WordPress adds 24-hour update delay, AI scanning for security

Image credit: Search Engine Journal

WordPress implemented a 24-hour delay for plugin and theme auto-updates and expanded its internal scanner with AI-assisted capabilities to enhance code security, the global content management system announced Tuesday.

The measure aims to bolster defenses against increasing software supply chain attacks that target open-source libraries, ensuring all code within WordPress.org directories and repositories undergoes security checks before distribution to users.

The 24-hour delay will allow for thorough security vetting of updates, a response to the growing threat, according to WordPress officials.

WordPress anticipates that the initial 24-hour delay will eventually be reduced to a matter of minutes as security processes become more efficient.

As part of the initiative, the WordPress Plugins Team expanded its internal scanner in January 2026, integrating AI-assisted capabilities and new automated checks.

These enhancements are designed to improve the workflow for reviewing plugins and themes, catching potential vulnerabilities earlier.

The primary goal of ‘Protect The Shire’ is to prevent security vulnerabilities and malicious attacks from ever reaching end-users, with success measured by the absence of incidents, according to statements from the organization.

The move follows similar concerns across the open-source ecosystem, which has seen platforms like npm, PyPI, GitHub, and RubyGems face challenges related to software supply chain integrity.

Security experts previously highlighted the need for enhanced security measures within widely used software platforms.

WordPress said in a statement that the initiative represents a proactive step to safeguard the millions of websites powered by its platform globally.

The organization emphasized its commitment to continuously evolving its security protocols to protect its vast user base from emerging cyber threats.

Source: Search Engine Journal