Remembering Zeel, Security Wake-Up Calls, and WordPress 7.0 | WP More - Issue 31
Mourning a contributor, rethinking WordPress security, and what's coming in 7.0.
Hello WordPress friends! Happy Thanksgiving! How’s Black Friday going for you?
Welcome to this month’s WPMore newsletter issue 31. This week’s newsletter carries a heavier weight than usual. We’re reflecting on a devastating loss to our community, confronting uncomfortable truths about WordPress security, and looking ahead to what 2026 holds for the platform. There’s also a heartwarming reminder that our ecosystem is at its best when we give back. Let’s dig in.
In this Issue:
The WordPress Community Loses a Bright Light
111,000+ Infected Sites Had Security Plugins, Here’s What Went Wrong
WP Gives a Hand Returns December 22–28
The Core Program Team Sets Its Sights on Roadmaps
WordPress 7.0 Targets Spring 2026 with Three Major Releases Planned
The WordPress Community Loses a Bright Light
The WordPress community is mourning Zeel Thakkar, a web developer from Ahmedabad who collapsed on stage at WordCamp Surat on 16 November and passed away shortly after. She was addressing the audience when she fell, and despite being rushed to the hospital, she couldn’t be revived. Local authorities suspect cardiac arrest.
Zeel had been contributing to WordPress since 2023, quickly becoming a fixture in the community. She helped organize multiple WordCamps, contributed to WordPress 6.7 and 6.8, served as a Training Team mentor, and was part of the WordCamp Asia 2026 operations team. She received the Kim Parsell Memorial Scholarship in 2024 and traveled to Manila for WordCamp Asia 2025 as a volunteer. Tributes have poured in across Slack, X, and LinkedIn from contributors worldwide, all remembering her passion, kindness, and the lasting impact she made in such a short time.
She started contributing just two years ago after a WordPress 20th anniversary event
Recognized as an all-star mentee in the Contributor Mentorship Program
Her legacy lives on through the communities she helped build
The loss reminds us how precious and fragile life is, and how much one person can accomplish when they show up with genuine care for others.
Read the full report on The Repository Here.
Turning to security, this next story is a wake-up call we all need to hear.
111,000+ Infected Sites Had Security Plugins—Here’s What Went Wrong
If you think installing a security plugin means your WordPress site is protected, this will make you uncomfortable. In September alone, malware removal team WeWatchYourWebsite cleaned 111,354 infected WordPress sites. Every single one had at least one security plugin installed. Nearly 20% were running two leading security plugins simultaneously. None of them stopped the attacks.
The root cause? A staggering 81% were compromised through stolen admin credentials or hijacked authentication cookies. Attackers didn’t exploit vulnerabilities; they walked in using legitimate login access. Traditional security plugins watch for malicious files and suspicious activity, but they can’t stop someone who has your password or session token. Even more telling: on 1,377 sites running SolidWP’s security plugin, attackers followed a deliberate pattern: they authenticated first, then immediately deactivated the security plugin before installing backdoors.
The article argues that most security services fail at something critical: root cause analysis. Cleaning malware without understanding how attackers got in means the same vulnerability remains. Sites get reinfected weeks later because the stolen credentials are still valid, the weak password is still in use, or the vulnerable plugin is still installed.
Use passkey authentication or hardware-based 2FA (not SMS or email codes)
Monitor continuously for post-compromise indicators like file changes
Update ALL plugins, not just your security plugin
Demand root cause analysis from any security service you hire
Effective WordPress security in 2025 requires layered defense: strong authentication, traditional hardening, continuous monitoring, and regular updates. One layer alone won’t cut it.
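The login, deactivate, install sequence described above is something continuous monitoring can flag. The following is an added example, not code from WeWatchYourWebsite or any plugin named here: it correlates a login with a security-plugin deactivation by the same user and IP inside a short window. The JSON-lines event format, the field names, the plugin slugs, and the five-minute window are all assumptions; WordPress does not emit such a log by default, so an activity-log plugin or a must-use plugin would have to produce it.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events, assumed to be in chronological order.
SAMPLE_LOG = """\
{"ts":"2025-09-14T02:11:05","user":"admin","ip":"203.0.113.7","action":"login","target":""}
{"ts":"2025-09-14T02:11:41","user":"admin","ip":"203.0.113.7","action":"plugin_deactivated","target":"example-security/example-security.php"}
{"ts":"2025-09-14T02:12:30","user":"admin","ip":"203.0.113.7","action":"plugin_installed","target":"constructed-plugin/constructed-plugin.php"}
{"ts":"2025-09-14T09:00:00","user":"editor","ip":"198.51.100.20","action":"login","target":""}
{"ts":"2025-09-14T09:40:00","user":"editor","ip":"198.51.100.20","action":"plugin_deactivated","target":"example-security/example-security.php"}
{"ts":"2025-09-14T10:00:00","user":"author","ip":"198.51.100.21","action":"login","target":""}
{"ts":"2025-09-14T10:01:00","user":"author","ip":"198.51.100.21","action":"plugin_deactivated","target":"hello-dolly/hello.php"}
"""

SECURITY_PLUGINS = {"example-security/example-security.php"}  # placeholder slug
WINDOW = timedelta(minutes=5)  # assumed threshold; tune to the site's admin habits


def find_suspicious_sessions(log_text, security_plugins=SECURITY_PLUGINS, window=WINDOW):
    """Return one alert per security-plugin deactivation that closely follows a login."""
    last_login, open_alert, alerts = {}, {}, []
    for line in filter(str.strip, log_text.splitlines()):
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["ip"])
        if ev["action"] == "login":
            last_login[key] = ts
            open_alert.pop(key, None)  # a new session starts a new correlation
        elif ev["action"] == "plugin_deactivated" and ev["target"] in security_plugins:
            login = last_login.get(key)
            if login is not None and ts - login <= window:
                alert = {"user": ev["user"], "ip": ev["ip"],
                         "deactivated": ev["target"],
                         "seconds_after_login": int((ts - login).total_seconds()),
                         "followed_by": []}
                alerts.append(alert)
                open_alert[key] = alert
        elif ev["action"] in ("plugin_installed", "file_changed") and key in open_alert:
            # Anything installed or changed after the deactivation is triage context.
            open_alert[key]["followed_by"].append(ev["target"])
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_sessions(SAMPLE_LOG):
        print(json.dumps(alert))
```

Because the attacker in this scenario holds valid admin access, the events should be shipped off the site as they occur; a log stored only inside WordPress can be altered by the same session.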
Now for something that reminds us why this community matters beyond code and features.
WP Gives a Hand Returns December 22–28
It’s that time of year again. WP Gives a Hand, the WordPress community’s annual charity initiative, runs from December 22 to 28 this year. The concept is simple: participating WordPress businesses donate a portion of their revenue to charities of their choice, then share the results publicly.
The initiative started in 2020 when people across the WordPress ecosystem decided to do something meaningful instead of just offering Christmas discounts. It wasn’t about raising money alone; it was about shifting the conversation toward compassion and responsibility. The idea caught on, and #WPGivesAHand has returned every December since.
Here’s how it works: companies, agencies, freelancers, and developers choose a charity, decide what percentage of revenue they’ll donate, announce their participation publicly using the #WPGivesAHand hashtag, and share their final results after the week ends. The initiative builds momentum: when one company gives, another sees it and joins. When users buy from participating businesses, it encourages others to do the same.
WordPress businesses can join by reaching out to WP Gives a Hand and announcing participation
WordPress users can support participating products during the campaign week
The movement grows each year because it’s authentic, transparent, and impactful
Whether you’re a business or a user, there’s a role for you in making this December’s campaign the biggest yet.
Read the full report on wpbakery.com here.
Now, on to the WordPress roadmaps and what you should know.
The Core Program Team Sets Its Sights on Roadmaps
The WordPress Core Program team has announced its main focus for Q4: creating a unified approach to roadmaps across the project. Tammie Lister shared the proposal following discussions on GitHub, explaining that the team wants to concentrate energy efficiently rather than spreading efforts too thin.
The roadmap initiative will start as a discovery task, gathering and documenting all existing roadmaps across WordPress teams to understand how they’re built, maintained, and communicated. From there, the team plans to suggest a lightweight process for teams that don’t have roadmaps yet and find a central location, potentially a roadmap page, where contributors can see what needs work across the entire project. The goal isn’t to replace individual team roadmaps but to provide a bird’s-eye view of WordPress development.
Beyond this main focus, the Core Program team identified several collaboration opportunities. They’ll support WP Credits as it grows, explore ways to help Five for the Future, assist with tooling for WordCamps (currently in discovery), and work on improving recognition of invisible contributions, efforts already underway in the Documentation team and around non-dev contributions.
The discovery phase will document how existing roadmaps work and recommend formats others can follow
A central roadmap location would help contributors identify where help is needed
Multiple teams are working on contributor recognition from different angles, with potential for collaboration
The team is now gathering feedback on the proposed focus before starting work together.
Meanwhile, the WordPress project is making plans for a busy year ahead.
WordPress 7.0 Targets Spring 2026 with Three Major Releases Planned
WordPress is returning to three major releases in 2026, a shift from earlier plans to ship just one due to ongoing legal matters and Automattic’s pause in contributions. According to notes from this week’s Core Committers Check-in, WordPress 7.0 is targeted for March or April, with two more releases to follow later in the year.
The meeting covered several potential features for 7.0, including template activation, the Tabs block, and client-side media editing. The most extensive discussion centered on the WordPress AI Client, which shipped version 0.1.0 last week. The AI Client provides a native, provider-agnostic way for plugins and themes to interact with AI services without hard-coding specific providers. Committers see it as a strong candidate for core because it encourages the ecosystem to build on solid foundations. However, they stressed that WordPress will remain agnostic—no specific AI model will be baked in, and the project won’t favor certain third-party services.
The admin redesign also came up. Contributors clarified it won’t be a full overhaul but rather a “fresh coat of paint” refreshing what’s already there. The redesign is part of Phase 3: Collaboration, but there’s still no timeline for when it might land. The last major admin refresh shipped over a decade ago in WordPress 3.8.
February was ruled out since beta would fall during holiday season
Committers discussed raising minimum PHP version to 7.4 but made no decision
The group wants clear use cases for AI features in “default WordPress” before proceeding
It’s encouraging to see the project returning to a healthier release cadence and thinking carefully about how to integrate emerging technologies responsibly.
Read the full report on The Repository Here.
Other reports from The Repository you might like to read:
WordPress 6.9 RC3 Arrives as Field Guide Drops and Final Release Nears
WordPress 6.9 to Introduce Notes, Bringing Asynchronous Collaboration to the Post Editor
Inside FAIR’s Approach to Security: A New Model for WordPress Package Safety
FAIR and Patchstack Build Security MVP at CloudFest USA Hackathon
WP Engine Moves to Dismiss Automattic’s Counterclaims, Arguing They Were Filed Too Late
Letters of Protest Fail to Stop ‘Managed WordPress’ and ‘Hosted WordPress’ U.S. Trademark Bids
Real-Time Collaboration Flagged for WordPress 7.0 Amid Ongoing Technical Challenges
State of the Word 2025 Set for San Francisco, Coinciding With WordPress 6.9 Release
Don’t forget to subscribe & support them, they do some amazing hard-hitting WordPress journalism.
WordPress Must Read
→ Understanding the Abilities API: What It Is, Why It Matters and How It’s Going to Transform WordPress (therepository.email)
→ Breaking free from subscription fatigue: Why Nag Me Not switched to pay once (nagmenotwp.com)
→ The State of Ecommerce in 2025 (storeleads.app)
→ WordPress needs to catch up to the web (progressplanner.com)
→ The importance of a good changelog (developer.wordpress.org)
→ Enterprise Doesn’t Doubt WordPress. They Doubt Us. (jamesgiroux.ca)
→ We need to reinvent contributor days (progressplanner.com)
→ Did the UK budget leak because of WordPress? (altis-dxp.com)
On other WordPress News
→ The PHP Foundation is Seeking a New Executive Director (thephp.foundation)
→ WooCommerce 10.4: Pre-release updates (developer.woocommerce.com)
→ Preview Gutenberg Development Branches in Your Browser (make.wordpress.org)
→ WordPress Importer can now migrate URLs in your content (make.wordpress.org)
→ MCP Adapter v0.3.0 is now available. (make.wordpress.org)
→ PHP 8.5 support in WordPress 6.9 (make.wordpress.org)
→ Introducing the WordPress AI Client SDK (make.wordpress.org)
→ Call for Mentors: Join WordPress Campus Connect! (make.wordpress.org)
→ A Month in Core – October 2025 (make.wordpress.org)
→ In Loving Memory of Zeel Thakkar (asia.wordcamp.org)
→ Meet your 2026 Training Team Representatives (make.wordpress.org)
→ What’s new for developers? (November 2025) (developer.wordpress.org)
→ Playground CLI adds ImageMagick, SOAP, and AVIF support (make.wordpress.org)
→ Automattic Inc. Claims It Owns the Word ‘Automatic’ (404media.co)
→ Rethinking Contributor Recognition in Documentation Team (make.wordpress.org)
→ Monthly Education Buzz Report – October 2025 (make.wordpress.org)
From WordPress Community
→ The WP Community Collective Celebrates Contributor Day Table Leads With Appreciation Campaign (therepository.email)
→ Summary of Hallway Hangout on content creation across different mediums (make.wordpress.org)
→ WordPress Udupi Community Empowers 300+ Students Across Coastal Karnataka Through Campus Connect (central.wordcamp.org)
→ WordCamp Canada: Reflections from an Organizer (troychaplin.ca)
→ Celebrating #YourDay: Four years of the 4-day work week (wpbakery.com)
→ Life at Automattic: Communication is oxygen (jonathanbossenger.com)
→ Shape the Future: SiNC Seeks Senior Leaders to Mentor WordPress Contributors (supportinclusionintech.com)
→ FAIR: rethinking how WordPress software is distributed (fair.pm)
→ Finding the Next Right Thing (mattcromwell.com)
→ Why people really choose WooCommerce (in the words of the community) (barn2.com)
→ The Story Behind Checkout Summit: the New WooCommerce Conference (publishpress.com)
→ How Page Builders Transformed WordPress and What’s Next for the Web | Raitis Sevelis (WPBakery) (youtube.com)
What's Your Thought?
This week brought us loss, lessons, and opportunities to come together. Zeel’s memory reminds us to show up fully and support each other. The security data reminds us that protection requires more than good intentions. And the planning for 7.0 and WP Gives a Hand show a community that keeps moving forward, building better tools and making space for kindness.
What’s on your mind after reading this issue? Hit reply and let me know. I read every response.
Nishat, WPMore
P.S. — If these stories resonated with you, forward this to someone who needs to hear them. And if you have a story about why you’re still here, hit reply and tell us. We read every one.

