WordPress in the Media
125 mentions across press, blogs, and newsletters
May 2026
WP Maps Pro Vulnerability Exposed 15,000 WordPress Sites to Site Takeover
A critical vul
Fake Adobe Document Cloud Pages Spread ScreenConnect Malware
Hackers are actively exploiting trust in Adobe Document Cloud by using fake delivery pages to install remote access malware. The campaign leverages a sophisticated phishing kit named “RatPressto,” which abuses compromised WordPress sites and legitimate software to evade detection while targeting
A year of web hosting for Managed WordPress on Hostinger is now 91% off
Launch Up to 50 WordPress Sites With Free Domain, SSL, Email, Backups & Lightning-Fast LiteSpeed Hosting. <a href="https://www.neowin.net/d
Russian Hacker Used Jailbroken Gemini to Steal Admin Credentials and Drain Crypto Wallets
A solo Russian-speaking threat actor leveraged a jailbroken instance of Google Gemini to run a five-year MAGA-themed influence operation, crack WordPress administrator credentials, and empty at least one victim’s cryptocurrency wallet, all at near-zero cost using stolen API keys. In May 202
$20 per zero-day is already the WordPress plugin reality
Vulnerability researchers have spent the past year arguing about whether AI agents can find real bugs at scale or whether they mostly generate noise. A pipeline built in three days by researchers from TrendAI and CHT Security supplies an answer, along with a price tag that the security industry w
Another top WordPress plugin exploited — hackers target credit card details, here's what you need to know
Funnel Builder WordPress plugin is being exploited to steal people's credit cards but the flaw has since been patched.
1 Million WordPress Sites Affected by Avada Builder File Read and SQL Injection Flaws
A widely used WordPress plugin powering over one million websites has been hit by two serious vulnerabilities that could allow attackers to steal sensitive data and access server files. Security researchers warn that the flaws in the Avada Builder plugin could be actively exploited if sites remai
1 Million WordPress Websites Exposed by Avada Builder Security Vulnerabilities
A widely used WordPress plugin powering over one million websites has been found vulnerable to two serious security flaws that could expose sensitive data and server files. Security researchers warn that the issues in the Avada Builder plugin could allow both authenticated and unauthenticated att
Critical WordPress Plugin Vulnerability Exposes Websites to Authentication Bypass Attacks
A critical vulnerability in a widely used WordPress plugin has exposed over 200,000 websites to full account takeover, raising urgent concerns across the security community. Discovered on May 8, 2026, by Wordfence’s AI-powered PRISM threat intelligence platform, the flaw affects the Burst Statist
Attackers exploit Funnel Builder bug to inject e-skimmers into e-stores
Attackers are exploiting a critical flaw in the WordPress Funnel Builder plugin to inject skimming code into WooCommerce checkout pages. A critical vulnerability in the WordPress Funnel Builder plugin is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages, accordi
Funnel Builder WordPress plugin bug exploited to steal credit cards
A critical vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript snippets into WooCommerce checkout pages. [...]
Avada Builder WordPress plugin flaws allow site credential theft
Two vulnerabilities in the Avada Builder plugin for WordPress, with an estimated one million active installations, allow hackers to read arbitrary files and extract sensitive information from the database. [...]
HostGator Promo Codes: 76% Off for April 2026
Unlock massive savings on HostGator web hosting, WordPress, VPS, and business email plans with our exclusive HostGator promo codes and deals.
Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin
Hackers are leveraging a critical authentication bypass vulnerability in the WordPress plugin Burst Statistics to obtain admin-level access to websites. [...]
Over a million WordPress sites hit in plugin flaw — so patch now or face the consequences
A popular WordPress plugin was found carrying two flaws that can cause data leaks.
Critical WordPress Plugin Flaw Allows Unauthorized Access to Websites
A critical vulnerability in a widely used WordPress plugin has exposed more than 200,000 websites to potential takeover, raising urgent concerns across the security community. Security researchers at Wordfence, using their AI-driven PRISM platform, have uncovered a severe authentication bypass fl
GoDaddy aims to solve WordPress complexity with new AI tool
Airo brings conversational AI to the world’s most popular CMS
Cloudways launches Site Manager for WordPress agencies
The new tool aims to cut manual upkeep for agencies juggling dozens of WordPress sites, with updates and checks now handled in one place.
