Tailored Digital Solutions · For Australian Clinics
Medlink Connect™ · New ASD ACSC Critical Alert · 9 July 2026

Your practice website is now a target. Hosting alone won't protect it.

The Australian Signals Directorate has issued a critical alert: attackers are running a large-scale, AI-accelerated campaign against website content management systems — and many small Australian businesses are already compromised. Keeping a practice website patched, monitored and secure is now a real obligation, and it sits outside your hosting. SENTRY is the Medlink Connect service that takes it on.

01 · What's happening

A national alert, aimed squarely at websites like yours

On 9 July 2026, the ASD's Australian Cyber Security Centre issued a rare Critical Alert — Act Now. Attackers are scanning the internet at scale for vulnerable content management systems and planting webshells — hidden backdoors that hand them remote control of the web server.

Once a site is compromised, the alert warns, they use it to deface or disrupt the website, capture data entered by your website's users, serve malware and scams to your own visitors, and use that foothold as a pathway deeper into your network. The exploited vulnerabilities span dozens of common WordPress plugins and CMS platforms — the everyday building blocks of ordinary business websites.

~5 hrs
Median time in 2025 from a WordPress vulnerability going public to the first attack (Patchstack)
16+
CMS platforms & plugins named in the alert with actively-exploited vulnerabilities
SMBs
Small & medium Australian businesses are explicitly named as impacted
AI
Five Eyes agencies warn AI is accelerating the speed and scale of these attacks

The critical shift is speed. A newly-disclosed flaw is now exploited in hours, not weeks — and a "we'll update it next month" cycle can't keep pace.

1. Automated scan finds a vulnerable plugin 2. Webshell uploaded to the server 3. Remote control established 4. Data captured · patients targeted · network breached

02 · The gap you may not know exists

Where website hosting ends, and security maintenance begins

We host your website on secure, backed-up infrastructure. But hosting has never included the ongoing security maintenance of the website software itself — and that distinction matters more now than it ever has. Here's exactly where the line sits.

Included in your hosting

Keeping the site online, on our infrastructure

  • Server & infrastructure uptime
  • Data-centre & physical security
  • Backups of the hosting environment
  • SSL certificate provisioning
  • Bandwidth & availability

Not included — needs active management

Keeping the site safe, at the software layer

  • WordPress / CMS core updates
  • Plugin & theme updates
  • Malware & webshell scanning
  • Vulnerability patching
  • Login & MFA hardening
  • Security-header configuration
  • Active threat monitoring
  • Incident detection & response
In plain terms Everything in the right-hand column is the responsibility of the website owner. For most practices, that work simply isn't happening — not through neglect, but because it takes specialist attention and continuous monitoring a busy clinic can't sustain in-house. SENTRY takes ownership of that entire column.

03 · Why it matters for your practice

A practice website is a patient-trust surface — and a compliance obligation

Your website carries your practice details, appointment and new-patient forms, and often collects information directly from patients. If it's compromised, the consequences aren't abstract.

Attackers can capture what patients enter, deface your public face, quietly serve scams and malware to the people who trust you, or use the site as a stepping stone toward your wider systems. Beyond the operational damage, an unmanaged, known-vulnerable public website is difficult to reconcile with a practice's information-security obligations.

How this maps to accreditation

  • RACGP C6.4 Information security — practices must protect the confidentiality, integrity and availability of health information.
  • C6.4A A named person responsible for the security of your electronic systems — a role SENTRY supports directly.
  • C6.4D A business-continuity and information-recovery plan — underpinned by verified, immutable backups.
  • RACGP CISS The Computer & Information Security Standards framework that sits behind C6.4.
  • Privacy Act APP 11 requires reasonable steps to protect personal information; a breach may be notifiable under the NDB scheme.

SENTRY's monthly report is designed to serve as ready-made evidence for your accreditation file.

04 · Introducing the service

Medlink Connect SENTRY

A single monthly service that takes full ownership of your website's security — continuously monitored and patched, hardened against attack, backed up, and reported on in plain English. It's driven by an AI-assisted monitoring platform, with our engineers making the judgement calls and doing the remediation.

Pairs with ThreatIQ

SENTRY guards your website. ThreatIQ trains your team. Together they close both sides of the ACSC's warning — the technical layer and the human layer — under one RACGP-aligned Medlink Connect umbrella.

Firewall & malware protection

A managed web application firewall and content-delivery layer filters malicious traffic before it reaches your site, plus continuous malware and webshell scanning.

Managed patching

Core, plugin and theme updates monitored, tested and applied — with actively-exploited vulnerabilities prioritised and patched fast, not left for a monthly cycle.

