Best of WordPressApril 2026

  1. 1
    Video
    Avatar of fireshipFireship·6w

    A rich hacker just penetrated 31 WordPress plugins...

    A supply chain attack compromised 31 WordPress plugins after an attacker purchased them via Flippa, inserted a dormant backdoor, and later activated malicious payloads that modified core WordPress files including wp-config.php. The command-and-control domain was resolved through an Ethereum smart contract, making it resilient to takedowns. The attack bypassed normal security suspicion by arriving as a routine plugin update. The post also covers Cloudflare's new Mdash project, a WordPress-compatible alternative built on Astro that sandboxes plugins using dynamic workers and capability-based bindings to prevent the kind of full-privilege access that makes WordPress plugins dangerous.

  2. 2
    Article
    Avatar of newstackThe New Stack·6w

    Who will maintain the web when PHP’s veterans retire?

    A Perforce 2026 PHP Landscape Report surveying over 700 developers reveals a growing skills gap in the PHP ecosystem: more than half of PHP developers have 15+ years of experience, while only 15% have five years or less. Hiring has become the top challenge for PHP team managers, with 24% citing lack of skilled personnel as a leading operational concern. Analysts warn this isn't just a PHP problem but an open source problem, compounded by AI-generated code creating silent technical debt without enough junior developers to manage it. Despite the talent crunch, PHP remains foundational — tied with JavaScript at 72% usage — powering millions of e-commerce sites, WordPress installations, and APIs, mostly at companies with fewer than 500 employees. Symfony and Laravel lead the framework landscape.

  3. 3
    Article
    Avatar of wordpressdevWordPress Developer·8w

    @wordpress/build, the next generation of WordPress plugin build tooling

    @wordpress/build is a new build tool for WordPress plugins that replaces webpack and Babel with esbuild, offering significantly faster builds and zero-config convention-based discovery. It auto-generates PHP script registration files from package.json conventions, supports scripts, script modules, and styles in a single pass, and already powers all 100+ Gutenberg packages. The tool uses fixed folder conventions (packages/, routes/, blocks/ proposed) and a namespace model for cross-plugin dependency externalization. The long-term plan is for it to become the internal engine of @wordpress/scripts, so wp-scripts build continues to work but gets faster with auto-generated PHP. The API is still being shaped and the team is actively seeking feedback from plugin developers, especially around block plugin structure, monorepo-free setup, and the externals/namespace model.

  4. 4
    Article
    Avatar of cms_squadCMS·7w

    Em Dash: a programmable CMS experiment, not a WordPress replacement (yet)

    Em Dash is an early-stage, developer-oriented CMS that takes an API-first, tool-driven approach to content management, integrating with AI agents via MCP-like interfaces and using Astro on the frontend. Unlike traditional CMS platforms, it treats content as something operated on programmatically rather than edited through a UI. It features an isolated worker-based security model (requiring paid Cloudflare Workers for full benefit) and includes a WordPress content importer. In practice, local MCP integration had issues but API-based usage with Claude worked. The verdict: no plugin ecosystem, no non-dev editor experience, and significant infra requirements make it a developer experiment rather than a WordPress replacement — but it hints at where programmable, AI-driven content systems may be heading.

  5. 5
    Article
    Avatar of wordpressdevWordPress Developer·6w

    What’s new for developers? (April 2026)

    WordPress 7.0's release cycle has been extended to fix a performance issue in the Real-Time Collaboration (RTC) database architecture. Pre-release versions are paused until April 17th, with a new schedule announced by April 22nd. Key developer highlights include: RTC using Yjs/CRDT with HTTP polling, requiring migration from classic meta boxes; a new WP AI Client PHP library providing a unified abstraction for AI providers (OpenAI, Anthropic, Google, Ollama, Mistral, OpenRouter); a Connectors API for platform-level AI credential management; a Client-Side Abilities API in JavaScript; and WordPress Playground's new MCP server enabling AI coding agents like Claude Code to control a local WordPress instance via WebSocket. Theme developers get pseudo-state button styling in theme.json, viewport-based block visibility controls, and background gradient support. PHP minimum requirement rises to 7.4, with 8.2+ recommended.

  6. 6
    Article
    Avatar of wordpresscoreMake WordPress Core·4w

    Presence API Feature Plugin

    A new experimental WordPress feature plugin called the Presence API adds a system-wide awareness layer to the WordPress admin, showing who is logged in, which admin screens they are on, and which posts they are actively editing. It introduces dashboard widgets ('Who's Online' and 'Active Posts'), an admin bar online indicator with avatar stacks, a post list 'Editors' column, a Users list 'Online' filter, REST endpoints, WP-CLI commands, and a post-lock bridge. Data is stored in a dedicated ephemeral table with a 60-second TTL and flows through the existing Heartbeat API. The plugin can be tested in WordPress Playground with 5- or 40-user blueprints. It is experimental and community feedback is being solicited.

  7. 7
    Article
    Avatar of wordpresscoreMake WordPress Core·4w

    Urgent: Testing request to Web hosts for collaborative editing by May 4th

    WordPress Core is requesting web hosts and database admins to test the Real Time Collaboration (RTC) feature planned for WordPress 7.0 by May 4th. A test suite requiring only bash, cURL, WP-CLI, and patch has been provided. Hosts are asked to run tests against their actual production configurations (not fresh installs) and submit results to WordPress.org using a bot account. Results will be aggregated and analyzed by hosting type to inform architectural decisions before the 7.0 release. The RTC feature is part of the Phase 3 roadmap and opens the door to agentic collaborators and future features like suggestion mode.

  8. 8
    Article
    Avatar of wordpresscoreMake WordPress Core·6w

    Elevating Individuals

    Matt Mullenweg reflects on how the WordPress community has shifted toward over-recognizing corporate sponsors at the expense of individual contributors. He calls for a return to celebrating personal contributions, critiques badge designs that prominently display employer names over personal identity, and challenges the community to measure actual impact rather than hours pledged. He also questions how consensus-driven processes and emphasis on participation may have slowed progress, referencing The Mythical Man-Month as a long-known warning.

See all WordPress archives