Something Changed in April 2026
On April 7, 2026, Anthropic published a research paper that most small business owners will scroll past without a second thought. You probably won't read it. But what it describes changes the math on website security in a real, immediate way.
Their newest AI model, Claude Mythos Preview, can autonomously find and exploit zero-day vulnerabilities in major operating systems and browsers. Not with a human guiding it step by step. On its own. For less than $50 per run.
One of their own engineers with no formal security background asked the model to find remote code execution vulnerabilities overnight. They woke up the next morning to a complete, working exploit. That sentence is worth reading twice.
Why WordPress Owners on Oahu Should Pay Attention
WordPress runs roughly 43% of the public web, and it is the most targeted software platform on the planet by a wide margin. That's not an opinion; it's just what the attack data shows year after year.
Here's the statistic that matters most: according to Patchstack's security research, 96% of all WordPress vulnerabilities live in plugins. Not in WordPress core. In the plugins sitting on your site right now. In 2024 alone, the WordPress ecosystem disclosed nearly 8,000 new vulnerabilities, a 34% jump from the year before.
Now layer an AI model that can turn a newly published patch into a working exploit overnight, for the cost of a plate lunch, on top of that plugin vulnerability rate. That combination is what changed this month.
The Grace Period Is Gone
Before tools like this existed, a skilled attacker needed one to four weeks to reverse-engineer a security patch and build a working exploit from it. That window gave site owners a realistic chance to apply updates before the attacks arrived.
Here's how that same scenario plays out now. A popular contact form plugin ships a security update on a Tuesday morning. The release notes mention a privilege escalation fix. By Tuesday afternoon, that patch diff gets fed into a Mythos-class model. By Wednesday morning, automated scanners are hitting every WordPress install on the public internet looking for unpatched sites.
If your site updates plugins once a month, or once a quarter, you are sitting in that exposure window for every security advisory that drops. That is not a worst-case forecast. It is the direct result of what Anthropic published.
What You Actually Need to Do
Get Patches Applied Within 24 Hours
The most important number for any WordPress site right now is the time between a security advisory being published and that fix going live on your site. A week is too slow. A month is asking for trouble.
For plugins from well-supported publishers, enable automatic updates and make sure you have rollback capability if something breaks. For higher-stakes plugins, like e-commerce or membership tools, use a staging environment so you can test before pushing to your live site. The goal is 24 hours, not 24 days.
Cut Your Plugin Count Down
If 96% of WordPress vulnerabilities live in plugins, every plugin you can remove is a real reduction in risk. The typical WordPress site we see across Oahu runs 25 to 45 plugins. Many of those are abandoned, redundant, or used for a single minor feature that could be handled with a few lines of code instead.
A realistic target is 15 or fewer plugins. Delete anything that hasn't been updated in the past year. Replace bloated multi-feature plugins with leaner alternatives where you only actually use two or three features. Audit premium plugins regularly; if you're not using what you're paying for, get rid of it.
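One way to run both of the checks above (patch lag and plugin count) from the command line, added here as an example rather than the author's tooling: it reads the CSV that WP-CLI's `wp plugin list --format=csv` prints (a real WP-CLI output format), while the plugin names and versions in SAMPLE_CSV are constructed for the demo and not taken from any real site.

```shell
#!/bin/sh
# Plugin audit driven by WP-CLI output (added example, not the author's script).
# With no arguments it reports on the constructed SAMPLE_CSV below; --live
# queries the real install; --apply dumps the database and installs every
# pending plugin update, which is what a daily cron entry would run.

TARGET_PLUGIN_COUNT=15   # ceiling suggested in the text

# Constructed sample in the shape `wp plugin list --format=csv` emits (demo data only).
SAMPLE_CSV='name,status,update,version,update_version,auto_update
contact-form-7,active,available,5.9.3,5.9.8,off
woocommerce,active,none,8.7.0,,on
old-slider,inactive,available,1.2.0,1.4.0,off
akismet,active,none,5.3,,on'

FIELDS=name,status,update,version,update_version,auto_update

plugin_count()       { awk -F, 'NR>1 && $1!="" {n++} END {print n+0}'; }
pending_updates()    { awk -F, 'NR>1 && $3=="available" {print $1 " " $4 " -> " $5}'; }
inactive_plugins()   { awk -F, 'NR>1 && $2=="inactive" {print $1}'; }
manual_update_only() { awk -F, 'NR>1 && $1!="" && $6!="on" {print $1}'; }

audit_report() {   # reads plugin CSV on stdin, prints a prioritised to-do list
    csv=$(cat)
    count=$(printf '%s\n' "$csv" | plugin_count)
    printf 'installed plugins: %s (target: %s or fewer)\n' "$count" "$TARGET_PLUGIN_COUNT"
    if [ "$count" -gt "$TARGET_PLUGIN_COUNT" ]; then
        printf '  trim at least %s plugins\n' "$((count - TARGET_PLUGIN_COUNT))"
    fi
    echo 'updates waiting (apply today, not next month):'
    printf '%s\n' "$csv" | pending_updates | sed 's/^/  /'
    echo 'inactive plugins (delete them; deactivated code is still on disk):'
    printf '%s\n' "$csv" | inactive_plugins | sed 's/^/  /'
    echo 'auto-update disabled (enable unless the plugin needs a staging test first):'
    printf '%s\n' "$csv" | manual_update_only | sed 's/^/  /'
}

case "${1:-}" in
    --live)  wp plugin list --format=csv --fields="$FIELDS" | audit_report ;;
    --apply) # database dump first so a bad update can be rolled back
             wp db export "$HOME/pre-update-$(date +%F).sql" && wp plugin update --all ;;
    *)       printf '%s\n' "$SAMPLE_CSV" | audit_report ;;
esac
```

Run it with no arguments to see the report on the sample data, with `--live` on the server to audit the real install, and with `--apply` from cron for the plugins you are willing to update unattended. WordPress's own auto-updater can be switched on per plugin with `wp plugin auto-updates enable`; keep the staging workflow for the e-commerce and membership plugins.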
Unattended WordPress sites accumulate plugin debt fast. What starts as a clean build in 2022 can turn into a sprawling, vulnerable mess by 2025 just from years of adding without subtracting. Converting that kind of setup to a modern, streamlined stack is one of the core services we offer, precisely because the cleanup pays for itself quickly.
Harden the Easy Entry Points
WordPress has a short list of attack surfaces that account for the majority of automated compromises. Most of them can be addressed in a single afternoon.
Enable two-factor authentication on every admin account, no exceptions.
Disable XML-RPC unless you have a specific documented reason to keep it active.
Throttle login attempts at the server level or through a security plugin.
Block PHP execution in your uploads folder via server config rules.
Disable file editing from the WordPress dashboard in your wp-config.php file.
Put a WAF like Cloudflare in front of the site; the free tier handles most automated noise.
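The three file-level items in that list (dashboard file editing, PHP execution in uploads, XML-RPC) as an idempotent script for an Apache 2.4 host, added here as an example and not the author's script. The site paths are placeholders; 2FA, login throttling and the WAF are configured in their own dashboards and are not covered by it.

```shell
#!/bin/sh
# Hardening script for a WordPress install on Apache 2.4 (added example).
# Each function checks before it writes, so re-running is safe.
# Usage: ./harden.sh /var/www/example.com [https://example.com]

harden_wp_config() {   # usage: harden_wp_config /path/to/wp-config.php
    cfg=$1
    [ -f "$cfg" ] || { echo "no wp-config.php at $cfg"; return 1; }
    if grep -q DISALLOW_FILE_EDIT "$cfg"; then
        echo "skip  DISALLOW_FILE_EDIT already set in $cfg"; return 0
    fi
    # Insert above the "That's all, stop editing!" marker WordPress ships so the
    # constant is defined before wp-settings.php loads; append if the marker is
    # missing. (WP-CLI equivalent: wp config set DISALLOW_FILE_EDIT true --raw)
    if grep -q "That.s all, stop editing" "$cfg"; then
        awk -v line="define('DISALLOW_FILE_EDIT', true);" \
            '/That.s all, stop editing/ && !seen { print line; seen=1 } { print }' \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf "define('DISALLOW_FILE_EDIT', true);\n" >> "$cfg"
    fi
    echo "set   DISALLOW_FILE_EDIT in $cfg"
}

write_uploads_htaccess() {   # usage: write_uploads_htaccess /path/to/wp-content/uploads
    ht="$1/.htaccess"
    if [ -f "$ht" ] && grep -q 'deny PHP execution' "$ht"; then
        echo "skip  uploads rule already present in $ht"; return 0
    fi
    cat >> "$ht" <<'EOF'
# deny PHP execution in uploads (Apache 2.4; on nginx use a location block returning 403)
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
    echo "wrote uploads rule to $ht"
}

block_xmlrpc() {   # usage: block_xmlrpc /path/to/site-root
    ht="$1/.htaccess"
    if [ -f "$ht" ] && grep -q 'Files "xmlrpc.php"' "$ht"; then
        echo "skip  xmlrpc rule already present in $ht"; return 0
    fi
    cat >> "$ht" <<'EOF'
# block XML-RPC; remove only if a client such as Jetpack or the mobile app needs it
<Files "xmlrpc.php">
    Require all denied
</Files>
EOF
    echo "wrote xmlrpc rule to $ht"
}

check_xmlrpc() {   # usage: check_xmlrpc https://example.com  (live check only)
    # An unblocked xmlrpc.php answers a GET with 405 ("accepts POST only"); blocked gives 403.
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1/xmlrpc.php")
    case "$code" in
        403)     echo "ok    xmlrpc.php blocked ($code)" ;;
        200|405) echo "OPEN  xmlrpc.php still answers ($code); rule not active" ;;
        *)       echo "?     xmlrpc.php returned $code; check manually" ;;
    esac
}

if [ -n "${1:-}" ] && [ -d "$1" ]; then
    harden_wp_config "$1/wp-config.php"
    write_uploads_htaccess "$1/wp-content/uploads"
    block_xmlrpc "$1"
    if [ -n "${2:-}" ]; then check_xmlrpc "$2"; fi
fi
```

The rules are appended outside the `# BEGIN WordPress` / `# END WordPress` block in the root .htaccess, so WordPress's own rewrites of that block leave them alone. The final check uses a live request because the only proof that a server rule is active is the response the server actually gives.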
Anthropic made a point in their paper worth repeating here. Security measures that rely on friction rather than hard barriers, meaning obscurity and cosmetic changes instead of real access controls, become far less effective against AI-assisted attackers. Renaming your login URL slows down a human. It does not slow down a model running thousands of probes overnight. Hard barriers like 2FA, a WAF, and strict file permissions are what actually hold.
Treat Backups as a System, Not a Setting
A backup you have never restored from is not really a backup. It is an untested hope. Daily off-site backups of both your files and database are the starting point, but the restore test is what actually proves they work.
Make sure your backups live somewhere separate from your host. If your hosting account gets compromised, backups stored in the same account go with it. Test a restore to a staging environment at least quarterly, not just checking that the backup file exists, but actually confirming the site comes back up correctly.
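The backup-as-a-system idea above in script form, added here as an example and not the author's routine: dump, archive with a checksum, verify the archive can be read and holds what a restore needs, confirm a fresh one exists, ship it off-host, and restore into staging. `wp db export`, `wp db import` and `wp search-replace` are real WP-CLI commands; OFFSITE is an assumed rsync destination and the paths are placeholders.

```shell
#!/bin/sh
# WordPress backup routine (added example, not the author's script).
# Usage: backup.sh backup /path/to/site
#        backup.sh verify  /path/to/archive.tgz
#        backup.sh restore /path/to/archive.tgz /path/to/staging https://staging.example.com

BACKUP_DIR=${BACKUP_DIR:-$HOME/wp-backups}   # outside the web root
OFFSITE=${OFFSITE:-}                          # assumed, e.g. backup@backup-host:/srv/wp-backups

hash_cmd() { if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi; }

archive_site() {   # usage: archive_site /path/to/site /dir/containing/database.sql -> prints archive path
    stamp=$(date +%Y%m%d-%H%M%S); name="site-$stamp.tgz"
    mkdir -p "$BACKUP_DIR"
    tar -czf "$BACKUP_DIR/$name" -C "$1" . -C "$2" database.sql
    ( cd "$BACKUP_DIR" && hash_cmd "$name" > "$name.sha256" )
    printf '%s\n' "$BACKUP_DIR/$name"
}

verify_backup() {   # usage: verify_backup archive.tgz ; exit 0 only if checksum and contents are good
    dir=$(dirname "$1"); name=$(basename "$1")
    if ! ( cd "$dir" && hash_cmd -c "$name.sha256" >/dev/null 2>&1 ); then
        echo "FAIL checksum mismatch or missing for $name"; return 1
    fi
    listing=$(tar -tzf "$1" 2>/dev/null) || { echo "FAIL archive unreadable: $name"; return 1; }
    for need in ./wp-config.php database.sql; do   # files + database, or it is not a backup
        printf '%s\n' "$listing" | grep -qx "$need" || { echo "FAIL $need missing from $name"; return 1; }
    done
    echo "ok   $name verified"
}

latest_backup_is_fresh() {   # exit 0 if an archive in BACKUP_DIR was written in the last 24 hours
    [ -n "$(find "$BACKUP_DIR" -name 'site-*.tgz' -mtime -1 2>/dev/null)" ]
}

make_backup() {   # usage: make_backup /path/to/site  (live: needs wp-cli)
    dump=$(mktemp -d)                         # never dump the database into the web root
    wp --path="$1" db export "$dump/database.sql" --quiet
    archive=$(archive_site "$1" "$dump")
    rm -rf "$dump"
    verify_backup "$archive" || return 1
    # Copy off-host so a compromised hosting account does not take the backups with it.
    if [ -n "$OFFSITE" ]; then rsync -a "$archive" "$archive.sha256" "$OFFSITE/"; fi
}

restore_to_staging() {   # usage: restore_to_staging archive.tgz /path/to/staging https://staging.example.com (live)
    verify_backup "$1" || return 1
    tar -xzf "$1" -C "$2" --exclude=./wp-config.php   # keep staging's own DB credentials
    wp --path="$2" db import "$2/database.sql" && rm -f "$2/database.sql"
    live_url=$(wp --path="$2" option get home)
    wp --path="$2" search-replace "$live_url" "$3" --skip-columns=guid --quiet
    code=$(curl -s -o /dev/null -w '%{http_code}' "$3/")
    [ "$code" = "200" ] && echo "restore ok: $3 answers 200" || echo "restore CHECK: $3 answered $code"
}

case "${1:-}" in
    backup)  make_backup "$2" && latest_backup_is_fresh && echo "fresh backup present" ;;
    verify)  verify_backup "$2" ;;
    restore) restore_to_staging "$2" "$3" "$4" ;;
esac
```

The restore step is the part most setups skip: it is the only thing that turns "a file exists" into "the site comes back". Run `backup` daily from cron, and run `restore` against a staging copy at least quarterly.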
Watch What's Happening on Your Site
Uptime monitoring, file integrity checks, and log review are not glamorous work. But they are how you find out your site was compromised before your customers do.
The most common story we hear from small businesses across Oahu, whether it's a Kailua restaurant or a Kapolei contractor, goes something like this: they had no idea anything was wrong until a customer called about strange links showing up on their website. By that point, the site had been compromised for weeks, Google had flagged it, and the cleanup was expensive and slow. Monitoring makes that story much less likely.
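The file-integrity check mentioned above, written out as an added example (not the author's tooling): it hashes the PHP, JS and .htaccess files in a site tree into a baseline manifest, reports what was added, changed or removed on later runs, and separately flags any PHP file under wp-content/uploads, which is exactly the kind of change the "strange links on the website" story starts with. For core files WP-CLI's `wp core verify-checksums` does a similar comparison against WordPress.org; this script covers the rest of the tree.

```shell
#!/bin/sh
# File-integrity monitor for a WordPress tree (added example, not the author's).
# Usage: integrity.sh baseline /path/to/site [manifest]   after each deliberate update
#        integrity.sh check    /path/to/site [manifest]   daily from cron
# Paths containing whitespace are not handled (awk splits on it).

hash_cmd() { if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi; }

hash_tree() {   # usage: hash_tree /path/to/site -> "hash  ./relative/path" lines, sorted
    ( cd "$1" && find . -type f \( -name '*.php' -o -name '*.js' -o -name '.htaccess' \) \
        ! -path './wp-content/cache/*' \
      | LC_ALL=C sort \
      | while IFS= read -r f; do hash_cmd "$f"; done )
}

save_baseline() {   # usage: save_baseline /path/to/site manifest-file
    hash_tree "$1" > "$2" && echo "baseline written: $(wc -l < "$2" | tr -d ' ') files"
}

compare_baseline() {   # usage: compare_baseline /path/to/site manifest-file
    # Prints one line per difference; exit status 0 only when nothing changed.
    current=$(mktemp)
    hash_tree "$1" > "$current"
    diffs=$(awk '
        NR == FNR { base[$2] = $1; next }          # first file: the baseline manifest
        { cur[$2] = $1
          if (!($2 in base))        print "added   " $2
          else if (base[$2] != $1)  print "changed " $2 }
        END { for (p in base) if (!(p in cur)) print "removed " p }
    ' "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

php_in_uploads() {   # usage: php_in_uploads /path/to/site -> PHP files under uploads (there should be none)
    [ -d "$1/wp-content/uploads" ] || return 0
    ( cd "$1" && find ./wp-content/uploads -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) )
}

site=${2:-}; manifest=${3:-$HOME/wp-integrity.manifest}   # keep the manifest outside the web root
case "${1:-}" in
    baseline) save_baseline "$site" "$manifest" ;;
    check)    found=$(php_in_uploads "$site")
              if [ -n "$found" ]; then printf 'PHP in uploads (investigate now):\n%s\n' "$found"; fi
              compare_baseline "$site" "$manifest" && echo "no changes since baseline" ;;
esac
```

A non-zero exit from `check` is what the cron job should alert on; a "changed" line for a file you did not touch that day is the signal worth a phone call, and re-baselining only after a deliberate update keeps the alerts meaningful.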
This Is Manageable
Panic is not a plan, and moving to a website builder to avoid the problem is not much of a solution either. The same AI capabilities that help attackers will increasingly help defenders. Major plugin vendors and the broader WordPress ecosystem will be more secure in a few years because of these tools. But right now, during the transition, the gap between attacker capability and the average unmaintained WordPress site is wider than it has ever been.
Closing that gap means doing consistent, unglamorous work: patching fast, keeping plugins lean, hardening the entry points, backing up properly, and actually watching what's happening on your site. None of it is complicated. All of it matters more today than it did last month.
If you own a WordPress site on Oahu and it hasn't had a proper security review in the past few months, now is a good time to change that. Give us a call at (808) 470-7900 or request a free site audit and we'll take a look at what plugins you're running, what's out of date, and where your real exposure is. No pressure; if everything checks out, we'll tell you so.