Avada Builder Flaws Expose One Million WordPress Sites
Avada Builder flaws allowed file read and SQL injection on one million WordPress sites
Hackers Abuse Google Ads to Steal Users GoDaddy ManageWP login Credentials
Hackers are using fake Google ads to steal login credentials from ManageWP users, GoDaddy’s popular platform for managing WordPress websites from a single dashboard. The campaign, which researchers have dubbed “WrongPress,” plants a fraudulent sponsored search result directly ab
Hackers abuse Google ads for GoDaddy ManageWP login phishing
A phishing campaign delivered through Google sponsored search results is targeting credentials for ManageWP, GoDaddy's platform for managing fleets of WordPress websites. [...]
Your managed WordPress might be blocking AI bots and you can’t see it
<img alt="Your managed WordPress might be blocking AI bots and you can't see it" class="attachment-large size-large wp-post-image" height="1080" src="https://searchengineland.com/wp-content/seloads/2026/05/Your-managed-WordPress-might-be-blocking-AI-bots-and-you-cant-see-it.png" width="192
Rocket.net adds MCP integration, lets AI agents run your WordPress sites
<img alt="Rocket.net adds MCP integration, lets AI agents run your WordPress sites" class="attachment-large size-large wp-post-image" height="469" src="https://nerds.xyz/wp-content/uploads/2026/05/rocketne
CISA Alert Highlights Active Exploitation of cPanel & WHM Security Bug
The US Cybersecurity and Infrastructure Security Agency (CISA) has raised the alarm over a critical security vulnerability affecting WebPros cPanel & WebHost Manager (WHM) and WP2 (WordPress Squared). On April 30, 2026, CISA officially added this flaw to its Known Exploited Vulnerabilities (K
Chancery Lane Project launches AI-friendly WordPress plugin
Chancery Lane Project launches AI-friendly WordPress plugin to cut token use and energy demand as websites adapt to machine readers.
This free WordPress tool could save businesses billions every year by slashing the AI tokens needed to read the web — saving enough electricity to power the entire USA for 24 hours
Free WordPress plugin could slash AI web traffic data use enough to rival daily USA electricity consumption if widely adopted.
April 2026
Tired of WordPress? It's time to consider Joomla
If you're looking for another solution, this could be it
WordPress Plugin Hacked Since 2020 to Inject Malicious Code Silently
A massive supply chain attack has been uncovered in the Quick Page/Post Redirect Plugin, a popular WordPress plugin with over 70,000 active installations. Security researcher Austin Ginder discovered a dormant backdoor introduced five years ago that silently injects arbitrary code into websites.
Backdoored WordPress Plugin Abuses Remote Update Checker for Silent Code Delivery
A long-dormant backdoor has been uncovered in the “Quick Page/Post Redirect Plugin,” a popular WordPress add-on with over 70,000 active installations. The tampered plugin, specifically version 5.2.3, contained two distinct malicious features. First, it featured a passive content injec
Over 400,000 sites at risk as hackers exploit Breeze Cache plugin flaw (CVE-2026-3844)
Attackers exploit a Breeze Cache flaw (CVE-2026-3844) to upload files without login. Wordfence researchers detected over 170 attacks. Threat actors are exploiting a critical flaw, tracked as CVE-2026-3844 (CVSS score of 9.8), in the Breeze Cache WordPress plugin, allowing them to upload files to a s
I took an easier route to create my new website, and so should you
If you're tired of WordPress bloat, you might want to consider ClassicPress.
Hackers exploit file upload bug in Breeze Cache WordPress plugin
Hackers are actively exploiting a critical vulnerability in the Breeze Cache plugin for WordPress that allows uploading arbitrary files on the server without authentication. [...]
