insights

UpdraftPlus Vulnerability: 3 Million Sites at Risk

A critical flaw in UpdraftPlus — installed on 3 million+ WordPress sites — could let strangers access your site. Here's what to do right now.

11 June 2026·Uptrue Team· 4 min read

Keep your website visible and reliable

Try Uptrue Free

UpdraftPlus Vulnerability: 3 Million WordPress Sites Need Attention Right Now

Someone could log into your WordPress site without knowing your password. That's what this UpdraftPlus flaw makes possible — and with over 3 million active installations, the chances are decent that your site or a client's is running it.

The vulnerability was disclosed on 2 June 2026. If you haven't checked your plugins since then, now is the time.

What Happened With UpdraftPlus

Wordfence reported a critical authentication bypass flaw in UpdraftPlus, one of the most widely used backup plugins for WordPress. "Critical" here isn't marketing language — it's the highest risk rating a vulnerability can receive. Plain English version: the flaw could let a complete stranger gain access to your site without a username or password.

UpdraftPlus has more than 3 million active installations. It's the go-to backup plugin for a huge chunk of the WordPress world, which makes this one worth taking seriously.

The patch has been issued. The problem is that plugins don't update themselves unless you've switched on automatic updates — and most people haven't.

So: have you updated UpdraftPlus in the last week?

Who Is Actually Affected

Not every UpdraftPlus site is equally at risk. According to Wordfence, the vulnerability is only exploitable on sites that meet certain conditions. The full technical criteria aren't spelled out in their summary, but the confirmed facts are: the plugin has 3 million-plus active installs, the flaw is rated critical, and the submission came in on 2 June 2026.

Honestly, that's a bit thin on specifics. Wordfence hasn't published the full disclosure details yet, which is fairly standard practice — they give site owners time to patch before releasing information that could help attackers. We could not confirm the exact version numbers affected from the available source material at time of writing.

What we can say: if you're running UpdraftPlus and you haven't updated it recently, you should assume you're affected until you've checked.

What to Do Right Now

Three steps. Do them in order.

1. Check your UpdraftPlus version. Log into your WordPress dashboard, go to Plugins, and find UpdraftPlus. Note the version number showing.

2. Update it immediately. Click "Update Now" if an update is available. Don't schedule it. Don't wait for your next maintenance window. Do it now.

3. Check your other client sites. If you manage WordPress sites for clients, this is the moment to run through your list. An authentication bypass vulnerability (meaning: access gained without any login credentials) is exactly the kind of flaw attackers scan for automatically. They don't need to know your site exists — they run scripts across millions of URLs looking for vulnerable plugin versions.

If you're using a management tool that shows plugin versions across all your sites, use it. If you're not — that's a gap worth fixing before the next one of these lands.

What's Still Unclear

A few things remain unconfirmed right now. The specific version numbers affected haven't been confirmed from the available source material. The exact conditions that make a site exploitable are also still vague — Wordfence notes the vulnerability isn't exploitable on every installation, but hasn't yet detailed what configuration triggers the risk.

No confirmation exists yet of active exploitation in the wild. That's worth knowing. But authentication bypass vulnerabilities tend to get picked up by automated scanners quickly once word is out, so the window between disclosure and active attacks is often short.

Can Uptrue Detect This?

Uptrue won't catch the vulnerability itself — it's not a security scanner. What it does do is alert you if your site goes down, responds slowly, or shows SSL problems. Which matters here because a compromised site often behaves oddly before the real damage becomes visible: slow load times, unexpected redirects, pages returning errors.

If someone does exploit a flaw like this and starts messing with your site's files or settings, downtime or degraded response is frequently one of the first visible symptoms.

Uptrue monitors your WordPress site around the clock and sends alerts the moment something changes. You can set it up in a few minutes at uptrue.io — and if you manage multiple client sites, the Uptrue tracker gives you a single view across all of them.


FAQ

What is the UpdraftPlus vulnerability discovered in June 2026? A critical authentication bypass flaw in UpdraftPlus, disclosed on 2 June 2026, could allow an attacker to access a WordPress site without any login credentials.

How many sites does this UpdraftPlus flaw affect? UpdraftPlus has more than 3 million active WordPress installations, though Wordfence confirmed the vulnerability is only exploitable on sites meeting specific conditions.

Do I need to update UpdraftPlus right now? Yes — a patch has been issued, and you should update UpdraftPlus immediately via your WordPress dashboard under Plugins.

Will Uptrue tell me if my site gets hacked? Uptrue monitors for downtime, slow response times, and SSL issues — all of which can be early signs of a compromised site — and sends alerts in real time.

Where can I read the full Wordfence disclosure? The Wordfence report is at wordfence.com.


Sources

  1. Wordfence – Critical Unauthenticated Authentication Bypass Vulnerability Patched in UpdraftPlus WordPress Plugin
ShareX / TwitterLinkedIn
Get weekly reliability reports
Uptime rankings, incident summaries, and response time trends — every Monday.

Monitor your website - and your AI citations