Working Notes: web security
A short and useful newsletter for people who look after websites.
Working Notes: #6
Marc Jenkins · 7th May, 2026
Since I wrote my last newsletter, Anthropic announced their latest model, Mythos. It made mainstream news because Anthropic claimed it's "strikingly capable at computer security tasks". There's been plenty of debate about whether Mythos is terrifying or just hype.
For us website owners, I don't think it really matters if it's hype or not. The truth is that hackers have more powerful tools at their disposal than ever. Website security is as important as it's ever been.
I've been asked a lot recently about WordPress. How secure is it?
I maintain that a well-built WordPress site, hosted professionally and updated regularly, is secure. I've been working with WordPress for well over a decade and have built dozens of websites over that period. I know many WordPress professionals who have launched hundreds of high-profile WP-powered sites. I don't know a single one that has been hacked. Not one.
The WordPress sites I've seen that have been hacked weren't kept up to date, were on cheap, insecure hosting, or used dodgy plugins.
Of course, this doesn't just apply to WordPress. Kirby, the CMS that powers my own site, just released an update that patched a bunch of recent vulnerabilities. Whatever CMS you're using, keep it up to date if you can.
This is just a reminder that while security might be boring and uninteresting, it’s increasingly important.
If you want to chat about the security of your site, reply to this email or book a call.
What I’ve been reading
How to buy technology ethically
Great tips on how to approach agencies for a website redesign.
Selling Lemons
I re-read Frank Chimero’s excellent article Selling Lemons this week. I, too, feel like we’re in the lemon stage of the internet.
How to minimize the environmental impact of your website
A framework for reducing your website's environmental impact by minimising page weights across key user journeys.
Common misconceptions about testing accessibility
An interesting list of accessibility testing misconceptions. “Relying on automated testing” is the mistake I see most often.