Mullenweg’s Override: Akismet’s Last-Minute Slot in WordPress 7.0 Sparks Core Clash
Matt Mullenweg overruled WordPress core committers to add Automattic's Akismet to the 7.0 Connectors screen, igniting process fights and exposing Automattic tensions amid release de
Buyer Spends Six Figures on WordPress Plugins, Plants Backdoors in All 31 for Mass Compromise
A six-figure Flippa buyout turned 31 trusted WordPress plugins malicious, backdooring thousands of sites with SEO spam after eight months dormant. No ownership alerts from WordPress
'Update immediately': 60,000 WordPress websites at risk after experts discover flaw that allows hackers to create hidden admin accounts
A critical WordPress plugin flaw allows attackers to bypass authentication and gain full administrative control, exposing websites to data theft and malware attacks.
Malicious WordPress Plugins with Backdoors Compromise Thousands of Websites
More than 30 WordPress plugins were shut down after a supply-chain backdoor compromised thousands of sites through the Essential Plugin portfolio. The post Malicious WordPress Plugins with
WordPress plugin suite hacked to push malware to thousands of sites
More than 30 WordPress plugins in the EssentialPlugin package have been compromised with malicious code that allows unauthorized access to websites running them. [...]
Popular WordPress plugins backdoored after ownership change, putting thousands of websites at risk
<img height="560" src="https://www.techspot.com/images2/news/ts3_thumbs/2026/04/2026-04-15-ts3_thumbs-c1a.jpg" style="padding: 15px 0;" title="Popular WordPress plu
WordPress websites under attack — expert report says dozens of plugins hijacked to target thousands of sites
A malicious actor found a struggling WordPress plugin company, bought it, and introduced malware to each product.
Someone bought 30 WordPress plugins and planted backdoors in all of them
An attacker bought 30+ WordPress plugins (Essential Plugin portfolio) on Flippa for six figures, planted a PHP deserializati
WordPress plugins used across thousands of websites found with malicious backdoors - Is your site at risk?
Dozens of WordPress plugins were taken offline after a suspected supply-chain attack involving a malicious backdoor added following a change in ownership
Hackers Hide Backdoor in Trusted WordPress Plugins for 8 Months Before Activating Malware
A group of trusted WordPress plugins quietly carried a hidden backdoor for eight full months, and nobody noticed until the damage had already been done. The attack, uncovered in April 2026, did not begin with a dramatic breach. It started with the silent purchase of a legitimate plugin business o
Trusted WordPress Plugins Hijacked in 8-Month Stealth Backdoor Campaign
Hackers secretly planted a remote code-execution backdoor in more than 30 popular WordPress plugins, leaving it dormant for about 8 months before activating malware that rewrote wp-config.php and injected cloaked SEO spam at scale. The incident centers on “Essential Plugin,” a portfolio of 30+ fr
The Quiet Sabotage: How Backdoors Were Planted in Dozens of WordPress Plugins Powering Thousands of Websites
Attackers planted backdoors in dozens of WordPress plugins through the official repository, compromising thousands of websites by exploiting stolen developer credentials and abandon
WordPress plugins taken offline after a developer found 30 injected with malicious code
WordPress plugins taken offline after a
Dozens of WordPress plug-ins removed after backdoor discovered
<img alt="Dozens of WordPress plug-ins removed after backdoor discovered" class="webfeedsFeaturedVisual wp-post-image" height="1015" src="https://dataconomy.com/wp-content/uploads/2026/04/dozens-of-wordpress-plug-ins-removed-after-backdoo.jpg" style="display: block; margin: auto; margin-bottom: 10px
Someone planted backdoors in dozens of WordPress plug-ins used in thousands of websites
Dozens of WordPress plug-ins were allegedly hijacked to push malware after they were sold to a new corporate owner.
