WordPress Announces Initiative To Secure All Plugins And Themes via @sejournal, @martinibuster

WordPress announced the Protect The Shire initiative for securing all plugins and themes in its repositories and directories. The post WordPress Announces Initiative To Secure All Plugins And Themes appeared first on Search Engine Journal.

WordPress announced a new security initiative called Protect The Shire that aims to secure plugins and themes. The announcement also said a temporary 24-hour delay will be imposed before plugin and theme updates are distributed through auto-updates.

Temporary 24 Hour Update Delay

In the past, plugin and theme updates were pushed out to WordPress users autonomously: A theme or plugin author would update their software and push it live to their users immediately. That’s no longer the case for the time being.

WordPress is temporarily delaying updates for 24 hours in order to have time to check the updated plugins to ensure that they are secure before allowing them to be sent to WordPress users. WordPress anticipates that this delay will, in time, become dramatically shorter so that it’s only a matter of minutes.

This new step is being taken in light of increasing incidents of software supply chain attacks, a scenario where a hacker sneaks a malicious payload into an open-source library that is subsequently distributed to every piece of software, plugin, and theme that depends on it. Hackers are targeting these libraries of useful code because they are frequently maintained by a single volunteer.

WordPress describes this moment as a “liminal period,” which means that the project is in a moment of transition, neither doing things the same way as in the past nor doing things as they intend to do in the near future.

The WordPress announcement explains:

“We’re in a liminal period now, and I believe 2026 will be a year of tension between two approaches: updating as quickly as possible to stay secure, and holding back on updating to stay secure.

We’ve seen clever and dangerous supply chain attacks across the npm, PyPI, GitHub, and RubyGems ecosystems, and we even had our own mini-version with the Essential Plugins debacle, where good plugins were unknowingly sold to a new author who had malicious intent.

How to balance security updates and securing updates?”

Protect The Shire Initiative

WordPress also announced a security effort called Protect The Shire for making all of the code in the WordPress.org directories and repositories secure.

WordPress did not describe specific technical details about how the initiative will operate, only that it will improve security across its ecosystem of plugins and themes. The announcement also says the work will happen behind the scenes, with success measured by vulnerabilities and attacks that never reach users.

WordPress Plugin Team Automation

WordPress has been using automated tools to assist plugin reviews for some time. In January 2026, the Plugins Team disclosed that its internal scanner, used to review plugin submissions, had been expanded with AI-assisted capabilities and dozens of new automated checks. According to the team, the scanner helps identify potential issues for human reviewers to investigate and is used to automate repetitive tasks.

The blog post explains:

“If there is one thing worth highlighting this year, it is how AI has impacted the WordPress plugin ecosystem. This impact is evident both in the number of submissions sent for review to be published in the directory, and in how the team is implementing AI-based analysis processes to help deliver improved workflows with a certain level of automation.

…The internal scanner is the in-house tool that the team uses to review plugins. It searches for hundreds of possible issues that the reviewers either confirm or dismiss when creating a report. As part of the improvements to this central tool for our day-to-day plugin reviews, we have worked on reducing review time, particularly for highly repetitive and time-consuming processes such as:

Verifying that the plugin name does not conflict with existing published plugins.

Ensuring branding is used correctly and complies with guidelines.

Verifying plugin ownership.”

Response On Social Media Is Positive

The response on social media was largely positive.

@Usmank11 tweeted:

“24 hours seems a good amount of time especially for small devs. I hope we won’t forget our releases after 24 hours of release to public..”

@enqueue_russ asked a question about how this would be timed with emails sent out by plugins:

“I’m curious to know how this will change the marketing strategy for many freemium plugins. They might no longer be able to time emails with releases on .org.”

Others agreed that this was a good decision that would improve the security of the WordPress ecosystem, although a few people had concerns.

@adampreiser tweeted:

“Am I the only one thinking this is going to create some problems as well?

What if there is an urgent bug fix? Welp, you have to wait 24 hours.

What if there is a pro version that needs to be available at the same time? Good luck timing that right.

Likely other issues.”

@themergency responded with a Gandalf “You shall not pass” animated gif, expressing their support:

“I support Protect The Shire!

A request from plugin devs: open up a way to integrate Gandalf-AI-style pre SVN commit scans into dev workflows.”

Reviewing Plugin Updates A Great Idea

Security has long been a concern for many WordPress users. The massive size of the WordPress user base makes WordPress plugins and themes a larger target for hackers, although the WordPress core itself has a fantastic track record for security. Reviewing plugin updates is going to make users more confident in WordPress and will likely win back some users who have been concerned about security.
