Drupal has issued a security warning saying users who did not apply a patch for a recently discovered bug should "assume" they have been hacked.
Anyone who had not yet updated should do so immediately, it warned.
"Attackers may have copied all data out of your site and could use it maliciously," said the notice. "There may be no trace of the attack." It also provided a link to advice that would help sites recover from being compromised.
Mark Stockley, an analyst at security firm Sophos, said the warning was "shocking".
Drupal should no longer rely on users to apply patches, said Mr Stockley.
"Many site owners will never have received the announcement and many that did will have been asleep," he said. "What Drupal badly needs but doesn't have is an automatic updater that rolls out security updates by default."