security

The WordPress.org plugins team implemented a 24-hour delay for all updates. While designed to prevent supply chain attacks, it introduces a dangerous vulnerability window. Here is how agencies and B2B maintainers must adapt.

A real audit of an SME WordPress site: Elementor pinned at 3.11.1 with four critical CVEs, and Contact Form 7 at 5.8 exposed to CVE-2023-6449 arbitrary file upload. The outdated-plugin pattern that fast and AI-assisted builds leave behind, and how an audit catches it.

A single week in June 2026 saw the Awesome Motive CDN breach, the ShapedPlugin build pipeline compromise, and a 13-year backdoor campaign exposed. The common thread: the official update channel was the attack vector. What store owners should actually change.

WordPress 7.0 added a Connectors screen that stores AI provider credentials, and some hosts auto-installed AI plugins. Here is the threat model and a hardening checklist.

GuardingWP's inaugural State of WordPress Security 2026 report scanned 424 confirmed WordPress installs across 40-plus verticals. The headline finding is that more than half ship at least one plugin with a known unpatched CVE. Patchstack founder Oliver Sild said WordPress 7.0 will trigger an "absolute rush by hackers to steal API keys." This article reads both as evidence that the plugin economy is the structural problem and NIS2 plus DORA already encode the fix.

Austin Ginder disclosed four WordPress.org plugin backdoors in 30 days, plus an author who ran a hidden update server for five years. What it means for NIS2 and DORA dependency maps.

CRA covers products with digital elements. NIS2 covers entities. DORA covers financial entities. When all three apply at once, headless WordPress sits at the intersection. I sketch what the joint evidence package looks like in 2026.

Article 28 of Regulation 2022/2554 makes financial entities responsible for the ICT risk of every third-party they touch. I walk through the supplier due-diligence checklist I ship with WordPress engagements for banks and insurers in 2026.

Article 21 of Directive 2022/2555 lists ten risk-management measures every in-scope entity must implement. I map each one to a WordPress agency control, with the evidence file each one requires for audit.

Article 23 of Directive 2022/2555 sets three reporting deadlines: an early warning at 24 hours, a full notification at 72 hours, a final report at one month. What the WordPress agency must produce inside each window.

Article 23 of NIS2 gives 24 hours from awareness to file an early warning with the CSIRT. This playbook lists the WordPress-specific signals that trigger the clock and the template I file when the clock starts.

The NIS2 Directive (2022/2555) was to be transposed into national law by 2024-10-17. The DORA Regulation (2022/2554) applies directly from 2025-01-17. For a WordPress site operator this means specific obligations if the site relates to a regulated entity. We explain it without panic, with references to the texts of the acts.

Thirty-one plugins closed after a Flippa buyer planted a backdoor in the first SVN commit. How to audit plugin ownership, detect compromise, and harden your sites against supply chain attacks.

A comprehensive WordPress security hardening guide for 2026 covering server configuration, authentication with Passkeys, WAF setup, CSP headers, database protection, headless security, and a 25-point audit checklist.

A practical notes covering essential WordPress best practices for security, SEO, and performance using only core features.

Learn how to add passkeys to WordPress with WebAuthn and FIDO2, plus how passkey registration works on iPhone, Android, Windows Hello, and security keys.

Protect your business data by choosing Open Source CMS over closed SaaS platforms in the era of AI. Learn about data ownership, GDPR compliance, and vendor lock-in risks.

A practical guide to hardening WordPress in 2026 with passkeys, edge protection, infrastructure controls, and safer operational habits.

Has your WordPress been hacked? Don't panic. See the complete step-by-step process for removing viruses, backdoors, and malware. SSH, WP-CLI, and SQL methods.

Update crashed your site? Don't panic. See 3 proven ways to rollback WordPress core, plugins, or themes to a previous version.

Comprehensive guide to safely restoring WordPress after failed updates. Learn backup strategies, manual recovery via FTP/phpMyAdmin, plugin-based restoration, and prevention techniques.

Compare the best WordPress plugins in 2026 for security, SEO, cache, backups, and image optimisation, with practical advice on what to install and what to avoid.

Beyond the 5-minute install. Learn how to configure WordPress for security, debugging, and performance using wp-config.php constants and mu-plugins.

Comprehensive WordPress admin guide. Learn how to secure your site without plugins, configure Google Search Console and speed up loading.

Stop giving every user Administrator access. Learn how WordPress roles and capabilities really work, and how to design safer permissions.

White-label your WordPress login screen. Change the logo, customize CSS, disable the "Shake" effect, and harden error messages for security.

WordPress displays its version by default, inviting hackers. Learn how to remove the generator tag, asset versions, and implement Security Headers (HSTS, CSP).

Still using "admin"? You are being hacked right now. The definitive guide to securing WordPress authentication: 2FA, Passkeys, Fail2Ban, Cloudflare Turnstile, login monitoring, and incident response procedures.

The famous TimThumb script is a relic and a security hole. Learn how to properly resize images using add_image_size() and native WP functions.