WordPress Plugin Vulnerability Enables Admin Takeover via Auth Bypass
A newly disclosed vulnerability, tracked as CVE-2026-1492, has been identified in the User Registration & Membership plugin for WordPress, exposing websites to critical authentication bypass and privilege escalation risks. Affecting versions up to 5.1.2, the vulnerability allows remote attack
Cloudflare’s Quiet Power Play: How a $40 Billion Infrastructure Giant Is Trying to Reshape the Open Web
Cloudflare's acquisition of Em Dash and aggressive courtship of disaffected WordPress developers signals a serious bid to build a competing CMS on its global infrastructure — raisin
Cloudflare made a WordPress for AI agents
Cloudflare, the cloud provider that connects millions of sites to the internet, wants to "fix" another digital giant: WordPress. It announced a new open-source system, called EmDash, that's supposed to address the "core problems that WordPress cannot solve" - and they want to do it by allowing AI ag
Top WordPress Slider plugin hijacked to spread malware — here's what to look out for
A tainted version was pushed as an update to more than 800,000 active websites.
Smart Slider updates hijacked to push malicious WordPress, Joomla versions
Hackers hijacked the update system for the Smart Slider 3 Pro plugin for WordPress and Joomla, and pushed a malicious version with multiple backdoors. [...]
'A more secure, scalable platform that runs on modern infrastructure and supports AI-native workflows': Why Cloudflare's new EmDash is the "spiritual successor" to WordPress
Cloudflare outlines its vision for EmDash as a modern CMS designed to improve security, support AI-native workflows, and modernize how websites are built and managed.
Critical Vulnerability in Ninja Forms Exposes WordPress Sites
Ninja Forms File Upload RCE via unauthenticated arbitrary file upload; update to 3.3.27 immediately
Hackers Targeting Ninja Forms Vulnerability That Exposes WordPress Sites to Takeover
The vulnerability allows hackers to upload arbitrary files to a site’s server and achieve remote code execution. The post Hackers Targeting Ninja Forms Vulnerability
Build Faster, Launch Smarter: $207 off WordPress Hosting
Launch and manage up to 50 WordPress sites with fast, reliable hosting, built-in tools, plus 24/7 support. The post Build Faster, Launch Smarter: $207 off WordPress Hosting appeared first on <a href="https://
Hackers exploit critical flaw in Ninja Forms WordPress plugin
A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows uploading arbitrary files without authentication, which can lead to remote code execution. [...]
Launch 50 websites for just $20 with this all-in-one hosting plan
Building and growing websites has never been easier with this Hostinger Business Web Hosting for Managed WordPress subscription.
50,000 WordPress Sites Running Ninja Forms Vulnerable to Critical File Upload RCE
A severe security flaw has been discovered in the Ninja Forms File Upload plugin, a widely utilized WordPress add-on that allows website administrators to accept documents, images, and other media from their visitors. Tracked officially as CVE-2026-0740, this unauthenticated arbitrary file upload
Cloudflare Targets WordPress With New AI-Powered EmDash CMS
Cloudflare launches EmDash CMS, an AI-powered platform built to fix WordPress security flaws with sandboxed plugins, serverless scaling, and passkey auth.
Hackers Breach ILSpy WordPress Domain to Deliver Malware
The official WordPress website for ILSpy, a highly popular open-source tool used by software developers to examine .NET code, has been compromised. Hackers successfully breached the site to redirect visitors and deliver malware, turning a trusted developer resource into a dangerous trap. The Redi
[Deal Alert] 1-Year subscription to Hostinger Web Hosting for Managed WordPress now 91% off
Launch Up to 50 WordPress Sites With Free Domain, SSL, Email, Backups & Lightning-Fast LiteSpeed Hosting. <a href="https://www.neowin.net/d
The CMS Isn’t Dead — It Just Doesn’t Look Like It Used To
The monolithic CMS — where content storage, editing, and rendering live under one roof — is giving way to decoupled, API-first architectures. A veteran WordPress developer's essay c
Cloudflare previews 'EmDash' – an AI-driven rebuild of WordPress in TypeScript
The world's most popular CMS has been remade with the help of AI. Cloudflare has released EmDash version 0.1, described as a rebuild of the WordPress CMS (content management system) but using TypeScript rather than PHP. In contrast to the one week claimed for recreating Next.js using agentic AI, Cl
'I think EmDash was created to sell more Cloudflare services': WordPress co-founder Matt Mullenweg gives his verdict on Cloudflare's EmDash
WordPress co-founder Mullenweg isn't too critical about EmDash or Cloudflare, says he sees it as a commercial opportunity, not a 'spiritual successor'.
