Four plugin backdoors in a month: WordPress supply chain in 2026
Austin Ginder disclosed four WordPress.org plugin backdoors in 30 days, plus an author who ran a hidden update server for five years. What it means for NIS2 and DORA dependency maps.
Posts in category security
CRA covers products with digital elements. NIS2 covers entities. DORA covers financial entities. When all three apply at once, headless WordPress sits at the intersection. I sketch what the joint evidence package looks like in 2026.
Article 28 of Regulation 2022/2554 makes financial entities responsible for the ICT risk of every third party they touch. I walk through the supplier due-diligence checklist I ship with WordPress engagements for banks and insurers in 2026.
Article 21 of Directive 2022/2555 lists ten risk-management measures every in-scope entity must implement. I map each one to a WordPress agency control, with the evidence file each one requires for audit.
Article 23 of Directive 2022/2555 sets three reporting deadlines: an early warning at 24 hours, a full notification at 72 hours, a final report at one month. What the WordPress agency must produce inside each window.
Article 23 of NIS2 gives 24 hours from awareness to file an early warning with the CSIRT. This playbook lists the WordPress-specific signals that trigger the clock and the template I file when the clock starts.
The NIS2 Directive (2022/2555) was to be transposed into national law by 2024-10-17. The DORA Regulation (2022/2554) applies directly from 2025-01-17. For a WordPress site operator this means specific obligations if the site relates to a regulated entity. We explain it without panic, with references to the texts of the acts.
Thirty-one plugins closed after a Flippa buyer planted a backdoor in the first SVN commit. How to audit plugin ownership, detect compromise, and harden your sites against supply chain attacks.
A comprehensive WordPress security hardening guide for 2026 covering server configuration, authentication with Passkeys, WAF setup, CSP headers, database protection, headless security, and a 25-point audit checklist.
A comprehensive guide covering essential WordPress best practices for security, SEO, and performance using only core features.
Learn how to add passkeys to WordPress with WebAuthn and FIDO2, plus how passkey registration works on iPhone, Android, Windows Hello, and security keys.
Protect your business data by choosing Open Source CMS over closed SaaS platforms in the era of AI. Learn about data ownership, GDPR compliance, and vendor lock-in risks.
Professional WordPress security audit services. Identify vulnerabilities, get actionable remediation plans, and protect your website from threats.
A practical guide to hardening WordPress in 2026 with passkeys, edge protection, infrastructure controls, and safer operational habits.
Has your WordPress been hacked? Don't panic. See the complete step-by-step process for removing viruses, backdoors, and malware. SSH, WP-CLI, and SQL methods.
Update crashed your site? Don't panic. See 3 proven ways to rollback WordPress core, plugins, or themes to a previous version.
Comprehensive guide to safely restoring WordPress after failed updates. Learn backup strategies, manual recovery via FTP/phpMyAdmin, plugin-based restoration, and prevention techniques.
Compare the best WordPress plugins in 2026 for security, SEO, cache, backups, and image optimisation, with practical advice on what to install and what to avoid.
Beyond the 5-minute install. Learn how to configure WordPress for security, debugging, and performance using wp-config.php constants and mu-plugins.
Comprehensive WordPress admin guide. Learn how to secure your site without plugins, configure Google Search Console and speed up loading.
Stop giving every user Administrator access. Learn how WordPress roles and capabilities really work, and how to design safer permissions.
White-label your WordPress login screen. Change the logo, customize CSS, disable the "Shake" effect, and harden error messages for security.
WordPress displays its version by default, inviting hackers. Learn how to remove the generator tag, asset versions, and implement Security Headers (HSTS, CSP).
Still using "admin"? You are being hacked right now. The definitive guide to securing WordPress authentication: 2FA, Passkeys, Fail2Ban, Cloudflare Turnstile, login monitoring, and incident response procedures.
The famous TimThumb script is a relic and a security hole. Learn how to properly resize images using add_image_size() and native WP functions.