24/7 monitoring

Round-the-clock monitoring with AI anomaly detection, watching for the file changes and suspicious requests that signal an attack in progress.

Access hardening

Multi-factor authentication, brute-force protection and login lockdown, so a stolen or guessed password isn't enough to get in.

Encryption & header assurance

SSL/TLS kept valid and correctly configured, with security headers checked and maintained to modern standards.

Vulnerability scanning

Scheduled scans of your site and its components against live vulnerability feeds — so weaknesses are found on our watch, not the attacker's.

Immutable backups & DR

Daily immutable backups plus air-gapped disaster-recovery copies, with test-restores verified — so a clean, known-good version is always ready.

AI threat triage

When a national alert like the ACSC's lands, we cross-reference it against your exact stack and tell you — in plain English — whether you're affected and what we've done.

Incident response

If something does get through, we isolate, clean and restore — and give you a clear account of what happened and how it's been closed.

05 · What you receive every month

Proof it's working — and evidence for your accreditation file

You shouldn't have to take security on faith. Every month you get a plain-English report showing exactly what we did, what we caught, and where you stand — the kind of documentation a surveyor is looking for.

SENTRY · monthly security report · JUN 2026
Security patches applied14 applied · 0 pending
Malicious requests blocked3,812
Malware & webshell scansClean
Vulnerabilities found → remediated2 → 2
Backup test-restore verifiedPassed · 04 Jun
SSL / security headersValid · A rating
National alerts affecting you1 reviewed · not affected
Overall security postureStrong ▲

06 · Why AI-driven

The attackers are using AI. Your defence should too.

The ACSC alert is explicit: AI is accelerating the speed and scale of these attacks. A defence that runs at human pace — checking each site by hand every few weeks — was never going to keep up. SENTRY is built to move at the same tempo as the threat.

Every site, watched continuously

AI keeps every client's site under constant watch at once — not on a rotation, and not only when someone remembers to look.

New threats matched to your exact stack

The moment a vulnerability is disclosed, it's cross-referenced against your specific plugins and versions — so we know instantly whether it affects you.

The disclosure-to-patch window, closed

By triaging automatically, we cut the gap between a flaw becoming public and your site being protected from weeks to hours.

Human judgement where it counts

AI does the tireless watching and triage. Our engineers make the calls, test the fixes and handle remediation. A force-multiplier — not a black box.

07 · Plans & pricing

Straightforward monthly cover, per website

One predictable monthly fee. No long lock-in — just continuous protection and a report each month. Prices are per website; multi-site practices and groups are covered under the Group plan.

Essential
Core protection for a single, lower-risk site
$99/ mo +GST
per website · billed monthly
  • Managed core, plugin & theme patching
  • Malware & webshell scanning
  • Daily immutable backups
  • SSL & uptime monitoring
  • Monthly security report
Choose Essential
Recommended for practices
Practice
Full cover & accreditation-ready reporting
$179/ mo +GST
per website · billed monthly
  • Everything in Essential, plus:
  • Managed WAF & CDN protection
  • Priority same-day patching of exploited flaws
  • MFA / login hardening & header assurance
  • AI alert triage & advisories
  • Accreditation-ready reporting + quarterly review
Choose Practice
Group
Multiple sites or a practice group
$299/ mo+
from · consolidated across sites
  • Practice cover across every site
  • Consolidated multi-site reporting
  • Priority incident-response SLA
  • Named Medlink Connect contact
  • Volume pricing — quoted to your fleet
Talk to us
One-off onboarding — from $350 +GST. Before cover begins we run a full security audit: a malware and webshell scan, clean-up of anything we find, hardening, backup verification and a baseline report. On annual plans, onboarding is credited against your first quarter.
from $350

08 · Our recommendation

We strongly recommend every hosted-website client moves onto SENTRY

Given the current ASD ACSC critical alert and your obligations under RACGP Criterion C6.4, leaving a public CMS website unmanaged is a risk we don't think any practice should carry. For most of our clients, the Practice plan is the right fit.

For practices that don't need a full content management system, there's an even stronger option: we can remove the risk at its source by rebuilding your site on a hardened, static platform with no plugins to exploit — the same approach we've taken with our own sites. We're happy to advise on what suits you.

Where a practice chooses not to proceed To keep the line clear: website security maintenance — CMS and plugin updates, patching, malware scanning and monitoring — remains the responsibility of the website owner and sits outside your hosting agreement. Where a practice declines managed cover, we'll ask you to acknowledge this in writing, so there's no ambiguity about where that responsibility rests.