TL;DR
- WordPress security in 2026 looks structurally different from 2018. Patchstack’s 2025 mid-year report counted 6,700 new vulnerabilities in six months — 89% in plugins, 41% actively exploitable, 57.6% requiring no authentication. The audit your hosting dashboard runs was not designed for this volume.
- An AI-audited hardening pass feeds your redacted wp-config.php, your .htaccess rules, your plugin list with versions, and your active theme to an AI chat. The chat returns a pass-or-fail against the WordPress.org hardening handbook plus a 24-month CVE cross-reference — a prioritized remediation list, not a generic checklist.
- The five-step workflow runs about two hours per site. Redact wp-config secrets. Pull .htaccess and plugin list. Feed the chat with one specific prompt. Read the output as three buckets — fix today, fix this week, monitor only. Apply in staging before production.
- Three traps. Pasting unredacted wp-config.php (your secrets become chat history). Trusting the chat’s CVE recall when last week’s Patchstack disclosure is not in training. Treating the hardening pass as the whole defense. Patchstack’s 2025 State report makes the disconfirming case — relying on updates is not enough.
- Hardening is a baseline, not a strategy. The audit you ran today closes the visible doors. Tomorrow’s CVE opens a new one. A defensible site treats hardening as a recurring practice.
Three hundred and thirty-three new WordPress vulnerabilities were disclosed in a single week of January 2026. Seventy-one percent of them shipped without a fix ready. Ninety-seven percent landed in plugins, not core. More than half required no login at all to exploit.
The audit your hosting dashboard runs was not aimed at this volume. Neither was the security plugin sitting in your dashboard. Both were designed for a slower 2018, when CVEs trickled in by the dozen.
This piece is about how an AI chat audits your wp-config.php, your .htaccess, and your plugin list. The audit runs against the WordPress hardening handbook and the last twenty-four months of CVEs. Two hours of careful work covers the configuration-review portion of a security firm engagement that would have cost around a thousand dollars; what it does not cover is spelled out at the end.
Why is WordPress security harder in 2026 than it was?
WordPress security in 2026 is structurally different from 2018. The vulnerability volume is the first signal.
Patchstack’s 2025 mid-year report counted 6,700 new vulnerabilities across the WordPress ecosystem in the first six months of 2025 alone. Cross-site scripting accounted for 34.7%. Cross-site request forgery for 19%. Local file inclusion for 12.6%. Forty-one percent of the total were classed as actively exploitable in the wild.
The fix gap is the second signal.
Webhostmost’s January 2026 audit guide tracks 71% of newly disclosed plugin vulnerabilities arriving without a patch ready when the disclosure lands. The plugin you trusted yesterday may carry a public CVE today with no remediation for another two weeks, and your exposure window is exactly that disclosure-to-patch interval. A third-party plugin code review walkthrough covers the deeper read for any plugin you cannot afford to wait two weeks on.
The plugin concentration is the third signal. In the January 2026 week above, 97% of new WordPress vulnerabilities landed in plugins, themes carried 2.8%, and core carried 0.2%; Patchstack’s 2025 mid-year figure was 89% in plugins. On either count, the fifteen plugins on your site are the surface area, not the WordPress installation itself.
The auth gap is the fourth. Depending on the sample, 57.6% to 58.9% of WordPress plugin vulnerabilities require no authentication to exploit. An attacker runs the exploit without a username, a password, or a logged-in session, so stronger passwords and two-factor login do nothing against this class.
Add the four signals together and the audit you ran in 2018 is no longer the audit your site needs in 2026. The 2018 audit was about misconfiguration. The 2026 audit is about misconfiguration plus continuous CVE pressure across hundreds of plugins.
What does an AI-audited hardening pass actually do?
An AI-audited hardening pass is a small, repeatable workflow. Two hours per site, including fix application.
Think of it as the security audit the landlord meant to do before handing you the keys. The landlord did not run it. You moved in. The locks still work. The wiring is untested. The smoke alarms have batteries from 2019. None of that is visible from the front door.
You give an AI chat four artifacts. Your redacted wp-config.php, with secrets stripped. Your relevant .htaccess rules. Your active plugin list with versions. Your active theme name and version.
You ask for one specific output. A pass-or-fail against the WordPress.org hardening handbook for each directive that applies to your stack. A cross-reference against the last twenty-four months of CVEs from Patchstack and Wordfence Intelligence for every plugin in your list. The output reads as a prioritized remediation list grouped by urgency.
The CVE cross-reference is the differentiator. A generic hardening checklist tells you to disable file editing in wp-config. The audited pass tells you the same. The pass also flags, for example, that your active forms plugin had an authentication-bypass CVE in November 2025 that your monthly update cycle missed.
How do you run the audit in one sitting?
The work splits into five steps. None of them needs a developer beyond reading the output.
Step 1 — redact wp-config.php and gather artifacts. Open wp-config.php in your text editor. Replace the value of each of the eight authentication keys and salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT) with the literal word REDACTED, keeping the quotes. Do the same for DB_USER, DB_PASSWORD, DB_HOST, and DB_NAME, and for any other constant that holds a credential, such as a plugin API key or SMTP password defined in the file. Leave every other define statement intact — DISALLOW_FILE_EDIT, FORCE_SSL_ADMIN, WP_DEBUG, the table prefix line. The structure is what the audit reads. Three minutes.
Step 2 — pull the .htaccess rules and the plugin list. Copy the WordPress-related rules from your .htaccess file. Copy your plugin list with versions from the Plugins, Installed Plugins screen, or from the output of wp plugin list if WP-CLI is available, and include any custom or premium plugins not in the WordPress.org directory. Add your active theme name and version to the same text file.
Step 3 — feed the chat with one specific prompt. Ask for a pass-or-fail against the WordPress.org hardening handbook. Each directive applicable to your stack gets a verdict. Ask for a cross-reference of the last twenty-four months of plugin CVEs from Patchstack and Wordfence Intelligence. State your priority order in plain English — public-facing site over internal staging, for example.
Step 4 — read the output as three buckets. Fix today, fix this week, monitor only. Critical CVEs with a public exploit go in fix today. Hardening misses that protect against unauthenticated exploitation go in fix this week. Pattern detections that mostly help logging go in monitor only.
Step 5 — apply fixes in staging, then production. Never paste a wp-config change directly to production. The staging copy is the test. Webhostmost’s January 2026 audit guide names this exact ordering as the standard workflow. If staging passes a smoke test (log in, load the front page, submit a form, confirm scheduled tasks still run), take a backup of production and make the same change there; at that point the production change is mechanical.
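Steps 1 and 3 can be partly automated before anything is pasted into a chat. The script below is an added example, not the article’s tooling and not code from WordPress.org: it redacts the secret constants in wp-config.php without disturbing the file’s structure, and grades the wp-config directives the article names as pass or fail. The same redaction answers the FAQ question on what to strip before you paste. The wp-config.php it reads is constructed for the example; its key and salt values are the placeholder text WordPress ships in wp-config-sample.php, which is why that check fails.

```python
"""Offline pre-check for Step 1 (redaction) and the wp-config part of Step 3 (verdicts).
Added example; the SAMPLE_WP_CONFIG below is constructed, not a real site's file."""
import re

SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'shop_prod' );
define( 'DB_USER', 'shop_user' );
define( 'DB_PASSWORD', 'Tr0ub4dor&3' );
define( 'DB_HOST', 'localhost' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', true );
define( 'DISALLOW_FILE_EDIT', true );
"""

KEYS_AND_SALTS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
DB_CONSTANTS = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")
# Extend this set with any site-specific constant that carries a credential.
SECRET_CONSTANTS = set(KEYS_AND_SALTS) | set(DB_CONSTANTS)
PLACEHOLDER = "put your unique phrase here"  # default text in wp-config-sample.php

# define( 'NAME', value );  value is a quoted string or a bare literal such as true/false.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>\w+)['"]\s*,\s*(?P<value>'[^']*'|"[^"]*"|[^)\s]+)\s*\)"""
)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"](?P<prefix>[^'"]*)['"]""")


def parse_defines(text):
    """Map every define()d constant to its raw value (quotes included)."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(text)}


def redact(text):
    """Return a copy with each secret constant's value replaced by 'REDACTED'.
    Only the value span is rewritten, so the file keeps its exact structure."""
    def replace_value(m):
        if m.group("name") not in SECRET_CONSTANTS:
            return m.group(0)
        start = m.start("value") - m.start()
        end = m.end("value") - m.start()
        return m.group(0)[:start] + "'REDACTED'" + m.group(0)[end:]
    return DEFINE_RE.sub(replace_value, text)


def _is_true(raw):
    return raw.strip("'\"").lower() in ("true", "1")


def hardening_verdicts(text):
    """Pass (True) / fail (False) for the directives the article names.
    Run this on the ORIGINAL file: after redaction the keys look set even when they
    were still the shipped placeholder. .htaccess and plugin CVEs are left to the chat."""
    defines = parse_defines(text)
    prefix_match = PREFIX_RE.search(text)
    prefix = prefix_match.group("prefix") if prefix_match else ""
    weak_keys = [
        k for k in KEYS_AND_SALTS
        if k not in defines or defines[k].strip("'\"") == PLACEHOLDER
    ]
    return {
        # WordPress treats each of these as false when the constant is absent.
        "DISALLOW_FILE_EDIT": _is_true(defines.get("DISALLOW_FILE_EDIT", "false")),
        "FORCE_SSL_ADMIN": _is_true(defines.get("FORCE_SSL_ADMIN", "false")),
        "WP_DEBUG_off": not _is_true(defines.get("WP_DEBUG", "false")),
        "keys_and_salts_set": not weak_keys,
        "table_prefix_non_default": bool(prefix) and prefix != "wp_",
    }


def failed_directives(text):
    """The wp-config fix list a reader carries into Step 4, in stable order."""
    return [name for name, ok in hardening_verdicts(text).items() if not ok]


if __name__ == "__main__":
    print(redact(SAMPLE_WP_CONFIG))
    print("FAILED:", failed_directives(SAMPLE_WP_CONFIG))
```

Paste only the output of redact(); keep the verdicts for yourself, since they are computed on the unredacted file. The regex covers the define() forms WordPress itself writes; a constant assigned from getenv() or a concatenation should be checked by eye.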
What can go wrong with this approach?
Three traps catch operators on a deadline.
Trap 1 — pasting unredacted wp-config.php. The eight authentication keys and salts and the four database credentials are real secrets. Pasting them into the chat puts them into chat history that your provider may retain. Strip the values before you paste. Leave only the structure. The audit does not need the secret values. The audit needs the shape. If you already pasted them, treat them as exposed: generate a fresh set of keys and salts (every logged-in session is invalidated, which is the point) and change the database password.
Trap 2 — trusting the chat’s CVE recall. Training data has a cutoff date. Patchstack’s most recent disclosures may not be in training. The chat may also confidently cite a CVE that was reclassified or withdrawn, attach a real CVE number to the wrong plugin, or produce an identifier that was never issued.
After the chat flags a candidate CVE, open Patchstack’s database in a browser. Verify the CVE number, the affected version range, and the patch status. Three minutes per flagged CVE. The chat accelerates the cross-reference. The chat does not replace it.
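The verification in Trap 2 and the bucketing in Step 4 are one piece of logic: confirm each flagged CVE against an authoritative record, then sort what survives. The script below is an added example, not the article’s tooling and not a Patchstack or Wordfence export. The chat output, the advisory record, the plugin names and the CVE-0000-… identifiers are all constructed placeholders; in practice the record is what you read off the Patchstack or Wordfence Intelligence entry for each plugin. The bucket rules are my reading of Step 4: a public exploit means fix today, an unauthenticated issue without one means fix this week, and an authenticated-only issue rides the normal update cycle under monitor only.

```python
"""Cross-check chat-flagged CVEs against an advisory record, then bucket them.
Added example; every entry below is constructed and the CVE ids are placeholders."""
import re

# What the chat returned for the plugin list. CVE-0000-44444 is in no record: a recall error.
CHAT_FLAGS = [
    {"plugin": "acme-forms",   "installed": "3.2.1", "cve": "CVE-0000-11111"},
    {"plugin": "acme-gallery", "installed": "1.8.0", "cve": "CVE-0000-22222"},
    {"plugin": "acme-cache",   "installed": "5.0.3", "cve": "CVE-0000-33333"},
    {"plugin": "acme-seo",     "installed": "2.4.0", "cve": "CVE-0000-44444"},
    {"plugin": "acme-slider",  "installed": "4.1.0", "cve": "CVE-0000-55555"},
]

# What the advisory database confirms. fixed_in=None means no patch has shipped.
ADVISORY_RECORD = {
    "CVE-0000-11111": {"plugin": "acme-forms",   "fixed_in": "3.2.2", "unauthenticated": True,  "public_exploit": True},
    "CVE-0000-22222": {"plugin": "acme-gallery", "fixed_in": "1.9.0", "unauthenticated": False, "public_exploit": False},
    "CVE-0000-33333": {"plugin": "acme-cache",   "fixed_in": None,    "unauthenticated": True,  "public_exploit": False},
    "CVE-0000-55555": {"plugin": "acme-slider",  "fixed_in": "4.0.2", "unauthenticated": True,  "public_exploit": True},
}


def version_key(v):
    """Numeric tuple for comparison; '1.8' and '1.8.0' compare equal."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return tuple(parts + [0] * (3 - len(parts)))


def triage(flags, record):
    """The article's three buckets plus two the chat cannot fill in for you."""
    buckets = {"fix today": [], "fix this week": [], "monitor only": [],
               "not affected": [], "unverified": []}
    for f in flags:
        adv = record.get(f["cve"])
        # The record must confirm both the identifier and the plugin it belongs to.
        if adv is None or adv["plugin"] != f["plugin"]:
            buckets["unverified"].append(
                (f["cve"], "not in the advisory record: check by hand, never act on the chat alone"))
            continue
        fixed = adv["fixed_in"]
        if fixed is not None and version_key(f["installed"]) >= version_key(fixed):
            buckets["not affected"].append((f["cve"], f"installed {f['installed']} >= fixed {fixed}"))
            continue
        action = (f"update {f['plugin']} to {fixed}" if fixed
                  else f"no patch for {f['plugin']}: deactivate, replace, or virtual-patch")
        if adv["public_exploit"]:
            buckets["fix today"].append((f["cve"], action))
        elif adv["unauthenticated"]:
            buckets["fix this week"].append((f["cve"], action))
        else:
            buckets["monitor only"].append((f["cve"], action + " in the normal update cycle"))
    return buckets


def bucket_by_cve(buckets):
    """Flatten to {cve: bucket name} for the four-line summary you hand to the site owner."""
    return {cve: name for name, items in buckets.items() for cve, _ in items}


if __name__ == "__main__":
    for name, items in triage(CHAT_FLAGS, ADVISORY_RECORD).items():
        for cve, action in items:
            print(f"{name:14} {cve}  {action}")
```

The unverified bucket is the whole point of the cross-check: an entry the record does not confirm is neither ignored nor actioned until a human has looked it up, and the version comparison keeps a plugin you already updated from being listed as open.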
Trap 3 — treating the hardening pass as the whole defense. Patchstack’s 2025 State of WordPress Security report makes the disconfirming case plainly. Relying on updates is not enough. Popular security plugins get disabled, bypassed, and even removed by malware on compromised sites.
Thirty-three percent of disclosed vulnerabilities have no fix available at the moment of public disclosure. The Bricks Builder remote-code-execution case in 2024 saw mass exploitation campaigns within hours of disclosure. Hardening reduces the attack surface. Hardening does not replace continuous monitoring, virtual patching, or backups.
How do you spread the audit across an afternoon and a calm morning?
A defensible hardening pass costs about two hours of your time spread across an afternoon and a calm morning.
Half a Tuesday afternoon redacts wp-config.php, pulls the artifacts, and runs the audit. The output lands in seconds. The next morning applies the fix-today bucket in staging, then production. The fix-this-week bucket gets calendar slots. The monitor-only bucket goes in a notes file you check during your monthly maintenance.
If you ship the prioritized list as a four-line summary to whoever owns the site, you have a second-pair-of-eyes artifact. Your developer friend, your security-conscious colleague, your former agency contact — any of them can read the same summary and weigh in. That is the point of writing the audit down.
Hardening is not a security strategy. Hardening is a baseline. The audit you ran today closes the visible doors. Tomorrow’s CVE opens a new one. The pass you just applied is good for two weeks at most before the next plugin vulnerability emerges. A defensible site treats hardening as a recurring practice. The chat accelerates the recurring practice. The chat does not eliminate the recurrence.
Other questions worth answering
What triggers a fresh look at your wp-config and plugin list?
Three triggers, not a calendar. The first: after any batch of plugin installs or updates. The second: after Patchstack or WPScan publishes a CVE for a plugin you run. The third: after a major WordPress core release.
The 2026 Webhostmost audit guide names monitoring as the final step of its seven-step workflow.
What if a plugin shows a CVE with no patch yet?
Three options. Deactivate the plugin if your site can run without it. Find a maintained alternative with feature parity. Apply virtual patching if you carry a Patchstack subscription.
Patchstack’s 2025 State of WordPress Security report named virtual patching as the most effective method for preventing roughly half of WordPress malware infections.
How do you check premium plugins bought from a marketplace?
Patchstack and WPScan track the popular marketplace plugins by name. Search both databases first for any plugin bought from CodeCanyon or a vendor’s own site. Marketplace plugins sit outside the WordPress.org directory’s audit signals.
For obscure premium plugins, paste the changelog into the chat. The 2026 Webhostmost audit guide names developer transparency as one of seven audit signals.
Why does no service certify a plugin as safe at install time?
Because no formal certification body exists. The WordPress.org Hardening WordPress handbook, updated January 7, 2026, treats plugin auditing as a manual practice. You read the code yourself, or you ask someone you trust to read it.
Patchstack and WPScan track CVEs after disclosure, not before publication. Plugin developers self-publish to the directory, so the audit responsibility moves to you.
Can a single check replace a paid Patchstack or Wordfence subscription?
No. A single check gives you a snapshot of your current configuration. The snapshot pairs the WordPress.org Hardening WordPress handbook, updated January 7, 2026, with a twenty-four-month CVE cross-check on your plugin list.
A subscription gives you continuous monitoring plus virtual patching against new CVEs as they land. Snapshot plus subscription is the defensible answer.
What should you redact before you paste?
Three groups of values. The four database constants: DB_USER, DB_PASSWORD, DB_HOST, DB_NAME. The eight authentication keys and salts. The custom table prefix if it functions as a secret, together with any other credential defined in the file, such as a plugin API key or an SMTP password. Replace each value with the literal word REDACTED, keeping the quotes. Three minutes of redaction.
The next post in this series is the wp-config hardening pass that respects your specific plugin stack. The audit flags any setting that would break a known plugin in your active list before you change it. The wp-config hardening walkthrough covers the next-step ruleset you apply after the audit’s fix-today bucket lands.
If you want a calm second opinion on your audit output before you apply the fix-today bucket to production, you can contact me here. I read your prioritized list, look at your plugin stack, and tell you which fix to apply first. There is no pitch, no upsell, and the conversation is free.