DMA Managed WordPress Customers Are Now Protected by Weekly Patching of Updates

The threat landscape has changed. AI-powered attacks now move from vulnerability disclosure to mass exploitation in around five hours — which is why we moved from monthly to weekly patching across all our managed WordPress sites.

Notices
WordPress Weekly Patching

Not long ago, a monthly patch cycle across our managed WordPress clients felt like solid practice. Once a month, we’d review available updates, test them, and push them out. It had worked for years.

That’s changed.

In June this year, we moved to weekly patching for every site we manage. It wasn’t a minor tweak to our process — it was a deliberate response to a security environment that has shifted significantly. Attacks are happening faster, AI is powering them, and the window between a vulnerability being discovered and it being exploited has collapsed to a matter of hours.

Here’s what we’re seeing, and why it matters for your website.

The Australian picture

The Australian Signals Directorate received over 84,700 cybercrime reports last financial year — one every six minutes. The average cost of a cybercrime incident for a small business hit $49,600 in the 2023-24 financial year, up 8% on the previous year. For businesses overall, that average has since jumped a further 50%.

These aren’t large enterprises getting hit. These are businesses like the ones we work with every day.

WordPress is a specific target

WordPress powers around 43% of the internet. That makes it a concentrated and attractive attack surface.

According to Patchstack’s annual security research, 7,966 new vulnerabilities were identified in the WordPress ecosystem in 2024 — a 34% increase on 2023. In 2025, that jumped again: 11,334 new vulnerabilities, a further 42% increase.

Nearly all of these — 96% — are in third-party plugins, not WordPress core. The contact form plugin, the booking system, the SEO tool, the slider — these are the gaps attackers are looking for.

What’s changed most significantly is the speed of exploitation. The current research puts the window from vulnerability disclosure to mass automated attack at approximately five hours.

If you’re patching once a month, you’re leaving that window open for 30 days. Attackers are not waiting.

Why AI has made this worse

In May 2026, ASIC issued a formal call for Australian businesses to urgently strengthen their cyber resilience, citing AI as a fundamental shift in the threat landscape. Commissioner Simone Constant put it plainly: “Cyber risk has entered a new era. The advent of frontier AI models creates opportunity, but also materially increases risk.”

AI tools allow attackers to scan for vulnerabilities at scale, generate working exploits quickly, and run automated attacks with minimal effort. What previously required skilled human attackers can now be done faster, cheaper, and at far greater volume. ASIC specifically called on businesses to “patch systems promptly, recognising AI accelerates vulnerability exploitation.”

For context on how seriously regulators are taking this: ASIC recently took action against FIIG Securities, which was ordered to pay $2.5 million for failing to maintain adequate cyber security controls. The expectation that businesses will take active steps to protect themselves has teeth.

Why we moved to weekly patching

The monthly model made sense when the threat environment moved more slowly. When vulnerabilities are being weaponised within hours of disclosure, it doesn’t.

We now run weekly patch cycles across all our managed hosting clients. Every week, we review and apply available plugin and theme updates, testing for compatibility before deployment. Critical and high-severity vulnerabilities get attention outside the weekly cycle when they warrant it.

It’s more work on our end. But in the current environment, it’s the right standard.

What this means for you

If you’re on our managed WordPress hosting, weekly patching is already running for your site. You don’t need to do anything differently — this is part of what we do.

If you’re not yet a managed hosting customer and you’d like that peace of mind, we’d be happy to talk through your options.

Learn about our managed WordPress hosting →

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *