David Snead, director of the Secure Hosting Alliance and a long-time Internet policy leader, shares his perspective on the complexities that emerge when technological solutions like age verification are implemented in the digital infrastructure space. Dave’s reflection highlights how the push for more secure, regulated environments can unintentionally create barriers for vulnerable or less tech-savvy […]
How to Connect AI Agents With WordPress using MCP (Step by Step)
AI assistants like Claude Code, Cowork, and ChatGPT are incredible productivity boosters, and if you wished that you could connect these AI tools with WordPress directly, then you’re not alone.
Lately, I have been using WordPress MCP by WPVibe to let my AI assistant manage my website, and it’s truly amazing how much time this saves. You can simply ask it to create a post, upload image, handle admin tasks, and more from a single conversational prompt.
In this step by step tutorial, I’ll show you how to connect your favorite AI tools with WordPress using MCP along with sharing a few work examples, so you can see what becomes possible when you combine WordPress + AI.

You can use the quick links below to jump to any section:
- What is a WordPress MCP and What Can It Do?
- What You Need Before Getting Started
- Step 1. Set Up MCP on Your WordPress Website
- Step 2. Connect Your AI Tools to WordPress
- What You Can Do Once You’re Connected (Worked Examples)
- Is WordPress MCP Safe?
- Troubleshooting Connection Issues
- Frequently Asked Questions About WordPress MCP
What is a WordPress MCP and What Can It Do?
MCP stands for Model Context Protocol. It is as an open standard that lets AI assistants connect to outside tools and services.
Think of it as a universal adapter. Instead of every AI tool building a custom integration with every service, they all speak the same language, so any tool and service that support MCP can work together.
With a WordPress MCP, your AI assistant can see what your website supports and carry out tasks from a plain-text prompt. It does this using a connection WordPress already has built in (the REST API), so there’s nothing extra to install.
You can use WordPress MCP to manage your WordPress site and perform tasks including:
- Draft and publish posts – Create blog posts as drafts, set titles, add categories and tags, and publish when you’re ready.
- Upload media – Pull images from any public URL directly into your WordPress media library.
- Manage categories and tags – Create or rename taxonomy terms and assign them to posts.
- Run admin tasks – Flush your site cache, check which plugins are active, and activate or deactivate plugins.
- Use plugin abilities – On WordPress 6.9+, many plugins register their own actions the AI can discover and run automatically
Each of these can be done from a plain-text prompt from your favorite AI tool like Claude Code, Cursor, ChatGPT, etc. I’ll show you the exact prompts once you’re fully set up.
What You Need Before Getting Started
- Self-hosted WordPress 6.9 or later – With the REST API enabled (it’s on by default). You need version 6.9 or later for plugin abilities API which is allows you to use AI to manage plugins like AIOSEO, WPForms, etc.
- A publicly accessible site – Your site must be reachable on the internet because local development sites won’t work unless exposed via a tunnel.
- A free WPVibe account — You’ll create this during setup.
- An HTTPS-enabled site — WordPress application passwords require SSL and they won’t function on
http://sites. See our guide on how to add SSL and HTTPS to WordPress.
Step 1. Set Up MCP on Your WordPress Website
The easiest way to add MCP to a self-hosted WordPress site is with WPVibe.ai. It’s free and runs on a hosted server, so there’s no infrastructure to configure. It also works with every major AI tool through a single setup.
You can read our full WPVibe review for a deeper look at everything it can do, but this guide covers what you need to get connected.
Other ways to set this up: There’s also an official WordPress MCP Adapter, which pairs with the new Abilities API in WordPress 6.9, but it’s built for developers and needs manual configuration.
Install and Activate the Vibe AI Plugin
First, you will need to install and activate the free WPVibe plugin. If you need any help, our guide on how to install a WordPress plugin covers each step.
Along with connecting your AI tools, the WPVibe plugin unlocks WP-CLI commands, theme file editing, and the plugin abilities that I talk about later in this guide.
Once activated, go to Vibe AI » Vibe AI in your WordPress dashboard. You’ll see the MCP server URL and a three-step setup guide.
Keep this tab open. You’ll need the URL in the next step.

Step 2. Connect Your AI Tools to WordPress
With WPVibe set up, connecting your AI tool takes under a minute. You add the same server URL to any AI client you use: https://mcp.wpvibe.ai/mcp.
You’ll find instructions on how to do this in the official WPVibe documentation. But let me show you exactly where to find that setting in some popular AI platforms.
Connecting Claude
If you’re just getting started, I recommend beginning with Claude.
The simplest method is to add the WPVibe URL once via Claude.ai on the web, and it syncs automatically to Claude Desktop, Claude Code, and the Claude mobile apps with no separate setup needed.
Note: On Team and Enterprise workspaces, only an Owner or Admin can add connectors. Individual members on those plans can authenticate with WPVibe once the admin has added it, or use the Claude Code method in step 3 below.
- Free, Pro, and Max plans: In Claude.ai, go to Customize » Connectors. Click the + button, select ‘Add custom connector’, and paste
https://mcp.wpvibe.ai/mcp. - Team and Enterprise (admin only): Go to Organization settings » Connectors. Click ‘Add’, select Custom » Web, and paste the WPVibe URL.
- Claude Code (any plan): In your terminal, run
claude mcp add --scope user wpvibe --transport http https://mcp.wpvibe.ai/mcp. Then, open Claude Code, type/mcp, select wpvibe, and choose ‘Authenticate’.
Once saved, follow the on-screen prompt to authorize your WordPress site.

Connecting ChatGPT
WPVibe is available directly in the ChatGPT App Marketplace, so both free and paid users can connect without copying server URLs or editing config files.
In ChatGPT, click ‘Apps’ in the sidebar and search for WPVibe. Then click ‘Connect’ on the app page and sign in with your WPVibe account when prompted.
After connecting, ChatGPT pre-fills ‘@WPVibe’ at the start of each message. You can delete it with backspace for prompts unrelated to WordPress. Leave it in place when following the authorization step below.

Connecting Cursor
Cursor adds MCP servers through a JSON config file. In Cursor, go to Settings » MCP and click the ‘Add new global MCP server’ button. This opens the mcp.json file.
Add the following entry and save:
{
"mcpServers": {
"wpvibe": {
"url": "https://mcp.wpvibe.ai/mcp"
}
}
}
Make sure you restart Cursor after saving.
WPVibe will appear in the MCP list once it connects.

Connecting Windsurf
In Windsurf, open the Cascade panel and click the ‘Plugins’ icon (puzzle piece). Search for WPVibe, click ‘Enable’, and complete the sign-in flow when prompted.
To configure manually instead, edit ~/.codeium/windsurf/mcp_config.json and add the following, then restart Windsurf:
{
"mcpServers": {
"wpvibe": {
"serverUrl": "https://mcp.wpvibe.ai/mcp"
}
}
}
Note: Windsurf uses serverUrl (not url) in its config file. Using the wrong key will cause the connection to fail.
Authorize Your WordPress Site
With the MCP URL added to your AI client, go back to Vibe AI » Vibe AI in your WordPress dashboard.
Under step 3, you’ll find a ready-to-copy prompt with your site’s URL already filled in.

Paste that prompt into your AI chat. Your AI assistant will call WPVibe and return a one-click authorization link. Simply click it to approve the connection.
You never see or copy a password. WordPress and WPVibe handle the credentials securely in the background.

What You Can Do Once You’re Connected (Worked Examples)
Once your AI tool is connected to WordPress, here are the first prompts I tried, including one for WooCommerce store owners.
My examples are from Claude Code terminal, but these will work with whichever AI tool you connected.
1. Write and Draft a Blog Post
Type this into your AI tool: ‘Create a draft WordPress post titled “How to Start a Blog” with an intro paragraph explaining why blogging is still worth it.’

Your AI assistant calls the WordPress REST API, saves the post as a draft, and returns a confirmation with a link to edit it in wp-admin.
Nothing goes live until you choose to publish it yourself.

2. Upload a Photo to Your Media Library
Type: ‘Upload this image to my WordPress media library: [paste a public image URL]. Set the alt text to “A person working at a laptop”.’

WPVibe validates the source URL, downloads the image, and adds it to your media library with the alt text you specified.
You can reference it in any post from there.

Note: The prompt above uses a public URL, which is the simplest approach. Uploading a local file from your computer works too, but WPVibe will generate a browser upload link as an intermediate step.
3. Manage Your WooCommerce Store
WooCommerce 10.9 ships with native MCP support, which exposes product and order abilities through the same standard that WPVibe uses.
If your site runs WooCommerce, try: ‘Draft a new product called “Summer T-Shirt” with a short description and a price of $29.95.’

The product saves as a draft in your store. Beyond creating products, your AI can also query orders, update their status, and add order notes, so you can handle routine store admin from the same chat window.
You can see the example below.

The next three examples go beyond WordPress’s built-in actions. On WordPress 6.9 or later, plugins can register their own actions (called ‘abilities’) that your AI discovers automatically, so if you use these tools, you can drive them from the same chat.
4. Optimize Your SEO with AI
If you use AIOSEO, then you can ask your AI to handle common SEO tasks from the chat window. It can check TruSEO scores, generate meta titles and descriptions, and run SEO audits.
My starting point was to ask it to find every post missing a meta description and write one for each.
Try this prompt: ‘Find all posts missing meta descriptions and write and apply them in one go.’

Your AI checks every post, writes the missing meta descriptions, and applies them through AIOSEO in one step.
See our complete AIOSEO setup guide to get it configured first.

5. Manage Landing Pages and Maintenance Mode
If you use SeedProd, then your AI can manage your coming soon page, maintenance mode, and landing page settings without going into wp-admin.
For example: ‘Check if maintenance mode is currently active’ or ‘Enable the coming soon page.’
6. Build a Form with AI
If you use WPForms, then your AI can build forms from a plain-English description.
Try: ‘Create a contact form with name, email, and a message field.’ WPForms creates the form in your dashboard, ready to configure and embed.
Before using this, make sure you enable write access under WPForms » Tools.

