Welcome back to the WordPress.com changelog!
We have lots to update you on, including information about a new core version running on every WordPress.com site, how you can repurpose your written blog content in audio and visual forms, and so much more.
Core
WordPress 7.0 is here
WordPress 7.0 (“Armstrong”) shipped on May 20, and your WordPress.com site has been automatically updated.
The pieces you’ll experience right away:
- See what changed before you hit publish: Your post revisions now have visual markers to help you understand changes in a more intuitive way.
- Design your mobile menu like you design the rest of your site: Navigation overlays give the mobile experience its own dedicated editing canvas.
- Show different things on phone, tablet, and desktop: Responsive block visibility lets you pick which blocks appear on which device without writing CSS.
- More design pieces out of the box: New Breadcrumbs and Icon blocks, plus finer block-level controls for when you want a specific change.
- One place to manage your fonts: To use across every theme on your site.
On WordPress.com, this release ships with our AI features already in place to assist you in the editor, with your favorite AI agent, and beyond, plus real-time collaboration on select plans, so multiple people can write in the same post at once.
Reader
One place to read Bluesky, Mastodon, and blogs
Keeping up with your audience shouldn’t mean tab-hopping between different apps. Connect your Bluesky, Mastodon, or Fediverse accounts to the WordPress.com Reader and you can read those timelines next to the WordPress.com blogs you already follow — and like, repost, quote, and reply — in the Social Feeds section.
You can write to those followers from the same place. Start with a short social post, and if you need more room, expand it into a full blog post without starting over.
One spot to read what matters, react to it, and publish your own thoughts.
Writing
When you’re in the flow, the editor gets out of your way
Sometimes you just want to write. Not pick a block, not configure a layout, not browse a sidebar — just write. Write is exactly that: one page, a blinking cursor, simple formatting, and nothing else.
It’s in beta on every WordPress.com plan, including Free. Open Write, pick your site, and start typing. What you write is a real WordPress post — it lives alongside everything else, works with your theme, and you can open it in the full block editor whenever you need the rest of the toolkit.
Reach the people who’d rather listen than read
Whether your audience is commuting, multitasking, or simply prefers to learn through audio, your content can meet them there.
Posts to Podcast turns a post you’ve already written into a two-host conversation episode, saves it to your Media Library, and queues a draft post with the audio and transcript so you can publish in a couple of clicks. One post, two ways for people to find you.
Find it in your dashboard under Media → Create AI Podcast. Available on every WordPress.com site.
P.S. If you want to host the podcast on WordPress.com instead, you can also set up podcasting with Jetpack Podcast and publish episodes from your site.
Spin a post into a short social-ready video (experimental preview)
Short-form video (like on Instagram and TikTok) is popular and engaging, but turning a blog post into one has meant needing a second tool, a video editor, or someone you pay.
Feature Clips generates a short, vertical video based on your post content directly from the editor sidebar. Pick a suggestion drawn from your post, or write your own prompt to steer the look.
Your clip lands in your Media Library, ready to share to Instagram via Jetpack Social or download as an MP4 for TikTok and YouTube Shorts. It generates short instrumental clips meant to tease your content.
Available now on WordPress.com plans that support video uploads — Premium and up. You get ten generations per site per day, with a thumbs up / thumbs down feedback tool on each clip so you can easily send your thoughts back to our team.
Settings and plans
Shape your URLs (and four more settings) on every paid plan
The structure of your URLs matters — for SEO, for sharing, for how users understand your site at a glance. That setting (called Permalinks) used to be locked behind higher plans. Now, every paid plugin-enabled WordPress.com plan (Personal, Premium, Business, and Commerce) can change permalink structure directly.
Fixes and improvements
We also shipped some reliability and polish updates across the WordPress.com experience:
- The Reader sidebar now shows your site’s custom domain instead of its free subdomain.
- Receipt amount, type, and date now show inline on your Billing History page at narrower widths.
