Hacker News pushed this story high because it reads like the most ordinary possible route into a serious breach: an old plugin business gets sold, a shared module changes hands, and the real damage stays quiet for months. By the time WordPress.org closed 31 plugins, the nastier part was already sitting inside infected wp-config.php files.
A widely discussed Hacker News thread elevated a forensic report claiming that a buyer inserted a dormant backdoor into more than 30 WordPress plugins, then activated it months later.
Cloudflare has introduced EmDash as a preview CMS designed to rethink WordPress around plugin isolation and AI-native operations. The project combines Dynamic Worker sandboxes, manifest-scoped permissions, Astro-based theming, and built-in MCP and CLI support.
WordPress.com launched a built-in AI assistant on February 17, enabling Business and Commerce plan users to edit text, generate images via Google's Nano Banana models, and modify layouts through natural language commands.