In a blog post, WordPress announced the rollout of a new update, version 6.9.1, a maintenance release. WordPress has stated that this update brings a total of 49 bug fixes throughout the core and block editor. Further mentioning that, it will address issues affecting multiple areas of WordPress, including the block editor, mail, and classic themes.

Since the rollout has just begun, for those who have automatic background updates enabled, the update process will run in the background. However, if you haven’t turned on the automatic updates, you will get a notification soon in your dashboard area. From there, you can click “Updates” and then click “Update Now”, by following the onscreen instructions for the same.

It also confirms that the next update’s version will be 7.0 and will be rolled out on April 9th, 2026, at WordCamp Asia. To check out the complete list of bug fixes, you can check it out from the official release notes.

The post WordPress 6.9.1 Maintenance Update Now Rolling Out with 49 Bug Fixes; Version 7.0 Coming April 9th appeared first on The Tech Outlook.

To enhance testing and iteration in WordPress, Brandon Payton (WordPress contributor) has published wp-playground, a new AI agent skill designed to run WordPress via the Playground CLI.

A new AI agent skill has been introduced that streamlines testing and iteration in WordPress and works with Playground. This innovative tool reduces setup time from minutes to seconds, enhancing collaboration and creativity.

Test it out today: https://t.co/LP7NWA8Jz5 pic.twitter.com/Xq6ujsp9vy

— WordPress (@WordPress) January 30, 2026

This new AI agent skill is said to give agents an easy way to test WordPress code and make building and experimenting with WordPress a lot more accessible.

During testing, agents were able to start WordPress, build playful plugins, and validate behavior in a tight feedback loop. Once Playground was running, the agent alternated between tools such as curl and Playwright to interact with WordPress, verify results, apply fixes when needed, and then re-verify with Playground.

When launched, this skill starts WordPress and detects where the current code should live inside a WordPress install. This helps agents move from “generated code” to “running site” with fewer manual steps. It is revealed that helper scripts handle startup and shutdown, so an agent doesn’t waste time guessing when WordPress is ready. This reduces the “ready to test” moment from roughly a minute to a few seconds on the author’s machine. The Playground CLI can also log in automatically to easier WP-Admin access during testing.

Availability

To try this new AI agent skill in Claude Code, Codex, or another AI agent, installation requires Node.js and npm.

In addition to the new AI agent skill, WordPress has also made an announcement of a new experimental GitHub repo where WordPress is testing how AI agents can work with WordPress tools. It’s an early step in exploring how AI agents can collaborate with WordPress tooling and is open to community contributions. It is revealed that future additions being explored include persistent Playground sites based on the current directory, running commands against an existing Playground instance (including wp-cli), and Blueprint generation.

The post New AI Agent Skill introduced for WordPress that streamlines testing and iteration, and works with Playground appeared first on The Tech Outlook.

WordPress is considered to be the most popular software that is relied on to create websites and it stands out to be the most user-friendly content management system that is currently available. This article is intended to take readers through the steps which will let them manually install and run WordPress on a Linux server.

Read more about it below.

Install WordPress Manually on a Linux Server – Step by Step Guide

• Firstly, there are a few prerequisites that have to be ensured from the users’ end before proceeding to install WordPress on a Linux server – A basic understanding about Linux commands is needed, a Linux system that has admin privilege, and a stable internet connection.
• After meeting these, the next step is to see whether the Linux server is up to date – sudo apt update && sudo apt upgrade -y command ensures that it is up to date.
• Next, a web server which will host the WordPress site has to be set up and Apache is said to be the widely-used choice. Use sudo apt install apache2 command to install Apache, and it will thus be serving as the engine behind the WordPress site. With the sudo systemctl enable apache2 command, its service can be enabled.

With the sudo systemctl start apache2 command, the Apache server can be started. The status of the running Apache server can be checked with the Systemctl status apache2 command.

Furthermore, to check local IP address on the browser, use http://server-ip-address.