WordPress 7.0 includes both immediate editor improvements and deeper foundational changes. Some improvements are visible right away, like visual revisions, responsive controls, and a cleaner dashboard. Others work behind the scenes are more foundational, giving plugins, tools, and AI services a more consistent way to work with WordPress over time.
The result: A release that makes everyday site work smoother and opens the door to optional AI tools that actually feel a part of WordPress.
For a deeper technical look, check out the WordPress 7.0 Source of Truth.
What’s new in WordPress 7.0
WordPress 7.0 brings updates across AI, editing, design, performance, accessibility, and developer tooling. These changes affect how you build, update, and manage your sites.
WordPress 7.0 updates include:
- AI foundations: The AI Client, Connectors API, and Connectors screen give WordPress a more consistent way to connect with AI providers and external services.
- Editing and admin improvements: Visual revisions, a refreshed dashboard, smoother transitions, Command Palette access, and broader font management make everyday site work clearer.
- Flexible design controls: Custom navigation overlays, responsive block visibility, and pattern editing make it easier to shape pages without adding workarounds.
- New and improved blocks: Breadcrumbs, Icons, gallery lightbox improvements, Heading block updates, and block-level styling controls bring more practical tools into the editor.
- Performance, accessibility, and developer updates: Under-the-hood improvements support faster loading, better editor stability, stronger accessibility, and more consistent foundations for plugins and custom builds.
Building a foundation for AI workflows
WordPress 7.0 introduces a new shared AI layer designed to make AI tools feel more native across WordPress.
Instead of every plugin building its own separate AI setup, WordPress now includes a common system for connecting tools and services. Plugins can communicate with AI models such as Claude, ChatGPT, and Gemini through the new AI Client. The Connectors screen provides site owners with a single place to manage those integrations.
Note: These AI features are optional and need to be enabled by the site owner. Nothing is automatically shared with AI services when WordPress 7.0 is installed.
The optional AI plugin already brings features like title and excerpt generation, image generation and editing, and suggested alt text directly into the editor. As more plugins build on the same system, AI tools across WordPress become easier to use, manage, and extend.
On WordPress.com, this builds on AI tools already available across the platform, including the AI Assistant, Claude connections, and WordPress Studio workflows.
Want to understand how this all fits together? Take a closer look at how WordPress 7.0 is building the foundation for AI-powered sites.
Creative freedom inside the editor
Visual revisions make it easier to understand changes in a post or page. Instead of scanning a dense comparison view, you can review revision history with visual markers, navigate versions, and restore the one you want with greater confidence.
The dashboard also feels more modern and cohesive. WordPress 7.0 introduces a new default admin color scheme, smoother screen transitions, and a Command Palette shortcut in the top admin bar for faster access to tools.
Font management is also easier. The Font Library now works across block, hybrid, and classic themes, giving more sites one place to browse, install, upload, and manage fonts.
A new canvas for every screen
Designing for mobile used to mean making compromises. WordPress 7.0 changes that with a dedicated canvas for navigation overlays, responsive block visibility, and simpler pattern editing.
Navigation overlays now have their own editing canvas, allowing mobile menus to go beyond a simple list of links. You can start with a template or build your own overlay with blocks, columns, typography, and custom close buttons.
Responsive block visibility lets you choose which blocks appear on desktop, tablet, or mobile. That makes it easier to create cleaner layouts for different devices while keeping alternate versions available as you iterate.
Patterns are also simpler to update. A pattern can behave like a single block, so you can swap text and images or adjust styles without digging through every nested block. Advanced controls are still available when you need them.
Flexible design tools for richer layouts
WordPress 7.0 brings more practical control into the editor, making it easier to shape pages without relying on extra tools for every small design need.
The new Breadcrumbs block helps visitors understand where they are on a site, while the Icon block adds simple visual cues from a built-in library. Gallery lightbox improvements make image browsing smoother, and Heading block updates make it easier to work with page structure.
