A protect-only WordPress site-owner checklist for the OptinMonster, TrustPulse, and PushEngage supply-chain incident: who should check, what to inspect, and when to rotate credentials.
Wordfence reports a ShapedPlugin Pro plugin supply-chain compromise through official licensed update channels. Inventory affected Pro plugins, remove unverified builds, scan the site, and rotate credentials where exposure is possible.
CVE-2026-6433 affects the Custom css-js-php WordPress plugin through 2.0.7. No known fix is listed, so disable or remove it and review affected sites.
2026 update: the main lesson still holds for small business WordPress hosting: cloud infrastructure is not the same thing as WordPress support. If you host WordPress on AWS, you still need a plan for backups,
