tl;dr: Temporary 24-hour cooldown period for plugin/theme releases before auto-updates. AI can give defenders an edge. We want to secure all 78K plugins and themes on WordPress.org.
One of the things we’ve always striven to do as the developers of WordPress is to work harder so you don’t have to; we take technology that’s complex or inaccessible and make it available to everyone, running in as many environments as possible. It’s the Open Source way.
Just last December there was a step-change in coding ability that rocked many developers, and since April’s reveal of Mythos, security activity has kicked into high gear. A few days ago, Chrome shipped a release with 429 security fixes! The threats and opportunities of these new capabilities inspired us to kick off an initiative we call Protect The Shire (hat tip J. R. R. Tolkien) with the aim of using our best minds and the infrastructure of WordPress.org to make all code in our directories and repositories as secure as possible.
Much of this work was and will remain behind the scenes, and we hope its success is defined mostly by what doesn’t happen. However, while we reckon with our newfound powers, we need to make space for review.
To Update or Not
WordPress core updates go through multiple people and layers of review before they go out, a process we’ve polished to a high art in the 18 years since we introduced one-click upgrades in 2.7 “Coltrane.”
Core is solid, and I’m so proud that over 50% of all WordPress sites have upgraded to 7.0 within two weeks! That’s the result of an unimaginable amount of work across thousands of hosts, developers, and teams across WordPress.org. We’ve pushed hard to make upgrades happen automagically, and as fast as possible.
We’re in a liminal period now, and I believe 2026 will be a year of tension between two approaches: updating as quickly as possible to stay secure, and holding back on updating to stay secure.
We’ve seen clever and dangerous supply chain attacks across the npm, PyPI, GitHub, and RubyGems ecosystems, and we even had our own mini-version with the Essential Plugins debacle, where good plugins were unknowingly sold to a new author who had malicious intent.
How to balance security updates and securing updates?
Mirkwood or the Wild West?
Everyone knows the fun of WordPress is in its 78k+ plugins and themes. We have a rigorous, human-powered review process for theme and plugin submissions, but once you’re published in the directory, you’re on your own. Our update system currently distributes every plugin and theme release as soon as a developer presses the button. That’s what keeps the directory as robust as WordPress itself. There were over 3,000 commits to the plugin repository yesterday!
For now, each new plugin release will wait up to 24 hours before being distributed through auto-updates. This will give everyone, including a new Wapuu we call Gandalf, a chance to review changes.
I expect 24 hours could be reduced to minutes as the process evolves, but we’ll err on the side of caution while AI models are advancing so rapidly.
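The directory-side cooldown described above is applied on WordPress.org before a release reaches auto-updates. A site owner who wants the same "wait and see" behaviour locally can gate the automatic updater with the real `auto_update_plugin` and `auto_update_theme` filters, measuring 24 hours from the first time the site sees a new release. The following is an added example, not code from this post or from WordPress.org; the function name, the option name `auc_first_seen`, and the constants `AUC_COOLDOWN_SECONDS` and `AUC_PRUNE_SECONDS` are assumptions chosen for this example, while `DAY_IN_SECONDS`, `get_option`, `update_option`, and the two filter hooks are real WordPress APIs. It generalizes the post's plugin-only description to themes as well.

```php
<?php
/**
 * Plugin Name: Auto-Update Cooldown (added example)
 * Description: Holds back automatic plugin and theme updates until a release
 *              has been visible to this site for 24 hours.
 */

// Names below are hypothetical, chosen for this example.
// DAY_IN_SECONDS is a real WordPress constant (86400).
define( 'AUC_OPTION', 'auc_first_seen' );
define( 'AUC_COOLDOWN_SECONDS', DAY_IN_SECONDS );
define( 'AUC_PRUNE_SECONDS', 30 * DAY_IN_SECONDS );

/**
 * Gate an automatic update behind a cooldown measured from the first time
 * this site saw the offered release.
 *
 * @param bool|null $update Whether WordPress intends to auto-update this item.
 * @param object    $item   Update offer with ->new_version and ->plugin or ->theme.
 * @return bool|null False while the release is inside the cooldown window.
 */
function auc_gate_auto_update( $update, $item ) {
	// Leave items alone that are already not going to auto-update.
	if ( ! $update ) {
		return $update;
	}

	// Identify the offer; plugin offers carry ->plugin, theme offers ->theme.
	$id = '';
	if ( ! empty( $item->plugin ) ) {
		$id = 'plugin:' . $item->plugin;
	} elseif ( ! empty( $item->theme ) ) {
		$id = 'theme:' . $item->theme;
	}
	if ( '' === $id || empty( $item->new_version ) ) {
		return $update; // Unrecognised offer shape: do not interfere.
	}

	$key  = $id . '@' . $item->new_version;
	$now  = time();
	$seen = get_option( AUC_OPTION, array() );
	if ( ! is_array( $seen ) ) {
		$seen = array();
	}
	$changed = false;

	// Drop old bookkeeping so the option does not grow without bound.
	foreach ( $seen as $k => $ts ) {
		if ( $now - (int) $ts > AUC_PRUNE_SECONDS ) {
			unset( $seen[ $k ] );
			$changed = true;
		}
	}

	// First sighting of this exact version: start its cooldown clock.
	if ( ! isset( $seen[ $key ] ) ) {
		$seen[ $key ] = $now;
		$changed      = true;
	}

	if ( $changed ) {
		update_option( AUC_OPTION, $seen, false ); // false = do not autoload.
	}

	if ( $now - (int) $seen[ $key ] < AUC_COOLDOWN_SECONDS ) {
		return false; // Still inside the 24-hour window: hold the update back.
	}
	return $update; // Cooldown elapsed: let the normal auto-update proceed.
}

add_filter( 'auto_update_plugin', 'auc_gate_auto_update', 10, 2 );
add_filter( 'auto_update_theme', 'auc_gate_auto_update', 10, 2 );
```

Drop the file into `wp-content/mu-plugins/` or install it as a normal plugin. Two caveats worth knowing: the clock starts when this site first sees the release, not when the developer published it, so the local delay stacks on top of any directory-side cooldown rather than replacing it; and because WordPress polls for updates only a couple of times a day, the effective hold is 24 hours plus up to one polling interval. Manual updates from the admin screen are not affected, since the filters only run inside the automatic updater.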
Our plugin review team seems superhuman, but it still needs to sleep. Bots don’t, and a depth of review that seemed unimaginable before is now a matter of time and tokens.
The security capabilities of AI are going to make the world weird and take a lot of our focus in the next few months, but there’s a light at the end of the tunnel.
Our Shire Is Special
There’s no shortage of ways to find, install, and update plugins and themes for WordPress. For those who choose WordPress.org, though, we want to make sure that it feels safe and secure. That means staying strict about some things—like guidelines and Open Source licenses—while also remaining flexible enough to allow solo hackers, community projects, and for-profit commercial plugins and themes to thrive in our ecosystem.
GitHub stars may get the hype, but if you add up all the numbers in our plugin directory, it’s over 400M installs. There are 69 plugins, many from solo devs, installed on over a million sites each! Now we need to learn from the best parts of GitHub and make that available to every developer on WordPress.org.
Just because WordPress plugins have a reputation for vulnerabilities is no reason not to aim for the same security and stability we’ve achieved in core. We’ve done the impossible a few times already in our journey from a b2/cafelog fork to where we are today.
Freedom and security are not zero-sum. With Open Source, we can show how security comes from transparency, not obscurity. Collaboration over competition. What we accomplish when we come together is nothing short of incredible. Success always attracts bad actors, but we grow stronger through every adversity.
More to come, stay tuned. I wish everyone in Kraków at WordCamp Europe the best and hope to see you soon!