The same idea carries through to layout and styling. Responsive block visibility lets you choose which content appears on different screen sizes, while block-level CSS gives more control over individual blocks when a page needs a custom touch.
Taken together, these updates make WordPress feel more flexible in the places site owners work most: building pages, refining layouts, and helping visitors move through a site more easily.
A stronger platform for WordPress development
WordPress 7.0 provides developers with a more consistent foundation for building plugins, blocks, patterns, and site-editing experiences.
The release includes expanded APIs, PHP-only block registration, a more extensible Site Editor, and routing improvements that make it easier for plugins to build custom Site Editor pages.
These updates will not be visible to every site owner on day one, but they matter because they shape what WordPress developers can build next. Better foundations mean better tools, workflows, and site experiences over time.
Built by the WordPress community
WordPress 7.0 is a reminder of how open source software keeps evolving through shared contribution. The release reflects work from more than 875 contributors around the world. That community work is part of what makes WordPress different.
WordPress 7.0: Fully Managed on WordPress.com
WordPress.com is here to bring the best of every new WordPress release to you fast and without the setup.
WordPress 7.0 is no different. The new AI foundations build on tools already live across the platform, including the AI Assistant, Claude connections, and Studio workflows.
And on select plans, real-time collaboration is already available, letting teams work on the same site simultaneously, before it’s widely available elsewhere.
All of it backed by the security, performance, and support that comes with a fully managed platform.
You bring the vision. We handle everything else.
]]>This month, we added a new Social Feeds section to the Reader. Now you can bring in the people you follow on Bluesky, on Mastodon, and across the Fediverse. Then read, react, and post, all without leaving the Reader.
One place to read, with more people to follow
The Reader has always been one place to catch up on writing across the open web: WordPress.com blogs, Jetpack blogs, any blog with an RSS feed. That part hasn’t changed. What’s new is the company you can keep there.
In the left navigation, you’ll find a new Social Feeds section, with entries for your connected accounts. Connected social accounts include:
- Bluesky: and the wider ATmosphere, including Blacksky and other Bluesky‑compatible platforms.
- Mastodon: bring in your timeline from any instance, big or small.
- The Fediverse: via your own blog. If you have a WordPress.com site, you can join the Fediverse without creating a new account; your blog is your identity. Don’t have one yet? Start a blog, and you can join too. Our Social Web page is a good starting point if that’s new to you.
Pick a network, sign in once, and your timeline shows up in the Reader.
Already connected? You’re in
If you’ve ever used Jetpack Social to share your posts to Mastodon or Bluesky, those connections are already there. Open the Social Feeds section, and your accounts are waiting.
Read, react, and reply
Inside a Bluesky or Mastodon timeline, the actions are the ones you’d expect: like a post, repost it, quote it, reply to it. Same keyboard, same window, no second app.
Compose and post
The Reader is a place to write now, too. Click Compose, type a short post, attach an image, and send it to your followers on Bluesky, Mastodon, or the Fediverse.
When a thought outgrows a social post
WordPress.com is a tool for creators, and we didn’t want to box you into the character limits of any one network. So when a draft starts running long for a social post, the Reader offers to hand it off to your blog. You keep writing in a fresh post draft, with all the room you need, and once you hit Publish, it reaches your followers on Bluesky, Mastodon, and the Fediverse all the same.
Try Social in the Reader
Head over to WordPress.com/reader, expand the Social Feeds group in the sidebar, and connect an account. It’s free, and the support doc walks through the details if you’d like a closer look.
If you’d like more on how WordPress.com fits into the wider Social Web, our previous posts on the Social Web Foundation and our recent ActivityPub feature update are both good follow‑on reads.
Happy reading, and happy blogging!
]]>
One page. A blinking cursor. The formatting you need and nothing you don’t. That’s Write: a new, focused writing surface built into WordPress.com. In last year’s Creators survey, “simplify the editor” was the single most-requested improvement from the people already publishing on WordPress.com. So we built it.
