Short version:
If you have UpdraftPlus or UpdraftCentral installed, then you should update them as soon as possible. This removes any problems. If you can’t update them now (e.g. due to an expired licence), then install the hotfix plugin that is linked below.
Longer version:
With more powerful tools, security vulnerabilities are being discovered and shared with the world at an increasing rate. Whatever the consequences of this, any security vulnerabilities being identified and fixed are a good thing.
A security vulnerability affecting UpdraftPlus and UpdraftCentral has been identified by a researcher, and responsibly notified to us around 40 hours ago, and is fixed in a release made today.
This post is intended to explain the steps we’ve taken to keep your sites safe. We believe in prompt and transparent disclosure.
What was found – the vulnerability
Unfortunately, the vulnerability is a serious one, potentially allowing full site takeover. It affects only a small percentage of users (we estimate less than 10%), but for affected sites, bad actors could potentially take control of the site, and gain full access to all its contents.
Vulnerable versions
All versions of UpdraftPlus and UpdraftCentral from approximately the last 10-11 years are affected.
It is therefore essential to update whichever of UpdraftPlus and/or UpdraftCentral that you have installed (details of how are available below). Once you have updated your plugin, please take some time to make sure there are no unexpected new site administrators or plugins you didn’t expect to be present. You can also use a service like this one to scan your site for evidence of malicious activity (such a scan can’t tell you when or how that activity occurred).
We have no evidence of anyone attempting to exploit the vulnerability so far (we’ve checked over 200 sites since we were made aware of the vulnerability). We’re convinced there have not been any successful attacks, nor any attempted-but-unsuccessful attacks on the sites we’ve checked.
This is not a reason to avoid updating immediately. Now that an updated version has been released attackers can attempt to reverse-engineer the changes to try to deduce the problem.
Steps taken to secure your site
A patch has already been released and any site using UpdraftPlus version 1.26.5 (free version) or UpdraftPlus version 2.26.5 (premium version, or later, is already safe. If you don’t have these versions, it’s important you update UpdraftPlus today.
For UpdraftCentral, any site updated to version 0.8.32 of the base plugin, or later, is safe. Again, don’t delay. It is not necessary to update UpdraftCentral Premium.
For users of the UpdraftClone service, we have applied blocking measures against attacks on your clone, but you should still update the plugin(s).
If you are using the (free) plugin All In One Security (AIOS), and have updated to the 5.4.9 release (or later), then this also contains a firewall rule which blocks attacks.
How to update
Step one – log into your site’s WordPress admin dashboard.
Step two – navigate to ‘plugins’ in the dashboard (see image below)
Step three – Find ‘UpdraftPlus’ (or ‘UpdraftCentral’) (tip: you can filter your plugins by ‘update available’ to display plugins in need of an update).
Step four – Click ‘update now’
Hotfix plugin if you can’t update
We understand that some customers who haven’t renewed their UpdraftPlus Premium licences won’t yet be ready to do so. So, we’ve also released a hotfix plugin you can download and activate which will patch the vulnerability on whatever version of UpdraftPlus or UpdraftCentral you are running.
Once you are running a fixed version, you can then remove the hotfix plugin.
You can download the hot fix here – https://teamupdraft.com/wp-content/uploads/updraftplus-hotfix-jun2026.zip .
If you have any questions regarding this issue or the steps we’ve taken to fix things, you can contact us at the address “marketing”, at (@) the updraftplus.com domain. Or you can access our support channels here.