Alert: WordPress Security Team Impersonation Scams

The WordPress Security Team is aware of multiple ongoing phishing scams impersonating both the “WordPress team” and the “WordPress Security Team” in an attempt to convince administrators to install a plugin that contains malware on their website.

The WordPress Security Team will never email you requesting that you install a plugin or theme on your site, and will never ask for an administrator username and password.

If you receive an unsolicited email claiming to be from WordPress with instructions similar to those described above, please disregard it and report it as a scam to your email provider.

These emails link to a phishing site that appears to be the WordPress plugin repository but sits on a domain that is not owned by WordPress or an associated entity. Both Patchstack and Wordfence have written articles that go into further detail.

Official emails from the WordPress project will always:

  • Come from a @wordpress.org or @wordpress.net domain.
  • Say “Signed by: wordpress.org” in the email details section.
Screenshot of email sent by a WordPress.org email account. The details include "mailed-by wordpress.org" and "signed-by wordpress.org".

The WordPress Security Team will only communicate with WordPress users in the following locations:

The WordPress Plugin team will never communicate directly with a plugin’s users but may email plugin support staff, owners and contributors. These emails will be sent from plugins@wordpress.org and be signed as indicated above.

The official WordPress plugin repository is located at wordpress.org/plugins, with internationalized versions on subdomains such as fr.wordpress.org/plugins, en-au.wordpress.org/plugins, etc. A subdomain may contain a hyphen; however, a dot will always appear before wordpress.org.
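The sender and link rules above can be written as a check. This is an added example, not code from the original post or the WordPress project; the function names are hypothetical and the sample links are constructed. It assumes https-only links and that your mail provider adds the topmost Authentication-Results header.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

SENDER_DOMAINS = {"wordpress.org", "wordpress.net"}  # sender domains named in the post
DKIM_PASS = re.compile(  # "signed-by wordpress.org" as the receiving server records it
    r"\bdkim=pass\b[^;]*\bheader\.(?:d=|i=@)wordpress\.org(?![\w.-])", re.I)


def is_official_plugin_url(url: str) -> bool:
    url = url.strip()
    # Browsers and urlsplit disagree about backslashes, whitespace and control
    # characters inside a URL, so refuse them instead of guessing.
    if any(c == "\\" or c.isspace() or ord(c) < 0x20 for c in url):
        return False
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False
    # The post's rule: the bare domain, or a dot directly before wordpress.org.
    on_domain = host == "wordpress.org" or host.endswith(".wordpress.org")
    if parts.scheme != "https" or not on_domain:  # https-only is this example's assumption
        return False
    return parts.path == "/plugins" or parts.path.startswith("/plugins/")


def looks_like_official_email(raw: str) -> bool:
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    if sender.rpartition("@")[2].lower() not in SENDER_DOMAINS:
        return False
    # Assumption: the topmost Authentication-Results header (RFC 8601) is the
    # one your own mail provider added; copies further down are not trusted.
    results = msg.get_all("Authentication-Results") or []
    return bool(results) and DKIM_PASS.search(results[0]) is not None


# Constructed sample links, not taken from the real campaign.
SAMPLE_URLS = [
    "https://en-au.wordpress.org/plugins/",            # official subdomain
    "https://en-au-wordpress.org/plugins/",            # hyphen where the dot belongs
    "https://wordpress.org.plugins.example/plugins/",  # wordpress.org is only a prefix
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(is_official_plugin_url(sample), sample)
```

A From address alone is not evidence, since the display name and address are chosen by the sender; the check only passes when the DKIM result recorded by the receiving server names wordpress.org as well.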

A WordPress site’s administrators can also access the plugin repository via the plugins menu in the WordPress dashboard.

As WordPress is the most used CMS, these types of phishing scams will happen occasionally. Please be vigilant for unexpected emails asking you to install a theme or plugin, or linking to a login form.

The Scamwatch website has some tips for identifying emails and text messages that are likely to be scams.

As always, if you believe that you have discovered a security vulnerability in WordPress, please follow the project’s Security policies by privately and responsibly disclosing the issue directly to the WordPress Security team through the project’s official HackerOne page.


Thank you Aaron Jorbin, Otto, Dion Hulse, Josepha Haden Chomphosy, and Jonathan Desrosiers for their collaboration on and review of this post.

Introducing the WordPress Developer Blog

With much activity happening in the WordPress development space every day, keeping up-to-date with the latest updates can be challenging. The new WordPress Developer Blog is a developer-focused resource to help you stay on top of the latest software features, tutorials, and learning materials relevant to the open source project.

This blog is the culmination of a community effort that began last year. Formed by experienced WordPress community members and developers, the editorial group has since worked on a wide range of content already available—from theme and block development tutorials to tips and tricks for leveraging WordPress in the site editing era.

A new home for developers

As a complementary resource to the WordPress documentation, the Developer Blog aims to provide a shared space to stay informed of development-related updates, keep up with ongoing discussions and ideas, and explore cutting-edge use cases.

In other words, consider it as a central hub for developers and extenders of different backgrounds and skill levels to learn with quality content from reliable sources, share knowledge, and drive WordPress development forward.

True to the open source way, the blog will likely evolve. As its editors and readers learn and create more content, it will adapt in response to the needs of community members like you.

Everyone is welcome to chime in on-topic discussions, share ideas or contribute. Learn more about how to get involved.

What about the content?

Content on the WordPress Developer Blog covers many topics, including tutorials on theme development, plugins, and block development. You can also expect posts on WordPress APIs, best practices for working with WordPress, updates on upcoming releases, and learning resources for beginners and seasoned developers.

These articles offer a good hint at what’s already in store for you:

Sounds interesting?

Subscribe to the Developer Blog to keep up with the latest content in the WordPress development space.

Props for content and peer review @chanthaboune @rmartinezduque @mburridge @marybaum @bph @greenshady @webcommsat.

Dropping security updates for WordPress versions 3.7 through 4.0

As of December 1, 2022 the WordPress Security Team will no longer provide security updates for WordPress versions 3.7 through 4.0.

These versions of WordPress were first released eight or more years ago, so the vast majority of WordPress installations run a more recent version of WordPress. The chances this will affect your site, or sites, are very small.

If you are unsure if you are running an up-to-date version of WordPress, please log in to your site’s dashboard. Out of date versions of WordPress will display a notice that looks like this:

WordPress update notice: "WordPress 6.0.2 is available! Please update now."

In WordPress versions 3.8 – 4.0, the version you are running is displayed in the bottom of the “At a Glance” section of the dashboard. In WordPress 3.7 this section is titled “Right Now”.

"At a Glance" section of the WordPress dashboard. The final line includes the exact version of WordPress the site is running.

The Make WordPress Security blog has further details about the process to end support.

Join us for WordPress Translation Day Global Events in September 2021

WordPress contributors around the world are celebrating the sixth Global WordPress Translation Day throughout the entire month of September! That’s 30 days dedicated to help and encourage the volunteers that translate the software and its related resources. One of the highlights will be a series of exciting global events, starting on September 17 2021 and finishing on the United Nations’ International Translation Day itself on September 30, 2021.

Everyone is welcome to watch these events live on YouTube and to share their translation stories, which will be featured during the celebrations and beyond. The global events will be in English and include presentations on how and why you should join the thousands of translators in the project, tips and tools, interviews, and much more.

There are now 205 locales translating in what is a remarkable open source effort, bringing the opportunities of the software and its community to people in their own native languages.

Inaugural session: Introduction and latest news on WordPress Translation

Friday, September 17, 2021 at 10:00 UTC

We will start the global events with a panel featuring the latest update on what is happening in the world of WordPress polyglots. Panellists will include translators and polyglot supporters Petya Raykovska and Erica Varlese. There will be a video demonstration on how to translate WordPress, a short presentation on translation statistics, a run down of upcoming events, and more.

Watch the event live on YouTube (or click on the play button below) – sign-up for notifications in the video stream right now so you don’t miss it when it goes live! 

Friday, September 17, 2021 at 11:00 UTC

Right after the livestream, there will be a ‘drop-in’ translation sprint on Zoom video-conferencing, open to all. You can join and hang out virtually with your Polyglots friends from all around the world and translate WordPress in your own language! RSVP for the session now and get joining links!

Check out the other exciting global events

Sunday, September 19, 2021 12:00 UTC

Panel on Polyglots Tools
Join Jesús Amieiro, Peter Smits, Vlad Timotei, and Vibgy Joseph to talk about the tools they’ve contributed to or developed to help translators and translation editors.

Tuesday, September 21, 2021 11:00 UTC

Panel on Open Source Translation Communities
Join Zé Fontainhas (WordPress), Ali Darwich (WordPress), Michal Stanke (Mozilla), and Satomi Tsujita (Hyperledger Fabric) to learn about nurturing translation communities.

Thursday, September 30, 2021 16:00 UTC

Closing Party – Why do you translate?
Our finale event for 2021 with emcee Abha Thakor and a panel from the WordPress Translation Day Team. It will feature highlights from some of the local and global events during the month and a selection of results. Some of the nominees for this year’s polyglots appreciation will join the livestream to share their stories.

The livestream will be followed by an after party celebration for anyone who has taken part in the event or is a WordPress polyglot. Book now for the session on Zoom.

Ideas on how to get involved this September

There are lots of ways to take part – discover this list of ideas.

You can also nominate translation contributors to be featured in this year’s celebrations.

Help us spread the word about #WPTranslationDay

For more information on the 2021 WordPress Translation Day celebrations, visit the WordPress Translation Day website.

Props to @webcommsat, @harishanker, @lmurillom, @oglekler, @meher, @nalininonstopnewsuk, @evarlese for contributing to this story.

The Month in WordPress: August 2021

I really believe in WordPress’ mission to democratize publishing. And I, for one, will never stop learning about what gives people more access to the software, and what makes the software more usable, and especially how we can combine usability with accessibility in a way that puts form and function on a level playing field.

That was Josepha Haden on the “The Art and Science of Accessibility” episode of the WP Briefing Podcast, talking about accessibility and exploring how it applies to the WordPress open source software. You will find that many of our updates from August 2021 tie in closely with the core principles of access, accessibility, and usability. Read on to find out more!


Join the 2021 WordPress Translation Day Celebrations in September

WordPress Translation Day 2021 September 1 - 30, 2021

Join WordPress contributors around the world on WordPress Translation Day celebrations for the entire month of September! The sixth edition of #WPTranslationDay, which is a cross-team effort led by the Polyglots and Marketing Teams, has a host of fun programs aimed at helping WordPress speak all languages of the world. Want to join the fun? Here’s how.

For more information, check out the translation day website and the Polyglots blog.

WordPress Release Updates

The Core Team commenced work on the next major release – WordPress 5.9. The team aims to ship some cool features such as intrinsic web design to blocks, improved block patterns, navigation menus, better design tools, edit flows for block themes, and a new interface for theme.json. Check out the WordPress 5.9 development cycle to know more. This release is set to go out in December 2021. The team is also working on shipping a minor release WordPress 5.8.1 – its release candidate is already out and the final release will launch on September 8.

Want to contribute to WordPress core? Join the #core channel, follow the Core Team blog, and check out the team handbook. Don’t miss the Core Team chats on Wednesdays at 5 AM and 8 PM UTC. You can also help translate WordPress to your local language – and what better time to do it, than in September, during the translation month celebrations? Another fun way to contribute would be to share about WordPress 5.8 on social media!

Say Hello to Gutenberg Versions 11.2 and 11.3

We launched Gutenberg version 11.2 and version 11.3 this month. Version 11.2 adds customizing/color options to the search block, a flex layout for the group block, and a new button for creating posts as part of the publishing flow. Version 11.3 offers a new dimensions panel (replacing the spacing panel) with more styling options, dimensions control for the feature image block, and significant performance improvements for block inserters.

Want to get involved in building Gutenberg? Follow the Core Team blog, contribute to Gutenberg on GitHub, and join the #core-editor channel in the Make WordPress Slack. The “What’s next in Gutenberg” post offers more details on the latest updates. 

Get Excited about WordCamp US 2021

The biggest WordCamp in North America – WordCamp US 2021 – is barely a month away. Get your (free) tickets, if you haven’t already! The organizing team has opened up calls for musicians, contributor stories, and media partners. Check out the event website and follow the event on Twitter, Instagram, and Facebook to stay updated on all that #WCUS news.

Important Announcements/Updates

Feedback/Testing Requests from Contributor Teams

WordPress Event Updates

  • WordCamp Florianopolis 2021 was held on August 11-12, 2021. The event, which sold 390 tickets, had 11 speakers and 4 sponsors. Catch the event recap on YouTube!
  • WordCamp Galicia 2021 is being held from September 30 – October 2, 2021! 
  • do_action Karnataka 2021 was held from August 7-15, 2021. Check out the recap!
  • The Core Team organized a hallway hangout to compare the ‘experimental’ Gutenberg navigation feature with the built-in core feature. The team decided to wait until feature parity with core nav menus, to move the feature from experiments to the main plugin.
  • The Diverse Speakers Training group (#WPDiversity) of the Community Team held their first “Allyship for WordPress Event Organizers” workshop on August 19, 2021. The event had 13 attendees from six countries who reported a 52% increase in preparedness to help create inclusive WordPress events. Stay tuned for their next workshop in November!

Further Reading

Have a story that we should include in the next “Month in WordPress” post? Please submit it using this form.

The following folks contributed to August’s Month in WordPress: @evarlese @meher @nao @jillbinder @webcommsat

An Update on the Classic Editor Plugin

Before the release of WordPress 5.0 in 2018, the Classic Editor plugin was published to help ease the transition to the new block editor. At the time, we promised to support the plugin through 2021 and adjust if needed as the deadline got closer. After discussing this with Matt, it’s clear that continuing to support the plugin through 2022 is the right call for the project as well as the community.

Still, if you’ve been putting off using the block editor, this is an excellent time to give it another shot. Since it first appeared in 2018, hundreds of WordPress contributors have made a lot of updates based on user feedback. You will be pleasantly surprised at how far it’s come!

Big thanks to everyone who has been working on WordPress, Gutenberg, and the Classic Editor plugin. And thank you to every WordPress user and tester who has provided the feedback we need to make the software even better.

~ Josepha

Returning to the block editor for the first time in a long time? You can give feedback early in the process by joining the outreach program! Looking at it for the first time ever? Get your bearings with some workshops or check out this demo!

A New Design is Coming to WordPress News

After many years of a tidy, white-space filled design on WordPress.org/news, it’s time to bring new life to the way we present our content. So much has changed since this site was first created: the people who read it, the type and variety of what is published, even the way WordPress works has changed.

Which means it makes sense to change our theme.

Earlier this year, Matt requested a new design from Beatriz Fialho (who also created the State of the Word slides for 2020). The design keeps a clean, white-space friendly format while incorporating a more jazzy, playful feeling with a refreshed color palette.

More details on this modern exploration have been posted on make.wordpress.org/design. I encourage you to stop by and read more about the thoughts behind the coming updates, and keep an eye out for the new look here and across WordPress.org!