• To store data generated from the WordPress CMS (content management system), MariaDB is being used here (any database can be used – MySQL/PostGRES). Use the sudo apt install mariadb-server mariadb client command to install MariaDB, and then use sudo systemctl enable –now mariadb and sudo systemctl start mariadb commands to respectively enable and start it. Status can be checked with the systemctl status mariaDB command.

Also, to enable security within the installed database, use sudo mysql_secure_installation command to initiate the MySQL Secure Installation Wizard. The prompt will ask users to configure multiple security options.

• PHP and other essential extensions can be installed with the sudo apt install -y php php-common php-mysql php-xml php-xmlrpc php-curl php command, and the installed PHP version can be check with php –version command.
• Now to setup WordPress on Linux, use sudo apt install wget unzip command to install the necessary tools and then use wget https://wordpress.org/latest.zip command to download the latest WordPress version. With sudo unzip latest .zip command, extract the WordPress archive. Using cd wordpress command, navigate to the WordPress directory, copy WordPress files to the Web Server Directory with sudo cp -r * /var/www/html command, navigate to the directory using cd /var/www/html command, remove default index file with sudo rm -rf index.html command, and install additional PHP modules with sudo apt install php-mysql php-cgi php-cli php-gd -y command. By running the sudo systemctl restart apache2 command, restart Apache so that the changes can be successfully applied. Using sudo chown -R www-data:www- /var/www/ command, the ownership for the Apache server can be set.
• To create a database for WordPress, login to the database server using sudo mysql -u root -p command, establish a dedicated database using create database new_DB; command, create a user account linked to the database using CREATE USER ‘new_user’@’%’ IDENTIFIED BY ‘your_password’ ;, and finally authorize the user with the GRANT ALL PRIVILEGES ON new_DB.* TO ‘new_user’@’%’; command. Also to add, new_user, new_DB, and your_password can be changed accordingly.

• For setting up the WordPress CMS Web Interface Setup, access the WordPress site on the browser and visit the endpoint (http://your-server-ip-address/wp-admin/setup-config.php). Next, add the IP address of the Linux server in place of your-server-ip-address. Then select the preferred language and click on Continue.

• To add database information to WordPress, click on Let’s go!

On the WordPress setup wizard, enter all the necessary credentials and click on Submit.

Click on Run the Installation to complete this process.

• Finally to create admin user and password, add site title, username, and password. Then press the Install WordPress button.

To get to the backend, make use of the created admin credentials.

Following these above mentioned steps, anyone will be able to easily install and run WordPress on the Linux server.

The post Here’s How to Install WordPress Manually on Linux Server appeared first on The Tech Outlook.

Up to 47,337 malicious plugins have been identified on 24,931 unique websites, and 3,685 of those plugins were offered for sale on trustworthy marketplaces, earning the hackers $41,500. Results from a new program named YODA that seeks to detect rogue WordPress plugins and trace their origin, according to an 8-year study conducted by a group of scholars from the Georgia Institute of Technology
In use today are almost 44,000 of these plugins or more than 94%.

While posing as developers of useful plugins, attackers distributed pirated plugins to spread malware. Harmful activity peaked in March 2020, and there have been a growing amount of malicious plugins on websites throughout time. It’s surprising to see that 94% of the malicious plugins that were installed throughout those 8 years are still active. It was found in the long analysis that threat actors had infected plugins after they had been released, costing a total of $834,000, by looking at WordPress plugins installed on 410,122 different web servers going back to 2012.

YODA can be installed either by directly integrating it into a website and web server hosting provider or by using a marketplace for plugins. The framework can be used to find out a plugin’s owner and provenance in addition to finding out where add-ons are hidden and malware-rigged. In order to locate the plugins, it analyses the server-side code files and the associated metadata. Then, it conducts a syntactic and semantic analysis to find malicious activities.