WPForms Lite supports basic field types. Paid plans add phone, date/time, file upload, and more.
See What Your Site Can Do
You don’t have to guess which of your plugins support this. Because WPVibe automatically discovers every registered ability, you can just ask your connected AI: ‘What can you do on my WordPress site?’
It will list the abilities your installed plugins expose, so the answer stays accurate no matter which plugins you run.
Is WordPress MCP Safe?
I had the same concern when I first tested this. Here’s how WPVibe handles security.
WordPress manages the connection using application passwords, a built-in feature that creates a separate password for each external tool you connect. The AI only gets the permissions of the user account you connected.
So, it’s worth connecting with a limited, non-admin account rather than your main administrator login. If you create a dedicated Editor-role user for the connection, then the AI can only do what an Editor can do.
WPVibe encrypts your application password before storing it, using a separate key for each site, and keeps it on secure servers hosted by Cloudflare. Every connection between your AI client, WPVibe, and your WordPress site is encrypted too, so your credentials are never exposed along the way.
WPVibe also doesn’t store your conversation content. It stays within your AI client.
On the WordPress side, new posts always save as drafts and deletions go to the trash rather than permanent deletion.
To fully revoke access at any time, go to Users » Profile in your WordPress dashboard and scroll down to the Application Passwords section to delete it.
Troubleshooting Connection Issues
Connecting your AI client to WordPress is the step that trips people up most often.
If the connection fails or WPVibe doesn’t appear, then work through these checks:
- WPVibe isn’t in your client’s tool or MCP list – Restart the AI client after saving the config. New MCP servers only load on a fresh start.
- The connection fails silently in Windsurf – Windsurf uses the
serverUrlkey, noturl. The wrong key produces no error message, so double-check it. - Application passwords won’t authenticate – Your site must run on HTTPS. Application passwords don’t work over
http://. - Your AI client can’t reach the site – The site has to be publicly reachable. A local development site won’t connect unless you expose it through a tunnel.
- Authorization keeps failing – Re-check that you pasted the correct MCP server URL:
https://mcp.wpvibe.ai/mcp.
Frequently Asked Questions About WordPress MCP
Is WPVibe free?
Yes. WPVibe has no API key costs and everything in this guide works on the free plan. There is now a paid Pro plan (early-access pricing, $99 per year) that adds higher daily usage limits and priority support, not new features, so you don’t need it for anything covered here.
Does WordPress MCP work with all AI tools?
WPVibe works with Claude.ai (web), Claude Desktop, Claude Code, ChatGPT, Cursor, and Windsurf. Because MCP is an open protocol, any new AI tool that adopts the standard will work with the same WPVibe setup automatically.
Does WordPress MCP work with WordPress.com?
No, not through WPVibe. WordPress.com has its own built-in MCP setup that works differently. This guide covers self-hosted WordPress (WordPress.org) only.
Do I need WordPress 6.9 to use MCP?
No. You can create posts, upload media, and run admin tasks on WordPress 6.0 or later. WordPress 6.9 is only required if you want to use plugin abilities like those from All in One SEO or SeedProd.
Can I connect more than one WordPress site to WPVibe?
Yes. WPVibe supports multiple sites under one free account. Install the Vibe AI plugin on each additional site and complete the site authorization step. Your existing WPVibe account covers all your sites.
What happens if I disconnect WPVibe from my site?
You can remove a site from WPVibe in the plugin admin or on wpvibe.ai at any time. To fully revoke access, also delete the credential under Users » Profile » Application Passwords.
I hope this article helped you get WordPress MCP set up on your site. You may also want to see our guide on the best AI Automation Tools for WordPress.
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.
The post How to Connect AI Agents With WordPress using MCP (Step by Step) first appeared on WPBeginner.
Dennis Snell: See DATA, CDATA, RCDATA, and PCDATA oh my!
HTML and XML are markup languages based on plaintext files. This means that any given character could be part of a syntax form (a tag, a comment, a character reference, etc…) or it could be representing itself the way it reads in the file literally.
<tag>· Text node</tag>
Whenever a character might be ambiguous, both languages require explicit indication of the intent of the character. In HTML this occurs via escaping, while XML allows escaping or wrapping the content in a marked section, specifically a CDATA section.
<tag><![CDATA[<tag>· Text node</tag>]]>
These terms confuse me at times, especially since CDATA and CDATA sections are distinct forms of the same content, and it’s easy to conflate each term. This post is here to disambiguate the terms, their meanings, and why they exist.
The punchline comes at the end, but the story is hopefully worth the read.
Markup and mixed content
One of the first jobs of a parser for any plaintext-oriented format is to determine if the next input character represents real text or is part of a syntax form that carries special meaning. If it’s a syntax form we would call it markup, but if the characters are part of real text meant for display or rendering or reading then we call it data.
Anything that is not syntax is data.
The interpretation of the next character depends on the region of the document in which it’s parsed. While the rules for syntax forms are complicated1, this post will focus on the data forms.
PCDATA — “parsed character data”
May form: tags, comments, sections, character references, literal text.
Characters in this region could be data or could form the start of a new markup element. It’s “parsed” because it needs parsing before determining what it represents.
The HTML specification renames this to Data, which is simpler and a bit harder to search for. In XML, however, it’s used in a document-type definition (DTD). When an element may contain content — text — its data model must include #PCDATA. Otherwise the only characters allowable within that element are other elements, comments, and whitespace. XML documents are required to be valid SGML documents, so its own specification adopts the terminology from SGML’s.
Those who have worked with DTDs might note that elements in XML may contain #PCDATA while attributes contain CDATA instead. First of all, the # is there only to make it explicit that PCDATA is referring to the reserved keyword, rather than a <pcdata> element. Secondly, there’s a good reason for this, which is that attributes can only contain text — they can’t contain other elements of markup. If an attribute value could contain a <span> element, for example, then the attribute value would need to be #PCDATA instead, but this is prevented by design.
PCDATA actually contains more than just literal text and elements. In addition to comments, processing instructions, and other node-like syntax, one important feature of PCDATA is the character reference. These make it possible to represent characters that would conflate with syntax (such as ‘<’ — <) or which might be cumbersome to enter on a keyboard (such as ‘§’ — §). When parsing, each character in these sequences neither creates an element nor displays as the text itself; rather, the entire sequence is parsed and translates into the character it refers to.
HTML pre-specifies a fixed set of named character references, but any Unicode code point may be referenced by its decimal or hexadecimal numeric index. While XML also allows referencing code points by their index2, it only pre-specifies the five named characters which correspond to its main markup introducers: <, >, &, ', and ". In XML, any additional named character references are created through the DTD by defining entities.
CDATA — “character data”
May form: [character references], literal text.
If a character isn’t markup, then it’s character data, which means that it’s representing its literal self or it’s part of a character reference. Once the parser has entered this region it will not create markup elements.
CDATA is the most confusable kind of character data; this is because there are many kinds of CDATA that share the same name:
- XML attributes may contain CDATA, where character references are decoded.
- XML CDATA sections only contain CDATA, but character references are not decoded.
- HTML kind of has the same CDATA sections, but only in foreign elements (inlined SVG and MathML elements).
- SGML elements may be declared to have a CDATA content model, in which case all content until the appropriate closing tag is to be parsed as character data, where character references are not decoded.
CDATA sections contain only literal text
Many people are familiar with CDATA sections, but it took me far longer to understand them than my intuition led on. They are the vestige of SGML “marked regions” which tell the parser to handle a specific range of bytes in a special way. The CDATA section is one of those, which tells the parser to completely turn off until it reaches ]]>.
<![CDATA[literal characters only in here]]>
It had other marked sections, however, which served different purposes.
<![IGNORE[everything in here is ignored; it doesn’t exist.]]><![INCLUDE[in here things <em>do</em> exist as normal.]]><![RCDATA[read on to learn about RCDATA!]]>
The IGNORE and INCLUDE sections may seem strange, since SGML already has comments, and INCLUDE effectively does nothing, but the sections can be marked by replaced entities, making for conditional inclusion which can be overwritten via command-line arguments when invoking the SGML parser.
<!ENTITY % review-only "IGNORE">...<![%review-only;[<aside>Add `-Dreview-only=INCLUDE` when building drafts.This note won’t appear otherwise.</aside>]]>
XML only retained CDATA sections from SGML, while HTML never included them. They are useful because they are so easy to parse. All characters inside of them are to be treated as literal text, up until the first occurrence of the terminating ]]>. Unlike elements, the marked sections do not nest.
There are no CDATA sections in HTML
The Internet is full of discussions about the use of CDATA sections in HTML, but there are no such things, mostly. HTML itself is an amalgam of pure HTML and embedded SVG and MathML. Content inside of those embedded SVG and MathML elements is parsed differently, and within this “foreign content” there are CDATA section nodes.
When something which look like a CDATA section appears in an HTML document, it’s transformed into a “bogus” HTML comment and considered a snippet of malformed markup. To make things more confusing, the parsing rules differ inside an HTML document for these regions depending on whether they are found within HTML elements or foreign elements.
- When a real CDATA section appears within SVG and MathML, it parses as in XML or SGML — everything is literal text until the nearest
]]>. - When a malformed CDATA look-alike appears in an HTML element, it gets special treatment — the parser only turns off until the nearest
>. This means that these sections end even without a closing]]>, and when they do, all of their contained content disappears from the page.
That small difference confuses naïve parsers and is a regular source of bugs.
<div><![CDATA[There are no tags in here.]]></div><svg><text><![CDATA[<none> here either.]]></text></svg><div><![CDATA[But there <em>are</em> tags in here]]></div> the section ends here ╯ ╰ start of a real end tagThe following is the equivalent markup to the third line.<div><!--But there <em-->are</em> tags in here]]></div>
SGML contains CDATA regions outside of marked CDATA sections
SGML made it possible to define more kinds of content than XML does for a given element. For example, an element in SGML can be declared to have a CDATA content model, in which case the element itself behaves like a CDATA section. All characters after the opening tag are treated as literal text until the parser finds the nearest appropriate end tag3. XML rejected this ability because it increases the complexity of the parser and requires that every document also contains a full DTD when parsing. For example, if an element were declared to have CDATA content, then a <at> b would represent that literal string; on the other hand, if it were declared like any other normal element, it would have three children: “a ”, the <at> opening tag, and “ b”.
<!ELEMENT verbatim - - CDATA>...<verbatim>There are <no> tags in here, because this is CDATA,but you wouldn’t know without reading the DTD,overcomplicating the demands on the parser.</verbatim>
These kinds of elements do exist in HTML, though a few were modified when HTML5 was standardized in 2008. Inside of the elements, the parser essentially turns off, which makes them easy to parse and can help avoid the need to extensively escape content. These elements are, of course, <script> and <style>4.
Were it not for the CDATA declared content model, every angle bracket and ampersand would have to be escaped in included JavaScript and CSS. In XHTML this was required, because it had no CDATA declared content model (since it was XML)5.
All text in XML is CDATA
Herein lies the most-confusing aspect of discussing CDATA — XML contains CDATA sections as well as CDATA as normal text. After parsing there is no distinction between <tag> and <![CDATA[<tag>]]> in the parsed content.
Many XML generators (or serializers) provide two mechanisms for creating text content: one wraps text in a CDATA section and leaves the text as it came (apart from avoiding including the terminating sequence); the other escapes syntax characters instead. While there are times where it would be appropriate to intentionally pick one over the other, a good library design would at least offer a third mechanism (if not only providing this third mechanism) which simply produces CDATA, itself determining when to wrap and when to escape6, and whether or not to produce chunks of wrapped text interspersed with chunks of escaped text.
The real difference between these two kinds of CDATA is purely presentational in the source document, as the XML snippet below only contains one text node, not two. Creating CDATA does not imply creating a CDATA section!
<rule><![CDATA[#X13<d&r>]]> (&pp;4 &ss;3.11)</rule>
RCDATA — “replaceable character data”
May form: character references, literal text.
There’s one more confusing designation for characters in the HTML and XML input streams: RCDATA. RCDATA is almost identical to CDATA, except that in contexts where CDATA does not decode character references and entities, RCDATA will decode them into CDATA. This is confusing, because in the context of an XML attribute, the CDATA designation in a DTD automatically implies that character references are decoded, unlike the CDATA sections in content.
To this end there are no RCDATA attributes, since character references are always decoded inside attribute values. The RCDATA declaration is like the SGML CDATA content declaration: all characters following the opening tag for this element will be treated as text until the nearest matching closing tag (the difference being only that character references are recognized and decoded).
It’s worth remembering that XML rejected the CDATA content type because of how it complicates parsing, and it also rejected the RCDATA type. On the other hand, RCDATA was incorporated into HTML, but statically so. HTML has no configurable DTD, but in its specification two elements contain RCDATA content:
TITLETEXTAREA
While it’s easy to comprehend the way that <textarea> works, and that’s probably because we are used to entering text into one on a web page, the behavior of <title> is consistently confused in all manner of programming languages, platforms, and HTML-parsing code.
The TITLE element only contains character data — it cannot contain other markup. The parsing is among the easiest sections of an HTML document to parse: once the <title> opening tag is detected, the parser can capture everything until the nearest </title> closing tag. Everything it captured is literal text, after decoding character references.
<!-- the title is "<title>" --><title><title></title><!-- equivalent HTML --><title><title></title>
This complicates content management systems like WordPress which allow posts to have HTML in their post titles, because a page can show richly-formatted article titles which cannot be represented in the browser tab’s label, and care must be taken to extract the plaintext content from that HTML before display in those contexts.
Coda
HTML and XML both speak about different kinds of characters in their source documents and content models, which traces from the complicated ways that SGML documents could be constructed. SGML’s complexity almost always stems from the central idea that computers should do extra work to remove the hassle for humans to enter structured content in plaintext documents.
HTML, inspired by SGML, adopted some of the names and mechanisms for parsing those regions of text in distinct ways, but codified a single parsing standard independent of SGML. When XML was later developed, it was meant to form a simplified subset of SGML. This subset flipped the tradeoffs, leaning on humans performing extra work to remove the hassle for computers to parse structure in plaintext documents. For these text forms, this meant rejecting a few of the constructs while retaining others.
This is also another demonstration of how balanced tags are not enough to have well-behaved HTML with a naïve parser. A well-formed XML document may be parsed with a terse PERL script and regular expression, but HTML relies heavily on the context in which characters are found. Any HTML parser must know the special rules for each kind of element’s content model.
In summary
- When it’s unclear whether a character forms text or markup, that is PCDATA. Once parsed, there is no PCDATA anymore; it’s either a form of DATA or MARKUP.
