Locked Out & Left Vulnerable: What NZ Small Businesses Must Know About Ransomware and WordPress Hosting

Ransomware attacks are on the rise globally, and New Zealand’s small businesses are increasingly in the crosshairs. With 43% of cybercrime targeting SMEs and WordPress powering over 75 million websites worldwide, attackers are actively exploiting weak passwords, outdated plugins, and poorly secured hosting environments.

For Kiwi business owners, the stakes are high: a single attack could lead to critical data loss, financial damage, and lasting reputational harm. Yet many small businesses still believe cybersecurity is an “unnecessary expense” – leaving them wide open to attack.

In this guide, we’ll break down:

  • Why ransomware is targeting NZ small businesses
  • How WordPress sites become vulnerable
  • The difference between secure and vulnerable hosting setups
  • Five key protections every SME must implement
  • What to do if you’re already infected

⚠️ Why NZ Small Businesses Are at Risk

1. High Value, Low Defence

Small businesses hold valuable customer and financial data but often lack the cybersecurity budgets or in-house expertise to protect it.

With over 90% of NZ businesses classified as SMEs, they’re a soft – and often lucrative – target for attackers.

2. Ransomware-as-a-Service (RaaS)

Cybercrime has been commoditised. On the dark web, hackers can buy plug-and-play ransomware kits for as little as $300-$1,800. They don’t need to be experts, just opportunistic.

Exploits commonly used include:

  • Brute force login attempts on WordPress sites
  • EternalBlue vulnerabilities on unpatched Windows servers
  • Phishing kits that trick staff into downloading malware

3. Downtime Costs Can Be Devastating

The average ransomware attack costs $5,000 per minute in downtime.

For many NZ SMEs, recovery costs (including data restoration, legal help, customer notification, and brand repair) can exceed $1 million.


🕵️ How Hackers Exploit WordPress Sites

WordPress is a phenomenal platform, but its popularity also makes it a frequent target.

Here’s how attackers gain access:

Brute force attacks – Repeated login attempts using weak credentials (e.g. username: “admin”, password: “123456”)

Outdated plugins or themes – Account for 63% of known WordPress vulnerabilities

SQL injection attacks – Hackers inject malicious code via contact forms or search bars

Phishing and malware – Staff click a fake link; ransomware gets installed silently

Compromised shared hosting – One infected site can lead to others on the same server
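
A way to spot the brute-force pattern from the list above in a web server access log, as an added example that is not part of the original article: it counts POSTs to the WordPress login endpoints per client IP in a sliding window and notes when a burst is followed by the 302 redirect WordPress sends on a successful login. The function name, threshold, window and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")  # endpoints that accept credentials

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: {"max_burst": int, "login_after_burst": bool}} for IPs that
    send >= threshold login POSTs inside `window` (defaults are illustrative)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    findings = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?")[0]
        if path not in LOGIN_PATHS:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, q = m["ip"], recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            f = findings.setdefault(ip, {"max_burst": 0, "login_after_burst": False})
            f["max_burst"] = max(f["max_burst"], len(q))
        # wp-login.php re-renders the form (200) on a failed login and
        # redirects (302) on success, so a 302 after a burst needs review.
        if ip in findings and path == "/wp-login.php" and m["status"] == "302":
            findings[ip]["login_after_burst"] = True
    return findings

# Constructed sample log (documentation IP ranges), not real traffic.
FMT = '{ip} - - [12/Mar/2025:{t} +1300] "{req} HTTP/1.1" {st} 4321 "-" "-"'
SAMPLE_LOG = (
    [FMT.format(ip="203.0.113.7", t="02:14:00", req="GET /wp-login.php", st=200)]
    + [FMT.format(ip="203.0.113.7", t=f"02:14:{s:02d}", req="POST /wp-login.php", st=200)
       for s in range(2, 14, 2)]
    + [FMT.format(ip="203.0.113.7", t="02:14:15", req="POST /wp-login.php", st=302),
       FMT.format(ip="198.51.100.20", t="09:01:05", req="POST /wp-login.php", st=200),
       FMT.format(ip="198.51.100.20", t="09:01:20", req="POST /wp-login.php", st=302)])

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

An IP reported with login_after_burst set is the case to treat as a likely account compromise: reset that account's password and review its recent activity. The second client in the sample, a user who mistyped a password once, is not flagged.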


🏰 WordPress Hosting: Secure vs Vulnerable

Not all hosting is created equal. In fact, your hosting setup can be your biggest risk or your strongest defence.

| Feature | Low-Cost Hosting | Managed WordPress Hosting (Red Jet) |
| --- | --- | --- |
| Automatic updates | ❌ Manual (often missed) | ✅ WordPress core, plugins, themes |
| Backups | ❌ Often same server | ✅ Nightly, off-site, restorable backups |
| Malware scanning | ❌ Rare or DIY plugins | ✅ Real-time scanning & alerts |
| Web Application Firewall | ❌ None | ✅ Cloudflare WAF, plugin-based firewall |
| DDoS protection | ❌ Not included | ✅ DNS-level traffic filtering |
| Expert support | ❌ Generic or limited | ✅ WordPress-specific assistance |

👉 Compare our secure WordPress hosting plans


🔐 5 Must-Do Ransomware Protections for WordPress

  1. Enable a Web Application Firewall (WAF) – Block malicious traffic before it ever reaches your server. We recommend Cloudflare WAF, plus a plugin-level firewall like Wordfence Premium or AIOS.
  2. Use Strong Passwords + Two-Factor Authentication (2FA) – Never use “admin” as a username. Require 2FA for all administrator logins. A strong password policy is non-negotiable.
  3. Implement Off-Site Backups – Follow the 3-2-1 rule:
    • 3 total backup copies
    • 2 stored on different mediums
    • 1 stored securely off-site (e.g. Amazon S3, or your hosting provider)
  4. Keep WordPress Updated – Hackers love outdated plugins and themes. Set up automatic updates or use a managed host like Red Jet that handles it for you.
  5. Train Your Team – Human error causes over 43% of cybersecurity breaches. Teach staff to recognise phishing emails and avoid clicking unknown links.

🆘 What to Do If You’re Hit by Ransomware

  1. Immediately isolate infected devices – disconnect from the internet to prevent further spread
  2. Restore your site from clean, off-site backups
  3. Do NOT pay the ransom – only 1 in 4 businesses recover data after paying
  4. Report the attack to CERT NZ at www.cert.govt.nz or call 0800 2378 69
  5. Get professional help – Use a trusted provider to fully clean, audit, and harden your site

👉 Fix a hacked WordPress site now


✅ Final Takeaway: Prevention Beats Panic

Ransomware is no longer a hypothetical; it’s a reality for New Zealand’s small businesses. But with proactive steps and a secure hosting partner, you can dramatically reduce your risk.

By choosing a secure hosting platform, enforcing strong login policies, and educating your team, you protect not only your site but your customers and your reputation too.


🔎 Next Steps

✔️ Compare secure WordPress hosting plans

✔️ Request a free WordPress security audit

✔️ Fix a hacked WordPress site

Don’t wait until it’s too late – secure your WordPress site today with Red Jet. 🇳🇿

Request a Free Website Audit


We offer a free WordPress website audit that reviews key areas including performance, security, and maintenance. We’ll assess your site’s loading speed, identify any potential vulnerabilities or outdated plugins, and evaluate how well it’s being maintained. This audit helps uncover issues that may be affecting your site’s reliability, SEO, or user experience with clear, actionable recommendations to improve your WordPress setup.