The semantic model considers a variety of red flags, including web shells, the capacity to add new posts, password-protected code injection, spam, code obfuscation, blackout SEO, malware downloaders, malvertising, and cryptocurrency miners.
Spam injection was made possible via 3,452 plugins that were accessible in trusted plugin markets.
40,533 plugins were infected with malware on 18,034 websites after being distributed.
unauthorized plugins WordPress plugins or themes that have been altered to download malicious malware from the servers made up 8,525 of the malicious add-ons. Approximately 75% of the stolen plugins stole $228,000 from their creators.
By using YODA, plugin creators and marketplaces can inspect their plugins before distribution, and website owners and hosting providers can search the web server for potentially harmful plugins.

The post Up to 47,000 malicious plugins have been identified on 25,000 WordPress websites appeared first on The Tech Outlook.

On Saturday, WordPress sites are being hacked for displaying fake Cloudflare DDoS protection pages to circulate malware that installs the NetSupport RAT and the RaccoonStealer password-stealing Trojan.

DDoS protection screens are commonplace on the internet, that protects sites from bots, pinging them with bogus requests which aim to overwhelm them with garbage traffic.

Internet users treat these welcome screens as an unavoidable short-term annoyance that keeps their favorite online resources protected from malicious operatives. Unfortunately, this familiarity serves as an excellent opportunity for malware campaigns, Bleeping Computer reports.

According to the reports by Sucuri, hackers are attacking poorly protected WordPress sites to add a heavily obscure JavaScript payload, displaying a fake Cloudflare protection DDoS screen.

In June 2022, Raccoon Stealer returned to operations when its authors released its second major version and made it available to cybercriminals under a subscription model.

Raccoon 2.0 targets passwords, cookies, auto-fill data, and credit cards saved on web browsers, a wide range of cryptocurrency wallets, and it also has the potential of performing file exfiltration and taking screenshots of the victim’s desktop.

The post WordPress sites being hacked with fake Cloudflare DDoS to distribute malware appeared first on The Tech Outlook.

You can remotely publish articles using a tablet, a smartphone, or Windows Live Writer thanks to WordPress’ fantastic XML-RPC tool. When you leave XML-RPC enabled on your WordPress blog, there is, however, a risk. Recently, using xml-rpc on one of my WordPress blogs, an attacker transmitted some spam traffic to several domains. Because it was an outdated WordPress version (on an abandoned domain), even the xml-rpc may have been vulnerable to an attack. The xml-rpc in the most recent WordPress version, however, concerns me as to its security. If you ever want to disable xml-rpc on WordPress, there are three ways to do it.

99% of pingbacks are spam. By sending a pingback notification and collecting link juice from the targeted website because pingbacks are usually shown as regular comments, spammers will try to construct a linkback to their content. Furthermore, by abusing the XML-RPC pingback features, distributed denial of service assaults may be made easier (DDoS). By taking advantage of reliable blogs and websites, this vulnerability may persuade them to voluntarily participate in DDoS attacks against particular websites.

How does Pingback DDoS operate?

In order to launch a DDoS attack against a target system, a malicious hacker sends a large number of innocent WordPress blogs that have enabled pingbacks specially crafted pingback instructions, deceiving them into believing the originator is the target system. By sending a deluge of answers, the bloggers will unwittingly deliver erroneous traffic to the target system.

If you stop pingbacks, DDoS assaults against your blog are no longer possible.Actually, you should just disable some of the supported XML-RPC functionality. If you don’t, you can experience issues with certain of your plugins, like JetPack, which rely on XML-RPC to communicate with distant servers.

Method 1: using onboard means

The simplest fix is to uncheck the item in WordPress’ settings. Under Settings->Discussion, uncheck the box next to “Allow link notifications from other blogs (pingbacks and trackbacks)”. Select “Save Changes” after that.

