If the honest answer is "nobody," that's the finding — and it's fixable this week.
- Ask your web person one question, by name: "Is the CMS core current, is every plugin and theme current, and are automatic updates turned on?" A good answer takes them ten minutes to verify.
- Delete what you don't use. Every inactive plugin and theme is still attack surface. Fewer parts, fewer doors.
- Confirm a backup exists — somewhere other than the same server. If the site is ever compromised, a clean copy turns a crisis into an afternoon.
The harder problem is the ongoing one: knowing when a newly published flaw affects something you actually run, before a scanner finds it for you. That's what our Vulnerability Watch does — an email the day a new flaw affects the tech your business uses, websites included.
The crew behind WP-SHELLSTORM got caught because it forgot to lock its own server. The next crew won't. The defense doesn't change either way: a website that's kept current shrugs these campaigns off — 560,000 attempts, 77 hits.
AI-researched from public sources, human-reviewed on July 15, 2026. We label AI-assisted writing — see our trust page.
See your own risk
Want this for your own Microsoft cloud?
Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.