Write started as a plugin by Jamie Marsland, who asked a deceptively simple question: what would WordPress look like if it were designed purely for writers? We loved the answer enough that we brought the plugin into WordPress.com and built on it.
The interface is intentionally minimal: a clean page, a persistent top toolbar with the essentials, and formatting that appears when you need it and gets out of the way when you don’t.
Your Write posts are real WordPress posts. They live alongside your other posts, work with your theme, and you can open them in the block editor.
Write is in beta and ready to try (see our support article for setup details). The core writing experience is solid, but we’re still building, and we’d love your input on what to add next.
Ready to write? Head to wordpress.com/write-editor, pick a site, and start. Tell us what you think in the comments.
Co-authored by Kim Brown.
]]>WordCamp Agent is a free Telegram assistant for WCEU attendees. It plans your trip, browses the schedule, remembers which sessions you care about, and pings you before they start.
All you need is a WordPress.com free account to get started. And once you’re in, you’ll also get a preview of something more interesting: a working preview of WordPress Guidelines, the agent-context system shipping in Gutenberg and on its way to WordPress Core. It’s also the easiest way to see Guidelines working end-to-end in a real production environment.
Message WordCamp Agent on Telegram
How WordCamp Agent is built
The agent lives on Telegram and is bound to a regular WordPress site at wcagent.wordpress.com. When you message it for the first time, you’re added as a contributor on that site — your conversation, preferences, and notes become real WordPress content, stored against your user, private to your account, and deletable at any time
In one chat, you can:
- Ask for travel tips for Kraków and get accurate answers.
- Browse the live conference schedule.
- Tell it which sessions interest you, who you want to meet, or what accessibility needs you have. It remembers, across sessions and devices.
- Save notes during talks that you can turn into a post or a recap.
None of that required custom application code. Every behavior — the personality, the schedule lookup, the memory of your preferences — is a published Guideline on the WordPress site behind the bot. If you can publish a post, you can extend the agent.
WordPress Guidelines: The system under the hood
WordPress Guidelines stores four kinds of agent-facing knowledge as standard WordPress content:
- Instructions: Site-wide guidance that shapes how an agent behaves. WordCamp Agent uses these for its personality and core event knowledge.
- Skills: Reusable capabilities. The live schedule and venue lookups are skills. Swap the skill, change the agent’s behavior — no code change.
- Memory: Facts the agent accumulates while working with you. Your session interests, dietary preferences, networking goals.
- Artifacts: Work-in-progress. Notes, drafts, fragments you’ll come back to.
All four are represented as a single wp_guideline custom post type, classified by a wp_guideline_type taxonomy. They use WordPress’s existing roles and capabilities, and they’re accessible via standard REST endpoints.
What this looks like for developers
Guidelines reuse primitives and conventions you already know:
- A single wp_guideline custom post type
- wp_guideline_type taxonomy for distinguishing between instructions, skills, artifacts and memories
- Native post revisions for versioning
- Capability-based access control: administrators see everything; contributors, authors, and editors get read/edit on their own private guidelines; subscribers are blocked at the post-type level
For a deeper technical walkthrough of Guidelines, take a look at Grzegorz’s post.
Coming to WordPress Core: Guidelines
Guidelines shipped in Gutenberg 23.2.2 and is already powering WordPress Agent, WordPress Workspace, Desktop Mode, Lately, PushMD, and WordCamp Agent itself.
The next step is WordPress Core.
We’re proposing it as a Core API because the alternative — every plugin shipping its own memory store, its own permissions model, its own REST surface — is exactly the kind of fragmentation WordPress has historically avoided.
Putting Guidelines in Core means every WordPress site, hosted anywhere, becomes agent-ready by default.
Try WordCamp Agent
The single best way to understand Guidelines is to use a site that’s already built on it. Ask it to plan your Kraków trip. Tell it what sessions you care about. Come back tomorrow and watch it remember.
