WordPress News Roundup July 2025: What You Need to Know

July 2025 Edition

July 2025 highlighted the ongoing balance between stability, security, and innovation. With the release of a new core maintenance version, new proposals shaping the roadmap for 6.9, and a series of critical security alerts across plugins and themes, July provided a mix of steady refinement and sharp warnings.

This month’s updates underline two central realities for business owners, developers, agencies, and content creators. WordPress continues to expand its capabilities with more innovative development tools while facing an increasingly complex threat landscape. Staying ahead means embracing both better workflows and tighter security practices.

This comprehensive roundup for July 2025 covers everything from core updates and vulnerabilities to industry trends and community highlights. Let’s dive in.

Mergers, Acquisitions, and Strategic Investments

July 2025 was a quiet month on the business front. No major mergers, acquisitions, or investment rounds were announced within the WordPress ecosystem. This stability reflects what analysts increasingly view as a consolidation phase in the market.

Instead of rapid expansion through corporate maneuvers, leading players appear focused on strengthening their offerings, refining products, and investing in their existing user bases.

For agencies and developers, this period of calm translates into consistency. Fewer market shake-ups mean more predictable partner ecosystems, and businesses can be confident that their primary tools will remain stable in the near term.

The absence of acquisition headlines also underscores that WordPress’s real momentum comes from community-driven development and incremental innovation, rather than sudden corporate reshuffling.

WordPress Core Updates: Refinement and Stability

The latest maintenance release focused on fine-tuning performance, resolving persistent bugs, and improving the overall editing experience. These refinements highlight WordPress’s ongoing commitment to delivering a stable and reliable platform for users and developers alike.

WordPress 6.8.2 Released

On July 15, 2025, WordPress released version 6.8.2, a maintenance update focused on bug fixes, performance refinements, and UI consistency. The update addressed 35 issues, spanning both Core and the Block Editor. While not a groundbreaking release, it represents the steady progress that keeps WordPress secure and functional for millions of users.

Key highlights include:

  • Speculative loading support improves performance by preloading pages in the background and reducing perceived waiting times for visitors.
  • Enhancements to the Interactivity API, giving developers more tools for creating dynamic and reactive interfaces within WordPress.
  • Fixes for image handling bugs, including a longstanding issue with macOS screenshots.
  • Improvements to the wp_get_attachment_image_attributes filter, which now properly includes height and width attributes.

The release was coordinated by Jean-Baptiste Audras, Estela Rueda, and Zunaid Amin, supported by contributions from 96 community members. Their work reflects the collaborative nature of WordPress development, with volunteers and professionals working side by side to ensure stability.

Core Development Activity

July was also an active month in WordPress trunk, the development branch for future releases:

  • 132 commits were shipped.
  • 133 tickets opened, 261 closed, and 25 reopened.
  • 116 contributors participated, including 22 first-time contributors.

Key areas of work included:

  • Bundled themes (21 commits, about 24 percent of total activity).
  • Coding standards (15 commits, 17 percent).
  • Documentation updates, API enhancements, media fixes, and block editor refinements.

The most active contributing organizations included rtCamp, Human Made, Whodunit, Automattic, Yoast, and 10up. This demonstrates that independent developers and major WordPress agencies remain deeply engaged in pushing the project forward.

WordPress 6.9 on the Horizon

Beyond 6.8.2, planning for WordPress 6.9 gained traction in July. Key proposals include:

  • Phased plugin rollouts, a feature inspired by mobile app stores. This system would allow plugin updates to be deployed gradually across subsets of users, reducing the risk of site-wide breakages. If accepted, this could be one of the most significant workflow enhancements for developers and site owners in years.
  • Gutenberg 21.1 updates, including the ability to register custom social icons such as IMDB, Signal, or Ko-fi, expanding branding flexibility.
  • Taxonomy label improvements and refinements to block patterns, further streamlining theme and content creation.

One of the more forward-looking discussions centered on an Abilities API. While still conceptual, this would make WordPress functionality more “machine-readable,” opening doors for deeper AI integrations in the future.

Security Alerts and Plugin Vulnerabilities

July 2025 again underscored that security remains one of WordPress’s most pressing challenges. Several critical vulnerabilities emerged, some already being exploited in the wild.

End of Legacy Security Support

A significant change arrived in July: WordPress officially ended security support for versions 4.1 through 4.6. Although less than one percent of sites still run these outdated versions, they now face elevated risks. Administrators using them see persistent notices urging immediate upgrades. This shift frees the security team to focus on modern versions starting from 4.7, representing over 99 percent of installations.

Gravity Forms Supply-Chain Attack

One of the most alarming events was a supply-chain attack on the widely used Gravity Forms plugin around July 9–10, 2025. Malicious code was introduced into versions 2.9.11.1 and 2.9.12, enabling attackers to collect metadata, execute remote code, and create unauthorized admin accounts.

Fortunately, automatic updates delivered through Gravity Forms’ API were not compromised. The plugin’s developers quickly released a clean version (2.9.13) and notified users. Still, the incident highlights how even trusted plugins can be targeted in sophisticated attacks.

Post SMTP Vulnerability

A critical flaw (CVE-2025-24000, CVSS score 8.8) was discovered in the Post SMTP plugin. The vulnerability allowed low-privilege users to access email logs and potentially take over admin accounts. A patch was released in version 3.3.0 on June 11, yet by late July, around 160,000 sites (40 percent of active installs) had not updated, leaving them exposed.

“Alone” Theme Exploit

The Alone – Charity Multipurpose Non-profit theme was hit with a serious Remote Code Execution (RCE) vulnerability (CVE-2025-5394). The flaw allowed attackers to upload malicious files via AJAX. Exploits surged in mid-July, with over 120,900 attack attempts recorded. The issue was fixed in version 7.8.5, released June 16, but many sites remained vulnerable due to delayed patching.

Vulnerability Reports

SolidWP’s weekly monitoring reports illustrate the scale of ongoing threats:

  • July 2: 213 new vulnerabilities reported (175 plugins, 38 themes), with 149 still unpatched.
  • July 23: 167 new vulnerabilities, 42 unpatched.
  • July 30: 113 new vulnerabilities, 53 unpatched.

Cybersecurity firm Quttera also flagged the top 10 critical CVEs of July, rated above 9.0 on the CVSS scale. These included severe file upload and privilege escalation flaws, which can enable complete site takeovers.

The message is clear: site owners must treat updates and proactive security layers as non-negotiable.
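As a concrete way to act on the alerts above, the following added example (not code from any of the projects mentioned) checks a site inventory against the version numbers named in this section: the end of core support below 4.7, the two Gravity Forms builds, and the Post SMTP and Alone fixes. The slugs gravityforms, post-smtp and alone, the inventory format, and the sample data are assumptions made for illustration.

```python
import json

# Version numbers come from the roundup above; the slugs are assumed directory names.
BACKDOORED = {("plugin", "gravityforms"): {"2.9.11.1", "2.9.12"}}  # builds named in the incident
FIXED_IN = {("plugin", "post-smtp"): "3.3.0", ("theme", "alone"): "7.8.5"}
FIRST_SUPPORTED_CORE = (4, 7)  # 4.1 through 4.6 no longer get security fixes


def vkey(version):
    """Turn '2.9.11.1' into (2, 9, 11, 1) so versions compare numerically."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    while parts and parts[-1] == 0:  # '3.3' and '3.3.0' must compare equal
        parts.pop()
    return tuple(parts)


def audit(core_version, inventory):
    """Return (kind, slug, version, reason) tuples for everything that needs action."""
    findings = []
    if vkey(core_version) < FIRST_SUPPORTED_CORE:
        findings.append(("core", "wordpress", core_version, "security support ended"))
    for item in inventory:
        key, ver = (item["type"], item["name"]), item["version"]
        if vkey(ver) in {vkey(v) for v in BACKDOORED.get(key, ())}:
            findings.append((*key, ver, "build named in supply-chain incident: "
                             "reinstall 2.9.13 or later, review admin accounts"))
        elif key in FIXED_IN and vkey(ver) < vkey(FIXED_IN[key]):
            findings.append((*key, ver, "update to " + FIXED_IN[key] + " or later"))
    return findings


# Constructed sample inventory (not real site data).
SAMPLE = json.loads("""[
  {"type": "plugin", "name": "gravityforms", "version": "2.9.12"},
  {"type": "plugin", "name": "post-smtp",    "version": "3.2.10"},
  {"type": "plugin", "name": "jetpack",      "version": "14.8"},
  {"type": "theme",  "name": "alone",        "version": "7.8.5"}
]""")

if __name__ == "__main__":
    for finding in audit("4.6.29", SAMPLE):
        print(*finding, sep=" | ")
```

A version match on Gravity Forms only says the build number is one named in the incident; since automatic updates were not compromised, how the copy was obtained still has to be checked.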

Industry Trends and Technological Insights

The WordPress ecosystem is evolving faster than ever, shaped by new technologies and changing user expectations. July 2025 showcased clear shifts in how developers, businesses, and creators build for the future.

Block-First Development Becomes Standard

By July 2025, the shift toward block-first development is essentially complete. Block themes and theme.json configurations are now the baseline. Developers are moving away from bulky custom CSS toward declarative design systems, which give precise control over layout, typography, and spacing while improving performance.

AI Integration into Workflows

AI has become a core part of WordPress operations:

  • Jetpack AI Assistant helps with content drafting and on-site edits.
  • CodeWP assists developers with AI-generated code snippets.
  • Rank Math AI streamlines SEO optimization.

These tools are reshaping content production, site management, and development, making WordPress more accessible for small businesses and power users alike.

Headless WordPress Expansion

The headless CMS model continues to grow, with developers using WordPress primarily as a backend while building frontends in frameworks like Next.js, Gatsby, Astro, and Nuxt.

Tools like WPGraphQL make this approach more accessible, reducing complexity and allowing for performance-driven, modern web applications.

Performance Optimization

With Google’s Core Web Vitals influencing rankings, performance optimization is a top priority. Popular approaches include:

  • Caching with Redis or server-side solutions.
  • Image optimization with WebP and AVIF.
  • Tools like WP Rocket, Perfmatters, and FlyingPress.
  • Lazy loading and CDN integrations for global reach.

PHP 8.3 Compatibility

In July 2025, WordPress achieved full compatibility with PHP 8.3. This ensures better performance and stronger security while maintaining backward compatibility with older code. For developers, it signals that WordPress is committed to aligning with modern PHP standards.

Community Spotlights & Outstanding Contributors

The strength of WordPress lies in the people who build, support, and innovate within its ecosystem. This month’s spotlights celebrate individuals and organizations whose contributions continue to push the platform forward.

Theme of the Month: Avada

Avada remains one of the WordPress ecosystem’s most versatile and feature-rich themes. Its July update introduced powerful features like an Inline Dynamic Data System and a new Text Path Element, solidifying its market leadership.

Plugin of the Month: Jetpack

Jetpack remains a foundational plugin for many WordPress sites, offering a comprehensive suite of security, performance, and marketing tools. Its ongoing development, including new AI-powered features, highlights its role as a versatile and evolving tool that serves as a one-stop solution.

Agency of the Month: Seahawk Media

Seahawk Media earned recognition for its exceptional WordPress development services, white-label solutions, and commitment to delivering high-performance websites. Their expertise in custom development and ongoing maintenance services exemplifies the quality standards that drive WordPress ecosystem growth.

Host of the Month: Namecheap

Namecheap demonstrated outstanding WordPress hosting performance in July, combining affordability with reliability. Their WordPress-optimized infrastructure, automated updates, enhanced security features, and responsive customer support continue attracting both new WordPress users and experienced developers.

Founder of the Month: Andrew Palmer

Our founder of the month is Andrew Palmer, co-founder of Atarim. Andrew has revolutionized WordPress project collaboration through innovative visual feedback and project management tools, streamlining communication between clients, developers, and designers.

Looking Ahead to August 2025 & WordCamp US Portland

August is shaping up to be an exciting month for the WordPress community, especially with the year’s flagship event: WordCamp US! The event will be held in Portland, Oregon, from August 26th to 29th, including a Contributor Day on August 26th.

We look forward to seeing what new announcements, collaborations, and innovations emerge from this highly anticipated conference. The following month’s edition will be packed with coverage of this pivotal event, which will shape WordPress’s future.
