
WordPress’s market share has fallen for six consecutive months, now sitting at 41.90% as Shopify, Wix, and Squarespace continue to gain ground. Supply chain attacks remain front and center; the April Essential Plugin backdoor across 31 plugins prompted WordPress.org to institute a platform-wide 24-hour auto-update hold and launch the “Protect The Shire” security initiative. A critical UpdraftPlus flaw is putting 3 million sites at risk, while Kinsta shipped free bot protection for all plans. On the dev side, wp-now is deprecated in favor of Playground CLI, the official WordPress AI plugin hit 1.0.1 with 18 editor experiments, and the new Thryve Biz Agency FSE theme joined the directory.

💡 WordPress Spotlight
WordPress Loses Market Share for Six Consecutive Months as Competitors Surge: WordPress has shed 1.3 percentage points in CMS market share since December 2025, dropping from 43.20% to 41.90% by May 2026, more than double the 0.60-point year-over-year decline recorded just one year prior. Shopify, Wix, and Squarespace are each recording consistent gains, suggesting the acceleration is structural rather than seasonal. The data, sourced from W3Techs, paints a picture of a platform losing ground faster than at any point in recent memory. (Source)
WP Tavern, AI, and the Hidden Threats Lurking in Plugin Updates: Austin Ginder’s post traces how AI-assisted tooling is changing the plugin review pipeline and why that’s not enough on its own given how acquisition-driven supply chain attacks have evolved. The Essential Plugin backdoor, which activated in April 2026 after eight months dormant across 31 plugins, illustrates how trust in update channels is now a direct attack surface. The piece examines how automated threat detection and human editorial judgment need to work in tandem as the ecosystem scales. (Source)
Dozens of WordPress Plugins Hijacked in Coordinated Supply Chain Attack: A threat actor purchased the struggling Essential Plugin portfolio in mid-2025, quietly injected backdoors across 31 plugins, and waited eight months before activating the payload, hitting over 20,000 sites in a six-hour and forty-four-minute window. The malicious code modified wp-config.php and injected cloaked SEO spam visible only to search crawlers, making it nearly invisible to site owners. WordPress.org permanently closed all affected plugins on April 7, 2026, but sites that had already been compromised required manual cleanup beyond a standard update. (Source)
Patchstack Tightens Bug Bounty Scope to Prioritize Real-World Impact: As of June 1, 2026, Patchstack has significantly updated its bug bounty program rules, raising the bar for what qualifies as a valid submission to focus on vulnerabilities with clear and meaningful real-world impact. The Contributor user role is no longer in scope, meaning reports must now involve lower-privilege roles such as guest or subscriber to qualify. The changes are designed to reduce triage volume from technically-compliant-but-low-impact reports, while keeping the zero-day bounty track fully open. (Source)
WordPress Marketing Team Uses AI and Automation to Spotlight Community Contributions: The WordPress.org marketing team has published a new initiative exploring how AI tools and automation can surface the best community contributions, tutorials, plugins, and educational content across the sprawling WordPress ecosystem. The project sits within the broader “Find the Best of WordPress” effort, aiming to make community knowledge more discoverable for users and contributors alike. (Source)
wp-now Is Deprecated, Time to Migrate to Playground CLI: The @wp-now/wp-now package has been officially deprecated and will not receive future updates; developers are directed to migrate to @wp-playground/cli, the Playground team’s supported replacement for local WordPress development. The migration process took several months to stabilize, but Playground CLI now covers the same core use cases with better long-term backing. If you’re running wp-now in any local dev or CI workflow, the switch should be prioritized. (Source)
WordPress Institutes a 24-Hour Hold on All Plugin Auto-Updates: Matt Mullenweg announced on June 5 that WordPress.org will now hold every new plugin release for up to 24 hours before it flows through auto-update channels, converting what was previously opt-in into a platform-wide default covering all 61,000+ plugins. The delay gives an AI-assisted review system (internally called “Gandalf”) time to scan each release before distribution, a direct response to the Essential Plugin backdoor and the Smart Slider 3 Pro incident. The tradeoff is real: Patchstack’s 2026 research found roughly half of high-impact vulnerabilities are exploited within 24 hours of disclosure. (Source)
WordPress Core Calls for Testing on Unicode Email Address Support: A call for community testing has been issued for Unicode (non-ASCII) email address support in WordPress accounts, a long-requested feature tracked under ticket #31992, with initial support merged in [62482]. The update affects is_email() and sanitize_email(), which will now accept internationalized email addresses. Plugin and theme developers are encouraged to test compatibility before the feature lands in a stable release. (Source)
GoDaddy Managed WordPress Remains the Company’s Revenue Core: Despite years of diversification into website builders and commerce tools, GoDaddy’s managed WordPress hosting remains the anchor of its hosting business, a segment that continues to outperform expectations as WordPress adoption among professional site builders holds firm. The piece highlights how GoDaddy’s infrastructure investments and bundled tools continue to differentiate managed WordPress from commodity shared hosting, particularly for SMBs. (Source)