- All text nodes in HTML are “DATA.”
- “CDATA” just means “character data” and means that after parsing, the content is text. It does not indicate whether character references are to be decoded or not; that comes from the region in the document, based on its context.
- There are no CDATA sections in HTML7.
- All text nodes in XML are CDATA, but only after being parsed.
- CDATA sections offer a convenient way to avoid escaping, but are indistinguishable from the equivalent escaped text.
- HTML contains two special RCDATA elements which only and always contain a single text node child:
<title>and<textarea>. Everything until the closing tag will be parsed as text, even if it looks like markup.
This post is already long and still over-simplifies the picture. SGML is a rich and robust specification and includes NDATA and SDATA, HTML includes a latching PLAINTEXT parsing mode in which the rest of the entire document is parsed as literal character data, and there are other surprising goodies in how entities interact with the character mode.
Thanks for making it through to the end, or jumping directly here if you couldn’t wait.
- As an example, each part of a tag — its name, attribute names, attribute values — carries its own parsing rules. The same is true for comments, DOCTYPE declarations, and every other syntax form.
︎ - XML only allows character references to the characters in its “character set,” which is almost all Unicode code points, but excludes some control characters and U+FFFE and U+FFFF.
︎ - Because SGML was designed to minimize the amount of necessary syntax, it’s not necessary to have a full end tag for an open element, but that’s a simple-enough model to understand the concept.
︎ - The
<style>element is straightforward, but the<script>element has its own complicated modification of the CDATA content model. It’s mostly CDATA, but makes it possible to escape the closing tag so that very old pages won’t break. HTML also applies this parsing mode for the<iframe>,<noembed>,<noframes>, and<noscript>elements (as well as for the deprecated<xmp>element), but these nominally should have no content inside of them (or shouldn’t be used); applying the CDATA content model prevents creating other elements as their children.
︎ - Frustratingly, in XHTML one must escape JavaScript and CSS in the page to avoid parsing failure, while in HTML one must not. This alone makes for a complicated stage in any reliable HTML/XHTML converter.
︎ - Wrapping a language like HTML inside a CDATA section is a convenient way to represent the HTML visually and retain the ability to easily modify it, but entities present a problem. The serializer must either pre-translate the entity into its resolved character content, losing the macro-like behavior and its name; or leave the entity in place, thus nullifying it because it will not be recognized as an entity on parse. However, in such a situation, a serializer is free to terminate the CDATA section, append the entity, and open a new one to continue.
︎ - As mentioned in the discussion about CDATA, embedded SVG and MathML elements can contain CDATA sections, but these are not technically HTML elements.
︎
Gutenberg Times: WordPress 7.0.1 Fixes Registration Spam, wp_kses() CSS Corruption, and 7.0 Admin Design Glitches
WordPress 7.0.1 is now available. As the first maintenance release of the 7.0 cycle, it’s strictly a bug-fix release: every included ticket addresses either a regression introduced during 7.0 development or an issue intentionally deferred at the end of the cycle.
The release ships fixes for 17 core Trac tickets and 14 Gutenberg PRs. Because this is a maintenance release, sites with automatic background updates enabled will update to 7.0.1 automatically — everyone else should update as soon as possible. Here’s what stands out for each audience.
Kudos to release lead Aaron Jorbin and his team for pushing this release over the finish line and getting it into hands of WordPress users quickly.
The most important fixes for end users
Registration page spam is shut down (#63085). The account registration page could be abused to send “Login details” spam emails from your site. This is arguably the most impactful fix in the release for anyone running a site with open registration — it protects both your users’ inboxes and your domain’s email reputation.
The 7.0 admin reskin gets its rough edges sanded off. WordPress 7.0’s refreshed admin design shipped with a handful of visual glitches that this release cleans up:
- Form elements are now standardized in the mobile viewport (#64999)
- The image editor’s scale and crop inputs no longer mismatch in size, and the info icon uses the new color scheme (#64937, #65428)
- The publish settings panel no longer crowds its primary action buttons together (#65286)
- The Media Library’s loading spinner is properly aligned in the modal filter toolbar, and the search bar no longer jumps position after a search (#65275, #65296)
- A “black flash” that briefly appeared on wp-admin pages before the interface finished loading is gone (Gutenberg #78493)
Emoji behave correctly again. Two related fixes: the emoji detection script is once more printed in the admin (#65310), and certain characters are no longer incorrectly replaced by Twemoji images (#64318).
Accessibility improvements to the new revisions experience. The Visual History / Revisions feature introduced in 7.0 receives several accessibility fixes: focus now moves to the revisions slider when entering revisions mode, and changed blocks are marked with a CSS outline as a secondary, non-color indicator — important for users with low vision or color blindness (#65122, Gutenberg #77530, #78393, #79691).
The most important fixes for developers
wp_kses() no longer corrupts valid CSS (#65270). Since 7.0 RC4, wp_kses() could mangle legitimate background-image: url(…) declarations into a broken style=")" attribute. If your theme or plugin outputs inline background images through KSES-filtered content, 7.0.1 restores expected behavior — any workarounds you shipped can now be removed.
global-styles-inline-css can be dequeued again (#65336). Since 7.0, developers were unable to remove the global styles inline stylesheet. If your build pipeline or performance optimization strips this and re-serves it another way, that control is back.
PHP 8.5 compatibility fix in wp_get_attachment_image_src() (#64742). An incorrect array access triggered issues under PHP 8.5. If you’re testing sites on newer PHP versions, this removes one blocker.
A removed Navigation function returns as a deprecated shim (Gutenberg #78484). block_core_navigation_submenu_render_submenu_icon() was removed in 7.0, breaking themes and plugins that called it directly. It’s restored as a deprecated shim — but treat this as your migration notice, not a reprieve. Update any code that references it.
Editor state management fixes reduce false “unsaved changes” warnings. Two Gutenberg fixes matter here:
- controlled/mode block changes are now marked non-persistent (#79350), and
- related navigation entities are no longer dirtied during passive renders (#79000).
Together these should mean fewer spurious dirty states and a cleaner undo history — a quality-of-life improvement if you build with template parts and navigation blocks.
Block Visibility: “hide everywhere” keeps working after a block opts out of visibility support (#65389). If you register blocks that disable visibility support, previously hidden instances now stay hidden as expected.
How to update
You can update directly from Dashboard → Updates in your site’s admin, run wp core update with WP-CLI, or download WordPress 7.0.1 from WordPress.org and install it manually. Sites that support automatic background updates for minor releases will begin updating on their own shortly.
The full ticket list is available in the release candidate announcement, Trac report 4, and the 7.0.x editor tasks board on GitHub.
What’s next: WordPress 7.1
With 7.0.1 out the door, attention turns to the next major release: WordPress 7.1 is scheduled for August 19, 2026. To see what’s planned for the release, check out the Roadmap to 7.1 on the Make WordPress Core blog.
WordPress.org blog: WordPress 7.0.1 Maintenance Release
WordPress 7.0.1 is now available!
This minor release includes fixes for 31 bugs throughout Core and the Block Editor, addressing issues affecting multiple areas of WordPress including the block editor, admin ui, and media. For a full list of bug fixes, please refer to the release candidate announcement.
WordPress 7.0.1 is a short-cycle maintenance release. The next major version of WordPress will be 7.1; it is scheduled for release on 19 August 2026 at WordCamp US.
If you have sites that support automatic background updates, the update process will begin automatically.
You can download WordPress 7.0.1 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”. For more information on this release, please visit the HelpHub site.
Thank you to these WordPress contributors
This release was led by Aaron Jorbin, Brian Haas, Carlos Bravo and Estela Rueda.
WordPress 7.0.1 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver maintenance fixes into a stable release is a testament to the power and capability of the WordPress community.
Aaron Jorbin, Abdur Rahman Emon, Abhishek Kumar, Adam Silverstein, Adam Zieliński, Aditya Singh, Aki Hamano, Andrea Fercia, Andrei Draganescu, Andrew Serong, annezazu, Ben Dwyer, Brian Coords, Brian Haas, Carlos Bravo, cogdesign, Dan Luu, Daniel Richards, Darshit Rajyaguru, David Baumwald, Dennis Snell, Dhruvang21, Ella Van Durpe, Erick Wambua, Esteban, Estela Rueda, George Mamadashvili, Greg Ziółkowski, Himanshu Pathak, Hit Bhalodia, Huzaifa Al Mesbah, iflairwebtechnologies, James, Jarda Snajdr, Jb Audras, Joe Dolson, Joen Asmussen, Jon Surrell, Jonathan Desrosiers, Karthikeya Bethu, Khokan Sardar, Lucian R., luismulinari, Mahammad Darvishov, Manhar Barot, Marco Ciampini, Marin Atanasov, Maryam Sultana, Masum, Miguel Fonseca, Miroku, Mohammed Noumaan Ahamed, Mukesh Panchal, Mustafa Bharmal, Nik Tsekouras, Noruzzaman, Ozgur Sar, Peter Wilson, Presskopp, Rahul Kumar, ramonopoly, Riad Benguella, Rishabh Gupta, Roshni Ahuja, Sainath Poojary, Saksham Sharma, SAndrew, Scott Reilly, Sergey Biryukov, siliconforks, Stephen Bernhardt, Swanand M, Takashi Kitajima, Terence Eden, threadi, Tushar Patel, Umesh Nevase, WebMan Design | Oliver Juhas, Weston Ruter, Yogesh Bhutkar, Yusuf Mudagal
How to contribute
To get involved in WordPress core development, head over to Trac, choose a ticket, and join the conversation in the #core channel. Need help? Check out the Core Contributor Handbook.
Props to @jorbin for proofreading.
Jonathan Desrosiers: 13 Years Contributing to WordPress
Thirteen years ago today, I received my very first props for contributing to WordPress Core. If my WordPress contribution journey were a person, it would now be a teenager. It’s pretty wild to think about, but I’ve now been contributing to the WordPress project in some way for a third of my life!
What is a “prop”?
In the WordPress open source project, community participants receive credit for contributing to a given change or deliverable by receiving “props.”
Props should be given to all those who contributed to the final commit, whether through patches, refreshed patches, code suggested otherwise, design, writing, user testing, or other significant investments of time and effort. Usernames are parsed for the credits list and WordPress.org profiles.
The names of all the contributors who helped make a specific release possible are collected in the weeks leading up and added to the Credits API, which powers the Credits page in the WordPress dashboard.
To date, I have been listed on the Credits page for 24 consecutive releases starting with 4.7, and 29 of the 35 releases overall since my first credited contribution in WordPress 3.6 “Oscar”, alongside 224 other contributors.
Every year is a bit different than the last, but I can confidently say that this past year has been significantly different. What it means to develop software or contribute to open source is changing rapidly with advanced AI innovations seemingly every day combined with these tools being accessible to more people than ever before. But throughout all this, one truth holds strong: open source software is more important than ever.
Looking Back
It seemed only fitting for me to instruct AI to analyze my contribution activity over the last 365 days to try and find anything interesting!
Prompt
Today is the 13th Anniversary of my first credited contribution to the WordPress project. I try to write a blog post each year to mark the occasion.
I’m looking for ideas for this years edition. Please go and read all of my past posts (accessible here at this category feed https://jonathandesrosiers.com/category/contributing-anniversaries/feed) and give me 10-12 ideas for what to focus on this year. You can also look through the other content on my site for other ideas.
After you do that, I want you to look at the git history for the
wordpress-developandgutenbergrepositories between July 8, 2025 and yesterday (July 7, 2026). I want you to parse the logs to summarize my activity and find some particular ways to analyze the data that are interesting.Be creative! These posts are the most fun when I am able to find some unique insight into a year’s worth of contributions.
Results
Your year 13 in numbers (Jul 8 2025 → Jul 7 2026)
| Metric | Value |
|---|---|
| Core commits authored & committed | 119 (~7% of all 1,707 core commits this cycle) |
| Additional commits crediting you (props received) | 97 → ~216 credited touch points in core alone |
| Lines changed | +41,746 / −21,940 across 656 file-changes |
| Unique Trac tickets | 69 |
| Gutenberg PRs authored | 24 (+108 co-authored/credited) |
| Reverts you committed | 6 |
The headline: 80 of your 119 core commits (67%) are “Build/Test Tools.” Add Tests + General and it’s ~80%. You spent year 13 as the plumber of WordPress — CI, build pipeline, dependency stewardship, release infrastructure.
The most interesting angles the data surfaced
- The nocturnal committer. ~50 of your commits land between midnight and 4am. Tuesday (37) and Thursday (31) are your peak days; Saturday is nearly dead (3).
- The month that didn’t exist. January 2026: zero commits. March 2026: 40. Your cadence is a heartbeat synced to the 6.9 and 7.0 release cycles, not the calendar.
- The June 30th ritual. You bumped Gutenberg’s pinned hash seven times in a single day (v22.8.0 → v23.4.0) — a whole quarter of catching-up compressed into one sitting.
- Supply-chain quiet work. Pinning full-length action SHAs, replacing abandoned third-party actions, migrating release logic to a GitHub App, ca-bundle updates — you spent the year hardening the software supply chain nobody thanks you for.
- Keeping the ancient libraries breathing. lodash, underscore, backbone, getID3, Twemoji — you’re the caretaker of WordPress’s legacy vendored code.
- Future-proofing the matrix. MySQL 9.5/9.6/9.7, MariaDB 12.1, PHP 8.5 (HEIF/HEIC) — you test tomorrow’s platforms today.
- A first, quietly historic commit: “Include example for disclosing AI usage” — you helped write core’s early AI-disclosure norms.
10–12 ideas for the year-13 post
- “The Plumber’s Year: 67% of My Commits Were Infrastructure.” Own the unglamorous. A love letter to build/test/CI work — the contributions that never show up in a release announcement but without which nothing ships. This is your strongest, most authentic angle.
- “Confessions of a Nocturnal Committer.” Fun, human, data-driven: your midnight-to-4am commit cluster, Tuesday/Thursday peaks, the dead January. Chart your year as a heartbeat and reflect on what it says about maintainer rhythms (and sustainability/burnout).
- “216 Times.” Companion to your 2024 props post, flipped: this year you received credit ~216 times in core (119 committed + 97 propped). Explore the two halves of a committer’s fingerprint — the work you land yourself vs. the work you shepherd for others.
- “The Boring Commits That Keep 40% of the Web Safe.” The supply-chain security angle: pinned SHAs, abandoned-action replacement, the GitHub App migration, ca-bundle. Frame maintenance-as-security — timely and underappreciated.
- “I Test the Future So You Don’t Break in It.” MySQL 9.7, MariaDB 12.1, PHP 8.5 — a piece on being the person who runs tomorrow’s platforms against today’s code, and why the test matrix is a form of care.
- “The Commit I’m Proudest Of Was One Line About AI.” Use “Include example for disclosing AI usage” as a springboard into how WordPress (and you) navigated AI’s arrival in the contribution workflow in 2025–26. Very of-the-moment.
- “Anatomy of a Revert.” Six times this year you reverted your own or others’ work. A candid, senior-contributor essay on why reverting is a feature not a failure — iteration, humility, and trunk stability.
- “A Year in Dependencies.” The stewardship story — lodash/underscore/backbone/getID3/Twemoji. What it means to be the caretaker of code written a decade ago that you can’t just delete. Legacy as responsibility.
- “Who I Built With.” Refresh your collaborator lens for year 13: westonruter (24), jorbin (22), johnbillion (15), peterwilsoncc (14), wildworks (13)… Name the people behind the props lines and tell a story or two about the work you shared.
- “The Shape of a Release Cycle, Drawn in Commits.” Overlay your monthly commit counts on the 6.9 and 7.0 timelines — the March spike, the December bundled-themes push, the quiet stretches. Show readers what a maintainer’s year looks like mapped to what shipped.
- “Same Job, New Tools: Automating Myself Out of the Loop.” Your Gutenberg PRs are almost all release automation — GitHub App auth, GHCR publishing, reproducible builds, Dependabot. A reflective piece on spending your labor building the machine that does the labor, and what that means for the next generation of contributors.
I haven’t validated any of these numbers, but they do seem relatively accurate at first glance. I had ChatGPT create an embroidered patch that reflects the summary above.

