Important Vulnerability on Advanced Custom Fields Plugin for WordPress

Imunify360, ImunifyAV, and ImunifyAV+ now run on Ubuntu 26.04.

Stopping outbound spam keeps your server IPs off blocklists and your customers' mail moving. Inbound spam and phishing is the other half of the problem. It fills customer mailboxes, drives support tickets, and raises the chance that one of your customers hands over credentials to a phishing email.

An attacker gets in through a vulnerable plugin. They drop a backdoor file in wp-content/uploads. In the same session, they write a redirect script into wp_options and a spam link into wp_posts.post_content. A file scanner finds the backdoor. The database UPDATEs stay. The site gets cleaned and still serves pharma spam to search engines the next morning.

Imunify360 now includes WAF for WordPress, a new security component that automatically blocks exploits targeting known vulnerabilities in WordPress plugins and themes.

Vulnerable websites are protected through virtual patching. When an attacker tries to exploit a vulnerability in a plugin or theme your customer hasn't updated, WAF for WordPress blocks the malicious request before it reaches the vulnerable code. The site stays protected without requiring an update.

WAF for WordPress is free for all Imunify360 customers. It's delivered through the Imunify Security WordPress plugin, activates automatically, and requires no extra configuration.

Email deliverability is one of the hardest operational problems in shared hosting. One compromised account sending spam from your server can get the IP blacklisted, and suddenly none of your customers' emails reach the inbox. The damage is immediate, the delisting process is slow, and the support tickets pile up. 

If you have a successful WordPress (or other PHP-based) security plugin, you probably know this scenario. You’ve built a solid product. Maybe it’s a login limiter, an activity logger, or a firewall. You have tens of thousands (or millions) of active installs. The reviews are great.

We’re excited to share a milestone we’re genuinely proud of: The Imunify Security WordPress Plugin has now surpassed 500,000 active installations.

If you're moving to a newer Linux OS and notice you can't deploy the Patchman agent, this guide is for you.

We've released a new version of Patchman that comes bundled in with ImunifyAV+. This significant upgrade allows our customers with a Patchman CLEAN license to migrate and enhance the security of their servers.

Imunify products now fully support Debian 13, expanding protection to the latest generation of Debian-based servers. This update applies to the entire Imunify suite: ImunifyAV, ImunifyAV+, and Imunify360 - and is available across Plesk, DirectAdmin, Webuzo, and stand-alone installations. Users running Debian 13 can now deploy Imunify products with the same reliability and security they expect on other supported distributions.

CloudLinux is introducing updates to the pricing model for ImunifyAV+. These changes align ImunifyAV+ with the tiered structure already used by Imunify360 and support continued investment in malware detection, protection technologies, and product development.