A WordPress publication · Launched May 2026
WordPress, without the developer-speak.
A smart, opinionated publication about what's actually happening in WordPress, written for WordPress site owners and for the developers and consultants who advise them.
This week's roundup
Read in full Issue 06 / Weekend Within · June 19, 2026
Issue 6: Bad week for trusted updates
Supply chain attacks hit trusted plugins, and WordPress 7.1 shows where editing is heading next.
Inside this issue
01
Security Trusted plugin channels caused the biggest risks this week.
02
Core WordPress 7.1 should help editorial teams, not just developers.
Recently
All articlesJune 19, 2026
Avada Builder has a critical file deletion flaw
Avada Builder users should update now. A patched flaw can let attackers delete server files without logging in.
Security
2 min
June 19, 2026
Issue 6: Bad week for trusted updates
Supply chain attacks hit trusted plugins, and WordPress 7.1 shows where editing is heading next.
Weekend Within roundup
5 min
June 18, 2026
Update Gravity SMTP now, attackers are targeting unpatched sites
Attackers are hitting a Gravity SMTP flaw that can expose email service keys, secrets, and login tokens.
Security
2 min
June 17, 2026
ShapedPlugin Pro updates carried a backdoor
Attackers slipped a backdoor into ShapedPlugin Pro plugin updates sent through the official licensed channel.
Security
2 min
June 15, 2026
Check for rogue admins if you use OptinMonster, TrustPulse, or PushEngage
A supply chain attack tampered with scripts from three marketing plugins and created hidden WordPress admin accounts.
Security
3 min
June 12, 2026
Issue 5: Security got stricter
WordPress slowed plugin auto-updates, UpdraftPlus fixed a serious bug, and 7.1 looks more stable.
Weekend Within roundup
4 min