This will only block pingbacks (and trackbacks) for upcoming posts and pages; it won’t have an impact on the present posts and pages. In order to disable additionally for the already-existing posts and pages, you must run a few SQL queries. You can utilise the phpMyAdmin tool for this. Simply look for the phpMyAdmin tool in your web hosting account’s CPanel control panel. Once there, locate the database for the blog and select the SQL tab. then type the subsequent commands:

[UPDATE wp_posts SET ping_status=’closed’

WHERE post_status = ‘publish’ AND post_type = ‘post’;

UPDATE wp_posts SET ping_status=’closed’

WHERE post_status = ‘publish’ AND post_type = ‘page’;]

To find out which database is used by your blog follow these steps:

1. Connect to your hosting account with an FTP client, for example, WinSCP;
2. Navigate to your site’s root directory, usually public_html;
3. Locate and open to view wp-config.phpfile;
4. Within this file locate the string DB_NAME; it should bring you to a declaration like this: define(‘DB_NAME’, ‘pref_wp239’);  The second parameter is the name of the database.

Method 2: Using Plugins

One of the simplest of them that does exactly what it says is disable-xml-rpc-pingback. This free plugin disables only the pingback part of XML-RPC API.

Just go to Plugins->Add New and enter “disable xml rpc pingback” in the search box. Then install “Disable XML-RPC Pingback” by Samuel Aguilera. When done, you have to activate it.

Method 3: A little coding

ust go to Appearance->Editor, then choose functions.php and add this code at the end:

[// disable pingbacks

add_filter( ‘xmlrpc_methods’, function( $methods ) {

unset( $methods[‘pingback.ping’] );

return $methods;

} );]

Don’t forget to click on “Update File” when finished.

The post How to Disable XML-RPC Pingback in WordPress? appeared first on The Tech Outlook.

Recently, a new phishing kit has been discovered attacking PayPal users to steal their confidential data which includes user’s government identification documents and photos.

Phishing kits are simple tools that quickly creates fake websites to steal the victim’s personal data. Accordingly, hackers uses these phishing kits to hack the confidential data from their victims. Some kits also includes tools like sending out fraud e-mails, a control panel and dictionaries to locate the cyberattacks.

Consequently, the kit is been hosted on the hacked WordPress websites which allows the kit to avoid the system recognition. However, the security experts at internet technology company Akamai found the phishing kit after the hackers hosted it on their WordPress website.

The kit presents a CAPTCHA challenge to the users and asks them to log into their PayPal account using their email ID and password. The threat actor also asks for more verification information from the users. Afterwards, the victim is asked to give the host their personal and financial details, including debit card details, with the card verification code, address, social security number and others. This doesnot stops here. The fraudulents also asks victims to link their email account to PayPal which gives the hacker to access the contents of the provided email address.

The post A new phishing kit has been discovered attacking PayPal users! Read more appeared first on The Tech Outlook.

Creating a website is like starting your career in such a vast empire called the internet. Nowadays, almost every human being has access to the internet. Whatever information we need to know, we search for innumerous websites.

But to create a website, we need to learn certain skills about how to work on creating a website. There is a lot of softwares which helps to create a website but WordPress is considered as one of the most successful software which helps to develop a website.

What is WordPress ?

WordPress is a content management system (CMS) which helps to develop unique content and build websites. The features of WordPress are extremely helpful to make a website.

Moreover, WordPress contains plugin architecture and a template system. So you can customise any website to fit your business, blog, portfolio, or online store.

Steps to create a website on WordPress

In WordPress, there is WordPress.org and WordPress.com. out which, WordPress.com needs to be selected for developing a website.

So let’s learn how to create a website in WordPress.com –

1)Select WordPress.com Plan –

First, start the WordPress com and select the plan you require. In WordPress.org, there is a free plan available but, you will require to buy your domain, hosting provider, plugins, themes, and other related features.

So one should select a WordPress.com plan which is relevant.

2)Set your domain and hosting provider –

In WordPress, selecting a domain and a hosting provider happens at the same time. Moreover, it allows you to decide whether you want a custom domain or not. It depends on the plan you choose, but it takes care of the hosting for you.

