WordPress 7.0 now looks like a safer release than many expected. The team cut real-time collaboration before launch, which lowers risk for site owners. Meanwhile, two widely used plugins shipped serious security problems, so updates cannot wait.
Core: WordPress 7.0 heads for a calm launch
RC4 sets the tone for next week. WordPress 7.0 reached Release Candidate 4 this week and still targets May 20 for the final release. That tells you the release team wants stability, not last-minute experiments.
Most sites should update soon after the final release lands. First, confirm your backups work and test the plugins that run payments, memberships, bookings, or forms. Those tools create the most pain when an update goes wrong.
WordPress cut real-time collaboration from 7.0. The team removed the code instead of hiding the feature behind a switch. That was the right move.
Live shared editing sounds great on stage. On a business site, it needs to work every time. WordPress chose a boring release over a risky one, and site owners should welcome that.
The 7.0 Field Guide points to a cleanup release. WordPress published the field guide with hundreds of fixes and developer notes. The big takeaway is simple. Expect polish, compatibility work, and smaller changes more than flashy new tools.
That may frustrate people who wanted a marquee feature. It should reassure everyone else. Quiet releases break fewer editor workflows and create fewer support headaches.
Security: Patch these plugins now
Burst Statistics needs immediate attention. Wordfence found a critical authentication bypass flaw in Burst Statistics, which runs on more than 200,000 sites. Authentication bypass means an attacker can sidestep normal login checks and get access they should not have.
Update the plugin now. If you do not truly need it, remove it. Analytics plugins do not deserve special trust just because they sit in the background.
Avada Builder also landed on the urgent list. Wordfence disclosed an arbitrary file read bug and an SQL injection bug in Avada Builder, which has about 1,000,000 active installs. Arbitrary file read means an attacker may pull sensitive files from your server. SQL injection means an attacker may tamper with the database queries that power your site.
Patch it immediately. Then review admin accounts, recent changes, and anything else that looks odd if your site ran an older version for long. High-install plugins draw fast attention from attackers.
This week delivered the same lesson again. Popular plugins can still become serious risks. Big install numbers do not protect your site. They make the target bigger.
Stop treating plugin updates like optional housekeeping. Keep fewer plugins, turn on auto-updates where you trust the vendor, and check anything tied to login, forms, payments, analytics, or page building every week.