UpdraftPlus Vulnerability Puts 3 Million Sites at Risk: A critical authentication bypass flaw in UpdraftPlus allows attackers to execute commands with administrator-level privileges and install malicious plugins without valid credentials, affecting roughly 3 million active installations. The vulnerability enables full site takeover once exploited, making it one of the most severe plugin flaws disclosed in recent weeks. Site owners running UpdraftPlus should update immediately and verify no unauthorized admin accounts or plugins have been added. (Source)
Cybersecurity for WordPress in 2026, What Site Owners Need to Know: With plugin supply chain attacks, authentication bypass flaws, and AI-assisted threat scanning all converging, WordPress site security demands more than periodic updates. This overview covers the current threat landscape, from the Essential Plugin backdoor to UpdraftPlus, and outlines practical mitigation steps including activity logging, firewall rules, and trusted plugin sourcing. A useful primer for site owners who need to reassess their security posture in light of recent incidents. (Source)
✨ Fresh Features Rollout
Kinsta Launches Free Bot Protection Across All WordPress Hosting Plans: Kinsta rolled out Bot Protection on June 9, a self-serve dashboard feature available to all 230,000+ customers at no extra cost, built directly into MyKinsta at the environment level with no support ticket required. It includes four preset protection levels, a Block AI Crawlers toggle, emergency lockdown mode, a managed allow list covering WordPress and WooCommerce paths, and a bot traffic analytics tab. The context is stark: bots now account for 57.4% of all web traffic, and Kinsta’s own data shows bots hitting add-to-cart URLs 7.67 million times in a single 24-hour window. (Source)
WordPress Launches “Protect The Shire” Initiative to Secure All Plugins and Themes: WordPress.org has announced a new security initiative called “Protect The Shire,” aimed at systematically improving the security posture of all plugins and themes in its repositories. The effort comes directly off the back of the 2026 supply chain attacks and Patchstack’s finding that 11,334 new vulnerabilities were reported in 2025, with a five-hour median time to first exploit. Details on the review tooling, timelines, and scope are ongoing, but it marks one of the most formal platform-level security commitments WordPress has made to date. (Source)
🆕 Fresh Releases
Ultimate Addons for Elementor Pro 1.44.4 Delivers Elementor 4.1 Compatibility: UAE Pro 1.44.4, released June 3, brings full compatibility with the newly launched Elementor and Elementor Pro 4.1, letting users update their page builder without disruption. The release also fixes two targeted issues: Integration settings failing to save on WordPress subdirectory installs, and a fatal PHP 8.0+ error affecting the Nav Menu widget on TranslatePress-powered multilingual sites. Compact update, but essential for anyone running multilingual or subdirectory WordPress setups. (Source)
The Official WordPress “AI” Plugin Hits 1.0.1 with 18 Editor Experiments: Built by the WordPress AI team and formerly known as “AI Experiments,” the official AI plugin, simply listed as “AI” on WordPress.org, reached version 1.0.1 on May 27 and now ships 18 opt-in features including alt text generation, excerpt writing, content summaries, and comment moderation. It sits on top of WordPress 7.0’s new AI Client infrastructure, connecting to OpenAI, Anthropic, and Google via the centralized Connectors screen. With the 7.0 architecture in place, the team is now targeting a monthly release cadence with version 1.1.0 due in late June. (Source)
Thryve Biz Agency: A New FSE Theme Built for Agencies and Consulting Firms: Thryve Biz Agency is a new Full Site Editing (FSE) child theme released on June 11, built entirely with Gutenberg blocks for code-free customization and designed specifically for agencies, consulting firms, and professional service providers. It ships with responsive layouts, clean design, and full WooCommerce compatibility, making it usable for both service showcases and lightweight storefronts. Worth watching as the FSE theme category matures post-WordPress 7.0. (Source)
Packetra: A Privacy-Conscious WordPress Hosting Option from Finland and Switzerland: Packetra is a newly highlighted hosting provider running WordPress infrastructure out of Finland and Switzerland, with a distinct focus on privacy, offering anonymous signup and cryptocurrency payment options. WP Mayor covers its positioning in the managed WordPress hosting space as an alternative for users prioritizing data sovereignty and minimal tracking. Early-stage, but relevant for European users navigating tightening data residency requirements. (Source)
🗓️ Mark Your Calendar
If you’re looking for opportunities to network and learn, check out these upcoming WordPress events and meetups:
Flagship WordCamps
August 16 – 19, 2026: WordCamp US 2026, Phoenix, Arizona.
April 09 – 11, 2027: WordCamp Asia 2027, Penang, Malaysia.
Offline Events for WordPress
September 23, 2026: LoopConf 2026, event for WP developers & engineers.
October 16, 2026: WP Suomi 2026, for Nordic WP enthusiasts, Oulu, Finland.
Upcoming WordCamps
July 03, 2026: WordCamp Mannheim 2026, Mannheim, Germany.
July 04, 2026: WordCamp Masaka 2026, Masaka, Uganda.
September 11, 2026: WordCamp Switzerland 2026, Fribourg, Switzerland.
September 18, 2026: WordCamp Bretagne 2026, Rennes, Brittany, France.
October 03, 2026: WordCamp Rajasthan 2026, Jaipur, Rajasthan, India.
November 05, 2026: WordCamp Canada 2026, Vancouver, Canada.
November 12, 2026: WordCamp Netherlands 2026, Netherlands.
November 13, 2026: WordCamp Pisa 2026, Pisa, Italy.
Wrap-Up
That’s a wrap for this week’s WPDigest! Stay tuned for more exciting WordPress updates next week.






