A reported Wordfence security alert claiming 7.3 million Squarespace sites were attacked in May 2026 cannot be verified through current information sources, security databases, or Wordfence’s published research. While Wordfence does publish frequent security reports and incident data, their May 2026 bulletins focus primarily on WordPress vulnerabilities rather than Squarespace platforms. This discrepancy highlights an important challenge for digital marketers and web developers: distinguishing between verified security incidents and unconfirmed claims that circulate online.
The confusion may stem from legitimate security concerns affecting both platforms during this period. In May 2026, Wordfence documented significant attacks targeting WordPress installations exploiting outdated plugin vulnerabilities, including flaws in GutenKit and Hunk Companion plugins affecting hundreds of thousands of sites. Simultaneously, security researchers have documented real Squarespace vulnerabilities from prior incidents, most notably a July 2024 DNS hijacking campaign targeting cryptocurrency domain owners. Understanding what actually happened versus what may be speculation is critical for protecting your websites.
Table of Contents
- Why Wordfence May 2026 Reports Don’t Mention Squarespace
- Real Squarespace Security Incidents and What They Tell Us
- WordPress Vulnerabilities Documented in May 2026
- How to Verify Security Reports and Distinguish Truth from Speculation
- The Risk of Unverified Security Claims in Digital Marketing
- Squarespace Security Best Practices Regardless of Reported Incidents
- The Future of Security Reporting and Platform Trust
- Conclusion
Why Wordfence May 2026 Reports Don’t Mention Squarespace
Wordfence’s primary focus remains WordPress security, where they maintain the largest dataset of attack patterns and vulnerability exploitation. Their May 2026 reports detailed the blocking of 8.7 million attacks against WordPress sites exploiting old plugin flaws—this is documented, verifiable data. The company publishes weekly intelligence reports specifically for WordPress vulnerabilities, CVE disclosures, and attack campaigns.
When Wordfence does investigate security incidents affecting other platforms like squarespace, they typically publish separate, clearly labeled reports rather than lumping them into WordPress statistics. The absence of the 7.3 million Squarespace figure in searchable security databases, Wordfence’s official blog, or reputable security news aggregators suggests this statistic either doesn’t exist, uses different terminology, or comes from a source other than Wordfence. Security researchers regularly cite verified Wordfence findings in publications like SecurityAffairs and SC Media, but this specific claim has not appeared in those channels. This is a limitation of relying on unverified statistics: they can spread through marketing materials and social media without grounding in actual incident data.
Real Squarespace Security Incidents and What They Tell Us
The most documented Squarespace security incident in recent memory occurred in July 2024, when hackers exploited weak account security practices to hijack DNS records for cryptocurrency-related domains hosted on Squarespace. Unlike a sudden coordinated attack affecting millions of sites simultaneously, this campaign relied on compromised credentials and insufficient multi-factor authentication across affected accounts. The lesson here is that Squarespace incidents typically result from user account compromise or configuration vulnerabilities rather than platform-wide exploits.
This incident affected primarily cryptocurrency websites and traders who failed to enable MFA on their Squarespace accounts, making them vulnerable to credential stuffing and brute force attacks. The scale was significant but not in the millions—more accurately described as hundreds to low thousands of domains. Wordfence and other security firms monitor Squarespace differently than WordPress because Squarespace is a closed, proprietary platform with less publicly available attack surface data. Wordfence’s strength lies in analyzing open-source WordPress plugins where vulnerability information is publicly disclosed and can be quantified across millions of installations.
WordPress Vulnerabilities Documented in May 2026
In May 2026, Wordfence confirmed attacks exploiting the Burst Statistics plugin vulnerability (CVE-2026-8181) affecting over 200,000 WordPress installations. This CVSS 9.8 severity flaw represented a critical risk for site administrators who hadn’t patched their systems. Additionally, older vulnerabilities in GutenKit and Hunk Companion plugins continued to be exploited months after patches were available, demonstrating that many WordPress site owners delay or skip critical updates. Wordfence blocked millions of exploitation attempts against these outdated plugins in May alone.
These WordPress incidents are verifiable through multiple channels: the CVE databases, plugin repositories, security alerts, and Wordfence’s own published timeline. Each attack pattern can be traced to specific plugin versions and vulnerability types. This contrasts sharply with the unverified Squarespace statistic, which lacks supporting data, CVE numbers, or publication in any mainstream security report. For WordPress users, the takeaway is clear—keep all plugins updated and monitor your Wordfence security status regularly.
