WordPress 7.0 enters the final stretch with RC4 out, the Field Guide live, and real-time collaboration cut before launch. The AI team keeps shipping, security researchers flagged two serious plugin flaws, and vendor shakeups could change where you get support.

WordPress 7.0: Final stretch

WordPress 7.0 now looks locked. The release team shipped RC4 this week and kept May 20 as the target date. That tells site owners to move from watching to planning.

The biggest change actually arrived in RC3. WordPress cut real-time collaboration from 7.0 after testing showed too much risk that late in the cycle. That was the right move. Core should ship stable improvements first, then bring back big features when they are ready.

The new Field Guide shows where 7.0 still matters. WordPress tightened the admin area, fixed hundreds of bugs, expanded editor tools, and documented new AI building blocks. If you want a safe preview, use WordPress Playground, a browser-based test site. If you run a live business site, wait for the final release, back up first, then update after you confirm your critical plugins support 7.0.

AI: From experiment to product

WordPress AI moved closer to a real release cycle. The AI plugin shipped version 0.9.0 with comment moderation, content resizing, a bulk alt text tool that creates image descriptions for screen readers, and cleaner settings. For site owners, the useful part is simple. You can test AI to flag abusive comments and rewrite draft copy inside WordPress.

The team also aims to ship AI plugin 1.0.0 on May 19, one day before WordPress 7.0. That timing looks intentional. WordPress wants AI to arrive as a companion plugin you can choose, not as a forced feature in core.

Control got as much attention as features. Contributors spent time on connector approvals and request logging. In plain English, admins should decide which outside AI services a site can use, and they should see a record of what the site sends to them. That is the right foundation.

Security: Update now

Security stayed noisy. Wordfence logged 75 new vulnerabilities last week across 59 plugins and 2 themes. That number keeps proving the same point. Fewer plugins and faster updates beat any fancy security slogan.

The most urgent alert hit Burst Statistics, active on more than 200,000 sites. A critical flaw let an attacker who knew an administrator username act as that admin during REST API requests, which are the web addresses WordPress uses for background app actions. In the worst case, the attacker could create a new administrator account. The Burst team shipped a patch, so update now if you use it.

Avada Builder also faced serious flaws on about 1 million sites. One bug could expose files on the server. Another could let an attacker pull data from the database. Check your version today and install the patched release if you still run Avada Builder.

GravityKit offered a better kind of security news. It rolled out cryptographic signing across its plugins, which lets your site confirm that an update package came from GravityKit and did not change in transit. More plugin vendors should copy that.

Business: Vendor shakeups

Liquid Web shut down the StellarWP brand and folded products under Kadence, LearnDash, The Events Calendar, and Give. The rollout created real confusion. Customers ran into missing pages, login issues, and license questions. If you use a former StellarWP product, save your license details and confirm where support, docs, and renewals now live.

Envato also ended its exclusive author model and moved marketplace sellers to a flat 50% revenue share from July 1. That hits some established WordPress sellers hard. Expect some vendors to raise prices, trim support, or leave the marketplace. If your site depends on a niche ThemeForest or CodeCanyon product, check that the developer still maintains it.


End of article