]]>Posts to Podcast gives your audience another way to keep up with what you publish.
Starting today, WordPress.com bloggers can turn recent posts into AI-generated podcast episodes directly from their dashboard. Choose the posts you want to include, generate a two-host audio conversation, review the draft, and publish it when you’re ready.
Find it in your dashboard
You’ll find Posts to Podcast under Media -> Create AI Podcast in your WordPress.com dashboard. Choose a time range, such as the last week or month, or select specific posts yourself.
The episode below was generated from recent WordPress.com blog posts using the same feature we’re announcing today:
How it works
Posts to Podcast turns the posts you select into a two-host audio conversation. The finished episode is saved to your Media Library, and WordPress.com prepares a draft post with the audio and transcript already included.
From there, you stay in control: review the draft, make any edits you want, and publish it like any other post. Since the audio is saved to your Media Library, you can also reuse it elsewhere, upload it to another platform, or keep it as part of your site’s media archive.
More ways to share your posts
Use Posts to Podcast to create weekly recaps, monthly digests, audio companions to newsletters, or listening-friendly versions of recent posts.
- Summarize your latest posts for subscribers who prefer listening.
- Turn a month of updates into a conversational recap.
- Share an audio companion to a newsletter, publication, or personal blog.
- Make your archive easier to revisit in a new format.
Available to all WordPress.com sites
Posts to Podcast is available to all WordPress.com sites. Whether you publish daily updates, weekly essays, tutorials, newsletters, or personal reflections, you can turn recent posts into a listenable episode directly from your dashboard.
A new format for your writing
Your words do the work. Posts to Podcast gives them a microphone.
Open your dashboard, go to Media -> Create AI Podcast, and turn your recent writing into something your audience can listen to.
]]>If things have felt a little busier around WordPress.com these past two weeks, there’s a good reason: we shipped a lot, including a new home for your podcast, a weekly letter for close friends, and a new Mac app that uses your site context, so you can get more done without leaving your flow.
Here’s what’s new on WordPress.com to help you create, publish, and grow:
Podcasting
Jetpack Podcast is now live on WordPress.com
Launch a podcast that lives alongside your blog and newsletter — no separate hosting platform or tool needed. Find it in your site sidebar at Jetpack → Podcast.
- If you have a Free site, you can publish episodes by linking to audio hosted elsewhere, with Distribution and Settings tabs to manage your show.
- If you have a Premium plan or above, you can host your audio on WordPress.com, see stats, manage episodes, and embed your show with the new Episode Player Block.
Learn more about running your podcast on WordPress.com in our blog post.
Newsletters
Lately — weekly letters to your closest readers (beta)
For the corner of your life where you’d rather email a few close friends than post to the world.
Lately is a weekly letter for the people closest to you, compiled automatically from notes you send during the week, and delivered every Friday to the friends you choose.
It runs through Telegram: message the WordPress Agent as things happen, and it handles sending your curated newsletter each week. Available now as a beta for new sites.
AI
WordPress Workspace — one app for all your WordPress.com work (beta)
If you blog, publish, or run a business on WordPress, your site has been accumulating useful context since day one: your voice, audience, archive, offers, media, guidelines, and the shape of your work.
Workspace is a new Mac app that puts all of that to work. At its center, the WordPress Agent helps you write, research, and ship without you having to start from scratch every time you want to get something done.
Use it to draft a post from your notes, update a page, generate an image, or get a quick answer about your site — all from a keyboard shortcut and without leaving what you’re working on.
Available now as a beta on every WordPress.com plan — learn more and try it today.
Heading to WordCamp Europe? There’s an assistant for that
If you’re heading to WordCamp Europe in Kraków in just a few weeks, open Telegram and message @wordcamp_agent_bot.
It’s a free travel and conference assistant for attendees. It can help plan your trip, browse the schedule, remember which sessions you care about, and ping you before they start.
It’s your WordCamp assistant in your pocket — chat with it today.
WordPress Studio
A library of ready-made WordPress setups, now built into WordPress Studio
Calling all developers, designers, and vibe coders: starting a new WordPress project locally just got a lot faster.
The new Blueprints Gallery in WordPress Studio (desktop version 1.9.0 and later) gives you a curated library of pre-configured WordPress setups — for blogging, ecommerce, plugin testing, design exploration, and more — that you can launch as a local site in a couple of clicks.
Use the Live Preview button to try a Blueprint before you commit to it, and then sync with a WordPress.com hosting plan when you’re ready to go live.
If you’ve been hand-configuring the same kind of WordPress site over and over, this is your shortcut.
Just for fun
Achievements, badges, and activity streaks for everyone
Rewards for showing up, making progress, and getting things done.
WordPress.com users now have an Achievements page. Track your daily activity streak, earn badges for milestones, and check out other people’s achievements when they make their profiles public.
Do you know the Konami code?
Try it on a logged-in WordPress.com page. Try it in WordPress Studio. Two different surprises, both worth finding.
Type ↑↑↓↓←→←→BA on your keyboard to unlock these easter eggs.
Fixes and improvements
We’ve also shipped reliability and polish updates across WordPress.com, like:
- Adding a “Performed by” filter to the Activity Log so you can drill into actions by specific people, apps, or system events.
- Adding a QR-code sign-in page for the WooCommerce mobile app, so you can sign in by scanning instead of typing.
- Updating the block editor with the latest improvements and bug fixes.
For custom or community Blueprints, using them in Studio often meant bringing in a configuration from outside the app, whether through a URL, ZIP file, JSON configuration, or GitHub example. Now, with Blueprints Gallery, you can browse, preview, and launch ready-to-use WordPress setups directly inside Studio.
Studio is WordPress.com’s fast, free, open source desktop app for building, testing, and managing WordPress sites locally.
What are Blueprints?
Paired with Studio’s no-server-setup local environment, Blueprints make repeat projects faster to start and easier to keep consistent.
Blueprints are reusable JSON configurations that automatically set up a WordPress environment with specific themes, plugins, content, and settings. Think of them as advanced site recipes: instead of manually setting up your ideal configuration from scratch, you can launch a fully configured site in just a few clicks.
Whether you are building a portfolio, testing a plugin, experimenting with WooCommerce, or spinning up a local development environment, Blueprints help you get started faster and with less repetitive setup work.
What is the Blueprints Gallery?
The Blueprints Gallery is a curated collection of ready-made WordPress site setups now available directly in Studio. It gives you quick access to Blueprints designed for different workflows, use cases, and experiments.
Instead of leaving Studio to find or import Blueprint configurations, you can browse a growing library of pre-configured environments tailored for things like blogging, ecommerce, development, design exploration, or plugin testing.
Each Blueprint is designed to help you skip repetitive setup steps so you can spend less time on setup and more time working in WordPress.
For developers, the Blueprints library is also available through Studio’s CLI. With the blueprint command, you can list available Blueprints and launch a fully configured local WordPress site directly from your terminal in just a few steps.
How to access the Blueprints Gallery
The Blueprints Gallery is available in Studio desktop version 1.9.0 and later. First, make sure to update Studio. Then, click on the “Add site” button in the sidebar:
Next, choose “Build a new site” and scroll down to the “Explore more Blueprints” section.
That’s it! Choose a Blueprint that fits your workflow and spin up a local WordPress site in seconds.
You can also use the Live Preview button to explore Blueprints before creating your site. Previews are powered by WordPress Playground, making it easy to quickly test layouts, themes, plugins, and overall site experience.
Looking for something specific? Use the search box to quickly find Blueprints that match your needs.
Want to build your own Blueprints? This guide will teach you the basics of creating a custom Blueprint.
Blueprints Gallery: Now available in WordPress Studio
The Blueprints Gallery is now available in Studio 1.9.0 and later.
