If your small business has a website, there's a good chance it runs on WordPress, and a good chance its biggest security weakness is a plugin you installed once and forgot about. Two recent events make the point: attackers quietly bought and backdoored a whole family of popular plugins, and separately, a single critical flaw left an estimated 150,000 sites open to takeover.
What happened
Two different stories, one lesson.
The supply-chain attack. An attacker bought an entire portfolio of more than 30 long-running WordPress plugins (the "Essential Plugin" family, formerly WP Online Support) on an online marketplace, quietly planted a backdoor in the code in late 2025, let it sit dormant, then switched it on in early April 2026. WordPress.org removed all 31 plugins from its repository on April 7. Because the plugins had hundreds of thousands of installs between them, the attacker could reach a vast number of sites at once, which is the whole point of going after a trusted plugin instead of attacking sites one by one.
The critical flaw. Separately, a critical vulnerability (CVE-2026-8206, rated 9.8 out of 10) in the popular Kirki plugin let unauthenticated attackers take over administrator accounts through a flawed password-reset feature. Security firm Wordfence found the plugin on more than 500,000 sites, with roughly 150,000 still vulnerable. The common thread is simple: the overwhelming majority of WordPress security holes live in plugins and themes, not in WordPress itself.
Why this is a small business problem specifically
- WordPress runs a huge share of small business websites, and most are plugin-heavy. The convenience that makes it great, a plugin for everything, is exactly what creates the risk.
- A plugin is software you've outsourced. When you install one, you're trusting whoever maintains it, today and after they sell it, abandon it, or get breached. The Essential Plugin attack is that trust being abused.
- The forgotten plugin is the dangerous one. The plugins that bite you are the ones nobody updates: a slider, a contact form, a countdown timer added years ago and never touched.
- A hacked site isn't only your problem. It can serve malware or spam to your customers, get you flagged by Google, and quietly damage the reputation the site exists to build.
What to do this week
You don't need to be a developer:
- Update everything now: WordPress core, plugins, and themes. Turn on automatic updates where you can.
- Delete plugins you don't use. Every one you remove is one less thing to maintain and one less way in. Deactivating isn't enough; delete it.
- Check the removed-plugin list. If your site runs anything from the Essential Plugin family that WordPress.org pulled in April, replace it with a maintained alternative.
- Lock the admin login with a strong, unique password and multi-factor authentication, so a stolen or reset password isn't game over.
- Keep off-site backups, so a compromised site can be restored rather than rebuilt from nothing.
- Run a quick check with our free Website Security Checker to see how your site looks from the outside.
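If you or your web host can run WP-CLI, the first three steps above can be turned into a quick inventory check. The script below is an added example, not part of this article or of any plugin project: it reads the JSON that `wp plugin list --format=json` prints and sorts each plugin into delete, replace, or update. The sample inventory and the watchlist slug are constructed placeholders, because the article does not list the removed plugins' slugs.

```python
import json

# Constructed sample in the shape WP-CLI's `wp plugin list --format=json` prints.
# Every slug and version here is made up for illustration.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "example-contact-form", "status": "active", "update": "available", "version": "5.9.0"},
    {"name": "example-slider", "status": "inactive", "update": "none", "version": "4.6.5"},
    {"name": "example-countdown-timer", "status": "inactive", "update": "available", "version": "1.2.0"},
    {"name": "example-essential-plugin", "status": "active", "update": "none", "version": "3.1.0"},
    {"name": "example-seo-tools", "status": "active", "update": "none", "version": "2.0.1"},
])

# Placeholder watchlist of plugins pulled from WordPress.org. Fill this from the
# published removal list; the slug below is a stand-in, not a real plugin.
REMOVED_PLUGIN_WATCHLIST = {"example-essential-plugin"}


def audit_plugins(wp_cli_json, watchlist=REMOVED_PLUGIN_WATCHLIST):
    """Sort a WP-CLI plugin inventory into the three actions from the checklist."""
    findings = {"delete": [], "replace": [], "update": []}
    for plugin in json.loads(wp_cli_json):
        slug = plugin["name"]
        if plugin["status"] != "active":
            # Deactivated code is still on disk and still reachable: delete it.
            findings["delete"].append(slug)
        elif slug in watchlist:
            # Removed upstream, so no fix will ever ship: swap in a maintained alternative.
            findings["replace"].append(slug)
        elif plugin["update"] == "available":
            findings["update"].append(slug)
    return findings


def remediation_commands(findings):
    """Turn the findings into the WP-CLI commands an admin would run."""
    commands = [f"wp plugin delete {slug}" for slug in findings["delete"]]
    commands += [f"wp plugin update {slug}" for slug in findings["update"]]
    commands += [f"wp plugin delete {slug}  # removed from WordPress.org; install a maintained alternative"
                 for slug in findings["replace"]]
    return commands


if __name__ == "__main__":
    for line in remediation_commands(audit_plugins(SAMPLE_WP_PLUGIN_LIST)):
        print(line)
```

On a live site, pipe the real inventory in with `wp plugin list --format=json` and review the printed commands before running any of them.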