
A Backup Plugin on 3 Million Sites Has a Critical Flaw. Check Yours Today.

Security firm Wordfence disclosed a critical hole in UpdraftPlus, WordPress's most popular backup plugin, on 11 June 2026. If your business site runs WordPress, here is the two-minute check that could save it.

Arjun Mehta

Web Performance & Technical SEO

4 min read


If your business website runs on WordPress, this one is worth fifteen minutes today. On 11 June 2026, the security firm Wordfence disclosed a critical flaw in UpdraftPlus, the most widely used backup plugin for WordPress, installed on more than three million sites worldwide. The flaw lets an attacker take full control of a site without ever knowing a password.

It is tracked as CVE-2026-10795, the standard identifier used to track a publicly disclosed vulnerability, and carries a CVSS severity score of 8.1 out of 10, which that scale rates as High. The makers of UpdraftPlus have released a fix, version 1.26.5, and their changelog tells every user the same thing: update immediately.

This is not a theoretical risk sitting in a lab. Wordfence reported blocking 8,172 attacks aimed at this single flaw in just one 24-hour window. Once a vulnerability is public, automated tools start hunting for unpatched sites within hours, and a small business site is just as easy a target as a large one.

What the flaw actually does

UpdraftPlus includes a feature for managing and migrating sites remotely. The flaw is what is called an authentication bypass: the check that is meant to confirm a command genuinely came from the site owner can be tricked. Because of a fault in how the plugin verifies and decrypts those remote messages, the secret key it relies on can collapse to a predictable, all-zero value. A secret that anyone can guess is no secret at all: it is the digital equivalent of a lock whose key is taped to the door.

With that bypass, an unauthenticated attacker, meaning someone with no login at all, can forge commands that run as the site administrator. From there they can upload a malicious plugin and run their own code on your server. That is remote code execution, the most serious outcome a website flaw can have, because it hands the attacker the keys to everything.

One important detail from the disclosure: only sites with an active Migrator key or UpdraftCentral key are exposed, so not every install is at immediate risk. But working out whether yours is takes longer than simply updating, so the safe move for everyone is to update first and ask questions later.

Why this matters for a small business

A compromised website is rarely a quiet problem. Attackers use hijacked small business sites to host phishing pages, send spam in your name, quietly skim customer details, or redirect your visitors to scam sites. Google flags infected sites with a red warning screen and can drop them from search results, so the damage to your reputation and your traffic often outlasts the break-in itself.

For most small businesses the website is the shopfront, the booking desk and the first impression all at once. Losing it for a few days, or having customers greeted by a security warning, costs real money and trust. The painful irony here is that the tool at fault is a backup plugin, the very thing people install to feel safe.

A website you never think about is exactly the kind a small business cannot afford to lose. The plugins quietly keeping it running are also the first doors an attacker tries.

What to do today

You do not need to understand the technical detail to protect yourself. The fix is fast if you know where to look:

  • Check whether UpdraftPlus is installed. Log in to your site's admin area (usually yoursite.com.au/wp-admin) and open the Plugins screen. The version number sits under each plugin's name; if UpdraftPlus is listed with a version lower than 1.26.5, that is the one.
  • Update it now. On the Plugins screen, click Update now for UpdraftPlus, then check that the version shown afterwards is 1.26.5 or later. This is the single most important step.
  • Turn on automatic updates for your plugins while you are there. WordPress has offered an Enable auto-updates link beside each plugin on that screen since version 5.5, so the next critical fix installs itself instead of waiting for someone to notice.
  • If you cannot log in, or are not sure what is installed, contact whoever maintains your site today rather than next week. Speed is the whole point.
  • After updating, look for signs of trouble. Updating closes the hole but does not undo anything an attacker did through it before you patched, so check for administrator accounts you did not create, plugins you never installed, and odd redirects when visiting the site. If anything looks wrong, have it cleaned by a professional before going further.
  • Confirm you have a recent backup stored somewhere off the site itself, so you can restore quickly if you ever need to.
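The same routine, scripted for anyone who looks after several WordPress sites from the command line. This is an added example, not code from the original post or from the UpdraftPlus project; it assumes WP-CLI (the wp command) is installed and that the script is run from the site's WordPress root, and it takes the fixed version 1.26.5 from this post. The version comparison runs on its own; the other functions call WP-CLI against the live site.

```shell
#!/bin/sh
# Added example (not from the original post or the UpdraftPlus project): the
# check / update / auto-update / look-for-trouble routine from the list above,
# scripted with WP-CLI. Assumes the "wp" command is installed and the script is
# run from the site's WordPress root (or with WP-CLI's --path option added to
# each call). The fixed version, 1.26.5, is the one named in the post.
set -u

FIXED_VERSION="1.26.5"

# version_lt A B: succeeds (exit 0) when dot-separated version A is older than B.
# Components are compared as integers left to right, so 1.26.10 is newer than
# 1.26.5 (a plain string comparison would get that wrong). A missing component
# counts as 0 and any non-numeric suffix such as "-beta" is ignored.
version_lt() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        case "$a" in
            *.*) x=${a%%.*}; a=${a#*.} ;;
            *)   x=$a;       a= ;;
        esac
        case "$b" in
            *.*) y=${b%%.*}; b=${b#*.} ;;
            *)   y=$b;       b= ;;
        esac
        x=${x%%[!0-9]*}; x=${x:-0}
        y=${y%%[!0-9]*}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# check_updraftplus: exit 0 when the site is fine (plugin absent, or already at
# FIXED_VERSION or later), 1 when it is installed at an older version, and 2
# when WP-CLI is unavailable so nothing could be checked.
check_updraftplus() {
    if ! command -v wp >/dev/null 2>&1; then
        echo "wp-cli not found; check the Plugins screen by hand" >&2
        return 2
    fi
    if ! wp plugin is-installed updraftplus; then
        echo "UpdraftPlus is not installed on this site"
        return 0
    fi
    installed=$(wp plugin get updraftplus --field=version)
    if version_lt "$installed" "$FIXED_VERSION"; then
        echo "NEEDS UPDATE: UpdraftPlus $installed is older than $FIXED_VERSION"
        return 1
    fi
    echo "OK: UpdraftPlus $installed is $FIXED_VERSION or later"
    return 0
}

# fix_updraftplus: pull the current release and switch on automatic updates for
# this plugin so the next fix does not wait for a person to notice.
fix_updraftplus() {
    wp plugin update updraftplus
    wp plugin auto-updates enable updraftplus
}

# post_update_review: print what the post says to look at after patching.
# Updating closes the hole but does not undo anything done through it earlier,
# so the newest administrator accounts and the full plugin list deserve a look.
post_update_review() {
    echo "== Administrator accounts, newest first =="
    wp user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered \
        --orderby=registered --order=desc
    echo "== Installed plugins (anything you did not install is a red flag) =="
    wp plugin list --fields=name,status,version,update
}

# Run the whole routine only when invoked as: sh updraftplus-check.sh run
if [ "${1:-}" = "run" ]; then
    check_updraftplus
    case $? in
        1) fix_updraftplus ;;
        2) exit 2 ;;
    esac
    post_update_review
fi
```

Save it as updraftplus-check.sh in the site root and run `sh updraftplus-check.sh run`; on a fleet, loop over site directories and run it with `--path` pointed at each one. The script only reports the administrator accounts and plugin list; deciding whether an entry is legitimate is still a person's job, and if one is not, the post's advice stands: get the site cleaned professionally before doing anything else.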

Treat this as a prompt to take your website's upkeep seriously rather than a one-off scramble. The same discipline that keeps a site fast and reliable, which we wrote about in treating performance as a feature, is what keeps it secure: stay patched, keep an eye on what is installed, and have backups you have actually tested. Because affected versions and advice can change as researchers learn more, confirm the current detail on the official UpdraftPlus changelog or with whoever looks after your site.

This is exactly the unglamorous work we take off your plate at NextAura. We build and look after business websites, keeping plugins patched, watching for issues like this one, and making sure backups are real and recent, so a headline like today's is a quiet Tuesday for our clients rather than an emergency. Hand us the maintenance and the monitoring, and you can get back to running the business.

Tags: WordPress, Website Security, Small Business, Maintenance