And some of those writing suggestions are pretty good ideas! I’m out of time for today, so I’ll file these in the backlog for another day. But here’s to another year of helping the world find their voice to share their stories using WordPress. 
Past Milestones
“Props” Anniversaries: Ten, Eleven, Twelve (archive).
Commit-iversaries: Two, Five, Six, Seven (archive).
Featured image credit: CC0 licensed photo by Mark Westguard from the WordPress Photo Directory.
The post 13 Years Contributing to WordPress appeared first on Jonathan Desrosiers.
Matt: Code for the People

Lights! Camera! Action!
Todd Spangler at Variety writes: Automattic’s ‘Code for the People’ Documentary Is a Rallying Cry for Users to Fight for the Open Internet, from the NYC premiere last week.
I’m looking forward to the San Francisco premiere of the documentary, and then tomorrow everyone can stream it for free on codeforthepeople.com! Appearances by Anne McCarthy, Beau Lebens, Eric Binnion, Ian Stewart, Marjorie Asturias, Mary Hubbard, Matías Ventura, Matthew Miller, Paolo Belcastro, and Paul Maiorana.
We need to tell the story of Open Source in as many ways and places as possible. It’s never been more critical.
Film is new to us, and it’s funny how quickly things change: There’s a segment with a few “OpenAI not open” sound bites, but to their credit, they have been releasing open-weight models (Safeguard is particularly interesting). That said, the top open-weight models are all from China, save for Nvidia’s Nemotron, in ~12th place.
When I went to the first WordCamps in Beijing and Shanghai in 2009, it was a very different time. They were the biggest in the world at the time! I don’t think you could take photos in Tiananmen Square as freely as I did then; now to visit I think you need an appointment, ID checks, and security checks.
Even during WordCamp, it felt like the freedom of Open Source was in high demand, but it also created a lot of fear. I found out later that one of the student volunteers who helped their professor organize everything had been taken in for hours of questioning following the event.
On that trip, I saw how fine-grained the Great Firewall could be when individual posts (IIRC, about bad milk from a factory harming babies) wouldn’t load, but the rest of the site would. WordPress.com had been totally blocked, taking about a quarter of our traffic at the time, but behind the Firewall, Open Source continued to thrive and grow, and now the frontier open models are being driven by China in a way I never would have predicted!
Once you’ve had a taste of freedom, it’s hard to go back.
#224 – David Snead on Building Trust and Collaboration in the Hosting Industry With the Secure Hosting Alliance
Transcript
[00:00:19] Nathan Wrigley: Welcome to the Jukebox Podcast from WP Tavern. My name is Nathan Wrigley.
Jukebox is a podcast which is dedicated to all things WordPress. The people, the events, the plugins, the blocks, the themes, and in this case, building trust and collaboration in the hosting industry with the Secure Hosting Alliance.
If you’d like to subscribe to the podcast, you can do that by searching for WP Tavern in your podcast player of choice, or by going to wptavern.com/feed/podcast, and you can copy that URL into most podcast players.
If you have a topic that you’d like us to feature on the podcast, I’m keen to hear from you, and hopefully get you, or your idea, featured on the show. Head to wptavern.com/contact/jukebox, and use the form there.
So on the podcast today, we have David Snead. David has been involved in the hosting industry since 1999, starting out as legal counsel for one of the earliest shared hosting companies, and going on to work with over 50 others. He helped found the i2Coalition, serve as in-house counsel for cPanel and WebPros, and now leads the Secure Hosting Alliance.
If you’re listening to this podcast, I’m sure that many of you will have worked closely with hosting companies. Perhaps you run an agency, or business, that depends on the reliability, ethics, and security of hosting providers. David is here to talk about cross-industry collaboration in the hosting world, specifically around improving security, professionalism, and communication between hosts.
The conversation focused on why, and how, the Internet Infrastructure Forum, or IIF, is building a framework for real-time intelligence sharing and abuse reporting, aiming to help the entire ecosystem detect and prevent attacks faster than adversaries can adapt.
David talks about the challenges hosting companies face, especially smaller ones, in keeping up with security, and how this evolving project hopes to ease this by sharing actionable, non-proprietary abuse information across registrars, hosting providers, DNS services, and more.
He discusses the growth of both the Secure Hosting Alliance and the IIF, the business case for collaboration, and the nuances of legal and technical information sharing across borders.
If you’re in hosting, run a web agency, or just want to know how the backbone of the web is working to stay more secure and connected, this episode is for you.
If you’re interested in finding out more, you can find all of the links in the show notes by heading to wptavern.com/podcast, where you’ll find all the other episodes as well.
And so, without further delay, I bring you David Snead.
I am joined on the podcast by David Snead. Hello David.
[00:03:20] David Snead: Hello.
[00:03:21] Nathan Wrigley: Very nice to have you with us. David’s got a really interesting background, and a really interesting, I’m going to use the word project. I don’t know if that’s the right word. It feels like it’s got more solidity and it’s got a lot more history than that. It’s something which is, I think going, but we’ll find out a little bit more about it. It’s all about the hosting industry and trying to get hosts to, I guess communicate with each other in ways going forwards.
[00:03:44] David Snead: That is a part of it. There are really two goals and one is to level up the ethics and professionalism in the hosting industry. And the second is to facilitate more comradery and interaction among hosts. Something that folks felt occurred in the early 2000s, and with all the consolidation that occurred went away. And so that’s something that we’re also trying to facilitate.
[00:04:16] Nathan Wrigley: Okay. So given that we’re going to be talking about hosting, I guess it’s a good idea to paint your credentials and find out a little bit more about you. So a short opportunity to just tell us a little about you and your background in WordPress and hosting specifically, I suppose.
[00:04:29] David Snead: Sure. So I have been working in the hosting industry since 1999. As I often say, I was working in the hosting industry when hosting was cool. It is not so cool anymore. In fact most people don’t really pay attention to it.
You know, and I started as a lawyer for a hosting company, and I was in-house counsel for a company that actually owned a hosting company and was one of the earliest hosting companies that specialised in shared hosting. And so I was their general counsel. And for some reason it stuck, and I’ve just kind of turned it into a career.
So after that I had a private practise as a lawyer and I worked with probably 50 different hosting companies, mostly writing policies that nobody ever reads, which makes me super fun at parties.
And then from there, my friend Christian Dawson and I formed the i2Coalition as a response to some legislation in the US that would’ve been kind of the death nail for internet providers. So we started the i2Coalition. I then went in-house for cPanel and worked at cPanel and WebPros for 10 years, and then started the Secure Hosting Alliance.
[00:05:52] Nathan Wrigley: Okay. So you’ve got all all the history. That’s pretty good. You know, if we’re going to talk about hosting.
[00:05:57] David Snead: All the hosting history in one person. That’s kind of a very scary idea, no?
[00:06:02] Nathan Wrigley: But that’s excellent. So do you still offer counsel? Is that still, so you haven’t sort of sidestepped and do half of the week on a sort of more technical basis? It’s still the legal side that you’re involved in.
[00:06:13] David Snead: I do. Right now I’m doing mostly M&A work for, it’s weird. So I don’t know if anybody has ever said this to you before, but web hosting is kind of like the Hotel California. It’s like, once you start in the web hosting industry, you never leave. And so I have all these clients from 15 years ago who are now running like little baby hosts, and they’re talking to bigger hosts and they want to get acquired. So I’m doing some of that now. I am not writing any of the policies that nobody ever reads because that was just, I did that for too long.
[00:06:51] Nathan Wrigley: There were too many moments parties.
[00:06:53] David Snead: Yes, exactly. Yeah.
[00:06:55] Nathan Wrigley: Okay, so I’m going to read into the record the title and the blurb that went with the presentation that you are doing or done.
[00:07:02] David Snead: I did it yesterday.
[00:07:03] Nathan Wrigley: Okay, we’ll get into that in a moment. So the title is coordinating the fight, cross industry collaboration, and the blurb goes as follows. WordPress hosting threats cross company lines. When one provider falls victim, the entire ecosystem suffers. This session explores how the Internet Infrastructure Forum, or IFF, enables hosting providers, registrars and registries to coordinate abuse response through real time intelligence sharing. Learn how operational collaboration helps responsible operators detect and stop attacks faster than adversaries can adapt. And why working together produces results no single provider could achieve alone.
When I read that, immediately was, yeah, that’s a really sensible idea. Why are we separately, as hosting companies, I say we, I mean the hosting companies. Why are they all trying to do the same work over and over again, separately? When presumably this aspect of the work, the security bit is something they all have in common.
[00:08:05] David Snead: Right? So that’s the fundamental question, right? So the IIF is a voluntary organisation that is made up of everyone in the infrastructure stack. So from registrars, registries, DNS providers, hosting providers, cloud providers, everyone in the stack. So it is facilitated by the Internet and Jurisdiction Foundation. They’re based in Paris, and they’re the actually the secretariat for it.
And what it’s designed to do is create a common way for everyone who’s in the infrastructure stack to share information about abuse and abuse issues. And it’s one of the fundamental problems that you referred to is everybody is operating in a silo, right? And that’s mostly because that’s the way the internet is architected, right?
So the internet is architected, so it’s distributed, right? Registrars and registries basically do their own thing with domain names. They might have a small hosting component or maybe a cloud component, but by and large, all they do is domain names.
Hosting providers probably resell domain names, but they’re not part of that industry. And so how do they all coordinate? And that’s what the IIF is trying to facilitate, is more information sharing among the participants.
[00:09:39] Nathan Wrigley: Well I imagine some of the hosting companies are probably fairly good. You know, they’ve got a giant customer base. Let’s imagine hosting company X over there, they’ve got millions of customers. They’ve got a huge budget that they can put over to, let’s say, security things. Well that’s all well and good, brilliant. But then there are other companies who are much scrappier. You know, they maybe have only a few thousand customers. And so their budget for the exact same work is going to be reduced.
How will this work? Is it going to be like a subscription service basically? Will you have a membership, which is in some way equal to the number of clients that you’ve got? Will there be some expectation that, okay, we’ll look at your revenue, your membership will be equivalent to a percentage of your revenue? How will that all work?
[00:10:20] David Snead: We don’t know. This is a very early stage project. Right now we are in a prototype phase where we have just figured out what information folks should submit to the secretariat.
So the way it works is, you submit the information that you collect for a particular abuse issue to the secretariat, who then enriches it with all the other information that’s been submitted and sends it to the right person.
So a great example is, let’s say a registrar reported a phishing domain. They turn off the phishing domain and they have maybe a timestamp, an IP address where it was submitted from. They submit that to the secretariat, who then finds the hosting company who is providing the services for the hosting and says, this came in about this particular site. Can you take action on that? So that’s the way it works.
Right now it’s very early stage. It’s in the first phase of a test, and we’re going to look at whether the way we’ve architected it, or the way the group has architected it, actually makes sense.
[00:11:39] Nathan Wrigley: Is this going to be then a sort of slow on ramp whereby you bring a few companies in at the beginning, hopefully. And then one or two more and iron out the wrinkles, and then some more and some more? Because I imagine, if you just threw the switch, everybody’s in, a lot could go wrong at that point. And I’m guessing there’s going to be more of a slow on ramp.
[00:12:00] David Snead: So you’ve pointed out my particular frustration with the IIF, and the reason that the secretariat is moving slowly, right? So fortunately, or unfortunately, based on my cultural background, I’m just sitting here going, this needs to move faster. We need to have everybody involved, we need to have all the hosts involved, we need to have all the registrars and registries. And other folks who are a little bit more skilled in this type of work say, no, we need to figure out what we’re doing and that requires a small number of people.
The phase that we’re in right now is looking for more folks who are interested in sitting at the table and being part of the discussion. Particularly in the hosting industry and in the web design and marketing industry. Those are folks who don’t generally participate in these kind of industry led collaboration exercises. And that’s the reason that I’m at WordCamp, is to talk to web designers, marketing agencies about why they should participate in something like this.
[00:13:13] Nathan Wrigley: So this really isn’t bound in any way to WordPress, is it? It just so happens that WordPress has a significant chunk of the internet, so this is a good place to start. But if you happen to be a, I don’t know, Drupal user, or you’re just into writing PHP code or whatever it may be, this is still applicable. There’s no real WordPress layer to this. This is just a good place for you to come because, well, there’s probably, what, 30 hosts, 100 yards away from us out there.
[00:13:37] David Snead: I know. And I haven’t seen all of them yet.
[00:13:39] Nathan Wrigley: Yeah, there’s work to do. But agnostic to any platform, basically.
[00:13:42] David Snead: It is completely platform agnostic, yeah.
[00:13:43] Nathan Wrigley: Okay. Okay, that’s interesting. But WordPress is a, is certainly a good place to start.
Now, I’m imagining, if I was a hosting company and I was the chief executive, I definitely have some questions for you in terms of, okay, we’re going to share our valuable intel with you, what are you going to do with that? How can we trust you? How do we know that the sharing is going to be done effectively and what have you?
So I guess really what I’m getting to is, what is the assurances or checks and balances that you, in the end, will hope to offer the host? That you can assure them that, look, if you hand us this body of work, you don’t need to think about it again. You can trust us to do it honourably, effectively, collaboratively. You get where going.
[00:14:26] David Snead: Yeah, yeah. And I suspect that you wanted to be a lawyer at some time, because that’s one of the issues that we’re facing. Information that can be shared freely, as an example, in the United States, might not be capable of being shared so freely in the European Union, or in Brazil, or in India or someplace like that.
So one of the things that’s being done, not by me, but by another group, another working group that’s part of this, is analysing the legal issues around information sharing.
The information that’s being shared, to answer the proprietary and confidentiality question, is not proprietary or confidential information. So it’s things like timestamps, domain names, IP addresses for the initial abuse submission. Things like that that really don’t indicate some sort of company confidential information. And it’s further abstracted into xarf, which is a language that’s used for abuse reporting, that we all can share. And so I think that the only thing that would be of concern is whether that information is personal information that’s subject to jurisdictional restrictions around the world.
