Reclaim Hosting Force-Updates UpdraftPlus After Critical Authentication Bypass Vulnerability Disclosure

Reclaim Hosting initiated automated emergency updates for UpdraftPlus across its infrastructure on June 10 at 3pm ET after Wordfence disclosed a critical authentication bypass vulnerability affecting versions 1.26.4 and earlier of the widely-deployed WordPress backup plugin, according to the hosting provider's security notice. The flaw enables unauthenticated attackers to execute administrator-level commands on WordPress sites that have connected UpdraftPlus to UpdraftCentral, the plugin's remote management dashboard.

TL;DR: Reclaim Hosting pushed emergency UpdraftPlus updates June 10 after Wordfence published a critical authentication bypass vulnerability affecting versions 1.26.4 and earlier; agencies must verify client sites updated to version 1.26.5 or later.

The vulnerability was patched in UpdraftPlus version 1.26.5, released June 10. Wordfence published the disclosure in its vulnerability database the same day under the title "Critical Unauthenticated Authentication Bypass Vulnerability Patched in UpdraftPlus WordPress Plugin." Reclaim Hosting noted that older UpdraftPlus installations using a legacy versioning scheme may report themselves as version "2x" and likely remain vulnerable if not updated. The provider deployed automated updates across Domain of One's Own, Managed Hosting, Reclaim EDU, and Shared Hosting accounts.

UpdraftPlus ships on an estimated 3 million WordPress installations, making it one of the platform's most-installed backup solutions. While not a default installation on most hosts, many agencies recommend or deploy it as part of standard client site configurations. The plugin's integration with UpdraftCentral—a centralized dashboard for managing backups across multiple sites—created the attack surface that the disclosed vulnerability exploits.

How the Authentication Bypass Works

[Figure: UpdraftPlus authentication bypass attack flow, from a remote attacker through the UpdraftCentral connection to WordPress administrator privileges]

The vulnerability allows attackers to forge administrator-level commands on WordPress sites where UpdraftPlus has been connected to an UpdraftCentral instance. Because the plugin accepts the forged request as if it were authenticated, an attacker can execute arbitrary administrative actions without ever holding valid credentials. Wordfence classified the flaw as critical, indicating both ease of exploitation and high impact potential. The vulnerability does not require any user interaction beyond the initial UpdraftCentral connection, which many agencies configure during site setup to centralize backup management across client portfolios.

Sites that have never connected UpdraftPlus to UpdraftCentral remain unaffected by this specific vulnerability. The attack vector depends on the remote management connection being established. However, agencies that use UpdraftCentral as part of their white-label maintenance workflows face exposure across every site in their managed portfolio if those installations remain on vulnerable versions.

Reclaim Hosting's automated update procedure uses WordPress's native update functionality to replace vulnerable UpdraftPlus installations with version 1.26.5. The provider triggered the updates across its entire infrastructure rather than notifying individual account holders and waiting for manual action, reflecting the severity classification and active exploitation risk typical of authentication bypass vulnerabilities. Similar forced update procedures occurred during the Everest Forms Pro exploitation campaign that generated 29,300 attack attempts between April and June, and during the Kirki plugin vulnerability that enabled unauthenticated admin account takeovers.

Verification Steps for Agencies

Agencies using UpdraftPlus must verify that all client installations now run version 1.26.5 or later, regardless of hosting provider. Sites hosted outside Reclaim Hosting's infrastructure require manual verification and update. The plugin's dashboard displays the current version number in the WordPress admin under Plugins → Installed Plugins. Agencies managing sites through UpdraftCentral can check versions centrally, though the vulnerability itself makes centralized management a potential liability until every connected site updates.

For sites reporting version numbers in the "2x" range, agencies should treat these as vulnerable unless confirmed otherwise. The legacy versioning scheme predates the current numbering convention; UpdraftPlus has not published a specific mapping between old and new version numbers in its security advisory. Agencies encountering "2x" version numbers should update immediately and verify post-update version numbering returns to the 1.26.x format.

Sites with UpdraftPlus installed but not connected to UpdraftCentral do not face immediate exploitation risk from this vulnerability, but should still update. The flaw sits in the codebase regardless of configuration, and future UpdraftCentral connections would retroactively expose sites running outdated versions. Standard WordPress security baseline practices recommend treating all disclosed vulnerabilities as deployment blockers until patched, regardless of whether a specific site currently uses the affected feature.

What This Means for Agency Owners

Centralized management tools like UpdraftCentral create efficiency in white-label operations, but they also concentrate authentication surface area. A single authentication bypass vulnerability affecting the management layer exposes every connected site simultaneously. Agencies that standardize on remote management plugins across client portfolios should maintain a secondary audit mechanism—such as WP-CLI scripts run via SSH or a separate monitoring stack—that verifies plugin versions independent of the centralized dashboard itself.
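The secondary audit mechanism suggested above, covering the verification steps from the previous section (1.26.5 or later is patched, anything reporting a legacy "2x" number is treated as vulnerable, anything else is flagged for a look), as an added example that is not Reclaim Hosting's, UpdraftPlus's or Wordfence's code. It assumes SSH access to each host, WP-CLI available as `wp` there, and a hypothetical `sites.txt` with one `<ssh-host> <wordpress-path>` per line; `wp plugin get updraftplus --field=version` is a real WP-CLI invocation that prints only the installed version string.

```shell
#!/bin/sh
# Added example (not Reclaim Hosting's, UpdraftPlus's or Wordfence's code):
# audit UpdraftPlus versions across a client portfolio over SSH with WP-CLI,
# independent of the UpdraftCentral dashboard.
# Assumptions: SSH access to each host, WP-CLI available as "wp" there, and a
# hypothetical sites.txt with one "<ssh-host> <wordpress-path>" per line.
set -u

PATCHED_VERSION="1.26.5"   # first fixed release named in the advisory

# Classify one reported version string. Prints exactly one of:
#   patched | vulnerable | legacy-vulnerable | unknown
updraft_status() {
  ver="$1"
  case "$ver" in
    2*)  echo "legacy-vulnerable"; return 0 ;;   # legacy "2x" numbering: assume vulnerable
    1.*) ;;                                      # current numbering: compare below
    *)   echo "unknown"; return 0 ;;             # empty, "not-installed", or garbage
  esac
  i=1
  while [ "$i" -le 3 ]; do
    # i-th dotted component; a suffix such as "-beta" is stripped, a missing one is 0
    h=$(printf '%s' "$ver" | cut -s -d. -f"$i" | sed 's/[^0-9].*$//')
    n=$(printf '%s' "$PATCHED_VERSION" | cut -s -d. -f"$i")
    h=${h:-0}; n=${n:-0}
    if [ "$h" -gt "$n" ]; then echo "patched"; return 0; fi
    if [ "$h" -lt "$n" ]; then echo "vulnerable"; return 0; fi
    i=$((i + 1))
  done
  echo "patched"   # all three components equal to the fixed release
}

# Query every site and print: host path reported-version status
audit_sites() {
  sites_file="$1"
  while read -r host path; do
    [ -n "$host" ] || continue
    # -n keeps ssh from swallowing the rest of sites.txt on stdin;
    # a missing plugin makes wp exit non-zero, which we record explicitly
    ver=$(ssh -n "$host" "wp --path='$path' plugin get updraftplus --field=version" 2>/dev/null) \
      || ver="not-installed"
    printf '%s %s %s %s\n' "$host" "$path" "$ver" "$(updraft_status "$ver")"
  done < "$sites_file"
}

# Run the portfolio audit only when invoked directly with --audit
if [ "${1:-}" = "--audit" ]; then
  audit_sites "${2:-sites.txt}"
fi
```

Run it as `sh audit-updraftplus.sh --audit sites.txt` and grep the output for anything other than `patched`; the version comparison is done component by component rather than with a string compare so that 1.26.10 is correctly ranked above 1.26.5.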

UpdraftPlus is far from the only backup plugin to ship critical vulnerabilities in 2026; the pattern reflects the broader 96% share of WordPress vulnerabilities originating in plugins and themes rather than core. Agencies cannot eliminate plugin risk entirely without eliminating plugins, which means the deployment question shifts from "Is this plugin safe?" to "How fast can we verify updates across our entire client base when the next disclosure drops?" Reclaim Hosting answered that question with a four-hour turnaround from disclosure to forced updates. Agencies hosting client sites elsewhere should audit whether their hosting providers match that response speed—or whether the agency itself maintains the tooling to push emergency updates when a provider does not.

The authentication bypass category of vulnerability deserves particular attention in agency security protocols because exploitation leaves minimal forensic trace and requires no user interaction. Unlike cross-site scripting or SQL injection flaws that often generate error logs, authentication bypass attacks can succeed silently. Agencies managing UpdraftPlus across client portfolios should verify not only that sites now run 1.26.5 or later, but also audit recent administrator activity for any unrecognized logins or configuration changes between June 10's disclosure and the confirmed update timestamp for each site.
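One concrete slice of the post-update audit described above, as an added example that is not Reclaim Hosting's, UpdraftPlus's or Wordfence's code: listing administrator accounts whose `user_registered` timestamp falls on or after the disclosure. It assumes the same hypothetical `sites.txt` and SSH/WP-CLI access as a portfolio version check, and the cutoff `2026-06-10` is an assumption combining the article's "June 10" and "2026" references; `wp user list --role=administrator --fields=user_login,user_registered --format=csv` is a real WP-CLI invocation.

```shell
#!/bin/sh
# Added example (not Reclaim Hosting's, UpdraftPlus's or Wordfence's code):
# flag administrator accounts created on or after the disclosure, using the
# user_registered timestamp WordPress stores for every account.
# Assumptions: a hypothetical sites.txt of "<ssh-host> <wordpress-path>" lines,
# SSH + WP-CLI access; the cutoff date is assumed from the article's references.
set -u

DISCLOSURE_CUTOFF="2026-06-10 00:00:00"   # assumed; adjust for the site's timezone

# Reads the CSV produced by
#   wp user list --role=administrator --fields=user_login,user_registered --format=csv
# on stdin and prints the login of every administrator registered at or after
# the cutoff. WordPress stores user_registered as "YYYY-MM-DD HH:MM:SS", so a
# plain string comparison orders the timestamps correctly.
admins_registered_since() {
  cutoff="$1"
  awk -F, -v cutoff="$cutoff" 'NR > 1 && $2 >= cutoff { print $1 }'
}

# Constructed sample output (not from any real site) so the check runs offline
SAMPLE_ADMINS='user_login,user_registered
agency-admin,2023-02-14 09:12:00
client-owner,2024-11-03 16:40:27
wpuser_x91,2026-06-10 21:47:03'

# Exercise the filter on the constructed sample; returns the flagged logins
sample_audit() {
  printf '%s\n' "$SAMPLE_ADMINS" | admins_registered_since "$DISCLOSURE_CUTOFF"
}

# Portfolio run: print "host path login" for each flagged administrator
audit_admins() {
  sites_file="$1"
  while read -r host path; do
    [ -n "$host" ] || continue
    # -n keeps ssh from consuming the rest of sites.txt on stdin
    ssh -n "$host" "wp --path='$path' user list --role=administrator --fields=user_login,user_registered --format=csv" 2>/dev/null \
      | admins_registered_since "$DISCLOSURE_CUTOFF" \
      | while read -r login; do printf '%s %s %s\n' "$host" "$path" "$login"; done
  done < "$sites_file"
}

if [ "${1:-}" = "--audit" ]; then
  audit_admins "${2:-sites.txt}"
fi
```

Any login this prints that the agency cannot account for is a candidate for the account takeover path the article describes. WordPress core keeps no login history of its own, so the "unrecognized logins" half of the audit has to come from the host's web server access logs or an activity-log plugin; this check covers only the accounts-created half.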