WordPress Security Checklist for Q2 2026: What to Audit Right Now
Between the WordPress 6.9.4 security patches, the April 2026 supply chain attack, and PHP 8.1 reaching end of life, Q1 2026 has been an eventful quarter for WordPress security. Use this checklist to audit your sites now.
Q1 2026 Security Summary
The first quarter of 2026 has produced several significant WordPress security events that require action from site owners. Before moving into Q2, review each item on this checklist to confirm your sites are fully protected.
Core and PHP Updates
- WordPress core is updated to version 6.9.4 or later. Versions 6.9 through 6.9.3 are vulnerable to CVE-2026-3906, CVE-2026-3907, and CVE-2026-3908.
- PHP version is 8.2 or higher. PHP 8.1 reached end of life on December 31, 2025 and no longer receives security patches.
- Automatic minor WordPress core updates are enabled.
Supply Chain Attack Response
- Review your installed plugin list against the WordPress.org disclosure of the 31 plugins removed in April 2026. Remove any that appear on the list.
- Review your wp-config.php file for any code you did not add. The April 2026 attack injected malicious code into this file.
- If you find unexpected code in wp-config.php, treat your site as compromised and restore from a backup predating August 2025.
- Audit your total plugin count. Remove any plugins that are no longer actively needed.
Plugin and Theme Updates
- All plugins are on their latest versions, with particular attention to WPvivid (CVE-2026-1357, CVSS 9.8) and Quick Playground (CVE-2026-1830, CVSS 9.1) if installed.
- Elementor is updated to version 3.35.8 or later to address CVE-2026-1206.
- All installed themes are updated, including inactive themes. Delete themes that are not in use.
Authentication
- Two-factor authentication is enabled and enforced for all Administrator and Editor accounts.
- All admin passwords have been changed if there is any possibility they were exposed in a recent data breach. Use a password manager to generate strong unique passwords.
- Login attempt limits are configured to block repeated failed logins.
- XML-RPC is disabled if not required by any active service or plugin.
Backups and Monitoring
- Automated daily backups are running and stored off-site.
- Backup restoration has been tested. A backup you have never tested is a backup you cannot rely on.
- Automated vulnerability scanning is active and alerts are being delivered to a monitored email address.
- File integrity monitoring is in place to detect unexpected changes to plugin and theme files.
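A minimal baseline-and-diff integrity check covering both the wp-config.php review item and the file integrity monitoring item above. This is an added example, not code from ScanMyWordPress; it builds its own constructed sample site in a temporary directory, and the watched paths (wp-config.php, wp-content/plugins, wp-content/themes) are assumed to be the standard WordPress layout.

```python
import hashlib
import tempfile
from pathlib import Path

# Standard WordPress locations worth watching: the config file targeted by
# the injection described above, plus all plugin and theme code (assumed layout).
WATCHED = ["wp-config.php", "wp-content/plugins", "wp-content/themes"]

def sha256_file(path: Path) -> str:
    """Stream the file so large plugin bundles need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each watched file (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for rel in WATCHED:
        target = root / rel
        if not target.exists():
            continue  # component not present on this site; nothing to hash
        files = [target] if target.is_file() else [p for p in target.rglob("*") if p.is_file()]
        for p in files:
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest

def diff_manifests(baseline: dict, current: dict) -> dict:
    """Files added, removed or modified since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }

def demo() -> dict:
    """Constructed sample site: baseline it, then simulate an edit to
    wp-config.php and a dropped-in plugin file, and report the difference."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/plugins/hello").mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        (root / "wp-content/plugins/hello/hello.php").write_text("<?php // plugin\n")
        baseline = build_manifest(root)  # store this somewhere the web server cannot write
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n/* unexpected */\n")
        (root / "wp-content/plugins/hello/x.php").write_text("<?php // new file\n")
        return diff_manifests(baseline, build_manifest(root))
```

Run build_manifest against a known-clean install right after an update and keep the result outside the web root; any later diff that is not explained by an update you performed is the signal to investigate.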
Stay Informed
The ScanMyWordPress blog publishes security advisories and vulnerability reports as significant issues are disclosed. Subscribe to alerts for your installed plugins to stay ahead of the next vulnerability before attackers begin exploiting it.