Read to the end to see a very chill dude absolutely shredding it on the slopes.
In today’s edition:
- Post Status launches WP Speakers Virtual Stage Series, for rejected WordCamp speakers and anyone else with something to say about WordPress.
- A cybercriminal network has been working 9-5 since 2016 to infect over 20,000 WordPress websites with malware in the so-called “DollyWay World Domination” campaign.
- Boring is the new sexy – because who doesn’t love a dashboard behaving itself?
Hot Off The Presses: What’s New?
It’s not just us, right?
One minute your computer feels like it’s powered by a potato, and then you press Ctrl-Alt-Del and suddenly everything snaps to attention like a room full of interns who just saw the boss walk in.
Is it magic? Is it fear? Something else entirely?
Who knows!
Anyway, while things seem to be behaving for the moment, keep reading for what’s new in WordPress.
A Chance To Have Your Say on the Virtual Stage
Always wanted to speak at a WordCamp event but your talk submissions haven’t been approved yet?
Good news.
Post Status just launched the WP Speakers Virtual Stage Series – a live webinar event aimed at getting more voices heard from the WordPress community.
This idea came to be after several folks shared on social media that their talk ideas had been rejected. In her tweet, Post Status Executive Director Michelle Frechette promised not to call the event series “Failed Talk Ideas.” But to be honest, Michelle, we think that’s kinda a badass name for a talk series.
Either way, it’s always a good thing to pass the microphone, virtual or not, to a diverse variety of people in the WordPress world and hear about their experiences. Everyone has something to teach us.
So, if you’ve got something to say about WordPress and you’d like to say it to more than just your dog, you can apply via the form on this page. You’ll hear back from Michelle about whether your talk has been selected.
This series will run throughout the year, and they are looking for a breadth of topics, so “don’t be afraid to submit your wildest ideas.”
Can’t wait to hear the interesting perspectives this series will present!
20,000 Hacked WordPress Sites Part of Creepy “DollyWay World Domination” Threat
If your WordPress site has recently developed a mind of its own and started sending visitors to the digital equivalent of a poorly-lit back alley, you might be a victim of the “DollyWay” campaign.
GoDaddy’s security researchers have uncovered a long-running malware operation that dates all the way back to 2016 and has compromised over 20,000 websites around the world.
Here’s what you need to know:
- The malicious scripts hijack your traffic and redirect visitors to, well, somewhere. It could be a phishing page, a dodgy fake “bank,” a cryptocurrency site or a dating scam.
- The hackers then monetize the hijacked traffic to these malware-infested wastelands to gain affiliate ad revenue.
- GoDaddy’s Security team originally thought these attacks were separate campaigns, but they’ve noticed common infrastructure, code patterns, and monetization methods that tie everything back to one single sophisticated threat actor.
- The perpetrators are believed to be VexTrio, a massive cybercrime network that kinda sounds like the name of a knock-off Marvel villain.
- The name DollyWay comes from a tell-tale string that was found in some variations of the malware: define(‘DOLLY_WAY’, ‘World Domination’);.
It really should be illegal to use the name of Our Lord and Savior, Dolly Parton for something so sketchy.
While WordPress site takeovers aren’t exactly news, the sheer scale of this campaign is pretty freakin’ scary.
Plus, it’s mind-blowing how easily this malware can re-infect your site even when you think you’re in the clear. There’s a sophisticated reinfection procedure that takes place every time ANY WordPress page is opened. Like, seriously!?!
If you think you’ve already become infected, experts recommend taking the infected site down, or at least disabling all plug-ins, in order to clean up the infection. It’s also a good idea to implement strong admin password policies, set up multi factor authentication, and use a Web Application Firewall. Also, check the GoDaddy report for indicators of compromise.
This is yet another reminder that security is never a “set-it-and-forget-it” deal. If you don’t update your site, hackers will happily do it for you.
Boring Features Are the Backbone of WordPress—And That’s Exciting (No, Really)
Boring is good.
In a recent article for the WP Minute, Eric Karkovack reminds us that while everyone fawns over flashy AI tools, it’s the so-called dull updates that actually keep WordPress professionals from losing their minds.
Things like stability, predictability, and not waking up to a dashboard full of plugin conflict nightmares are actually massive wins.
