4 posts tagged with "DevOps"

Google just handed independent publishers a way to fight back against AI scraping with their "Preferred Sources" tool, while hackers are simultaneously punishing anyone who ignores their composer.lock with a massive new malware campaign.

Why I'm Watching This​

If you run a WordPress site in 2026, you're fighting a two-front war: visibility and integrity.

1. Visibility: AI Overviews often bury the original source. If you break a story or write the definitive guide, you want Google to know you are the primary source, not the AI summarizer.
2. Integrity: The "Widespread WordPress Malware Campaign" reported this week isn't sophisticated—it's just opportunistic. It targets the lazy.

I've been spending time this weekend auditing my sites against these two updates.

The Analysis​

Google's "Preferred Sources"​

According to the latest reports, this tool allows publishers to explicitly signal "original reporting" via structured data or Search Console configuration. It's effectively a canonical tag for facts.

Here is how the flow changes for content producers:

If you are a technical writer or news breaker, ignoring this means you are voluntarily feeding the model without getting the traffic credit.

The Malware Wave​

The report from Squared Tech highlights that this campaign specifically targets "outdated plugins." This isn't a zero-day exploit in core; it's an exploit of the "set it and forget it" mentality.

The most dangerous thing you can do right now is rely on auto-updates that might fail silently. You need active scanning.

# Don't just update; audit first.
# Check for known vulnerabilities in your lock file.
composer audit

# If clean, then update safely
composer update --with-dependencies

Dashboard -> Updates -> "Update All"

# Why this fails:
# 1. No audit trail.
# 2. PHP timeouts can leave sites in maintenance mode.
# 3. Doesn't check against vulnerability databases (usually).

The Code​

No separate repo—this is an operational update based on industry reports.

I am currently updating my drupal-eu-sovereignty-checklist (which applies to WP as well) to include a check for these "Preferred Source" meta tags, as I suspect this will become a compliance standard for EU publishers wanting to protect their IP rights.

What I Learned​

• SEO is now "Source Authority": Keywords matter less than proving provenance. If Google offers a tool to claim authorship, use it immediately.
• "Preferred Sources" needs Schema: While the UI exists, likely the heavy lifting is done via JSON-LD. I'm digging into the specs to see if NewsArticle schema needs a specific property for this.
• Composer Audit is non-negotiable: The malware campaign targeting "outdated plugins" is easily thwarted by running composer audit in your CI/CD pipeline. If you aren't blocking deployments on high-severity CVEs, you're asking for trouble.
• Old plugins are liabilities: If a plugin hasn't been updated in 6 months, replace it. The attack surface is too high.

References​

• Google's 'Preferred Sources' Tool: A New SEO Frontier for WordPress Publishers
• Widespread WordPress Malware Campaign Targets Outdated Plugins

Drupal 12 is on the horizon, and with it comes the final removal of a long-standing legacy layer: the procedural Database API wrappers.

If your codebase still relies on db_query(), db_select(), or db_insert(), you are looking at a hard break when D12 lands. These functions have been deprecated since Drupal 8, but they've stuck around for backward compatibility. That grace period is ending.

The Drupal community is gearing up for Drupal 12, anticipated for release in mid-2026. A critical part of this transition is the relaunch of the Deprecation Dashboard, a tool that provides a bird's-eye view of the readiness of contributed modules and core components.

One of the most significant changes in the Drupal 12 readiness strategy is a policy shift: most disruptive deprecations from Drupal 11.3 onwards will be deferred until Drupal 13. This move is designed to make the jump from Drupal 11 to 12 as smooth as possible, maintaining consistency in public APIs and allowing maintainers to adopt the new version earlier.

The New Deprecation Dashboard​

The relaunched dashboard, now hosted on docs.acquia.com, offers real-time insights into which modules are already compatible and which still have work to do. It leverages static analysis and automated testing to track progress across the entire ecosystem.

Key tools mentioned in the relaunch include:

• Upgrade Status Module: The go-to module for in-site assessment.
• drupal-check: A standalone CLI tool built on PHPStan.
• mglaman/phpstan-drupal: The engine behind most modern Drupal static analysis.

Building a Targeted Drupal 12 Readiness CLI​

To complement the existing tools, I've built a lightweight, targeted CLI tool: Drupal 12 Readiness CLI. While drupal-check is excellent for general deprecations, this tool is specifically configured to help developers identify the critical path for Drupal 12.

The tool wraps phpstan-drupal and phpstan-deprecation-rules into a single, zero-config command that you can run against any Drupal module or theme directory.

Key Features:​

• Automated Discovery: Automatically identifies Drupal core and dependencies in your project.
• Targeted Analysis: Focuses on level 1 analysis with full deprecation rule coverage.
• CI Ready: Designed to be integrated into GitHub Actions or GitLab CI.

View Code​

You can find the full source code and installation instructions on GitHub: victorstack-ai/drupal-12-readiness-cli

Example Usage​

# Install via Composer
composer require --dev victorstack-ai/drupal-12-readiness-cli

# Run the scan
./vendor/bin/drupal-12-readiness scan web/modules/custom/my_module

The tool will report any deprecated API calls that need attention before Drupal 12, giving you a clear roadmap for your upgrade path.

By staying ahead of the deprecation curve, we ensure that the Drupal ecosystem remains robust and ready for the next generation of digital experiences.

The Hook DDEV 1.25.0 ships experimental support for Podman and Docker rootless, opening up new corporate-friendly runtimes while introducing a few practical trade-offs.

Why I Built It The Podman and rootless workflows depend on specific global settings (ports, mount mode). I wanted a fast, repeatable way to confirm a workstation is configured before teams flip the switch.

The Solution I built a CLI that audits global_config.yaml and flags missing settings for Podman or Docker rootless, with a focused checklist for macOS Podman users.

The Code View Code

What I Learned

• DDEV 1.25.0 adds experimental support for both Podman and Docker rootless.
• Podman on macOS cannot bind to ports 80/443, so DDEV needs router ports set to 8080/8443.
• Docker rootless cannot use bind mounts, so no-bind-mounts mode is required.
• DDEV global configuration lives in global_config.yaml, and the config can live under $HOME/.ddev or an XDG location.

References​

• https://ddev.com/blog/podman-and-docker-rootless
• https://docs.ddev.com/en/stable/users/usage/architecture/
• https://docs.ddev.com/en/stable/users/configuration/config_yaml/