mySites.guru - Manage Multiple WordPress & Joomla sites in a single dashboard

WordPress 7.0 "Armstrong" was released on 20 May 2026. For anyone managing a portfolio of WordPress sites, the practical question is: how do I roll this out safely? mySites.guru is fully compatible with 7.0. The connector, backups, audits, and one-click updates all work without change. We recommend disabling core auto-upgrades (one click in the dashboard sets AUTOMATIC_UPDATER_DISABLED and WP_AUTO_UPDATE_CORE across every site), running a backup, then triggering the 7.0 update from one screen. Real-time collaboration was pulled before release and is deferred to 7.1. PHP 7.4 and MySQL 8.0 are the new floors. https://lnkd.in/evGYHmMC

A new security release of JCE Editor for Joomla is out. JCE Free/Pro 2.9.99.4 patches two authenticated vulnerabilities: an Editor Profile assignment bypass and a directory traversal in filesystem search. Update your Joomla sites as soon as you can. If you manage Joomla sites at scale, the mySites.guru extension search shows every JCE install grouped by version, and the mass updater pushes the patch across every affected site in one batch. https://lnkd.in/exUfZZjf

Joomla shipped 5.4.6 and 6.1.1, and the release closes ten security holes in one go, including two MFA bypass issues and a privilege escalation in the user management batch task. The agency angle nobody is writing about: patch order matters when you have 30+ sites and a backlog of un-trusted backend users. Here is the priority list: https://lnkd.in/evcCYcF7

Agencies often ask whether they can skip a third-party platform and just cron a bash script per site to auto-update Joomla extensions. The technical answer is yes. The honest answer is you will, for about six months. Then Joomla ships a point release that tightens auth or rotates a hash algorithm and your script silently starts failing on a subset of sites. The maths is in the new walkthrough. https://lnkd.in/eupAvGMa

ICYMI: Avada Builder, bundled with the Avada theme on around 1 million WordPress sites, patched two vulnerabilities this week. CVE-2026-4782 (CVSS 6.5) is an arbitrary file read exploitable by any Subscriber-level account. It reads wp-config.php and leaks database credentials and cryptographic salts. CVE-2026-4798 (CVSS 7.5) is an unauthenticated time-based SQL injection. It only triggers on sites that previously ran WooCommerce, but the WooCommerce order tables persist on disk after deactivation, which is the trigger. Both are fixed in 3.15.3. The work for agencies isn't reading the advisory. It's identifying which of your hundreds of client sites still need the update. mySites.guru lists every Avada Builder install across your portfolio and pushes the patch to all affected sites in one operation. https://lnkd.in/eTGfpBSy

ICYMI: Sorry ransomware is being deployed at scale against cPanel-hosted websites. The entry vector is CVE-2026-41940, a pre-auth CRLF-injection authentication bypass in cPanel and WHM that lets an attacker forge a pre-auth session with user=root, hasroot=1, tfa_verified=1 and walk into WHM with no credentials. CVSS 9.8. Patched by WebPros on 28 April 2026, but watchTowr Labs and Help Net Security place earliest in-the-wild exploitation at 23 February 2026, meaning the bug was a zero-day for around two months. Shadowserver currently tracks 44,000+ compromised cPanel IPs. Censys reports 8,859 hosts with .sorry files in publicly indexed directories. The malware itself is Go-based, uses ChaCha20 with an embedded RSA-2048 public key, appends .sorry to every encrypted file, and drops a README.md ransom note. No decryptor exists. We pushed an update to the mySites.guru audit pipeline. Every connected Joomla, WordPress and Generic site now gets an extra post-audit query that flags any file ending in .sorry as hacked. The File Manager shows a red Ransomware badge next to those files so the encrypted artefacts stand out from ordinary backdoors. The practical lesson is the same one Essential Plugin, Smart Slider 3 Pro and Breeze Cache already taught us: when a critical bug lands in software that runs on every shared host on earth, the question is not whether you are affected but how quickly you can find out. https://lnkd.in/eyHYu4pG

ICYMI: WordPress 7.0 Armstrong shipped with the AI Client and three featured provider connectors (Anthropic, Google, OpenAI) enabled by default. The connectors are inert without API keys, but the architectural default is AI-on, not AI-off. For agencies and hosting providers managing client sites under GDPR, HIPAA-adjacent agreements, or content-authenticity policies, this changes the threat surface. Any admin or editor can wire up a connector and start sending content to a third-party AI provider, often without the site owner knowing. The clean fix is one line in wp-config.php: define('WP_AI_SUPPORT', false). That short-circuits WordPress's wp_supports_ai() gatekeeper before any plugin loads. mySites.guru now audits this constant across every connected WordPress site and flips it from one dashboard. https://lnkd.in/evKhcpPh

ICYMI: WordPress 7.0 "Armstrong" was released on 20 May 2026. For anyone managing a portfolio of WordPress sites, the practical question is: how do I roll this out safely? mySites.guru is fully compatible with 7.0. The connector, backups, audits, and one-click updates all work without change. We recommend disabling core auto-upgrades (one click in the dashboard sets AUTOMATIC_UPDATER_DISABLED and WP_AUTO_UPDATE_CORE across every site), running a backup, then triggering the 7.0 update from one screen. Real-time collaboration was pulled before release and is deferred to 7.1. PHP 7.4 and MySQL 8.0 are the new floors. https://lnkd.in/evGYHmMC

ICYMI: WordPress 7.0 "Armstrong" was released on 20 May 2026. For anyone managing a portfolio of WordPress sites, the practical question is: how do I roll this out safely? mySites.guru is fully compatible with 7.0. The connector, backups, audits, and one-click updates all work without change. We recommend disabling core auto-upgrades (one click in the dashboard sets AUTOMATIC_UPDATER_DISABLED and WP_AUTO_UPDATE_CORE across every site), running a backup, then triggering the 7.0 update from one screen. Real-time collaboration was pulled before release and is deferred to 7.1. PHP 7.4 and MySQL 8.0 are the new floors. https://lnkd.in/evGYHmMC

WordPress 7.0 Armstrong shipped with the AI Client and three featured provider connectors (Anthropic, Google, OpenAI) enabled by default. The connectors are inert without API keys, but the architectural default is AI-on, not AI-off. For agencies and hosting providers managing client sites under GDPR, HIPAA-adjacent agreements, or content-authenticity policies, this changes the threat surface. Any admin or editor can wire up a connector and start sending content to a third-party AI provider, often without the site owner knowing. The clean fix is one line in wp-config.php: define('WP_AI_SUPPORT', false). That short-circuits WordPress's wp_supports_ai() gatekeeper before any plugin loads. mySites.guru now audits this constant across every connected WordPress site and flips it from one dashboard. https://lnkd.in/evKhcpPh