10 min read • April 14, 2026

Anthropic's Claude Mythos Can Now Write Zero-Day Exploits. Your WordPress Site Is Next.

On 7 April 2026, Anthropic revealed their new model Mythos Preview can autonomously find and exploit zero-day vulnerabilities in operating systems, browsers, and kernels, for under $50 a run. 96% of WordPress vulnerabilities live in plugins. Here's what that means for every site owner, and why web maintenance stopped being optional this week.

On the 7th of April 2026, Anthropic’s red team published a paper most small business owners will never read. It announced that Claude Mythos Preview - their newest frontier model - can autonomously find and exploit zero-day vulnerabilities in every major operating system and every major web browser. Not assisted. Not supervised. Autonomously. For under $50 a run.

I’ve spent the last week reading it properly, and I want to walk through what it actually says, and then explain, in plain English, why this is the week WordPress site owners in Perth need to stop treating web maintenance as an optional line item.

Because the takeaway is simple. The cost of attacking websites just dropped by roughly two orders of magnitude. The number of sites getting attacked didn’t. The gap is where every unmaintained WordPress install now lives.

What Anthropic Actually Announced

Let’s start with the facts, direct from the paper, so nobody thinks I’m catastrophising.

The model: Claude Mythos Preview, a general-purpose frontier language model. Anthropic did not train it specifically for offensive security. The capability emerged as a side effect of general improvements in code, reasoning, and autonomy.

The benchmark shift: Anthropic runs its models against roughly a thousand open source repositories from the OSS-Fuzz corpus and grades the worst crash on a five-tier severity ladder. Across roughly 7,000 entry points, Opus 4.6 - the previous state of the art - produced between 150 and 175 tier-1 crashes and around 100 tier-2 crashes, but topped out at a single tier-3 crash and nothing higher. Mythos Preview hit 595 crashes at tiers 1 and 2, added a handful at tiers 3 and 4, and achieved ten full control-flow hijacks (tier 5) on fully patched targets.

The Firefox test: Anthropic re-ran an earlier experiment where they asked a model to turn known Firefox JavaScript engine vulnerabilities into working shell exploits. Opus 4.6 succeeded 2 times out of several hundred attempts. Mythos Preview succeeded 181 times, with register control on 29 more.

The cost: The single run that found a 27-year-old OpenBSD SACK bug cost under $50 in API credits. The full thousand-run OpenBSD scan that produced it, along with several dozen more findings, cost under $20,000 all in.

The quote that should scare every WordPress site owner:

“Engineers at Anthropic with no formal security training have asked Mythos Preview to find remote code execution vulnerabilities overnight, and woken up the following morning to a complete, working exploit.”

Read that again. Non-experts. Overnight. Working exploit. This is the current state of the art, today, in April 2026.

Project Glasswing: Anthropic is releasing Mythos Preview initially only to “critical industry partners and open source developers” under a program called Project Glasswing. The goal is to let defenders get to the bugs first. That’s a responsible rollout. It does not mean competing labs won’t ship similar capabilities to everyone shortly. It just means Anthropic’s model isn’t the one that’s going to hit your site first.

Why This Changes the WordPress Maintenance Conversation

Here’s the part where the news meets the practical reality of running a website in 2026.

WordPress powers roughly 43% of the public web. By sheer volume of automated attack traffic it is among the most targeted software platforms on the internet. But here’s the statistic that matters most for this conversation, from Patchstack’s State of WordPress Security reports:

96% of all WordPress vulnerabilities live in plugins. 4% in themes. A handful - literally single digits a year - in WordPress core itself.

And the volume is growing fast. In 2024, the WordPress ecosystem disclosed 7,966 new vulnerabilities, a 34% jump on 2023. High-priority vulnerabilities were up 11% year-on-year. In the first half of 2025, Patchstack alone reported 4,462 vulnerabilities - 66.6% of all named vulnerabilities across the ecosystem, according to their 2025 mid-year report. This is a platform where new holes are being reported by the dozen every single week.

Now layer Mythos Preview on top.

The Anthropic paper has an entire section on what it calls N-day vulnerabilities. N-days are bugs that have been publicly disclosed and patched, but remain exploitable on every system that hasn’t yet applied the fix. Anthropic’s own framing is that N-days are in some ways the more dangerous case - the vulnerability is known, the patch itself acts as a roadmap back to the bug, and the only thing standing between disclosure and mass exploitation is the time it takes an attacker to turn that patch into a working exploit.

Translate that to a real scenario. Your site runs a popular WordPress form plugin. The plugin vendor ships a security release on a Tuesday morning. The release notes mention a “privilege escalation fix.” For anything distributed through WordPress.org the patch is not a secret: the plugin’s full PHP source is published in the public plugins.svn.wordpress.org repository the moment the release is tagged, so the diff between the two versions is there for anyone to read. Within hours, an attacker pipes that diff into a Mythos-class model and asks it to write the exploit. By Wednesday morning, automated scanners are hitting every WordPress site on the public internet looking for unpatched installs.

Pre-Mythos, that cycle took days to weeks. A plainly missing capability check in readable PHP was always quick to weaponise, but turning a patch into a reliable exploit for anything less obvious took a competent attacker one to four weeks, and most site owners had a rough grace period to apply the update.

Post-Mythos, that cycle is overnight, and costs less than lunch. The grace period is gone.

If your WordPress site updates plugins manually once a quarter - and most do - you are now sitting in a ninety-day kill zone for every security advisory that drops in your stack. That is not a forecast. That is the maths of what Anthropic just published.
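What that “privilege escalation fix” looks like in code is worth seeing, because it is exactly what the attacker reads out of the diff. The following is an added illustration, not code from the Anthropic paper or from any real plugin: a hypothetical plugin I’ll call acme-forms (the plugin name, option name and AJAX action are all made up), showing the same settings handler before and after the patch. The two checks the fix adds are the standard WordPress ones.

```php
<?php
/**
 * Hypothetical plugin "acme-forms" (made-up name, option and action names).
 * Added illustration of a WordPress "privilege escalation fix": the same
 * settings handler before and after the patch.
 */

// BEFORE the patch: anyone on the internet could change the plugin's settings.
// wp_ajax_nopriv_* exposes the action to logged-out visitors, and nothing
// checks who is calling or whether they are allowed to change options.
function acme_forms_save_settings_before() {
    $settings = array(
        'notify_email'  => sanitize_email( wp_unslash( $_POST['notify_email'] ?? '' ) ),
        'allow_uploads' => ! empty( $_POST['allow_uploads'] ),
    );
    update_option( 'acme_forms_settings', $settings );
    wp_send_json_success( $settings );
}
// Pre-patch registration (commented out here so only one handler is live):
// add_action( 'wp_ajax_acme_save_settings',        'acme_forms_save_settings_before' );
// add_action( 'wp_ajax_nopriv_acme_save_settings', 'acme_forms_save_settings_before' );

// AFTER the patch: two hard barriers, both checked before any state changes.
function acme_forms_save_settings_after() {
    // 1. Capability check: only users who may manage options get past here.
    //    This is the "capability check" barrier; it does not depend on the
    //    attacker not knowing the URL. wp_send_json_error() dies after sending.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // 2. Nonce check: ties the request to a form this user was actually shown,
    //    so a logged-in admin cannot be tricked into submitting it (CSRF).
    //    check_ajax_referer() dies with HTTP 403 if the nonce is missing or stale.
    check_ajax_referer( 'acme_save_settings', '_wpnonce' );

    $settings = array(
        'notify_email'  => sanitize_email( wp_unslash( $_POST['notify_email'] ?? '' ) ),
        'allow_uploads' => ! empty( $_POST['allow_uploads'] ),
    );
    update_option( 'acme_forms_settings', $settings );
    wp_send_json_success( $settings );
}
// Only logged-in users can reach the action at all now; there is no nopriv variant.
add_action( 'wp_ajax_acme_save_settings', 'acme_forms_save_settings_after' );

// The admin page that renders the form must mint the matching nonce, e.g.
// wp_nonce_field( 'acme_save_settings', '_wpnonce' ); inside the <form>.
```

The diff an attacker sees is one added `current_user_can()` line and one removed `nopriv` hook, which together say “this endpoint used to accept unauthenticated requests.” That is the whole roadmap. Two caveats when you are the one writing the fix: the nonce is not an authorisation check on its own (a nonce-only fix is a common mistake that still lets any logged-in subscriber call the handler), and `manage_options` is right for settings but overkill for actions that only need `edit_posts` or similar; pick the narrowest capability that matches what the action does.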

The Five Things Every WordPress Site Owner Needs to Do This Month

The rest of this post is the practical part. None of it is new. All of it just got urgent.

1. Get your patch velocity under 24 hours

The single most important metric for any WordPress site in 2026 is time from security advisory to patched production. Anthropic’s own defensive advice to industry partners was to “shorten patch cycles” and “expedite vulnerability mitigation.” For WordPress, that means:

  - Plugin auto-updates enabled for every plugin where the publisher is trustworthy and you have a working rollback.
  - A staging environment for the plugins where auto-update is too risky, typically e-commerce, membership and LMS plugins.
  - Active monitoring of the Patchstack, WPScan and Wordfence vulnerability feeds, filtered to the plugins you actually run.
  - A human reviewing any critical advisory within hours, not days.

Twenty-four hours is the new target. A week is too late. A month is malpractice.

2. Cut your plugin count in half

Every plugin on your site is a potential entry point. If 96% of WordPress vulnerabilities live in plugins, then every plugin you can delete is a meaningful reduction in risk.

The typical commercial WordPress site I audit in Perth runs between 25 and 45 plugins. The target for every one of those sites is now 15 or fewer. That means:

  - Delete abandoned plugins (no update in 12+ months, no response to support tickets).
  - Replace bloated plugins with lean alternatives: ditch the 40-feature SEO plugin if you use three features.
  - Rewrite trivial plugins as a few lines in a child theme or a must-use plugin (custom post types, simple shortcodes, tiny admin tweaks). Don’t put them in a parent theme’s functions.php, where the next theme update overwrites them.
  - Audit premium plugins quarterly: are you actually using what you’re paying for?

I wrote about the plugin soup problem in WordPress Isn’t the Problem. Your WordPress Setup Is. - the diagnosis hasn’t changed, but the stakes just went up.

3. Harden the obvious entry points

WordPress has a small number of attack surfaces that account for the overwhelming majority of automated compromises. All of them are fixable in one afternoon:

  - Enforce 2FA on every admin account. No exceptions, not even “just the owner uses that login.”
  - Move wp-login.php to a non-default URL. This only filters dumb bot traffic; treat it as noise reduction, not security.
  - Disable XML-RPC unless you have a documented reason to keep it on. Its system.multicall method lets a single request carry hundreds of password guesses, which sidesteps naive login throttling.
  - Throttle login attempts at the server or plugin level.
  - Set define( 'DISALLOW_FILE_EDIT', true ); in wp-config.php so a compromised admin account can’t pivot to editing theme and plugin PHP from the dashboard.
  - Block PHP execution in /wp-content/uploads via .htaccess or nginx rules, so an uploaded web shell can’t run even if it lands.
  - Put Cloudflare in front of the site, and restrict the origin to Cloudflare’s IP ranges. The free tier handles most automated noise, but only if attackers can’t reach the origin directly and walk around it.
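Most of the list above, plus the auto-update allowlist from the patch-velocity section, can be enforced from one must-use plugin, which has the advantage that nobody can switch it off from the dashboard. The following is an added example, not code from any real plugin or from the site care plans described on this page; every slug, threshold and file path in it is an assumption to adjust for your own site.

```php
<?php
/**
 * Plugin Name: Site Hardening (added example)
 * Description: Added illustration of the hard-barrier items above as a
 *              must-use plugin. Save as wp-content/mu-plugins/site-hardening.php;
 *              mu-plugins load before normal plugins and cannot be deactivated
 *              from the dashboard. Every slug and threshold is an assumption.
 */

// --- wp-config.php constants, shown for reference; they belong in
// --- wp-config.php, not in this file -----------------------------------
// define( 'DISALLOW_FILE_EDIT', true );      // no theme/plugin editor in the dashboard
// define( 'WP_AUTO_UPDATE_CORE', 'minor' );  // core minor/security releases apply themselves
// Do NOT set DISALLOW_FILE_MODS if you rely on auto-updates: it disables the updater too.

// 1. Disable XML-RPC. Besides being an unused surface for most sites, its
//    system.multicall method lets one request carry hundreds of password
//    guesses, which defeats per-request login throttling.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] ); // stop advertising the endpoint
    return $headers;
} );

// 2. Plugin auto-updates as an allowlist: on for everything except the plugins
//    you have decided must go through staging first. Slugs are assumptions.
define( 'HARDENING_MANUAL_UPDATE_SLUGS', array( 'woocommerce', 'learndash' ) );
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, HARDENING_MANUAL_UPDATE_SLUGS, true ) ) {
        return false; // these go through staging and rollback, by hand
    }
    return true;
}, 10, 2 );

// 3. Login throttling keyed on client IP: 5 failures inside 15 minutes locks
//    that IP out for 15 minutes. Thresholds are assumptions.
define( 'HARDENING_MAX_FAILURES', 5 );
define( 'HARDENING_WINDOW', 15 * MINUTE_IN_SECONDS );

function hardening_client_ip() {
    // If Cloudflare fronts the site AND the origin only accepts Cloudflare's
    // IP ranges, use the CF-Connecting-IP header instead; if the origin is
    // reachable directly, that header is attacker-controlled. Default to REMOTE_ADDR.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function hardening_fail_key() {
    return 'hardening_fail_' . md5( hardening_client_ip() );
}

add_action( 'wp_login_failed', function () {
    $key   = hardening_fail_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, HARDENING_WINDOW ); // window restarts on each failure
} );

// Priority 30 runs after WordPress's own username/password checks (priority 20),
// so a correct password submitted from a locked-out IP is still refused.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( '' === $username ) {
        return $user; // not a credential submission; nothing to throttle
    }
    if ( (int) get_transient( hardening_fail_key() ) >= HARDENING_MAX_FAILURES ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 30, 2 );

add_action( 'wp_login', function () {
    delete_transient( hardening_fail_key() ); // a successful login clears the counter
} );
```

The one item this file can’t do is blocking PHP under uploads, because that has to happen before PHP is ever invoked. On nginx, put `location ~* ^/wp-content/uploads/.*\.php$ { deny all; }` ahead of the general `location ~ \.php$` handler (regex locations are tried in order and the first match wins); on Apache 2.4, a `.htaccess` in wp-content/uploads containing `<FilesMatch "\.php$"> Require all denied </FilesMatch>` does the same. The throttle above counts per IP in transients, which is deliberately simple; it will not stop a distributed credential-stuffing run, which is what the 2FA requirement is for.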

Anthropic made one observation in the paper that applies directly to WordPress hardening:

“Mitigations whose security value comes primarily from friction rather than hard barriers may become considerably weaker against model-assisted adversaries.”

In plain English - renaming your admin URL buys you time against a human. Against a model running thousands of probes overnight, it buys you nothing. Hard barriers (2FA, WAF, file permissions, signed updates, capability checks) are what actually hold. Soft barriers (obscurity, cosmetic changes) are decorative.

4. Back up like you’re going to need it this week

A backup you’ve never restored from is not a backup. It’s a hope you’ll never have to prove wrong.

  - Daily off-site backups of both files and database, retained for 30 days minimum.
  - A quarterly test restore to a staging environment: not “the backup file exists,” but “I restored it and the site worked.”
  - Encrypted backups at rest. A leaked backup, with wp-config.php and the full user table inside it, is a second breach.
  - Stored off the same host. If your host gets hit, your backups shouldn’t go with it.

The reason this matters more in the Mythos era is that the window between compromise and impact is shrinking. You need to be able to roll back to yesterday, not last month.

5. Actually watch the site

Uptime monitoring, file integrity monitoring, log review, form submission testing. None of it is glamorous. All of it is how you find out you’ve been compromised before your customers do.

The single most common compromise story I hear from Perth small businesses goes like this - “we didn’t know anything was wrong until a customer rang us about the porn links on our blog page.” By that point the site has been compromised for weeks, Google has de-indexed half of it, and the clean-up bill is four figures.

The whole point of monitoring is to make that story impossible.
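Of the monitoring items above, file integrity monitoring is the one that catches the “porn links on the blog page” compromise while it is still a single dropped file. The following is an added example of the technique, not code from any real tool or from this site’s care plans: a standalone PHP script that hashes every file under a WordPress install, keeps a manifest from the previous run, and reports what was added, removed or changed, calling out the classic web-shell pattern of PHP appearing under uploads. The paths in the comments are assumptions.

```php
<?php
/**
 * fim.php: added example of file integrity monitoring for a WordPress install
 * (not code from any real tool). Run from cron, e.g. hourly:
 *   php fim.php /var/www/example.com/public_html /var/lib/fim/manifest.json
 * The first run writes the baseline; later runs print what changed and exit 1
 * if anything did. Paths are assumptions. Keep the manifest outside the web
 * root and not writable by the PHP-FPM user, or a compromise can rewrite it.
 */

/** Walk $root and return [relative path => sha256] for every regular file. */
function fim_build_manifest( string $root ): array {
    $root     = rtrim( $root, '/' );
    $manifest = array();
    $it       = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $rel = substr( $file->getPathname(), strlen( $root ) + 1 );
        // Skip volatile cache and log files. Everything else under uploads is
        // still hashed, because a new .php file there is the classic shell drop.
        if ( preg_match( '#^wp-content/(cache/|uploads/.*\.(log|tmp)$)#', $rel ) ) {
            continue;
        }
        $manifest[ $rel ] = hash_file( 'sha256', $file->getPathname() );
    }
    ksort( $manifest );
    return $manifest;
}

/** Executable code where only media should live, or PHP hiding behind an image name. */
function fim_is_suspicious( string $path ): bool {
    return (bool) preg_match( '#^wp-content/uploads/.*\.(php\d?|phtml|phar)$#i', $path )
        || (bool) preg_match( '#\.(jpe?g|png|gif)\.php$#i', $path );
}

/** Compare two manifests into added / removed / changed / suspicious lists. */
function fim_diff( array $old, array $new ): array {
    $out = array( 'added' => array(), 'removed' => array(), 'changed' => array(), 'suspicious' => array() );
    foreach ( $new as $path => $hash ) {
        if ( ! isset( $old[ $path ] ) ) {
            $out['added'][] = $path;
        } elseif ( $old[ $path ] !== $hash ) {
            $out['changed'][] = $path;
        } else {
            continue; // unchanged files are never flagged on their own
        }
        if ( fim_is_suspicious( $path ) ) {
            $out['suspicious'][] = $path;
        }
    }
    foreach ( array_keys( $old ) as $path ) {
        if ( ! isset( $new[ $path ] ) ) {
            $out['removed'][] = $path;
        }
    }
    return $out;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1], $argv[2] ) ) {
    [ $root, $store ] = [ $argv[1], $argv[2] ];
    $new = fim_build_manifest( $root );
    if ( ! is_file( $store ) ) {
        file_put_contents( $store, json_encode( $new, JSON_PRETTY_PRINT ) );
        echo 'Baseline written: ' . count( $new ) . " files\n";
        exit( 0 );
    }
    $old     = json_decode( file_get_contents( $store ), true ) ?? array();
    $diff    = fim_diff( $old, $new );
    $changed = false;
    foreach ( $diff as $kind => $paths ) {
        foreach ( $paths as $p ) {
            echo strtoupper( $kind ) . "\t$p\n";
            $changed = true;
        }
    }
    // Each change is reported once: the new manifest becomes the next baseline.
    file_put_contents( $store, json_encode( $new, JSON_PRETTY_PRINT ) );
    exit( $changed ? 1 : 0 );
}
```

Legitimate plugin and core updates will show up as CHANGED, so read the report against your update log rather than alerting on every diff. A self-made baseline can only tell you a file changed, not whether it now matches what the vendor shipped; for that, WP-CLI’s `wp core verify-checksums` and `wp plugin verify-checksums --all` compare the install against the hashes WordPress.org publishes, and the two checks complement each other.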

The Perth Small Business Reality

Most of the small and medium businesses I work with across Perth - Joondalup, Fremantle, the CBD, the northern suburbs - are not running enterprise ops. They have a WordPress site someone built them in 2022 or 2023. They’ve clicked the update button a handful of times. The original developer may or may not still be in the picture.

Pre-Mythos, a site like that had maybe a 5-10% annual chance of a meaningful compromise event - depending on plugin choices, hosting, and luck. That was already too high for a business-critical asset.

Post-Mythos, I expect that number to double within twelve months and triple within twenty-four. The reasoning is simple: the cost of writing a working WordPress plugin exploit just collapsed, and the number of unpatched sites didn’t. On top of that, the European Union’s Cyber Resilience Act, in force since December 2024, begins applying its mandatory vulnerability reporting obligations on 11 September 2026, which will likely generate another wave of CVE filings against plugins and themes used by EU businesses.

The cost to clean up a compromised WordPress site for a Perth small business usually lands between $800 and $3,500 AUD, depending on how deep the infection went and whether the SEO damage is bad enough to need a reconsideration request to Google. Then you add the lost leads while the site is down or flagged, the reputational hit, and the awkward email to your customer list.

Compare that to the cost of running proper maintenance - $200 to $400 a month, all in. The cost-benefit was already obvious before this week. It just became unmissable.

I covered the fundamentals of why sites need ongoing care in Why Your Website Needs Ongoing Maintenance. Everything in that post is still true. The urgency just increased by an order of magnitude.

Where I Sit On This

Doom is not useful and panic is not a plan. So let me end where Anthropic ended, because I think their framing is correct.

“Once the security landscape has reached a new equilibrium, we believe that powerful language models will benefit defenders more than attackers, increasing the overall security of the software ecosystem.”

I agree with this. The same models that write exploits will patch code. Project Glasswing is already pushing Mythos-class capability to defenders first. WordPress core, major plugin vendors, and the broader ecosystem will be more secure in three years than they are today. But “eventually” is doing a lot of work in that sentence. The transitional period is what matters, and the transitional period is where WordPress site owners in Perth are sitting right now.

Surviving the transition means doing the unglamorous work - patching fast, cutting plugin count, hardening the obvious entry points, backing up properly, and actually watching the site - while the asymmetry between attackers and defenders is at its widest.

What To Do This Week

If you own a WordPress site and nobody has meaningfully looked at it in the last three months, here’s the five-minute version:

  1. Log in and check how many plugins are flagged for updates. If it’s more than three, your patching cadence is already behind the new reality.
  2. Check whether your admin account has 2FA enabled. If it doesn’t, enable it today.
  3. Ask your hosting company or developer when the last successful backup restore test happened. If they can’t tell you, assume it never did.
  4. Count your plugins. If it’s over 25, you have an attack surface problem.

If any of that rings alarm bells, you need maintenance on the site, not in six months, now. I run Website Care Plans starting at $200/month AUD that handle exactly this - core and plugin updates, security and log review, backup verification, form testing, SSL monitoring, uptime monitoring, mobile testing, and a monthly report. The Performance Boost add-on covers Core Web Vitals and caching. None of it is glamorous. All of it is what stands between your site and a bad week.

If you’re not sure whether your site needs a plan, get in touch and I’ll run a free initial audit - what plugins you’re running, what’s out of date, what entry points are exposed, and what the realistic risk profile looks like. No obligation. If everything’s fine, I’ll tell you everything’s fine.

The machines just got a lot better at finding holes in websites. The right response isn’t to panic, and it isn’t to move to Squarespace. It’s to stop leaving the holes there in the first place.


Sources and further reading: