Weekly Roundup: June 29, 2026 – July 5, 2026

A Rough Week for WordPress Security

Well folks, if you were hoping for a quiet week in WordPress land, you didn’t get it. This week brought us a full-blown supply chain attack, an actively exploited plugin vulnerability, and WordPress.org scrambling to implement emergency security measures. Let’s break down what happened and what it means for your sites.

The Big One: Supply Chain Attacks Hit WordPress

The most serious story of the week was the ShapedPlugin supply chain attack that came to light on June 29th. If you’re not familiar with the term, a “supply chain attack” is when hackers compromise legitimate software before it reaches users—kind of like poisoning products at the factory instead of breaking into individual homes.

Several ShapedPlugin Pro commercial plugins were compromised back on June 18th, so if you installed or updated any of them between then and the June 29th disclosure, you may have unknowingly installed malicious code on your site. This is the nightmare scenario for WordPress site owners: you did everything right and kept your plugins updated, and the update itself is what hit you.

What makes this particularly concerning is that it affects premium, paid plugins. We usually think of commercial plugins as more secure than free alternatives, but a paid plugin is only as trustworthy as the vendor's build and release pipeline, and this attack shows that the "paid means safer" assumption doesn't hold on its own.
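WP-CLI's `wp plugin verify-checksums` can compare a plugin against the checksums WordPress.org publishes, but that only covers plugins hosted in the wordpress.org directory. A commercial plugin like ShapedPlugin Pro ships from the vendor's own servers, so the baseline has to be yours. The script below is an added example written for this roundup, not code from ShapedPlugin, WordPress.org or WP-CLI. It records a SHA-256 manifest of a plugin folder before an update, diffs it afterwards, and flags any added or changed PHP file that uses the obfuscation calls commonly seen in dropped backdoors. The plugin folder, its contents and the poisoned update in `demo()` are constructed for the demo and are not the actual ShapedPlugin payload.

```python
"""Snapshot a WordPress plugin directory and review what an update changed.

Added example for this roundup (not ShapedPlugin's, WordPress.org's or
WP-CLI's code). Everything under demo() is a constructed scenario.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Calls routinely used to hide a payload in PHP. A hit means "read this
# file by hand", not "compromised": some legitimate build output uses them.
SUSPECT_CALLS = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|create_function|assert)\s*\("
)


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large vendor bundles don't load into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(plugin_dir: str) -> dict:
    """Map each file's path (relative to the plugin root) to its SHA-256."""
    root = Path(plugin_dir)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict, out_path: str) -> None:
    """Store the baseline somewhere the web server cannot write to."""
    Path(out_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: str) -> dict:
    return json.loads(Path(path).read_text())


def review_update(baseline: dict, plugin_dir: str) -> dict:
    """Diff the current tree against the pre-update baseline.

    Returns added/removed/modified paths plus 'flagged': the subset of
    added or modified .php files containing SUSPECT_CALLS.
    """
    current = build_manifest(plugin_dir)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])

    flagged = []
    for rel in added + modified:
        if rel.endswith(".php"):
            text = (Path(plugin_dir) / rel).read_text(errors="replace")
            if SUSPECT_CALLS.search(text):
                flagged.append(rel)
    return {"added": added, "removed": removed, "modified": modified, "flagged": flagged}


def demo() -> dict:
    """Constructed scenario: snapshot a plugin, apply a poisoned update, review."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "example-pro"          # hypothetical plugin name
        (plugin / "assets").mkdir(parents=True)
        (plugin / "example-pro.php").write_text(
            "<?php\n// Plugin Name: Example Pro\nadd_action('init', 'example_pro_init');\n"
        )
        (plugin / "assets" / "style.css").write_text("body { color: #333; }\n")

        baseline = build_manifest(str(plugin))      # taken BEFORE the update

        # Simulated malicious update (stand-in, not the real ShapedPlugin code):
        # a new loader file plus a one-line hook appended to the main file.
        (plugin / "includes").mkdir()
        (plugin / "includes" / "loader.php").write_text(
            "<?php\neval(base64_decode($_POST['x'] ?? ''));\n"
        )
        with (plugin / "example-pro.php").open("a") as fh:
            fh.write("require_once __DIR__ . '/includes/loader.php';\n")

        return review_update(baseline, str(plugin))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you would run `build_manifest()` and `save_manifest()` right after each update you have reviewed, and `review_update()` against that saved baseline after the next one lands. The main file showing up under `modified` is normal for a release; the `flagged` entry is what you read before leaving the update in place.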

WordPress.org Responds: The 24-Hour Delay

In direct response to these supply chain concerns, WordPress.org announced a new 24-hour delay for all plugin and theme updates on June 30th. Here’s how it works: when developers push an update, it won’t immediately roll out to your sites. Instead, there’s a mandatory 24-hour holding period.

The idea is simple—give the security team a window to catch compromised updates before they reach millions of sites. It’s a temporary measure while they work on more sophisticated solutions, but it’s a pretty significant change to how WordPress updates have always worked.

Is it the perfect solution? Nope. It means legitimate security fixes take a day longer to reach the sites that need them, and a holding period only stops what somebody actually inspects during it. It also only covers updates that flow through WordPress.org; commercial plugins like ShapedPlugin Pro update from the vendor's own servers, so this particular measure would not have caught this particular attack. But given what happened, you can understand why they felt they had to do something immediately.

Another Day, Another Vulnerability

As if the supply chain attack wasn’t enough, we also learned about a critical vulnerability in Gravity SMTP that exposed API keys on about 100,000 sites. The scary part? Hackers were actively exploiting this one.

If you're using Gravity SMTP to send email from your WordPress site, this flaw could have leaked your email service API keys to attackers. Those keys are effectively the passwords that let services like SendGrid or Mailgun send email on your behalf. In the wrong hands, attackers can use them to send spam or phishing, all on your dime and under your domain name.

The fix is out, so if you haven't updated yet, do it now. Then rotate the API keys rather than hoping for the best: the update stops the leak going forward, but it does nothing about a key an attacker already copied, and that key stays valid until you revoke it at the email provider. While you're in the provider's dashboard, check its sending logs for messages you didn't send.

Not All Doom and Gloom: Alternatives Emerge

Interestingly, right in the middle of WordPress security week from hell, a new project called EmDash CMS launched as a WordPress alternative. The timing couldn’t be more perfect—or more suspicious, depending on how cynical you’re feeling.

EmDash is positioning itself as the answer to WordPress’s plugin security problems. It’s open-source and backed by Cloudflare, which gives it some serious credibility. The platform promises to fundamentally rethink how plugins work and how they’re secured.

Will it succeed? Who knows. WordPress has a massive ecosystem and switching costs are huge. But the fact that credible alternatives are emerging tells you something about the concerns people have with WordPress’s current security model.

Beyond WordPress: Ecommerce and Market Data

Not everything this week was about security drama. We also published a practical guide on WooCommerce tools for African ecommerce merchants. If you’re running an online store in Africa, you’re dealing with a complex puzzle of payment gateways, delivery services, and messaging platforms that weren’t really designed to work together. This piece breaks down what you need and how to make it all connect.

We also covered something completely different: displaying stock market data on your website. If your site shows financial information, you need to understand data licensing, accuracy limitations, and the disclaimers that protect you legally. Not the sexiest topic, but important if you’re in that space.

What to Watch Next Week

The big question heading into next week is whether WordPress.org’s 24-hour delay will catch anything, and whether we’ll see more supply chain attacks now that hackers know it’s a viable strategy. Keep an eye on any plugins you’re using from smaller development shops—they’re more likely targets because they have fewer security resources.

Also watch for EmDash's progress. A Cloudflare-backed WordPress alternative could actually gain traction if WordPress's security problems continue. And finally, if you're using ShapedPlugin or Gravity SMTP, stay vigilant. Updating to a clean version removes the bad update but not anything it did while it was running, such as extra admin users, scheduled tasks, or files dropped outside the plugin folder, so check for those too. Sometimes the aftermath of these attacks is worse than the initial breach.

Stay safe out there, and for crying out loud, keep your plugins updated—even if they now take an extra day to arrive.

WP Guy News aims to be as close to a single source of WordPress news as possible. It is sponsored by Your WP Guy, a WordPress security and maintenance company. You can learn more about the company here: Your WP Guy