It’s now easier to discover, preview, and launch reusable WordPress setups directly inside Studio. As the gallery continues to grow, you will see more Blueprints added for different workflows, learning experiences, and creative use cases.
Explore the Blueprints Gallery, and find your next starting point for building locally with Studio.
]]>The Essential Plugin supply chain attack is one example of what that looks like in practice. When malicious code was found across a portfolio of plugins, WordPress.com security teams identified affected hosted sites, updated detection systems, deployed a DNS-level block against the attacker-controlled domain, and removed malicious code from impacted environments.
This post explains what happened, how WordPress.com responded, and why proactive, managed security matters for those who need WordPress flexibility without having to manage every security risk alone.
How the Essential Plugin attack unfolded
In early 2026, the WordPress community experienced a large supply chain attack on plugins by the “Essential Plugin” developer.
A buyer had quietly acquired the entire Essential Plugin portfolio (formerly WP Online Support) — a collection of 30+ plugins built up over eight years of legitimate development. Roughly six months after the acquisition, malicious code — wpos-analytics — was added to the plugins’ source.
For months, the malicious code sat dormant. Then, in early April 2026, the backdoor was activated. The compromised plugins began phoning home to analytics.essentialplugin.com, where the attacker could ship arbitrary payloads to every site running an affected version.
On April 7, 2026, WordPress.org patched and permanently closed all 31 plugins in the portfolio. The patch stopped active exploitation by preventing the backdoor from executing, but WordPress.com’s security team chose to go further on the sites we host by removing the attacker’s code from affected plugin files.
Why the Essential Plugin backdoor was different
What made this incident different was that the compromised code arrived through plugins that had previously been trusted. Site owners had not ignored updates or installed obviously suspicious software; the issue came through a familiar plugin supply chain.
A patch can stop malicious code from executing, but cleanup can go further. In this case, WordPress.com removed the attacker’s code from affected sites we host, rather than relying only on a disarm.
That distinction matters because WordPress.com’s security model is not limited to waiting for site owners to notice a problem or manually apply a fix. Our teams can detect, mitigate, and clean up issues across hosted sites at the platform level.
How WordPress.com contained the threat
Waiting for sites to be flagged through normal scanning would mean some sites could be carrying dormant attacker code for months or longer. This is why WordPress.com took a proactive approach to protect sites and mitigate this attack.
Within hours of the disclosure, WordPress.com security specialists obtained a full list of every WordPress.com hosted site running one or more of the affected plugin slugs — over 2,200 sites. We then:
- Updated our malware detection system to flag the malicious
wpos-analytics module, the injected code block in each plugin’s main file, and flag suspicious activity unique to the malware. - Deployed a DNS-level block across WP Cloud for
analytics.essentialplugin.com, preventing affected sites from reaching the attacker-controlled domain entirely. - Surgically cleaned up all affected sites by completely removing the
wpos-analyticsdirectory and removing specific malicious code from the plugin files. - Coordinated with WPScan to publish vulnerability records so site owners across the wider WordPress ecosystem — not just on WordPress.com — could be alerted by their security tooling.
The result: WordPress.com removed the attacker’s code from affected hosted sites and blocked the attacker-controlled domain at the platform level.
How WordPress.com approaches security
WordPress.com’s security model is built on proactive protection. That includes automated scanning, infrastructure hardening, proactive mitigation, and human-led incident response working continuously behind the scenes.
Continuous monitoring and threat detection
Every WordPress.com site is scanned daily by Jetpack Scan against a constantly updated library of malware and vulnerability signatures. Suspicious behavior and compromised files are surfaced quickly so security specialists can investigate and respond before issues spread further.
When new threats emerge, detection systems can be updated rapidly across the platform, helping identify affected sites at scale.
Platform-level protection and mitigation
WordPress.com runs on a managed infrastructure designed to reduce common attack paths before they reach customer sites. Servers are patched and isolated, login abuse is rate-limited, and suspicious bot traffic is filtered automatically.