[00:15:48] Nathan Wrigley: Would the idea be that this organisation would do the remedial work? So is there any notion that, let’s say for example, some sort of security problem was discovered by hosting company A over there, and they share that intel with you. Maybe the question is kind of asking, will you then appoint people to figure out what the patch is for that? Or is your idea just to, oh, red flag, we’ve got this problem, now you all know about it. Is it just information sharing as opposed to fixes?
[00:16:17] David Snead: Yeah, it’s the latter. So the thing that we’re solving for right now, so there’s just one issue that, one abuse issue, that we’re testing out and it’s issues related to fake shops. And so the fake shop issue is the test abuse issue for the project, and where folks are sharing information. It’s a particular problem right now with credentials harvesting. And so that’s what we’re trying to look at.
[00:16:43] Nathan Wrigley: And how has the conversations that you’ve had thus far, how have they gone? Has this been warmly received or are you facing a little bit of pushback?
[00:16:50] David Snead: So, look, I’ll be very direct with you. If something isn’t just an immediate threat to them, it’s very difficult to conceptualise why you should participate. And I am pretty used to answering that question simply based on the political work that I do with the i2Coalition. But once you talk about, so let’s use fake shops as an example. Fake shops, and you’re providing services to fake shops, actually has an impact on your bottom line.
So if you are providing, let’s say, payment processing to an entity that is running a fake shop, it very easily can make your credit card processing charges higher. It ends up eating bandwidth. It will tax your abuse resources.
One of the things that you referred to initially is, you know, larger hosts have a lot of money. I wouldn’t say they have a lot of money, but they have more bandwidth to handle a vast fire hose of abuse issues. Most smaller hosting companies might only get five or six abuse issues in a month. But if you have a fake shop, that’s going to generate a huge amount of abuse, and it’s taking away resources that you can use to actually grow your business. So that argument actually is relatively persuasive in getting folks to pay attention.
I find that the business argument around abuse is a much more compelling discussion than kind of moral persuasion. I don’t think moral persuasion works in the context of a community that is trying very hard just to keep their heads above water.
[00:18:42] Nathan Wrigley: It feels to me from what you’ve just said, and I could be reading too much between the lines, but it feels to me as if a good target audience would be smaller hosts to begin with, simply because they’re probably going to be more receptive because they have less bandwidth themselves. And so would welcome anything that can make the burden of sharing this information easier. So 10 of the small hosts combined is, well, it’s much bigger than each of them individually would be, whereas I suppose you’ll have to get a critical mass of them on board until maybe some of the bigger hosts start to look at you with favourable eyes, let’s say that.
[00:19:15] David Snead: Well, so we have some pretty large hosting companies who are participating. So as an example, both GoDaddy and Newfold are participating. But we also have smaller hosts. But I agree with you, the information that’s being provided, particularly since it is actionable, realistic information that can be adapted for bespoke systems, is invaluable, right?
So if you only get five or six abuse complaints and you get an abuse complaint, and you can go to the secretariat and say, we got a complaint about this domain, and the secretariat says, here’s what the registrar did. Here’s what Cloudflare did. Here’s the information they provided us. And you can use that to make a decision on how to address that problem. It saved you hours and hours and hours of research time.
[00:20:09] Nathan Wrigley: Technically speaking, what would the conduit of information both toward you and away from you look like? So if I’m hosting company X, how are you imagining that I will supply you with that information? But also, if I’m just looking for information from you on a daily, weekly basis, whatever it may be, how do I receive that? Is this like a, I don’t know, a website or an API or?
[00:20:33] David Snead: It’s an API. So it’s a file. It’s just a general file download.
[00:20:37] Nathan Wrigley: Right, okay. So it’s readily available 24/7?
[00:20:40] David Snead: Right. That’s the goal. Right now it’s not, but the goal is to kind of figure out a way to make something like that possible.
[00:20:47] Nathan Wrigley: Yeah, okay. I also suppose that the hosting companies, whilst this is good for their business if they can minimise costs and hand a lot of this work over to you, there’s a part of them which would also probably like to put some sort of badge on their website to say, this is what we’re doing. We’re part of this alliance, for want of a better word. Is that something that you are looking to develop as well, you know, some sort of credentialing system to demonstrate that you’re in this?
[00:21:12] David Snead: So that’s not something that the IIF is working on. It’s something that the Secure Hosting Alliance does. The Secure Hosting Alliance has a trust seal that we give to hosts who fulfil our Trust Seal Certification provisions. But that’s not something that the IIF does.
Talking about like why, other than business reasons, folks should participate in this, one of the things that is going on that I would suggest that most hosts know about, is there’s a little bit of a moral panic going on in the world about what contents you have. And regulation is actually a very real thing for the hosting industry, who has not ever been regulated. This is the time where you can say, hey, this is what we’re doing, right? We’re dealing with issues. This way a trust seal is the same thing, right? It’s something that you can say, we are actually taking steps to make the internet a better place.
[00:22:18] Nathan Wrigley: I think if you are a general agency owner or, I don’t know, just a freelancer, hosting is one of those things that you, once you’ve done it once, you’re in it for the long haul until something goes wrong. But you’re also browsing around for any tiny indication of why is this host slightly different? You know, what is it that they’re doing that, I don’t know, is faster? What is it that they’re doing that’s more secure? So it feels to me if you had a credentialing system and I began to hear about it and see it pop up again and again, it would be one of the metrics which I would weigh up when looking at hosting.
[00:22:51] David Snead: I would think so. One of the things that a trust seal does is it indicates that there’s been some vetting of the host. That someone has determined the things that are important to the hosting industry and are important to the web design industry. The agency industry are also important to the host.
Great example of that is one of the provisions of the Secure Hosting Alliances’ Trust Seal Certification is that a contract is presented to the customer before they sign up, which is super customer friendly.
One of the things as a lawyer that you hear about all the time when people are dissatisfied with their services is, yeah, well, I never saw that contract. Or it was just a hyperlink in an email that I got. That’s one of the differentiators for a Trust Seal certified host is that the contract is actually presented to them, to the customer beforehand.
[00:23:57] Nathan Wrigley: So in terms of the WordPress crowd, is this a thing that you are pitching only to hosts? Like when you step out of here, are you trying to have conversations only with hosts? Or is there some bit of the WordPress community, the freelance, the agency owners? Are you trying to communicate with them just to scope out what they need?
[00:24:15] David Snead: So for both the Secure Hosting Alliance and for the IIF, it is that. I really enjoy talking to agencies and developers about whether this is important to them, or why it might be important to them.
[00:24:31] Nathan Wrigley: In terms of how long this project’s been going, I’ve only heard of it because of your participation here, but I don’t know if you’ve been banging this gong for a decade or, I mean you’ve been in the industry for long enough to have been banging it for decades. Is this a new initiative or is this something which has a long and storied history?
[00:24:49] David Snead: So the Secure Hosting Alliance has only been active for a year, a little bit over a year. I’ve been talking about abuse for a long time, but the Secure Hosting Alliance has only been around for a year.
[00:25:01] Nathan Wrigley: And have you, in that year, got any intuitions that you’ll be here for another year? Is it basically going in the right direction?
[00:25:09] David Snead: It is going in the right direction. So we started out with two or three charter members. We now have 25 hosting members. We have three security vendors who are members as well. We have, I think, 17 Trust Seal Certified members, and we’re launching in 2027 a trust seal for security vendors who provide services to hosting companies.
[00:25:40] Nathan Wrigley: I know that several owners of hosting companies listen to this podcast. They may very well be the people that you’ve spoken to already, but if they are not, and they are people who would like to investigate this further, I suppose the thing that’s going to be in their head is, okay, Nathan and David, you’ve explained what I’ll get out of it, what do I need to put into it? So is this an annual financial commitment? How does it all work from that point of view?
[00:26:02] David Snead: Yeah, so you become a member of the i2Coalition. And so the Secure Hosting Alliance is a working group of the i2Coalition. So you would be a general member and you would participate in the Secure Hosting Alliances’ working groups. You also have the ability to participate in the i2Coalition as a whole, which is a much larger trade association that represents almost everyone in the internet infrastructure vertical. Mostly doing policy work, primarily in the US and the EU. Although there’s, we’re doing some work in India right now as well.
[00:26:40] Nathan Wrigley: And does membership allow you to steer the future of the project? I know that lots of chefs in the kitchen results in terrible food, but that, I fear, is something that could happen. You’ve got 87 members, 260 members. And then the 260 members all start to bicker and, you know, we want this, no. You see how it goes.
[00:26:59] David Snead: I do.
[00:26:59] Nathan Wrigley: What’s the position there? You know, is there sort of gated levels of membership? How are you organising all of that?
[00:27:04] David Snead: There are not. The membership is based on self-reported revenue. The membership is not horrifically expensive from my perspective. And I think that that, most of our members would say that it is, it’s actually relatively affordable, particularly for the small to medium sized hosts. And registrars or design agencies, anyone who’s participating.
The question about, who’s running the show, comes up quite a bit. We haven’t really faced that issue, particularly in the Secure Hosting Alliance. Folks seem to get along. But the organisation runs on the idea of rough consensus. And so decisions end up not being controlled by one member or not. Some of the i2Coalition has some very large companies who everybody knows about, who get along with startups, and folks against whom they compete directly. And policies still get made. The organisation still moves forward.
[00:28:11] Nathan Wrigley: Yeah, I guess you’re in a space where, obviously all of these hosting companies commercially are vying for everybody else’s business. But in this particular situation, that is not the case. Nobody’s vying for their websites to be less secure. They all want the same level of security. So at least in that sense, you would hope that consensus could be maintained even if, commercially, the two companies that are in the room, the 10 companies that are in the room might be commercially at loggerheads with each other. At least on this they could agree. That would be the hope, I suppose, anyway.
[00:28:47] David Snead: It seems to be, not only the hope, but the actual way that things work. You ask about how compromise is reached. What comes to mind is I have a much different concept of privacy than, particularly when I was at WebPros, than other folks in the i2Coalition had. And another company just called me up and we worked through our disagreements about how privacy should be handled within the i2Coalition and were able to move forward.
The industry I’ve found to be hugely collaborative, particularly the hosting industry. Everybody knows what their competitor is doing. But when it comes to addressing an issue like, how are we going to deal with abuse as a community? Folks come together. CEOs of hosting companies while they compete tend to be relatively good friends.
As I said at the very beginning, it really is like the Hotel California, right? You come in as a CEO of a hosting company, you grow it and you sell it to another company. All of a sudden you’re at the bottom again with a server in your grandma’s basement, you know, trying to start again.
[00:30:08] Nathan Wrigley: It’s a really curious effort. I suppose really at the bottom of this entire podcast is your endeavour to be heard and to reach out and get some conversations going. So with that in mind, where do people find the information about this? So maybe there’s a website that we could mention. But also, is there a specific place where you hang out? Is there a place where you would like to be contacted most?
[00:30:33] David Snead: Sure. So our website is hostingsecurity.net. I’m not too afraid of getting too much spam. So folks can email me at snead@i2coalition.com And the two is the numeral two. So it’s snead@i2coalition.com. And I’m happy to answer questions.
In terms of hanging out, I am at most industry conferences in the hosting industry. In the WordPress industry, I’ll be at WordCamp US. We also participate very heavily in ICANN. So there is an i2Coalition member at every single ICANN meeting.
[00:31:12] Nathan Wrigley: So if you go to wptavern.com and you search for the episode with David Snead, S-N-E-A-D, you’ll be able to find those details. I’ll put everything into the show notes. So anything that I missed? Was there a particular focus that we didn’t touch?
[00:31:26] David Snead: No, this is actually one of the most thorough podcasts I’ve been on recently.
[00:31:31] Nathan Wrigley: That’s love to hear it. Well, David Snead, thank you very much for joining me today.
[00:31:35] David Snead: Glad to be here. Thanks for having me.
On the podcast today we have David Snead.
David has been involved in the hosting industry since 1999, starting out as legal counsel for one of the earliest shared hosting companies and going on to work with over 50 others. He helped found the i2Coalition, serve as in-house counsel for cPanel and WebPros, and now leads the Secure Hosting Alliance.
If you’re listening to this podcast, I’m sure that many of you will have worked closely with hosting companies. Perhaps you run an agency or business that depends on the reliability, ethics, and security of hosting providers. David is here to talk about cross-industry collaboration in the hosting world, specifically around improving security, professionalism, and communication between hosts.
The conversation focused on why and how the Internet Infrastructure Forum (IIF) is building a framework for real-time intelligence sharing and abuse reporting, aiming to help the entire ecosystem detect and prevent attacks faster than adversaries can adapt.
David talks about the challenges hosting companies face, especially smaller ones, in keeping up with security, and how this evolving project hopes to ease this by sharing actionable, non-proprietary abuse information across registrars, hosting providers, DNS services, and more. He discusses the growth of both the Secure Hosting Alliance and the IIF, the business case for collaboration, and the nuances of legal and technical information sharing across borders.
If you’re in hosting, run a web agency, or just want to know how the backbone of the web is working to stay more secure and connected, this episode is for you.
Useful links
HeroPress: “Listen… the birds are already singing” – “Послухай… пташки заспівали”
![Pull Quote: WordCamp Europe has become one of the few places where [Ukranians] can reassemble in person. WordCamp Europe став одним із небагатьох місць, де [українці] можуть знову зібратися разом наживо.](https://heropress.com/wp-content/uploads/3026/07/volodymyr_banner.webp)
Це есе також доступно українською.
“Listen… the birds are already singing,” said Danylo — a Ukrainian I’d met at a previous WordCamp — as we were wrapping up the last hour of the WCEU afterparty in Krakow. “It’s time for us to go.” He started singing “Hei! Hei! Hei, sokoly! Omynaite hory, lisy, doly.” I started singing with him. The Polish guys next to us continued singing in Polish “Dzwoń, dzwoń, dzwoń dzwoneczku, Mój stepowy skowroneczku.” Some people behind us joined the choir. That was “Hey Sokoly” — a Ukrainian-Polish folk song — carrying us out of Bastion III, a 19th-century Austrian fortress on the edge of Krakow’s Old Town, as the night turned to morning.
But to explain how I ended up there, I need to go back to where it all began.

