WordPress Launches Protect the Shire to Secure 78,000 Plugins and Themes

On June 5, 2026, WordPress co-founder Matt Mullenweg announced Protect the Shire, a new security initiative that will use AI to review and secure all 78,000+ plugins and themes in the WordPress.org directory.

The announcement came days before WordCamp Europe 2026 in Krakow and directly addressed the supply chain vulnerabilities that hit the WordPress ecosystem in April 2026.

Protect the Shire Initiative Explained

Protect the Shire is WordPress.org’s response to a growing threat in the plugin ecosystem. WordPress core updates go through multiple layers of review before they are released, a process refined over 18 years since one-click upgrades were introduced in WordPress 2.7. Plugins and themes, however, have had no equivalent review layer after initial submission.

The initiative takes its name from J. R. R. Tolkien’s The Lord of the Rings and aims to bring the same stability and security standards that WordPress core enjoys to every plugin and theme in the directory.

24-Hour Cooldown Period for Plugin and Theme Updates

The most immediate change is a new 24-hour cooldown period for plugin and theme releases. Each new release will wait up to 24 hours before being distributed through auto-updates, giving WordPress.org and its new AI reviewer time to scan changes before they reach millions of sites.

Mullenweg expects the 24-hour window to be reduced to minutes as the process matures, but WordPress.org will err on the side of caution while AI capabilities are advancing rapidly. Manual updates through the WordPress dashboard are not affected. The cooldown only applies to the auto-update distribution channel.

AI-Powered Security Review

The plugin review team at WordPress.org is human and has limits. Bots do not sleep, and a depth of automated security review that seemed unimaginable before is now achievable with AI.

WordPress.org is deploying an AI reviewer named Gandalf to run automated security scans during the cooldown window, aiming to catch malicious code before it reaches sites via auto-updates.

The initiative was accelerated by two developments. A significant leap in AI coding ability in late 2025 changed what attackers can do, and security activity across the broader software ecosystem has increased sharply through early 2026. Chrome recently shipped a release addressing 429 security vulnerabilities, a signal of how fast the threat landscape is moving.

The Scale of the WordPress Plugin Ecosystem

The WordPress plugin directory has over 400 million installs across all plugins. There are 69 plugins, many from solo developers, installed on over a million sites each. A single compromised plugin at that scale can cause widespread damage across the web.

The Essential Plugin attack in April 2026 made this clear. A bad actor purchased a portfolio of legitimate plugins and injected malicious code that was instantly distributed via the standard auto-update mechanism. The Protect the Shire initiative is a direct structural response to close that gap.

What Changes for Plugin and Theme Developers?

Developers will see a delay of up to 24 hours between pushing a release and its distribution via auto-updates. The change applies only to auto-update distribution. Site owners who update manually can still do so immediately after a release is published on WordPress.org.

WordPress.org has also signaled plans to introduce deeper repository tooling, drawing lessons from GitHub’s security model. Features like code signing and ownership transfer reviews are part of the initiative’s longer-term direction, though no fixed timeline has been announced.

Conclusion

Protect the Shire is one of the most significant infrastructure changes WordPress.org has made to the plugin ecosystem in years. The 24-hour cooldown and AI-powered review layer address a structural gap that has existed since the plugin directory launched.

With over 78,000 plugins and themes in the directory and supply chain attacks becoming more sophisticated, the initiative signals that WordPress.org is treating plugin security with the same seriousness it has long applied to core.

FAQs

What is Protect the Shire in WordPress?

Protect the Shire is a WordPress.org security initiative announced by Matt Mullenweg on June 5, 2026. It introduces a 24-hour cooldown period for plugin and theme releases before auto-updates and deploys AI to review code changes before they reach millions of WordPress sites.

What is the 24-hour cooldown for WordPress plugin updates?

The 24-hour cooldown means every new plugin or theme release waits up to 24 hours before being distributed through WordPress auto-updates. This gives WordPress.org time to run automated security scans on the new code. Manual updates are not affected.

Why did WordPress launch Protect the Shire?

The initiative was launched in response to growing supply chain attack threats, including the April 2026 Essential Plugin attack where a bad actor planted malicious code across 31 plugins after purchasing the portfolio. WordPress.org had no review mechanism to catch the change before it was distributed through auto-updates.

Does the 24-hour cooldown affect manual WordPress updates?

No. The cooldown only applies to the auto-update distribution channel. Site owners who manually update plugins and themes from the WordPress dashboard can still do so immediately after a new release is published.

Who is Gandalf in WordPress security?

Gandalf is the name given to WordPress.org’s new AI security reviewer, introduced as part of the Protect the Shire initiative. It runs automated code scans during the 24-hour cooldown window before plugin and theme updates are distributed through auto-updates.