The real magic of WordPress happens when things just… work. No drama. No frantic Googling of error messages at 2 AM. Just a smooth, predictable system that allows pros to build and maintain sites without feeling like they’re defusing a bomb every time they hit “Update.”
For example, WordPress 6.8 using bcrypt to encrypt user passwords? Not that exciting or sexy – but definitely a win.
Eric has a glass-half-full perspective on Automattic’s reduction in contributor hours to the WordPress project. He believes that a slowdown in new feature development may turn some attention to small, longstanding issues that need to be looked at. It could be a “chance to clean up WordPress and make it leaner and more efficient.”
Either way, Eric’s right that “unexciting” fixes are worth appreciating. In the world of web development, boring is just another word for reliable. And reliable means less stress, happier clients, and more time to waste posting silly memes of your dog on Bluesky.
What are your thoughts? What’s your fave “boring” update?
Cool Stuff Clever WordPress Folks Have Made Recently
We’re always impressed by the neat plugins, projects and blocks that smart people in the WordPress world have been tinkering with. Here are some of the gems we’ve spotted recently:
- Bhargav (Bunty) Bhandari made a totes-profesh-looking block that lets you add LinkedIn-style work experience history to your site, complete with title, company name and description.
- Robert DeVore made “Slop Stopper,” a WordPress content checker that will help stop your multi-author blog from being swamped by poor quality AI-written drivel.
- Hudson Atwell built a free email signature generator, so you can sign off those passive-aggressive “as per my earlier email…” messages with flair.
- Johnathon Williams of Odd Jar built QuickLink Pro, a link management solution that helps you add external links to the standard link dialog in the block editor for easy linking.
- Djordje Arsenovic created a very cool block which allows you to make text appear like it is being typed on a typewriter. Lots of fun possibilities there!
What other interesting projects have you seen in the wild? Share them with us in the comments.
Mind Bloggling Facts & Stats
- According to the Verizon Data Breach Investigations Report 2024, 68% of WordPress data breaches were not caused by malicious hackers or phishing scams but by accidental security lapses. Oops… (Source)
- Patchstack reported that 7,966 new security vulnerabilities were found in the WordPress ecosystem in 2024, which is about 22 new vulnerabilities per day. Of those vulnerabilities, 96% were found in plugins and only 4% in themes. Better keep an eye on those plugins, hey? (Source)
- Kinsta recently published some pretty eye-opening data about Black Friday & Cyber Monday shoppers. For example, desktop traffic increased by 21.5% on Cyber Monday, revealing that shoppers are taking more time to engage with websites to read reviews and content – rather than grabbing spontaneous deals on their phone. (Source)
Blogs & Resources You Shouldn’t Miss

“I’m a .SVG… Classy, bougie, ratchet, sassy, moody, nasty…” Topher DeRosia gives us the lowdown on .SVG images and how to use them in WordPress.
Michelle Frechette shares some relatable reflections on burnout and inertia in her post, Running in Place.
Don’t know how to commit? (Don’t worry, we’re talking code reviewing, not romance) This guide from Michael Lynch shows you how to write marvelously helpful commit messages.
In your quest to make all your WordPress stuff more accessible, it’s easy to get scammed by “accessibility cowboys” selling bogus fixes. Anne Bovelett created a great guide on how to avoid these fake experts.
If privacy policies confuse the heck outta you, Trevor Willingham attempts to explain the basics using memes in this post on The Admin Bar.
If you’re seeking a way to hide a page in WordPress, Martin Dubovic posted a video tutorial with 5 different tricks to make content vanish from visitors and crawlers.
Schema whaa? Jolissa Skow breaks down Schema Markup and how to use it in WordPress in this super helpful guide.
Coffee Break Distractions
This developer asked Cursor AI to generate code for him, and it said, “Uh, no. Do it yourself.” lol
A bit of a mind-bending one: We’ve Been Wrong About Math for 2300 Years
Fascinating read: Cloudflare is trapping malicious AI bots in never-ending “AI Labyrinths.”
A surprisingly fluffy oreo cookie.
Have you played WordlePress? It’s like Wordle, but for WordPress core (PHP) functions.
And finally…
This absolute golden ski-slope legend.
Found this interesting? Forward it to someone who you think might also love it!