How to Verify Security Reports and Distinguish Truth from Speculation
When you encounter a dramatic security statistic, apply these verification steps: check Wordfence’s official blog and security intelligence reports directly, search major security news outlets like SecurityWeek and Cybernews for independent confirmation, look for CVE numbers and technical details that can be independently verified, and verify whether the claim appears in multiple reputable sources. A genuine large-scale incident will be reported by at least three independent security organizations and will include specific technical indicators, affected versions, and remediation steps. The tradeoff of this verification approach is time—it takes longer than simply accepting the first scary headline you encounter.
However, the cost of acting on unverified information is higher: you might implement security measures that address non-existent threats, distract your team from real vulnerabilities, or spread misinformation to your audience. Media outlets and security firms have strong incentives to break real news, but they also sometimes amplify claims without independent verification. Your responsibility as a web professional is to dig deeper before making infrastructure decisions or publishing warnings to your audience.
The Risk of Unverified Security Claims in Digital Marketing
Unverified security statistics can damage your credibility when published. If you cite the 7.3 million Squarespace figure and later discover it’s unsupported, you lose reader trust and professional reputation. This is particularly important for digital marketing and SEO professionals who build authority partly through accurate, trustworthy information. Search engines increasingly reward sites that demonstrate expertise and factual accuracy—publishing debunked or unverified security claims undermines your E-E-A-T (Experience, Expertise, Authoritativeness, Trustworthiness) signals.
Additionally, clients and readers may make expensive security decisions based on misinformation. A client might migrate away from Squarespace unnecessarily or invest in security tools that address phantom threats. The warning here is simple: verify before you publish. Contact Wordfence directly if you’re uncertain about a claim, check the publication date carefully, and cross-reference with other security firms. The few extra hours of verification work prevents days of potential damage control.
Squarespace Security Best Practices Regardless of Reported Incidents
Whether or not the 7.3 million figure is accurate, Squarespace users should implement fundamental security practices. Enable multi-factor authentication on all Squarespace accounts, use strong unique passwords managed through a password manager, regularly review domain and DNS settings for unauthorized changes, and monitor your site’s analytics for suspicious traffic patterns.
These practices would have prevented the actual July 2024 DNS hijacking incident and protect against other common attack vectors. For WordPress users, the priorities differ slightly: keep all plugins and themes updated immediately, use a security plugin like Wordfence, limit login attempts, implement strong passwords, and regularly scan for malware. WordPress’s open-source nature means vulnerabilities are discovered and disclosed regularly, so a patching discipline is non-negotiable.
The Future of Security Reporting and Platform Trust
As cyber threats evolve, the distinction between verified incident data and speculation becomes increasingly important. Wordfence and similar firms maintain value precisely because they publish verifiable, reproducible data. Their reports cite specific attack campaigns, exploitation counts, and affected plugin versions. Future-focused security professionals should prioritize sources that provide this level of documentation over sensational claims lacking supporting evidence.
The web development and digital marketing communities benefit when accurate information flows freely. By holding security claims to a verification standard, you protect not just your own credibility but contribute to industry-wide trust. When you encounter statistics you can’t verify, ask questions, research the source, and share only confirmed information with your audience. This practice strengthens the entire ecosystem’s ability to respond to real threats.
Conclusion
The specific claim that Wordfence reported 7.3 million Squarespace sites attacked in May 2026 cannot be verified through available sources, Wordfence’s official publications, or major security research organizations. What is documented and verified are WordPress vulnerabilities exploited in May 2026, including the Burst Statistics CVE and lingering attacks against older GutenKit and Hunk Companion flaws. Additionally, real Squarespace security incidents from July 2024 involving DNS hijacking provide actual lessons for securing cryptocurrency-related and other high-value domains.
For your websites and your audience, focus on verified threats and implement security practices that address proven vulnerabilities. Check Wordfence’s official blog for WordPress updates, enable multi-factor authentication across all platforms, maintain patching discipline, and apply healthy skepticism to unverified security claims. When you encounter dramatic statistics, invest time in verification—it protects both your reputation and your readers’ confidence in your expertise.