Mykolaiv
It all started in Mykolaiv, the city of shipbuilders and brides, where I spent my childhood. I graduated from two universities I had been attending simultaneously and started looking for a job during a gap year. I planned to find work to earn some money for further education while preparing for the entrance exams to one of the Finnish universities. Mykolaiv didn’t provide good opportunities for graduates unless you had very good connections, but I managed to find a job at an “IT” company. In 2011, the term “IT” didn’t mean much to me, but they required English, which was my major, so I thought — why not. The work wasn’t particularly difficult: I had to pretend to be “Bob” from the United States, helping customers who had purchased physical products by tracking their orders and walking them through setup instructions. I was fired after a month and a half. Maybe I underperformed, or maybe somebody just didn’t like me — either way, it’s water under the bridge.
The first job I’d gotten entirely on my own, the first paycheck that proved I could be independent, and the first time being fired — all of it hit me at once. The last part was devastating, made worse by comments like “it was too good to be true,” “we told you they’d trick you,” and “look at so-and-so, doing such-and-such and earning properly.” It was hard to sit with feeling like a failure. But somewhere in that difficulty, I got tougher — and more determined to prove everyone wrong.
TemplateMonster
The first job was a failure, but it gave me one clear answer: I needed to stay in IT. The next job was TemplateMonster.com — well known in certain circles. It was the complete opposite of what I’d experienced before. In 2012 they were selling templates for the most popular CMS platforms of the time: WordPress, Joomla, Drupal, and various e-commerce solutions. The onboarding alone took two months, which tells you something about how seriously they took their people — staff rarely left, and when they did, it was for personal reasons, not because they were pushed out.
My job was to help customers with their templates: installation, editing, customization. Difficult, but genuinely interesting — I liked it. This was the first time I encountered WordPress. I worked six nights a week, and Sundays were the strangest — your day off, but your body had adjusted to night shifts and refused to cooperate. None of that bothered me much. Being able to build sites and make things look exactly right was addictive. I overworked, learned constantly, pestered developers with questions, all just to quench my thirst for knowledge. It ended quickly: I got accepted into three master’s programs in Finland, chose one, and left for Central Finland.
Helsinki

