DOSSIER №01 — APRIL 2026
The ground your website stands on just moved.
Thirty-one WordPress plugins were quietly backdoored. If your municipality runs WordPress, your clock started last week.
In March and April of 2026, a threat actor compromised thirty-one widely installed WordPress plugins by injecting obfuscated PHP into their update packages. The attack was dormant for eight months before activating — a technique designed to survive the first wave of security audits.
For municipalities, the calculus is straightforward: a WordPress site that was unpatched for even a short window during the activation period is compromised until forensically cleared. The site is running. The certificate is green. The backdoor is open.
I build statically generated municipal websites using Next.js and modern deployment infrastructure. No PHP. No database. No plugin supply chain. The attack surface is a git repository.
Every site ships bilingual, WCAG 2.1 AA compliant, and optimized for Canadian hosting. Updates are atomic, reversible, and auditable. The stack is the same one used by the largest enterprises on the web.
A municipality running WordPress today should, at minimum, ask its current vendor for the list of active plugins and the date of the last third-party security audit. The website is the reconnaissance surface — a forty-seven-plugin install is a public signal about the broader IT governance posture, and that signal is read.
A rebuild on auditable static architecture closes a specific category of long-standing audit findings in one procurement cycle. Under the threshold, over the standard.
NEXT STEP
Call first. Email second. Forms third.
DOSSIER №01 — CITATIONS UNDER REVIEW