WordPress and related ecosystem
View All Tags
WordPress malware campaigns share a pattern. Attackers exploit one vulnerable plugin, drop a backdoor, then pivot across the entire installation. Most site owners discover the breach weeks later, after search engines have already flagged the domain.
For over a decade, Drupal developers have relied on Drupal.ajax — a powerful but heavy abstraction layer over jQuery — to handle dynamic interactions. With jQuery's slow sunset and the rise of "HTML-over-the-wire" paradigms, the HTMX in Drupal Core initiative is the most sensible thing to happen to Drupal's frontend in years.
I built a proof-of-concept module to test what this migration actually looks like in practice.
Drupal 12 lands mid-2026. The deprecation list is long, the database API is changing, and most teams will not discover their exposure until the upgrade breaks something in production. Static analysis catches the problems early. But terminal output is not enough when you need to share findings with project managers, clients, or stakeholders who do not read diffs.
The Drupal 12 Readiness CLI now ships with an HTML report generator, GitHub Actions CI across three PHP versions, and coverage for all 32 deprecated database API functions.
Today I contributed a fix for a subtle but impactful operator precedence bug in Drupal Core's DefaultTableMapping class. The bug affects how SQL table names are constructed when a database prefix is used and entity type tables are not explicitly configured.
Drupal 12 is on the horizon, and with it comes the final removal of a long-standing legacy layer: the procedural Database API wrappers. If your codebase still relies on db_query(), db_select(), or db_insert(), you are looking at a hard break when D12 lands. These functions have been deprecated since Drupal 8, but they have stuck around for backward compatibility. That grace period is ending.
AI is making vulnerability discovery faster and cheaper. That is the easy part. The hard part is what happens next: an open-source maintainer with limited hours receives a flood of security reports and must decide which ones deserve immediate attention, which are false positives, and which can wait.
I built a lightweight WordPress plugin that encourages users to follow a site on Google News and set it as a preferred source. When a user follows your publication, they are more likely to see your content in Discover and "For You" feeds. This plugin makes adding that CTA a one-step operation.
I had two collections of plain arrays and needed to associate them relationally, but I was not working with Eloquent models. Laravel's Collection class is powerful, but it has no built-in way to express a one-to-many relationship between two arbitrary datasets. I built laravel-collection-has-many to fix that.
The first version of Drupal AI Content Impact Analyzer was a minimal proof-of-concept: a single scoring function, no tests, no documentation worth mentioning. It proved the idea worked. It did not prove the idea was useful to editors who need to know exactly why a piece of content scores the way it does. The upgrade rewrites the core into a 6-dimension scoring engine that tells editors precisely what to fix.
The honeymoon phase of "generate everything with AI" is officially over, as major platforms like WordPress and Cloudflare are now forced to build guardrails against the resulting tide of low-quality "slop."
The AI model landscape just shifted again with the simultaneous drop of Opus 4.6 and Codex 5.3, and for once, the "System Card" is more interesting than the marketing splash page.
I tore apart CVE-2025-9318 — a critical SQL injection in the Quiz and Survey Master WordPress plugin affecting every version up to 10.3.1. Classic $wpdb concatenation, trivially exploitable by any authenticated subscriber.
The Drupal AI Hackathon: Play to Impact 2026, held in Brussels on January 27-28, was a pivotal moment for the Drupal AI Initiative. The focus was on practical, AI-driven solutions that enhance teamwork while upholding trust, governance, and human oversight.
The most compelling challenge: creating AI Agents for Content Creators — not simple content generation, but agentic workflows where AI acts as collaborator, researcher, or reviewer.
The "Drupal Pivot" is not just another conference; it is a signal that the public sector is finally prioritizing digital sovereignty over vendor lock-in. Drupal is becoming the foundation of their strategy to escape proprietary ecosystems and guarantee data residency.
The Cloudflare 2025 Q4 DDoS threat report just dropped, and the numbers are brutal. A record-breaking 31.4 Tbps attack mitigated in November 2025, and hyper-volumetric attacks up 700%. For Drupal site owners, these are not just statistics — they represent a fundamental shift in the scale of threats your infrastructure must handle.
Simon Willison shared research on running Pydantic's Monty in WebAssembly. Monty is a minimal, secure Python interpreter written in Rust, designed specifically for safely executing code generated by LLMs. I put together a demo project to test both the Python integration and the WebAssembly build.
This is one of the few sandboxing approaches I have seen that actually addresses the real problem.
Caching is usually the answer to everything in Drupal performance, but there is a crossover point where the overhead of the cache itself -- retrieval and unserialization -- outweighs the cost of just doing the work.
If you have ever wondered how Drupal magically discovers all its breadcrumb builders, access checkers, or authentication providers, you are looking at the Service Collector pattern. It is the secret sauce that makes Drupal one of the most extensible CMSs on the planet.
As AI agents become part of the Drupal workflow, you need infrastructure that makes automation traceable, predictable, and composable. I built four small Drupal modules that together form an MCP Toolkit for agent-driven site management.
The first version of drupal-entity-reference-integrity could scan a Drupal site and report broken entity references. That was the easy part. The hard part -- actually fixing them at scale without taking the site down -- was missing. This upgrade adds auto-fix mode, batch processing, and the test coverage needed to trust both in production.