Studying in Finland was genuinely different from anything I’d known in Ukraine — in the best possible way. Once the mandatory courses were done, I started looking for work. It was harder than I expected: a year of passive searching, then six months of applying every day. Eventually, I landed at a Helsinki-based agency building WordPress websites — which is still what I do today. A friendly team, around ten people — I’m still close with many of them. We built sites of varying complexity during the day and spent evenings playing board games, swapping stories, and throwing the occasional party.
That’s also where I attended my first WordPress event: WordCamp Helsinki 2017, a two-day conference. It didn’t blow me away, but it opened something. When you work in a small agency, you live inside your own bubble — and then suddenly a whole other world appears. You see the other side of WordPress: the community, the people pushing it forward, the people wrestling with the same problems you are and finding creative ways through.
That first local WordCamp was enough to make us want to go further. In 2019 the team went to Berlin for WCEU — my first trip abroad outside of the Finland-Ukraine route I knew well. We spent a few days exploring the city and attending the event. WordCamp Europe is a different scale entirely: thousands of attendees, hundreds of volunteers making it happen. Standing in that crowd, I knew I wanted to be part of it — not just as a visitor. And then corona happened.
Porto

WCEU 2020 and 2021 were online, and I felt they were missing the whole point — thousands of people in one place, feeding off each other’s energy. So when Porto was announced for 2022, I started packing. This time, I joined as a volunteer, to see WordCamp from the inside. It was the right call. It was also a difficult time for Ukrainians — the full-scale invasion was by then well into its second year, and everyone was finding their own way to cope. For me, this event became a source of strength. I connected with the Ukrainian community, had real conversations with speakers, and came away feeling like I’d experienced what WCEU is actually for.
That trip also clarified something I’d been circling around for a while. I’ve always loved traveling, but there was a barrier that had nothing to do with visas or money — though those were factors too. It was a justification problem. Coming from a culture where time should be spent purposefully, traveling for its own sake felt hard to defend. A work conference, though? Completely justifiable. Nobody asks how much fun you had. I’ve been to Germany, Portugal, Italy, Switzerland, and Poland this way. Spain is next.
Attending WordCamps is one thing. Building a similar event is another.
WP Suomi
In 2025 I became the lead organizer of WP Suomi — the first independent Finnish WordPress event, held in Helsinki. The months before October 10th were intensive in ways I hadn’t anticipated: budgets, logistics, gifts, merch, catering, venue coordination, a hundred small details that needed to be right simultaneously. I remember waking up at midnight worrying that I hadn’t ordered something in time and it wouldn’t arrive before the event. Most of the work that goes into an event like this is invisible to the people attending. They see the schedule, the food, the afterparty. They don’t see the half a year of pieces being polished before the puzzle comes together.

On the day of the event, there was nothing left to worry about. Whatever needed doing had been done — if something had been missed in the preparation, it would show up now and there would be little we could do about it. So why worry? The time for that was the preparation, not the day itself. The team — experienced, reliable, no hand-holding required — knew exactly what they were there for.
Around 300 people attended WP Suomi. Forty filled out our feedback form afterward, giving an overall score of 4.47 out of 5. But the number mattered less than what people wrote: networking, atmosphere, meeting old friends and new ones, a community that welcomes everyone openly. Reading that, I recognized the same feeling I’d had at WordCamp Helsinki 2017 — something new, interesting, and full of possibility.
Organizing WP Suomi gave me a clearer understanding of what goes into making these events happen. Having been a volunteer at WCEU and then a lead organizer at WP Suomi, I arrived in Krakow with a slightly different perspective — a better sense of what the people around me were going through. This year I’m back on the WP Suomi organizing team as speakers coordinator — a different role, another angle.

Krakow
WordCamps have changed for me over the years — less about the sessions on stage, more about what happens between them. As an organizer, you miss most of the talks anyway, pulled in ten directions at once. But real life happens in the corridors, and at the parties in the evenings.
This matters especially for the Ukrainian community. The war has scattered us across Europe — different countries, different companies, different lives. WordCamp Europe has become one of the few places where we reassemble in person: to share what the year brought, to meet people we only knew online, to see the community still growing despite everything. Many couldn’t make it to Krakow, some would not be able to visit these events anymore. For those of us who could, the room carried extra weight.
That’s what Danylo and I were singing about at dawn outside Bastion III, even if neither of us said it out loud. I hope to do that someday in the afterparties in Helsinki and Kyiv — whenever that becomes possible again.

Volodymyr’s Work Environment
We asked Volodymyr for a view into his development life and this is what he sent!
HeroPress would like to thank Draw Attention for their donation of the plugin to make this interactive image!
“Послухай… пташки заспівали”
«Послухай… пташки заспівали», — сказав Данило, українець, з яким я познайомився на попередньому WordCamp — ми якраз протеревенили останню годину afterparty WCEU у Кракові. «Значить нам теж час іти». І тут він від душі почав співати «Гей, гей, гей, соколи, оминайте гори, ліси, доли». Я підхопив пісню разом із ним. Поляки, що ішли поруч продовжили польською: «Dzwoń, dzwoń, dzwoń dzwoneczku, mój stepowy skowroneczku». Хтось позаду теж приєднався до хору. Це була «Гей, соколи» — українсько-польська народна пісня — під акомпанемент якої нас виносив натовп із Бастіону III, австрійської фортеці XIX століття на околиці краківського Старого міста, саме тоді, коли вже ніч переходила у ранок.
Щоб пояснити, як я там опинився, доведеться повернутися до самого початку цієї історії.

