Thursday, June 5, 2025

You Had ONE Job, Security Plugin!


Read to the end to find out why at this particular post office, you have to hold your breath while sending your mail…

In today’s edition:

  • A plugin that reminds me of my ex: acts like it’s protecting you, but really just secretly sabotages everything while you’re not looking.
  • Bring your best ketchup-chip-fueled hot takes: Canadian WordCamp is coming.
  • The EAA is getting serious, and pretending your site is compliant won’t cut it (just ask AccessiBe’s wallet.)

Hot Off The Presses: What’s New?

Most of the time, it’s a simple “turn it off and on again” type fix. Easy peasy.

But every now and then, you accidentally become the final boss in someone else’s support ticket queue. Now that’s impressive.

Here’s to all of the times you’ve broken things so spectacularly, the dev team needed therapy afterwards. 🍻

Keep reading for your fortnightly hit of WordPress news, you code-slinging rascal, you.

Poutine the Spotlight on You at WordCamp Canada 🍁

WordCamp Canada is happening in Ottawa from October 16-17th, and it’s a good thing it isn’t happening any later in the year… because by November you’d need finger-warmers, thermal socks, and sheer willpower just to type your password.

If you’ve ever wanted to speak at a WordCamp, this is your moment. The call for speakers is open until June 15, which gives you plenty of time to pick a topic, write a pitch, panic about it, scrap everything, rewrite it, and finally hit submit with trembling hands (from nerves, not frostbite, yet).

You can apply to give a Lightning Talk (a fast, 10-minute knowledge bomb) or go big with a 30, 60, or even 90-minute presentation on whatever WordPress rabbit hole you’ve fallen down lately. And don’t worry. Ottawa audiences are famously polite. If you mention anything even mildly exciting, non-governmental, or temperature-related, you’ll probably get a standing ovation.

If your talk is accepted, you’ll score a free conference ticket and a team of actual humans who will help you prep and deliver your talk like the web wizard you are. Then you can all belt out Bryan Adams together at karaoke afterwards to celebrate.

So go ahead, throw your toque in the ring by filling out the form at the bottom of this page. Because the only thing colder than an Ottawa winter is the regret of not applying.

The Ultimate Irony: Hackers Hide Malware in Fake Security Plugin

In a twist that would make Alanis Morissette proud (speaking of Canadians), cybercriminals have introduced a malicious WordPress plugin masquerading as a security tool. Dubbed “WP-antymalwary-bot.php” (because nothing says trustworthy like a typo, right?), it offers attackers administrator access, hides itself from the dashboard, and even injects malicious JavaScript to serve spammy ads.

First spotted during a site cleanup in January 2025, this digital Trojan horse has since evolved, adopting aliases like “addons.php” and “wp-performance-booster.php.” Once activated, it leverages the REST API to execute remote code, modifies theme headers, and clears caches of popular plugins. Just when you think you’ve yeeted it into oblivion, wp-chron.php says, ‘Surprise, loser!’ and drags it back from the malware grave.

The origin of this campaign remains unclear, though Russian language comments suggest a possible link to Russian-speaking threat actors. This incident underscores the importance of vigilance: always vet plugins, keep your site updated, and remember that sometimes, the biggest threats come disguised as protectors.
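
As an added example (not part of the original newsletter or any vendor's tooling), here is one way to sweep a WordPress install for the file names reported above. The function name `scan_wp_root` and the `wp-content/plugins` layout it assumes are illustrative; a hit, especially on a generic name like `addons.php`, is a lead for manual review, not a verdict.

```shell
#!/bin/sh
# File names as reported in the article above. Matching is case-insensitive
# because the first name is reported with mixed case.
FAKE_PLUGIN_NAMES="wp-antymalwary-bot.php addons.php wp-performance-booster.php"
REINFECTOR_NAME="wp-chron.php"

# scan_wp_root <wordpress-root>   (hypothetical helper name)
# Prints one "kind: path" line per hit.
# Returns 0 if nothing matched, 1 if anything matched, 2 on a bad argument.
# Usage after sourcing this file:  scan_wp_root /var/www/html
scan_wp_root() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    found=$(
        # The plugin names only matter inside the plugins directory;
        # the same base name elsewhere (e.g. in a theme) is not reported.
        for name in $FAKE_PLUGIN_NAMES; do
            find "$root/wp-content/plugins" -type f -iname "$name" 2>/dev/null |
                sed 's|^|plugin: |'
        done
        # The file the article credits with restoring the plugin after
        # removal is searched for across the whole install.
        find "$root" -type f -iname "$REINFECTOR_NAME" 2>/dev/null |
            sed 's|^|reinfector: |'
    )

    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}
```

Because the plugin hides itself from the dashboard, the check runs against the filesystem, not the admin plugin list.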

(BTW… for a plugin that is the absolute opposite of this one and will actually keep your site safe, may we recommend Defender? It’s guaranteed 100% free of creepy hackers.)

Get Ready for the European Accessibility Act (Unless You Love Fines, I Guess)

Accessibility isn’t optional anymore. Here’s what you need to know.

The European Accessibility Act (EAA) is coming into full effect in June 2025, so it’s time to make your website truly accessible – none of that AccessiBe “pretend-it’s-accessible” nonsense.

If you haven’t heard – AccessiBe learned the hard way, claiming their plugin could make any website compliant with Web Content Accessibility Guidelines (WCAG) and then getting hit with a $1 million fine for fake accessibility. So, unless you want to join them in the “we should’ve done better” club, now’s the time to get your act together!

The EAA applies to all businesses with consumer-facing digital presence in the EU, and it isn’t about just checking boxes; it’s about actually making sure your site works for everyone. If you’ve been hoping to skate by with a flashy widget and a prayer, think again.

Don’t sweat it too much though, WP Umbrella’s got your back with a super helpful post on how to prepare your WordPress site for compliance.

👉 See exactly what changes you need to make before June 2025: the WP Umbrella guide breaks it down.

Mind Bloggling Facts & Stats

  • Another 15 bugs have been squished throughout Core in the new release of WordPress 6.8.1 that just dropped April 30th. (Source)
  • Can you guess the highest number of plugins found on a WordPress site running on Kinsta? (It’s more than you think) (Source)
  • PressConf 2025 only gathered around 140 WordPress professionals compared to the thousands at other conferences, but Rich Tabor says that’s what made it special. (Source)

Blogs & Resources You Shouldn’t Miss

Think your login form’s secure? This sneaky little “honeypot” trick might just outwit the bots for good.

Who knew that turning SEO into a checklist would lead to a world filled with perfectly optimized drivel?

Being authentic and helpful: an underrated strategy for making clients trust and refer you.

ThemeSwitcherPro lets chaos reign, so you can run multiple themes on one site.

Space selfies, celebrity astronauts, and women in STEM: are we really making progress, or just making headlines?

Turn your agency’s leftovers into $$$. Why let your “sawdust” go to waste when it could fund your next big thing?

Matt Medeiros says there are “3 C’s” of becoming a WordPress professional. Surprisingly “coffee” isn’t one of them.

Coffee Break Distractions

An oddly terrifying(?) cookie fortune.

Why do all the AI company logos look like buttholes?

Karol Krol asked GPT-4.1 to vibe code a WordPress plugin. 2 hours later, this is the result.

Remember Homestar Runner? From when the internet “wasn’t just 4 websites on people’s phones?”

This clever tool helps you turn 15 PTO days into 53.

The feeling of switching back to WordPress after working on a janky CMS.

A funny post about plugins.

This “artist rendering” of Remkus de Vries and the infinite tacos at PressConf is giving #accidentalrenaissance.

And finally…

There’s definitely something fishy about this post office…

Found this interesting? Forward it to someone who you think might also love it! 💗