Core, plugin, and theme updates can also be applied automatically where appropriate. A managed Web Application Firewall helps block known exploit patterns at the edge before they ever reach your site.
WordPress.com also uses virtual patches: platform-level mitigations that can block known critical vulnerabilities even when an affected plugin has not yet been updated, or no developer fix is available.
During the Essential Plugin incident, WordPress.com also deployed a DNS-level block across WP Cloud for the attacker-controlled domain tied to the attack infrastructure.
Human-led security response
Automation matters, but large-scale incidents still require human investigation and judgment.
WordPress.com security specialists handle malware analysis, vulnerability research, incident response, and site cleanup across the platform. When widespread threats emerge, the team coordinates detection updates, investigates affected environments, and works with plugin and theme authors on responsible disclosure.
In the Essential Plugin incident, WordPress.com identified affected hosted sites en masse and removed malicious code directly from impacted environments rather than relying solely on patches that disabled execution.
Recovery and resilience
Security also means being able to recover quickly when something goes wrong.
Automated off-site backups through Jetpack VaultPress Backup allow affected sites to be restored to a known-good state, often within minutes.
Here’s a closer look at the protections and the steps you can take to keep your site safe and secure on WordPress.com.
Build on WordPress.com with confidence
The flexibility of WordPress is one of its greatest strengths. Plugins, themes, and integrations give site owners the freedom to build what they need, but that freedom works best when it is supported by a strong security infrastructure behind the scenes.
That is where WordPress.com’s managed approach matters. Platform-level monitoring, virtual patches, malware scanning, backups, and human security specialists help reduce the operational burden on site owners without taking away the flexibility that makes WordPress powerful.
Security work is often invisible when it is working well. You may never see the scans, mitigations, cleanup, and response happening in the background, but they are part of what helps keep your site running securely so you can focus on building, publishing, selling, and growing on WordPress.com.
]]>The first post you publish. The first comment that turns into a conversation. The day you realize you’ve shown up all week—not because you had to, but because you wanted to.
Now WordPress.com has a place to celebrate those moments: Achievements.
Achievements are about making the small acts of building, publishing, reading, and connecting on WordPress.com visible.
You can find your Achievements page in your Reader profile, or go straight there:
A new home for your milestones
Your Achievements page is a record that celebrates your efforts on WordPress.com, from publishing posts to joining conversations, helping you feel recognized for your ongoing activity.
You’ll see:
- Unlocked achievements for milestones you’ve already reached.
- Locked achievements you can work toward next.
- Progress indicators for achievements that build over time.
- Activity streaks for showing up day after day.
Some achievements are simple milestones. Others are a little more unexpected. We won’t spoil all the surprises, but if you enjoy small quests, secret badges, and oddly specific internet accomplishments, you may want to poke around.
Meet your activity streak
Your activity streak grows when you do things that help make WordPress.com feel alive: publish a post, leave a comment, like a post or a comment, or follow a site.
Keep it going day after day, and your streak grows with you. After seven consecutive days, you’ll earn a streak freeze. If you miss a day, your freeze will automatically protect your streak.
Tiny bit of magic. Tiny bit of mercy.
You’re in control
Your Achievements page is private by default. If you want to share it, you can make it visible to other logged-in WordPress.com users from the settings menu on the page.
You can turn off achievement notifications if you prefer to unlock things quietly; you’ll still earn achievements and maintain your activity streak, just without the alerts.
Start exploring your achievements
WordPress.com has always been about showing up: writing, reading, commenting, following, liking, sharing, and building a little corner of the web that feels like yours.
Achievements are a fun way to recognize that effort. They’re not homework. They’re not a leaderboard. They’re just a friendly nudge, a little confetti, and a reminder that the small things you do here add up.
It’s another way WordPress.com helps turn publishing and participation into a habit you can build in your own corner of the web.
So go take a look. You may have already unlocked more than you think.
]]>