On the other side, hosting providers affect the websites speed, privacy, and security.

3)Install WordPress –

Click on the WordPress app to begin its installation. After finishing installation, you will have to answer a few questions about the domain you want to select.

4)Choose your theme –

There are many themes and templates available in WordPress. There are a variety of layouts, formatting styles, font types, font colours, images, videos and many more. Choose your themes according to your genres of website blogs.

5)Add your post and page for your website –

After choosing the themes, add your content along with the feature image. Also type your content with difficult styles of writing to get more views. Check your readability and SEO score and review your content. And at last, publish your article.

6)Build your website –

Keep updating your website with varieties of contents. Build your website while adding your site title. In the dashboard, select general settings and add your website title and tagline. You can also add other basic information like email id, zone, time, etc.

7)Make your website to bring your page in light –

After completing all the above procedures, review and re-check your content with readability score and SEO score. Lastly, publish your article on your website and keep your website updated with all trending information.

The post How to create a website on WordPress? appeared first on The Tech Outlook.

Technique 1: Using/?author=1 Query Parameter

At some point, I had quite recently set up another blog and thought I’d covered up my administrator zones really well. Incredibly, my security modules began sending me lockout takes note. This implies that in addition to the fact that hackers were ready to discover my login page, they had the option to figure my WordPress username too! I opened up my crude access signs in cPanel, and discovered this:

Evidently, programmers can discover your username in WordPress by affixing the inquiry/?author=1! You can find in the screen capture over, that my worker quickly returned the creator page – which obviously, uncovered the username. So disregard making your username hard to figure. It’s privilege out there in the open!

Here’s what it looks like. In the first place, type in your blog name and type/?author=1 after the URL like this:

This will redirect to this page

A few specialists guarantee that uncovering WordPress usernames isn’t a security hazard. As per them, making a solid secret key and utilizing two factor confirmation is the correct approach. However, I say there’s nothing incorrectly sequestered from everything however much data as could be expected from programmers. Possibly on the off chance that somebody is genuinely resolved to know my username, they can. However, that doesn’t mean I need to make it simple for them! I need expected assailants to attempt to break into my site. Ideally, this will prevent 90% of them.

In the event that programmers don’t have the foggiest idea about your username, they will not spam your site attempting to figure your secret word. This implies less burden on your worker. I’ve been cut down once before by programmers DDoS’ing my login page. I would prefer not to hazard that once more.

So how would we close this escape clause? There are two different ways to keep WordPress from uncovering your creator name through the boundary hack.

Fix 1: Modifying .htaccess

This is my favored procedure since it’s a lot quicker than the other option. By making a straightforward .htaccess rule, you can promptly impede all endeavors to get to your WordPress username through the ?creator boundary. In the event that you approach it, open the covered up “.htacces” record in the root registry of your WordPress establishment, and glue in the accompanying code toward the end:

RewriteEngine On RewriteCond %{REQUEST_URI} !^/wp-admin [NC] RewriteCond %{QUERY_STRING} author=\d RewriteRule ^ /? [L,R=301]

This is how the code will look like after you have made the changes to the .htaccess file

Fix 2: Adding a Code Snippet to WordPress

The subsequent strategy is to add a code scrap to WordPress that achieves something similar. In the event that you don’t have the foggiest idea how, read my previous bit by bit instructional exercise on the most proficient method to do this. Here is the code you need to glue into your custom module or functions.php:

function redirect_to_home_if_author_parameter() {

	$is_author_set = get_query_var( 'author', '' );
	if ( $is_author_set != '' && !is_admin()) {
		wp_redirect( home_url(), 301 );
		exit;
	}
}
add_action( 'template_redirect', 'redirect_to_home_if_author_parameter' );

Like the .htaccess code, this does the very same thing. It verifies whether you’re not in the administrator region, and whether somebody is attempting to get to the creator name by means of the “?creator” boundary. Assuming this is the case, it diverts back to the landing page.

