Security & Hacking
When the Update Itself
Why Staying Current Is Only Half the Job
When the Update Itself Is the Hack: Why Staying Current Is Only Half the Job
When the Smart Slider 3 Pro update channel itself was compromised in April 2026, every site that did the responsible thing and auto-updated got infected, and being across the threat landscape in real time was what actually kept our hosted sites safe.
Created: June 1, 2026 | Reading Time: 5 mins
A few weeks ago, an email landed in my inbox at the start of the day.
It started with the line every web designer dreads. The below sites were hacked overnight. It ended with the line every web designer wants. There’s nothing for you to action.
In between those two sentences sat one of the more interesting moments I’ve had in years of running websites, and a very clean case for why hosting choice is not the boring afterthought most business owners treat it as.
What actually happened
On April 7, 2026, a WordPress plugin called Smart Slider 3 Pro shipped an update through its normal update channel. Around 800,000 sites use this plugin. It is widely trusted, well maintained, and the kind of thing you would never think twice about updating.
Except this update was not from the plugin developer.
Someone had breached the plugin company’s update infrastructure and pushed their own version of the file through the legitimate distribution channel. Every site that auto-updated in the next six hours, before anyone noticed, willingly installed a fully weaponised backdoor. Not a vulnerability. Not a bug. A complete remote access toolkit, delivered through the front door, signed off by the system every site owner has been told to trust.
The technical breakdown that Patchstack published is genuinely chilling. The malicious code created a hidden administrator account on each infected site, hid that account from the user list, left three separate backdoors in three different locations so deleting the plugin would not actually remove the infection, and quietly transmitted each site’s URL, database details, and the plaintext credentials of the hidden admin back to a command and control server. Then it sat. Waiting.
That last part is the important bit. The attack did not do anything dramatic right away. It planted itself, made itself invisible, and waited for whatever the attacker wanted to do later. Weeks. Months. Whenever.
Why this changes the conversation
For years, the standard advice on WordPress security has been some version of keep your plugins updated. And that is true. It is still true. Most attacks still come through unpatched plugins, and most of those are preventable by clicking the update button every week.
But this incident is a different kind of problem, and it is one I think every business owner with a website needs to understand. When the update channel itself is compromised, being up to date is what gets you hacked. The sites that ignored the update for a day were safe. The sites that did the right thing got infected.
Welcome to supply chain attacks. They are not new in software, but they are arriving in the WordPress world properly now, and they are going to keep arriving. The honest truth is that there is no checklist you can give a site owner that protects them from this. You can do everything right, exactly as recommended, and still get hit.
So what does protect you?
Being across it, and acting
This is the part I want to spend the most time on, because it is the part most people miss.
Security is not a state you arrive at. It is not a box you tick when the site goes live. It is an ongoing practice of being across the current landscape, watching the threat ecosystem in real time, and being able to act inside hours rather than days when something does go wrong.
The story above ended with there is nothing for you to action because somebody was paying attention while the rest of the world was asleep. The malware scanner caught the infection within the window the attacker needed to deploy. The hosting team went in manually, on the same day, and updated the plugin, cleaned the compromised files, deleted the hidden administrator account, and removed the breadcrumbs the attacker had left for themselves. By the time the affected sites’ owners woke up, the threat was already gone.
That is not luck. That is what active hosting looks like.
What we actually do as the host
When DeCODE hosts your site, you are not just renting server space from us. You are buying a layer of attention that sits between your business and the rest of the internet. Practically, that means a few things.
Our infrastructure is actively monitoring for behaviour that should not be happening, not just known signatures. The Smart Slider attack used custom HTTP headers and disguised file names specifically designed to slip past generic checks, and our scanner caught it anyway because it watches for the shape of an infection, not just the names of bad files.
We are paying attention to what the broader WordPress security community is publishing. When something like this hits the news, we know. We are reading the same advisories the security researchers are, often within the hour. That awareness is what turns “you’ve been hacked, please do something” into “we already handled it, here’s what happened.”
When something does go wrong, the response is not a support ticket and a forty-eight hour wait. It is somebody manually going into the affected sites, doing the cleanup, and writing you an email by morning. That email exists because someone was already in the system before you would have known there was a problem.
And critically, none of this is something I expect a client to manage themselves. The whole point of working with a partner who builds, hosts, and looks after your site is that the technical scaffolding of running a business website online does not become your problem. You should not need to know what a supply chain attack is to be protected from one.
What this means for you
If you take one thing from this article, take this: in 2026, the security of your website is not a function of how careful you are. It is a function of how alert your hosting and maintenance setup is, and how fast it can act when something the world has never seen before turns up at 2am.
Auto-updates are still good practice. Patching is still essential. Keeping your plugins lean and well-chosen still matters. But all of those are necessary, and none of them are sufficient on their own.
What protects a small business website in 2026 is having someone in your corner who is watching the landscape, knows what to look for, and can move fast when they spot it. That is the part you cannot automate, and it is the part that quietly does the most work.
So if you are reading this and you do not know who would have caught that attack on your site, that is the conversation worth having. Not next quarter. Now.
We caught ours before breakfast. We would rather catch yours too.
Running a WordPress site and want to know what your current hosting setup would have done in the same scenario? Get in touch. We are happy to take a look.
On this page
We’re here to help you DeCODE the Digital World
DeCODE builds breathtaking websites that drive sales for your business without a price that would take your breath away.
We understand that Companies don’t need websites. Companies need a regular stream of high-quality leads. Customers eager, educated, and ready to purchase their products or share their vision. This is the core of a DeCODE build.
In 2020 websites are no longer set and forget, winning an online race is now a marathon, not a sprint. Visually stunning sites with limited back end functionality and no ability to perform in search are redundant.
At DeCODE we build sites that perform.
Ilana is a Web Designer & Development Consultant with 15+ years building websites that actually perform: ecommerce stores, membership platforms, training portals, and SEO rebuilds that turn slow, dated sites into properties that rank and convert.