Миколаїв
Ця історія бере свій початок у Миколаєві – місті суднобудівельників і наречених, де я виріс. Здобув освіту у двох університетах, де навчався одночасно і почав шукати роботу під час року перерви перед продовженням навчання. Я планував знайти собі роботу, щоб заробити грошенят для продовження навчання, готуючись до вступу в один із фінських університетів. У Миколаєві було важко знайти якісь серйозні перспективи для випускника, хіба що в тебе є зв’язки, але я примудрився знайти роботу в “IT” компанії. У 2011 термін “АйТі” нічого мені не говорив, але там потрібна була англійська, яка була моїм основним предметом в університеті, тому я подумав, а чом би й ні? Робота не була важкою: треба було казати, що я “Боб” із США і допомагати клієнтам, які купували фізичні продукти, відслідковувати їх замовлення і давати інструкції, як використовувати оте, що вони поназамовляли. Мене звільнили через півтора місяці. Можливо, я щось не так робив, можливо, просто не вдався обличчям — у будь-якому випадку, що було, то загуло.
На цю роботу я влаштувався самостійно, без будь-якої підтримки, перша заробітна плата була символом моєї незалежності, і перше звільнення — це був бурхливий вир емоцій. Але остання частина просто вибила землю з-під моїх ніг, гірше тільки зробили коментарі на кшталт: “це було занадто добре, щоб бути правдою”, “та ми тобі казали, що там надурять”, і “подивись на нього — він робить те та й се, ще й добре заробляє”. Дуже важко було бути вдома і відчувати себе невдахою. Але це відчуття зробило набагато більше ніж будь-яка ефемерна підтримка — воно мене загартувало і пробудило палке бажання довести, що всі помилялися щодо мене.
TemplateMonster
Хоч перша робота виявилась провалом, вона дала мені чітке розуміння, що треба продовжувати шукати роботу в IT. Наступну роботу я знайшов у TemplateMonster.com — добре відому у певних колах. Вона була повною протилежністю моєму минулому досвіду. У 2012 році вони продавали шаблони для більшості популярних CMS-ок того часу: WordPress, Joomla, Drupal, і для різних рішень електронної комерції. Лише ознайомлення з роботою і навчання зайняло два місяці, що промовисто свідчить про те, наскільки серйозно компанія сприймала своїх людей — майже ніколи не звільняли, а якщо люди й ішли з роботи, то з власних причин.
Моїм завданням було допомагати клієнтам із шаблонами, які вони придбали: встановлення, налаштування, редагування. Було доволі складно, але дуже цікаво — мені подобалося. Тоді я вперше познайомився із WordPress. Я працював шість ночей на тиждень, а неділі були найважчими, бо тіло звикало до активності вночі і відмовлялося спати. Хоча такий графік мене не дуже турбував. Можливість створювати будь-які сайти і кастомізувати їх саме під себе — оце було до дідька захопливо. Я багато перепрацьовував, вивчав щось нове, заколупував розробників питаннями, щоб хоч трохи вгамувати жагу до знань. Але усе закінчилося несподівано швидко: я отримав три листи про зарахування на магістратуру у Фінляндії, вибрав один університет і поїхав до Центральної Фінляндії.
Гельсінкі
Система навчання у Фінляндії побудована зовсім по-іншому — і, на мою думку, на краще. Коли я закінчив основні курси моєї спеціальності, я почав шукати роботу. Завдання було не з легких: рік я шукав пасивно, де-не-де подаючи заявки на роботу, і ще пів року я зайнявся цим активно, відгукуючись на декілька вакансій щодня. Зрештою, доля занесла мене у Гельсінське агентство, що розробляло сайти на WordPress — цим я займаюся і сьогодні. У нас була дуже дружня команда, приблизно з десяти людей, з більшістю з них я досі дружу. Ми будували сайти дуже різного рівня складності, удень, вечорами грали в настолки, ділились історіями зі свого життя і влаштовували грандіозні вечірки.

З цією командою я вперше відвідав подію WordPress: WordCamp Helsinki 2017 — дводенну конференцію. Я не був вражений наповал, але вона відкрила мої очі на дещо. Коли ти працюєш у маленькому агентстві, і живеш у своїй бульбашці, а тут неочікувано відкривається цілий всесвіт. Ти бачиш іншу сторону WordPress — спільноту, людей, які рухають увесь проект вперед, людей, які стикаються з тими самими проблемами, які знаходять творчі способи ці проблеми вирішити.
Того першого місцевого WordCamp’у було достатньо, щоб нам захотілося рухатися далі. У 2019 році наша команда поїхала до Берліна на WordCamp Europe — це була моя перша закордонна поїздка за межі звичного для мене маршруту між Фінляндією та Україною. Ми провели кілька днів, досліджуючи місто й відвідуючи конференцію. Масштаб відчувався зовсім по-іншому: тисячі учасників і сотні волонтерів, які усе організовують. Стоячи серед цього натовпу, я зрозумів, що хочу бути частиною цього, і не просто як відвідувач.
А потім почалася пандемія коронавірусу.
Порто

WordCamp Europe 2020 і 2021 років проходили онлайн, і мені здавалося, що вони втратили найголовніше — тисячі людей, зібраних в одному місці, які заряджають одне одного своєю енергією. Тож коли оголосили, що WCEU 2022 відбудеться в Порту, я почав збирати валізу. Цього разу я приєднався до команди волонтерів, щоб побачити WordCamp зсередини. І це було правильне рішення. Для українців це був непростий час — повномасштабне вторгнення вже тривало, і кожен шукав свій спосіб впоратися з новою реальністю. Для мене цей захід став джерелом сили. Я ближче познайомився з українською спільнотою, жваво дискутував зі спікерами й повернувся з відчуттям, що нарешті зрозумів, нашо той WordCamp.
Та поїздка також допомогла мені усвідомити дещо, над чим я давно розмірковував. Я завжди любив подорожувати, але існував бар’єр, який не мав стосунку ні до віз, ні до грошей — хоча й вони теж відігравали свою роль. Проблема була в тому, як виправдати саму подорож. Я виріс у культурі, де час потрібно витрачати з користю, тому подорожувати просто заради подорожі здавалося чимось, що важко пояснити. А ось робоча конференція — зовсім інша справа. Це цілком виправдана причина. Ніхто не питає, скільки задоволення ти на ній отримав. Саме так я побував у Німеччині, Португалії, Італії, Швейцарії та Польщі. Наступна — Іспанія.
Відвідувати WordCamp — це одне. Створювати подібний захід — зовсім інше.
WP Suomi
У 2025 році я став головним організатором WP Suomi — першого незалежного фінського заходу, присвяченого WordPress, що відбувся в Гельсінкі. Місяці, які передували 10 жовтня, виявилися набагато напруженішими, ніж я очікував. Бюджет, логістика, подарунки, мерч, кейтеринг, координація локації — і сотні дрібниць, які мали зійтися в потрібний момент. Пам’ятаю, як прокидався посеред ночі з думкою, що не встиг замовити щось вчасно і воно не приїде до початку події. Більшість роботи, яка стоїть за такими заходами, залишається непомітною для учасників. Вони бачать програму, їжу, афтепаті. Але не бачать тих пів року, протягом яких окремі деталі поступово складаються в єдину картину.

WP Suomi відвідали близько 300 людей. Після заходу сорок учасників заповнили форму зворотного зв’язку, оцінивши його в середньому на 4,47 із 5. Але для мене важливішою була не сама оцінка, а те, що люди писали: нетворкінг, атмосфера, зустрічі зі старими друзями й нові знайомства, спільнота, яка відкрито приймає кожного. Читаючи ці відгуки, я згадав себе і те саме відчуття, яке пережив на WordCamp Helsinki 2017, — це щось нове, захопливе й сповнене можливостей.
Організація WP Suomi допомогла мені значно краще зрозуміти, що стоїть за проведенням таких заходів. Після досвіду волонтера на WCEU, а згодом і головного організатора WP Suomi, я приїхав до Кракова вже з іншим поглядом — набагато краще розуміючи, через що проходять люди, які працюють поруч. Цього року я знову в команді організаторів WP Suomi, але вже в ролі координатора спікерів. Інша відповідальність, інший погляд.

Краків
За ці роки WordCamp для мене змінився. Тепер він менше про доповіді на сцені й більше про те, що відбувається між ними. Як організатор, ти все одно пропускаєш більшість виступів, адже тебе одночасно тягнуть у десять різних боків. Але справжнє життя вирує в коридорах і на вечірках після завершення основних сесій.
Особливо важливо це для української спільноти. Війна розкидала нас по всій Європі — різні країни, різні компанії, різні життя. WordCamp Europe став одним із небагатьох місць, де ми можемо знову зустрітися наживо: поділитися тим, що приніс цей рік, побачитися з людьми, яких досі знали лише онлайн, і переконатися, що наша спільнота продовжує зростати попри все. Багато хто не зміг приїхати до Кракова, на жаль дехто вже ніколи не зможе побувати на цих заходах. Для тих із нас, кому це вдалося, ці зустрічі мають особливе значення.
Саме про це ми з Данилом співали на світанку біля Bastion III, хоча ніхто з нас не сказав цього вголос. Сподіваюся, колись мені ще доведеться робити це на афтепаті в Гельсінкі та Києві — щойно це знову стане можливим.

The post “Listen… the birds are already singing” – “Послухай… пташки заспівали” appeared first on HeroPress.
BuddyPress: BuddyPress 14.5, 12.7, 11.6
BuddyPress 14.5.0, 12.7.0, and 11.6.0 are now available.
These are security and maintenance releases that include two security fixes, along with a number of compatibility improvements, bug fixes, and code modernization updates. We strongly recommend updating your sites as soon as possible.
Highlights
- Two security issues:
- Prevent user ID spoofing in the Messages REST API endpoint via improved validation.
- Restrict Component management to Users with the appropriate Capabilities.
- Improves compatibility with WordPress 6.9, including support for block style loading optimizations and replacement of deprecated WordPress APIs where appropriate.
- Includes numerous bug fixes across BuddyPress, including BP Nouveau, Groups, Friends, Activity, Administration, and several PHP 8.x compatibility improvements.
Download
You can update automatically from your WordPress Dashboard, or download BuddyPress 14.5.0 directly:
For the complete list of changes included in this release, see the changelog:
Many thanks to our 14.5.0 contributors
Thanks to everyone who contributed patches, testing, reviews, bug reports, and responsible security disclosures that helped make this release possible.
Contributors include: emaralive, vapvarun, westonruter, joelkarunungan, nikunj8866, shawfactor, r-a-y, t.schwarz, dcavins, noruzzaman, rollybueno, potcus, pratiklondhe, yatesa01, bhargavbhandari90, amitraj2203, GaryJ., espellcaste, needle, and johnjamesjacoby.
Security issues were responsibly disclosed via the WordPress Bounty Program over at HackerOne and through the WordPress Plugins Team. If you were not properly attributed for your contribution here, leave a comment and we’ll get you added.
