This week brought a blunt lesson. A normal plugin update or vendor script can hurt your site, even when you follow the usual safe path. WordPress also set a clear direction for 7.1, and that matters if your team edits content inside the block editor.
Security: Trusted channels became the threat
The biggest security story did not come from a normal plugin bug. Attackers tampered with vendor-hosted scripts for OptinMonster, TrustPulse, and PushEngage. That code ran inside real administrator sessions, then created rogue admin accounts and installed a hidden backdoor plugin.
That detail matters. A backdoor is hidden access that lets an attacker control a site later. Updating the plugin now does not prove your site stayed clean, because the attack used your own admin session while the bad script loaded.
If you use any of those plugins, check your users and plugins now. Start with this checklist for OptinMonster, TrustPulse, and PushEngage. Remove anything you do not recognize, then change admin passwords if you find signs of trouble.
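One way to run the user and plugin check described above, as an added example rather than code from the linked checklist or from any vendor. It assumes you have exported the administrator and plugin lists with WP-CLI and collected the folder names under wp-content/plugins; the allowlists, sample accounts and the `wp-cache-helper` name are constructed for illustration and are not indicators from the incident.

```python
import json
from datetime import datetime, timedelta

# Constructed sample data shaped like the JSON these WP-CLI commands print:
#   wp user list --role=administrator --fields=ID,user_login,user_registered --format=json
#   wp plugin list --fields=name,status --format=json
ADMINS_JSON = """[
 {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-02 10:15:00"},
 {"ID": 2, "user_login": "editor_lead", "user_registered": "2023-08-14 09:00:00"},
 {"ID": 57, "user_login": "wp_support_7", "user_registered": "2025-06-18 03:41:12"}
]"""
PLUGINS_JSON = """[
 {"name": "optinmonster", "status": "active"},
 {"name": "akismet", "status": "inactive"}
]"""
# Constructed: folder names actually present under wp-content/plugins on disk.
PLUGIN_DIRS = ["optinmonster", "akismet", "wp-cache-helper"]

# Assumption: you maintain these allowlists yourself, from a known-good state.
KNOWN_ADMINS = {"siteowner", "editor_lead"}
KNOWN_PLUGINS = {"optinmonster", "akismet"}

def audit(admins_json, plugins_json, plugin_dirs, now, window_days=30):
    """Return (finding, name) pairs that need a human look."""
    findings = []
    cutoff = now - timedelta(days=window_days)
    for user in json.loads(admins_json):
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if user["user_login"] not in KNOWN_ADMINS:
            findings.append(("unknown_admin", user["user_login"]))
        elif registered >= cutoff:
            # Allowlisted name, but created recently: confirm your team made it.
            findings.append(("recent_admin", user["user_login"]))
    listed = {plugin["name"] for plugin in json.loads(plugins_json)}
    for name in sorted(listed - KNOWN_PLUGINS):
        findings.append(("unknown_plugin", name))
    # A plugin that hides itself from the plugin list still has files on disk.
    for name in sorted(set(plugin_dirs) - listed):
        findings.append(("on_disk_not_listed", name))
    return findings

if __name__ == "__main__":
    for finding, name in audit(ADMINS_JSON, PLUGINS_JSON, PLUGIN_DIRS, datetime(2025, 6, 20)):
        print(f"{finding}: {name}")
```

An empty result only means nothing differs from your allowlists, so build those lists from a backup or record that predates the incident.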
ShapedPlugin brought the same lesson through a different route. Attackers inserted a backdoor into Pro plugin updates that the vendor sent through its official licensed update system. If you installed a recent paid ShapedPlugin update, treat the site as compromised until you scan it and get a known-clean copy. We covered the immediate steps in "ShapedPlugin Pro updates carried a backdoor."
Gravity SMTP needs urgent attention too. Attackers now actively probe unpatched sites for a flaw that can expose the keys and tokens your site uses to send email. Update first, then rotate those credentials and test email delivery. Use our Gravity SMTP update guide if that plugin sits on your site.
Avada Builder also landed on the high-risk list. Wordfence flagged a critical flaw that can let an attacker delete files on the server, which can lead to a full site takeover. The flaw only comes into play on a site with a published Avada form that saves entries, but the fix still belongs at the top of your queue if you use Avada Builder.
Take the bigger lesson seriously. Trusted vendors now fail often enough that you need a response plan. Keep daily backups, limit admin accounts, and review recent updates when something feels off.
Core: 7.1 starts to help editorial teams
WordPress published the 7.1 roadmap and set August 19 as the release date. The theme looks right. WordPress wants to help teams review, edit, and publish inside the editor, not bolt that work onto email and chat.
The headline features center on collaboration. Notes, the in-editor feedback tool, should gain suggestion mode and emoji reactions. Real-time collaboration still has open questions, so do not plan around Google Docs-style co-editing yet.
The most useful addition for site owners looks like Guidelines. This feature should let you store editorial rules inside WordPress, which can help writers and AI tools follow your voice. If several people publish on your site, start writing those rules now so you can test them early.
WordPress also plans practical editor upgrades. Responsive styling should make mobile layout changes easier. Pseudo-state styling should let you control hover and focus styles without custom code. Media uploads should get more reliable, and image cropping should get easier too.
Before 7.1 arrives, WordPress plans 7.0.1 for July 9. That release only fixes bugs from 7.0. If 7.0 caused editor glitches or layout oddities on your site, wait for 7.0.1 before you make bigger design changes, but keep minor auto-updates on.