Agency News Weekly

One Major WordPress Release Per Year? How This Proposal Could Impact Your Agency.

Last week, Matt Mullenweg opened a discussion in the Make WordPress Slack aimed at scaling back WordPress releases from four per year to just one.
Matt suggested that the only core release for 2025 would be 6.8, with 6.9 coming in 2026, and 7.0 delayed until late 2027.
The rationale behind the proposal is the widespread pullback of core commitment hours by Automattic and others (most recently Newfold Digital) in the wake of the recent unpleasantness between Matt, Automattic, and WP Engine.
Read full coverage about the new release proposal from The Repository.
So what does this mean for your agency? Maybe not much at all.
The last several major core releases have focused mainly on refinements in the Site Editor without much improvement in other needed areas (like the Media Library and an overall admin refresh).
Even after years of development, it’s common to hear agency owners describe the Site Editor as still not ready for primetime and certainly not ready to replace established tools for client work.
As a result, the quarterly cadence of core updates has been met with indifference by many, and annoyance by others at features they neither want nor use.
So unless you’re one of the few who are all-in on the Site Editor, a once-per-year core release might not be a bad thing after all.

Patchstack has published their State of WordPress Security in 2025 report in partnership with Sucuri.
Last year, nearly 8000 vulnerabilities in were discovered in the WordPress ecosystem, approximately 22 each day, up 34% from 2023.
A shocking 43% of these vulnerabilities required no authentication to exploit, making them especially dangerous.
More than 1000 of last year’s vulnerabilities affected plugins with more than 100,000 installs (popularity ≠ security).
A particular emphasis in the report is the European Union’s Cyber Resilience Act (CRA) which requires open source developers to have processes in place to notify authorities and users about actively exploited or severe vulnerabilities.
Patchstack notes that last year, more than half of developers to whom they reported a vulnerability did not patch the issue before it was officially disclosed to the public.
“This raises concerns about whether the WordPress ecosystem is ready for the CRA or other security regulations.”
Read the full State of WordPress Security in 2025 report here, which contains numerous helpful statistics for talking to clients about WordPress security.

The US Department of Justice has filed suit against Google in US District Court in the first stage of its plans to break up its search monopoly.
It is asking the Court to force Google to “promptly and fully” divest itself of Chrome and any assets required for its operation.
The suit, filed on March 9, claims that “Google’s illegal conduct has created an economic goliath, one that wreaks havoc over the marketplace to ensure that—no matter what occurs—Google always wins,”
The new Trump Justice Department is stopping short of the previous administration’s requirements that included Google’s selling off of its AI investments and Android.
Instead, the DOJ’s lawsuit requires they be notified of new AI investments, and be prohibited from making its search or AI products mandatory on Android.
Google is of course disputing the Justice Department’s position, claiming that their remedies would “harm America’s consumers, economy, and national security.”

Ben Meredith’s book Sustainable Support – Blow your Customer’s mind… Without Losing Yours is available for pre-order with special bonuses through March 20.
Google and OpenAI are asking the US government to let them train their AI models on copyrighted material to “avoid forfeiting” America’s lead to China.
Hilarious. This AI refused to generate code for a developer and told him to develop the logic himself.
SEO isn’t dead. It’s just not only about Google now.