WEEKLY UPDATE: FRIDAY 6TH MARCH 2026

The State of WordPress Security in 2026

Some worrying security stats from Patchstack, new features to make WordPress more accessible to AI crawlers, and improved visibility for contributors and plugins.


A fair bit of WordPress and WordPress adjacent news this week.

Patchstack releases State of WordPress Security in 2026

Patchstack has released its new report, the State of WordPress Security in 2026, and it paints a worrying picture:

In 2025, 11,334 new vulnerabilities were discovered within the WordPress ecosystem, a 42% increase over the 7,966 found in 2024. Of these, the number of highly exploitable vulnerabilities increased by 113% in that time.

By itself, this is concerning enough. But the real shocker is how quickly many of these vulnerabilities are exploited. According to Patchstack’s data, 20% were exploited within six hours of disclosure, 45% within 24 hours, and 70% within seven days. 46% of vulnerabilities were not fixed before being disclosed, meaning that in almost half of cases, there was a gap between the vulnerability being known about and the affected plugin being patched.

Patchstack’s message is clear: waiting for plugin updates alone is not enough. If you wait for your plugins to be updated, you’re leaving time during which your site is insecure and vulnerable to attacks.

“Regular plugin updates are the second line of defence, but as attackers weaponize new vulnerabilities within mere hours, this is not a viable defence.” 


These are sobering statistics, and part of the reason that we have integrated Patchstack virtual patching into our WordPress support plans, on top of the standard plugin updates and site maintenance.

Yoast launches Schema Aggregation

This week Yoast launched Schema Aggregation as an opt-in feature. It’s a new endpoint which provides AI crawlers with a map of an entire site – pages, articles, products, authors and additional organisational data – without them having to crawl individual pages on the site.

According to Alex Moss, Principal SEO at Yoast:

“An agent no longer needs to crawl all individual pages to understand its meaning but can now ingest an entire entity map with ease”

WordPress.org now serves Markdown output

Most sites on wordpress.org now support Markdown output. Predictably, the main audience for this is AI agents and large language models, which seem to increasingly be the main users of the web these days.

I’m not a big AI fan, but I am a fan of Markdown and simple text outputs for their accessibility benefits, however they are consumed, so this is something I’m planning to add to this site as well.

New WordPress Contributor Dashboard pilot

A new Contributor Dashboard pilot has launched, with the aim of making things simpler and more transparent for WordPress contributors.

The dashboard pulls contribution data directly from WordPress.org and maps activity across Make teams into a shared “Contributor Ladder” framework — Connect → Contribute → Engage → Perform → Lead — without ranking contributors or implying that some work matters more than others.

More information about the current status of the dashboard, as well as proposed next steps, can be found on the launch post.

A long-overdue update to the WordPress Featured Plugins tab

The list of featured plugins on the Add Plugins screen in wp-admin will look familiar to anyone who has used WordPress to any great capacity – apparently it hasn’t changed at all in the last eight years!

With over 60k plugins in the WP plugin directory, it’s fair to say that there is a discoverability problem – search relies on already knowing which plugin you are looking for, while ranking plugins based on popularity simply reinforces plugins that are already known.

The latest update to the Featured Plugins list aims to change this, with a regular rotation of eight human-curated plugins, changing every two weeks.

Plugins must meet several requirements to be eligible for consideration: released within the last 12 months, fewer than 10,000 active installs, compatible with the current WordPress version, recently maintained, and free of known security vulnerabilities.

The first round of featured plugins is as follows: