Blog

Security Insights & Updates

WordPress security tips, vulnerability news, and best practices.

WordPress Core

WordPress 6.9.4 Security Release: Three CVEs and a Triple Patch Chaos

WordPress released versions 6.9.2, 6.9.3, and 6.9.4 within roughly 24 hours in March 2026. Three CVEs were only partially fixed in the first two releases, leaving millions of sites exposed until 6.9.4 shipped.

ScanMyWordPress Team

15 Apr 2026 2 min read

Security

April 2026 WordPress Supply Chain Attack: 30 Plugins Backdoored

On April 5 and 6, 2026, a dormant backdoor in over 30 WordPress plugins was activated, injecting SEO spam visible only to Google. WordPress.org permanently closed 31 affected plugins on April 7. Over 20,000 sites were affected.

ScanMyWordPress Team

11 Apr 2026 2 min read

Vulnerabilities

CVE-2026-1357: Critical RCE in WPvivid Affects 900,000 WordPress Sites

CVE-2026-1357 is a critical unauthenticated remote code execution vulnerability in WPvivid Backup and Migration, a plugin installed on over 900,000 WordPress sites. CVSS score: 9.8. Update immediately.

ScanMyWordPress Team

04 Apr 2026 2 min read

Vulnerabilities

CVE-2026-1830: Unauthenticated RCE in Quick Playground WordPress Plugin

CVE-2026-1830 is an unauthenticated remote code execution vulnerability in the Quick Playground plugin for WordPress. The flaw stems from insufficient authorization checks on REST API endpoints that allow arbitrary file uploads.

ScanMyWordPress Team

28 Mar 2026 2 min read

Vulnerabilities

Elementor CVE-2026-1206: Sensitive Data Exposure Patched in March 2026

Elementor patched CVE-2026-1206 in version 3.35.8 in March 2026. The vulnerability allowed Contributor-level users to read private and draft Elementor templates they should not have access to.

ScanMyWordPress Team

21 Mar 2026 2 min read

Security

WordPress Two-Factor Authentication in 2026: Complete Setup Guide

Two-factor authentication is the single most effective control against credential-based attacks on WordPress. This guide covers setup, enforcement, and the best methods to use in 2026.

ScanMyWordPress Team

14 Mar 2026 3 min read

PHP Security

PHP 8.1 Reached End of Life in December 2025: Is Your WordPress Site at Risk

PHP 8.1 officially reached end of life on December 31, 2025. Any WordPress site still running PHP 8.1 in 2026 will never receive another security patch from the PHP project. Here is what you need to do.

ScanMyWordPress Team

07 Mar 2026 2 min read

Security

How to Read CVSS Scores and Prioritize WordPress Plugin Updates

Not every WordPress vulnerability requires the same urgency. CVSS scores give you an objective way to prioritize which plugin updates need immediate attention versus which can wait for your next maintenance window.

ScanMyWordPress Team

28 Feb 2026 2 min read

Security

How to Protect Your WordPress Site from Supply Chain Attacks

The April 2026 supply chain attack on 30 WordPress plugins exposed a fundamental weakness: established plugins can become malicious after ownership changes. Here is how to protect your site from this type of threat.

ScanMyWordPress Team

21 Feb 2026 3 min read

Start today

Is your site
safe right now?

Scan my site free View pricing

Security Insights & Updates

Is your sitesafe right now?

Is your site
safe right now?