The thing that matters is that this executes at the WordPress level, and is consequently marginally more wasteful than the main strategy. Yet, on the off chance that you don’t approach .htaccess, it’s the solitary alternate way. Checking your entrance logs will uncover precisely the same thing paying little heed to which strategy you pick.

So while some may reject that noteworthy usernames is a security danger, my rule is that the harder you make it for somebody to nose about your site, the better. Also, in the event that you need to forestall animal power assaults, and to keep programmers from discovering your WordPress username, one of these two bits of code will get the job done!

In case you’re taking a gander at truly benefiting from WordPress, you ought to consider specific facilitating. Various organizations have various arrangements, and you can see the correlations of the WordPress facilitating costs at one look.

Fix 3: Use Cloudflare Page or Firewall Rules

A ton of sites use Cloudflare in any case, so this is a simple arrangement. Simply add another page rule or a firewall rule to prohibit the risky URL. You can either divert the page to the landing page, or square it out and out. The free form of Cloudflare accompanies 3 free page rules and 3 free firewall decides that you’re presumably not utilizing in any case. So we should use them!

Technique 2: Using WordPress JSON REST Endpoints

Visit the accompanying URL on your WordPress site:

https://[yoursite]/wp-json/wp/v2/clients/1

Supplant [yoursite] with your site name. You ought to get something like this:

That is your WordPress username on display! This is on the grounds that WordPress uncovered certain REST APIs as a matter of course and this permits anybody to specify the clients by means of JSON.

Fix: Disable by means of Code

Luckily, we can simply impair these endpoints by means of this basic code scrap:

function disable_rest_endpoints ( $endpoints ) {
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'disable_rest_endpoints');

The post Want to know how hackers find your wordpress username? Details Inside appeared first on The Tech Outlook.

With over 50,000 plugins and themes, WordPress is one of the most shared content management systems (CMSes) in the world, enabling pros and novices alike to create excellent websites with ease. But WordPress is also a focus of cyber-criminals finding ways to unleash their disruptive operations, with great success and readily available production options.

SEO Spamming continues to be a top objective

For branded blogs, the hijacking of WordPress for SEO spamming raises significant problems.

• In a newly uncovered event, a new cyber crime group leveraged weak WordPress pages to install scammy e-commerce stores to lower the rating and credibility of a site’s search engine.
• Via brute-force attacks, the attackers gained access to the site’s admin account, after which they overwrote the main index file of the site and added malicious javascript.
• To maintain a steady influx of SEO spam connections, researchers have also found that attackers insert malicious PHP files into WordPress pages.

Vulnerable themes and plugins fuel more attacks 

In addition to SEO spamming, WordPress plugins provide cybercriminals with a handy avenue to attack.

• An ongoing large-scale attack involving mass scanning of WordPress pages with Epsilon System themes vulnerable to Feature Injection attacks was recorded on November 17 by Word fence researchers.
• These insecure themes, built on more than 150,000 pages, could lead to a complete site takeover.
• Also, instances of insecure WordPress plugins such as Ultimate Member and Welcart e-Commerce were found to be impacted by extreme vulnerabilities during early November that could cause attackers to hijack pages.

In this mess, WordPress is not alone

• Equally lucrative options for cyber-attacks are not only WordPress but other CMSes like Drupal and Joomla.
• Recently, administrators of sites operating on Drupal were advised to patch a safety hole that depended on the trick of the double extension.
• Drupal developers believed that the weakness was because sure” file names were not sanitized by the Drupal CMS, enabling any malicious files to slip through.

Main Takeaways

It is no wonder that unpatched bugs in the core applications of WordPress are driving cyber attackers’ disruptive ambitions. Plugging security vulnerabilities at the right time and following best cyber security practices is also a solution to cyber attacks to secure WordPress pages.

The post Hurl a flood of attacks on compromised WordPress pages by cyber criminals appeared first on The Tech Outlook.