Cloudflare’s new CMS is not a WordPress killer, it’s a WordPress alternative
Cloud
Cloudflare’s new CMS is not a WordPress killer, it’s a WordPress alternative
Cloud
Cloudflare debuts EmDash to challenge aging WordPress with AI-native CMS
24 years ago, two young coders launched a fork of the b2/cafelog log code called WordPress, a content management system for the then-emerging blogging world that over two decades later has grown into the most used CMS on the planet, with WordPress estimated to power around 40% of sites on the int
Meet EmDash, the Cloudflare CMS and WordPress 'Spiritual Successor'
Cloudflare created an open-source CMS it calls a "spiritual successor to WordPress" — and indu
Cloudflare launches WordPress competitor to fix plugin security "crisis"
Cloudflare's AI-built "successor" claims better plugin security and AI compatibility as WordPress' troubles continue.
Cloudflare aims to dethrone WordPress with a new CMS – developers aren’t convinced - Cybernews
Cloudflare aims to dethrone WordPress with a new
Cloudflare launches EmDash — the 'spiritual successor' that wants to take on WordPress
Cloudflare says WordPress's plugin problem is out of hand – EmDash plugins take a different, more secure route.
Cloudflare launches EmDash as WordPress alternative
Cloudflare unveils EmDash, an open-source CMS with plugin isolation, migration tools and pay-per-use monetisation for publishers and AI access.
Cloudflare says WordPress is outdated and insecure, introduces EmDash CMS
<img alt="EmDash" class="webfeedsFeaturedVisual wp-post-image" height="670" src="https://nerds.xyz/wp-content/uploads/2026/04/EmDash-1024x762.pn
ImageMagick Zero-Day Enables RCE on Linux and WordPress Servers
New research from Octagon Networks reveals a critical zero-day ImageMagick vulnerability that allows Remote Code Execution (RCE) via simple image uploads affecting Ubuntu, Amazon Linux, and WordPress. This magic byte shift bypasses even the most secure policies.
March 2026
Threat Actor Auctioning WordPress Admin Access to Spanish E-Commerce Site With REDSYS Payment Gateway and ~1,200 Monthly Card Orders
Threat Actor Auctioning WordPress Admin Access to Spanish E-Commerce Site With REDSYS Payment Gateway and ~1,200 Monthly Card Orders
Around 500,000 WordPress websites could be at risk from crucial plugin security flaw — here's what we know
Hackers can read arbitrary files, including those containing passwords, with this newly discovered WordPress flaw.
WordPress Plugin Flaw Exposes Sensitive Data Across 800,000+ Sites
A severe security flaw has been disclosed in Smart Slider 3, a highly popular WordPress plugin currently active on more than 800,000 websites. Discovered by security researcher Dmitrii Ignatyev, this vulnerability enables authenticated attackers to read arbitrary files directly from the hosting s
File read flaw in Smart Slider plugin impacts 500K WordPress sites
A vulnerability in the Smart Slider 3 WordPress plugin, active on more than 800,000 websites, can be exploited to allow subscriber-level users access to arbitrary files on the server. [...]
This Premium WordPress plugin and theme have been compromised – here's how to check your website hasn't been infected
BuddyBoss had its update server compromised and used to push a poisoned update.
WordPress.com adds AI write tools for site control
WordPress.com now lets AI agents draft, edit and publish content directly to sites via conversation, expanding beyond read-only integrations.
WordPress now permits AI agents to write content for you
WordPress, a leading web hosting platform, is integrating artificial intelligence (AI) into its services.
