9.0.0 — Growing Up – ActivityPub for WordPress

Major versions are the right moment to fix things properly instead of patching around them. In ActivityPub plugin 9.0.0, unpublishing a federated post sends a real Delete instead of a placeholder text, and federation can be tuned down so it doesn’t overwhelm smaller servers. The ActivityPub API moves closer to the W3C standard, and your blog can now be featured in Starter Kits, if you allow it.

Starter Kits, With Your Consent

Starter Kits are curated lists of accounts, bundled so that others can discover and follow them in one go. You may know the idea as Starter Packs from Bluesky, and Mastodon is rolling out its own version called Collections with version 4.6. The name varies, the idea is the same: someone who knows a topic well puts together a list of accounts worth following, and shares it.

For blogs, discovery is the hard part of the Fediverse. A blog doesn’t post twenty times a day, so it rarely surfaces in busy timelines on its own. Being part of a Starter Kit changes that: when someone shares a “great photography blogs” kit, every person who opens it sees your blog, and following is one tap away.

Screenshot of a Featured-Collection, showing two WordPress blogs, on Mastodon.

One piece was missing, though: other people couldn’t add your WordPress blog to their lists, because your site never told their server who is allowed to do that. ActivityPub 9.0.0 fixes this with the new Default Starter Kit policy setting: Anyone, Followers only, or Just me. The default is “Just me”, so nothing changes unless you say so. If you want the reach, set it to “Anyone” under Settings → ActivityPub → Activities. Under the hood, this announces a canFeature policy on your profile, based on a new Fediverse Enhancement Proposal (FEP-7aa9) that is not published yet; we’ll link it here once it is.

The Mastodon team explains the thinking behind Collections in their design post, and Fedi.Tips has a guide to Mastodon’s Lists feature, the private cousin of Collections. And since ActivityPub 8.1.0 you can import Starter Kits into WordPress under Tools → Import, so it works in both directions.

Blurred Previews for Your Photos

Photos are heavy. While they load, most Fediverse apps show an empty gray box.

The plugin now generates a BlurHash for every image: a tiny, blurred color preview that other Fediverse apps can show while the real photo loads. Your followers see a soft impression of the picture instead of an empty rectangle. The BlurHash website has a nice interactive demo.

The plugin uses the same blurhash property that Mastodon documents as part of its ActivityPub extensions, so your previews work wherever Mastodon’s do. Everything happens automatically in the background; there’s nothing to configure.

From Placeholder to Delete

Until now, when you moved a federated post back to draft or made it private, the plugin sent an Update with a placeholder text: “(This post is being modified)”. Your followers kept a copy that claimed the post was being edited, even if it never came back. That was a workaround, and a bad one: it misrepresented your content and left stale placeholders sitting in timelines across the Fediverse.

ActivityPub 9.0.0 replaces the workaround with the behavior the Fediverse expects. When a federated post moves to draft, pending, private, trash, or gets a password, the plugin now sends a Delete to your followers, so their servers remove their copies. Your site keeps a Tombstone in place of the post, as described in FEP-4f05, so it can announce the post again if you re-publish it.

Be aware: even unpublishing a post only temporarily might delete it forever on other servers. When you take a post down on purpose, that’s what you want. But if you plan to come back, know that whether the post comes back with you depends on the receiving server, and the boosts, favorites, and replies on the old copies are gone either way. Discourse and NodeBB restore posts like this; Mastodon currently does not, though there’s an open issue we hope to see land soon. For now, treat unpublishing as deleting, even if you plan to publish again.

Screenshot of the Soft-Delete warning in the Block-Editor.

That’s why the editor now warns you before you make a federated post a draft, private, or password-protected. The dialog tells you that followers’ copies will be removed, so you know what will happen before you save.

Federation That Doesn’t Overwhelm Your Server

Federation is real work. When you publish a post, the plugin sends it to every follower’s server, and each delivery is a signed HTTP request processed in the background. On a well-provisioned server, no problem. On shared hosting with a few thousand followers, that burst of background work can slow your whole site down, right at the moment your new post brings visitors in.

The new Distribution Mode setting exists so the plugin stays a good guest on the server it runs on. It comes with three presets:

Default: the current behavior, as fast as possible (100 deliveries per batch, 15 seconds pause).
Balanced: a moderate pace (50 per batch, 30 seconds pause).
Eco Mode: gentle on server resources, made for shared hosting (20 per batch, 30 seconds pause).

Nothing changes unless you need it to: Default behaves exactly like before. But if your site gets sluggish after publishing, switch to Balanced or Eco Mode under the Advanced tab of the ActivityPub settings. Your followers get the post a few minutes later, and your server keeps breathing. A Custom mode with your own batch size and pause is there for fine-tuning.

The Advanced tab is hidden by default. To enable it, open the ActivityPub settings page, click Screen Options in the top right corner, check Advanced Settings, and save.

