Protect The Shire

WordPress.org is implementing a temporary 24-hour cooldown period for new plugin and theme releases before they are distributed via auto-updates, aiming to prevent supply chain attacks amid rapidly advancing AI capabilities. The initiative, called "Protect The Shire," will use automated review tools to analyze code changes during the delay, with the goal of securing all 78,000 plugins and themes in the directory.

tl;dr:
- Temporary 24-hour cooldown period for plugin/theme releases before auto-updates.
- AI can give defenders an edge.
- We want to secure all 78K plugins and themes on WordPress.org.

One of the things we’ve always striven to do as the developers of WordPress is to work harder so you don’t have to; we take technology that’s complex or inaccessible and make it available to everyone, running in as many environments as possible. It’s the Open Source way.

Just last December there was a step-change in coding ability https://x.com/karpathy/status/2026731645169185220 that rocked many developers, and since April’s reveal of Mythos https://red.anthropic.com/2026/mythos-preview/ , security activity has kicked into high gear. A few days ago, Chrome shipped a release with 429 security fixes https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html .

The threats and opportunities of these new capabilities inspired us to kick off an initiative we call Protect The Shire (hat tip J. R. R. Tolkien https://www.tolkiensociety.org/discover/biography/ ) with the aim of using our best minds and the infrastructure of WordPress.org to make all code in our directories and repositories as secure as possible. Much of this work was and will remain behind the scenes, and we hope its success is defined mostly by what doesn’t happen. However, while we reckon with our newfound powers, we need to make space for review.
To Update or Not

WordPress core updates go through multiple people and layers of review before they go out, a process we’ve polished to a high art in the 18 years since we introduced one-click upgrades in 2.7 “Coltrane.” https://wordpress.org/news/2008/12/coltrane/ Core is solid, and I’m so proud that over 50% of all WordPress sites have upgraded to 7.0 within two weeks https://wordpress.org/about/stats/ . That’s the result of an unimaginable amount of work across thousands of hosts, developers, and teams across WordPress.org. We’ve pushed hard to make upgrades happen automagically, and as fast as possible.

We’re in a liminal period now, and I believe 2026 will be a year of tension between two approaches: updating as quickly as possible to stay secure, and holding back on updating to stay secure. We’ve seen clever and dangerous supply chain attacks across the npm, PyPI, GitHub, and RubyGems ecosystems, and we even had our own mini-version with the Essential Plugins debacle https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/ , where good plugins were unknowingly sold to a new author who had malicious intent. How to balance security updates and securing updates?

Mirkwood or the Wild West?

Everyone knows the fun of WordPress is in its 78k+ plugins and themes. We have a rigorous, human-powered review process for theme https://make.wordpress.org/themes/handbook/review/ and plugin https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/ submissions, but once you’re published in the directory, you’re on your own. Our update system currently distributes every plugin and theme release as soon as a developer presses the button. That’s what keeps the directory as robust as WordPress itself.

There were over 3,000 commits to the plugin repository yesterday.

For now, each new plugin release will wait up to 24 hours before being distributed through auto-updates.
This will give everyone, including a new Wapuu https://wapuu.studio/wapuu/a-gandalf-wapuu-that-is-a-coding-wizard-302912b8/ we call Gandalf, a chance to review changes. I expect 24 hours could be reduced to minutes as the process evolves, but we’ll err on the side of caution while AI models are advancing so rapidly. Our plugin review team https://make.wordpress.org/plugins/ seems superhuman, but still needs to sleep. Bots don’t, and a depth of review that seemed unimaginable before is now a matter of time and tokens. The security capabilities of AI are going to make the world weird and take a lot of our focus in the next few months, but there’s a light at the end of the tunnel.

Our Shire Is Special

There’s no shortage of ways to find, install, and update plugins and themes for WordPress. For those who choose WordPress.org, though, we want to make sure that it feels safe and secure. That means staying strict about some things, like guidelines and Open Source licenses, while also remaining flexible enough to allow solo hackers, community projects, and for-profit commercial plugins and themes to thrive in our ecosystem. GitHub stars may get the hype, but if you add up all the numbers in our plugin directory https://wordpress.org/plugins/ , it’s over 400M installs.

There are 69 plugins, many from solo devs, installed on over a million sites each.

Now we need to learn from the best parts of GitHub and make that available to every developer on WordPress.org. Just because WordPress plugins have a reputation for vulnerabilities is no reason not to aim for the same security and stability we’ve achieved in core. We’ve done the impossible a few times already in our journey from a b2/cafelog fork https://wordpress.org/book/table-of-contents/ to where we are today https://wordpress.org/showcase/ . Freedom and security are not zero-sum. With Open Source, we can show how security comes from transparency, not obscurity. Collaboration over competition.
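A site-side counterpart to the release cooldown described above, as an added example that is not WordPress.org's own implementation: a small must-use plugin that holds plugin auto-updates on one site until the offered version has been visible to that site for 24 hours, hooked on core's `auto_update_plugin` filter. The option name and function name are this example's own; the filter, `$item->plugin`, `$item->new_version`, and the `DAY_IN_SECONDS`/`WEEK_IN_SECONDS` constants are core's.

```php
<?php
/**
 * Plugin Name: Local Update Cooldown (added example)
 * Description: Holds plugin auto-updates until the offered version has been visible to this site for 24 hours.
 */

// Option name is hypothetical (chosen for this example), not a core option.
define( 'LUC_OPTION', 'luc_first_seen_versions' );

/**
 * Decide whether an offered plugin update may be auto-installed yet.
 *
 * Runs on core's auto_update_plugin filter. $item is the record from the
 * update_plugins transient: $item->plugin is the plugin file and
 * $item->new_version the offered version. Returning false only holds the
 * automatic update; an administrator can still update manually after review.
 *
 * @param bool|null $update Core's current decision for this plugin.
 * @param object    $item   Update record.
 * @return bool|null
 */
function luc_gate_plugin_auto_update( $update, $item ) {
	if ( ! $update || empty( $item->plugin ) || empty( $item->new_version ) ) {
		return $update; // Nothing to gate.
	}

	$seen = get_option( LUC_OPTION, array() );
	$key  = $item->plugin . '|' . $item->new_version;
	$now  = time();

	if ( ! isset( $seen[ $key ] ) ) {
		// First sighting of this version on this site: start its clock and hold it.
		$seen[ $key ] = $now;
		// Drop records older than a week so the option does not grow unbounded.
		$seen = array_filter( $seen, function ( $ts ) use ( $now ) {
			return ( $now - $ts ) < WEEK_IN_SECONDS;
		} );
		update_option( LUC_OPTION, $seen, false );
		return false;
	}

	// Release once the version has been visible for the full cooldown.
	return ( $now - $seen[ $key ] ) >= DAY_IN_SECONDS;
}
add_filter( 'auto_update_plugin', 'luc_gate_plugin_auto_update', 10, 2 );
```

The filter is only evaluated when the automatic updater runs (twice daily by default), so the effective delay is 24 hours plus the wait for the next run. Drop the file into wp-content/mu-plugins/ so it cannot itself be disabled by an update.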
What we accomplish when we come together is nothing short of incredible. Success always attracts bad actors, but we grow stronger through every adversity. More to come, stay tuned. I wish everyone in Kraków at WordCamp Europe https://europe.wordcamp.org/2026/ the best and hope to see you soon.