WordPress Hands the Keys to AI Agents — and the Implications for Publishing Are Enormous
WordPress.com now allows AI agents to autonomously create, edit, and publish content through a Model Context Protocol server, marking the most aggressive move any major web platform
WordPress.com lets AI agents write, publish, and manage your site
Automattic has added write capabilities to WordPress.com’s MCP integration, giving AI agents like Claude and ChatGPT the ability to create posts, build pages, manage commen
WordPress.com now lets AI agents write and publish posts, and more
New AI agents on WordPress.com could lower barriers to publishing while increasing machine-generated content across the web.
You Can Now Let an AI Agent Modify Your WordPress.com Website
Paid plan customers can try out the new AI feature.
What’s Going On with FAIR Package Manager
Federated FAIR pivots from WordPress to TYPO3
SQL Injection Vulnerability in Ally WordPress Plugin Exposes 200K+ Sites
SQL injection flaw in Ally WordPress plugin exposes 200,000+ sites to data theft. Patch released, but most installations remain unpatched and vulnerable.
A Single Plugin Flaw Left 400,000 WordPress Sites Wide Open — And Most Owners Had No Idea
A critical authentication bypass vulnerability in the InstaWP Connect plugin exposed 400,000 WordPress sites to full administrative takeover without credentials. The flaw highlights
WordPress now lets you create websites directly in your browser
WordPress.org has launched a new tool that allows users to create a private website directly in their web browsers.
Security Flaw in WordPress Plugin Puts 400,000 Websites at Risk
A security flaw in the Ally WordPress plugin used on more than 400,000 sites could allow attackers to extract sensitive data without logging in. The post Security Flaw in WordPress Plugin Pu
A WordPress Plugin Flaw Puts 250,000 Sites at Risk — Here’s What You Need to Know
A critical WordPress plugin vulnerability threatens 250,000 websites with potential compromise. Security researchers flagged the flaw amid a persistent pattern of plugin-related ris
WordPress Launches Browser-Based Site Builder for Private Use
WordPress rolls out my.WordPress.net, a no-signup tool for drafting private sites
400K WordPress Sites Exposed by Elementor Ally Plugin SQL Flaw
A SQL injection flaw in the Elementor Ally plugin exposes over 400,000 WordPress sites to potential data theft. The post 400K WordPress Sites Exposed by Elementor Ally Plugin S
Another worrying WordPress plugin security flaw could put 250,000 websites at risk
WordPress plugin Ally was carrying an SQL injection flaw that allowed data exfiltration.
WordPress launches an in-browser website creator
WordPress.org is launching a new tool that lets you create a private website directly in your browser, according to an announcement on Wednesday. You can access the tool by heading to my.WordPress.net, which opens up a workspace where you can start building a website without signing up to WordPress,
Critical SQL Injection bug in Ally plugin threatens 400,000+ WordPress sites
An unauthenticated SQL injection flaw (CVE-2026-2413) in the Ally WordPress plugin, used on 400K+ sites, could allow attackers to steal sensitive data. An unauthenticated SQL injection flaw, tracked as CVE-2026-2413 (CVSS score 7.5), in Ally plugin could allow attackers to steal sensitive data. The
Ally WordPress Plugin Flaw Exposes Over 200,000 Websites to Attacks
The issue allows attackers to inject SQL queries and extract sensitive information from the database. The post Ally WordPress Plugin Flaw Exposes Over 200,000 Websites to Attacks
'It’s a WordPress that stays with you': WordPress can now run within your browser, letting you build private websites not on the public web
You can now build your fully private, local website with WordPress that's stored directly within your browser.
AI assistant can now build plugins on my.WordPress.net
<img alt="AI assistant can now build plugins on my.WordPress.net" class="webfeedsFeaturedVisual wp-post-image" height="493" src="https://dataconomy.com/wp-content/uploads/2026/03/1092834.jpg" style="display: block; margin: auto; margin-bottom: 10px;" title="AI assistant can now build plugins on my.W
Toolradar Research
See WordPress in context: The SaaS Press Index 2026
We analyzed 6,704 press mentions across 290 outlets to rank which SaaS tools win coverage. Find WordPress's position relative to the 488 most-covered tools.
Read the reportExplore WordPress
Press coverage is one signal. See the full picture.