Hosting providers can pin a preset across all their sites with the ACTIVITYPUB_DISTRIBUTION_MODE constant, so a whole fleet of sites stays well-behaved without anyone touching a setting.

Speaking Standard ActivityPub

The ActivityPub API (the plugin’s Client-to-Server implementation) keeps converging on what the W3C SWICG is standardizing. Clients can now request the canonical SWICG scope names like activitypub:read:all and activitypub:write:all, and the OAuth discovery metadata advertises them. Token responses include activitypub_actor_id, following the SWICG ActivityPub API Basic Profile, and rate-limit responses now carry a Retry-After header so clients know how long to wait.

None of this changes anything for existing apps. It just means new apps can connect to your site by following the standard, not our documentation.

Since this is a major version, there’s one heads-up for developers: we removed functions, methods, and the Follower class that were deprecated in versions 7.0 through 7.4. Everything removed has had a documented replacement for over a year, but if your plugin or theme builds on ActivityPub internals, check the changelog before updating.

A Good Reason to Update Soon

Beyond the features, 9.0.0 includes a series of security hardening fixes that keep private data private and tighten how the plugin verifies who is allowed to change what. None of them need anything from you beyond updating, which is exactly why you should update soon. The details are in the changelog below.

Changelog

Added

Add a Distribution Mode setting to control how quickly posts are delivered to followers.
Add an opt-in setting to consent to inclusion in Starter Kits (also called Starter Packs or Featured Collections). Off by default. Find it under Settings, ActivityPub, Activities.
C2S clients can now request canonical SWICG ActivityPub API scope names such as activitypub:read:all and activitypub:write:all, and the OAuth discovery metadata advertises them.
C2S token responses now include activitypub_actor_id so clients following the SWICG ActivityPub API Basic Profile can discover the authenticated actor.
Generate a blurred color preview (blurhash) for images so other fediverse apps can show a placeholder while your photos load.
Quote notification emails now include a link to the post that quoted you, so you can review and respond more quickly.
Warn in the editor before making a post that’s already shared on the Fediverse a draft, private, or password-protected, since followers’ copies will be removed.

Changed

Add the blurhash term to the outbound JSON-LD @context so attachments that include a blurhash property are strictly correct JSON-LD, matching Mastodon’s own context shape.
Federated posts moved to draft, pending, private, trash, or password-protected now send a Delete to followers (previously sent a placeholder “editing” Update or were silent).
OAuth rate-limit responses now include a Retry-After header so clients know how long to wait before retrying.
Updated a build dependency to a clean release now that a fixed version is available.

Removed

Removed functions, methods, and the Follower class that were deprecated in versions 7.0 through 7.4.

Fixed

Fix a fatal error when receiving a new follower while the Stream plugin is active.
Fix a follow request being marked as accepted when the confirmation came from a different account than the one being followed.
Fix the Fediverse settings appearing twice and visibility changes not saving in the block editor when the Classic Editor plugin is also active.
Fix the introduction video failing to load on the Getting Started help screen.
Follower synchronization with Mastodon no longer fails, signed requests with query strings now verify correctly.
Harden the Blurhash encoder: skip decompression-bomb images before decoding, flatten transparency onto white so transparent logos no longer produce near-black placeholders, and defer the cron encode until attachment metadata is saved.
Images and videos placed in a Media & Text block are now included when a post is shared to the Fediverse.
Requests from other platforms to feature your posts are now handled correctly instead of being ignored.
RSS and Atom feeds now show a simple @username mention in place of the reply block’s full embed card, which only renders properly when the plugin’s frontend CSS is loaded.
Stop a deprecation notice from appearing in the error log when the NodeInfo plugin is also active.

Security

Enforce the signing-key host check on incoming federated activities regardless of how the key identifier is formatted.
Fix the real-time activity stream so it only returns the requesting user’s own activities.
Harden the Site Health connectivity check so it cannot be used to reach unsafe network addresses.
Only share comment replies in the Fediverse when the post they belong to is itself federated, so replies on private or non-federated posts stay private.
Prevent a remote server from discovering which of your followers belong to a third-party server it does not control.
Prevent logged-in users from viewing another user’s private outbox activities.
Prevent remote servers from modifying or deleting federated profiles, posts, and interactions they do not own.
Rate-limit the remote-follow lookup to prevent it from being abused to trigger outbound requests.
Stop the OAuth token introspection endpoint from revealing another user’s token details to logged-in users.
Stop the quote-authorization stamp from exposing a post’s other metadata.

Get It

Download from WordPress.org or grab it on GitHub.

A huge thank you to everyone who contributed code, testing, bug reports, and ideas to this release. Special thanks to .

Update, and let us know what you think: will you open your blog up for Starter Kits? And does the new delete behavior match what you expected your site to do all along?