WordPress 7.0 Drops Old PHP, Plugin Sales Struggles & WordPress Security (Foundations to Hardening) | WP More - Issue 34
PHP 7.2/7.3 support ends in April, plugin sales down 80%, security deep-dive, and Make WordPress team updates.
Hello WordPressers!
Welcome to this week’s WPMore roundup — WPMore newsletter issue 34, where you get curated news about WordPress and the WordPress community all in one place.
We're covering some major moves in the WordPress ecosystem: a long-awaited PHP version bump, the sobering reality of plugin sales in 2025, and practical security insights you can use today. Plus, updates from the Plugins and Test teams on how AI is reshaping workflows. Let's dive in.
In this Issue:
WordPress 7.0 Waves Goodbye to PHP 7.2 and 7.3
Plugin Sales Took a Hit in 2025, Here's What the Data Shows
The Plugins Team Doubled Its Workload And Leveled Up With AI
The Test Team Is Rebuilding With Training and Clearer Expectations
A Deep Dive Into WordPress Security: From Foundations to Hardening
WordPress 7.0 Waves Goodbye to PHP 7.2 and 7.3
WordPress 7.0, scheduled for April 2026, will drop support for PHP 7.2 and 7.3. The new minimum supported version will be PHP 7.4.0, while the recommended version remains PHP 8.3. Usage of PHP 7.2 and 7.3 has fallen below 4% of monitored WordPress installs, well under the project’s 5% threshold for retirement.
This shift aims to keep WordPress maintainable for the long haul. Over time, raising the minimum PHP version benefits the plugin and theme ecosystem, improves tooling and libraries (including AI integrations), and strengthens the project’s developer relations. WordPress core is already fully compatible with PHP 8.0–8.3 and beta compatible with PHP 8.4 and 8.5.
Sites still running PHP 7.2 or 7.3 will stay on the WordPress 6.9 branch once 7.0 launches. Security fixes will be backported to WordPress 4.7 when possible, even though only one branch officially receives updates. The Gutenberg plugin will also bump its minimum PHP version to 7.4.
Key takeaway: If you’re still on PHP 7.2 or 7.3, now’s the time to upgrade. Contact your host if you need help.
What’s next: There is no set schedule for future PHP bumps; usage and the 5% threshold will guide decisions going forward.
Read from the Official Make WordPress Blog here.
This move keeps WordPress modern and sustainable, but it also means plugin developers and site owners need to stay current.
Plugin Sales Took a Hit in 2025, Here’s What the Data Shows
Plugin sales were tough in 2025. Katie Keith at Barn2 saw new plugin sales drop 17.8%, with revenue up only 0.65% thanks to renewals. A poll of plugin companies revealed that 80% experienced flat or declining sales compared to 2024. A follow-up survey dug deeper, and the patterns were striking.
Replaceability mattered most. Plugins that are hard to replace saw two-thirds reporting growth, regardless of how “essential” they were. Partially replaceable plugins struggled, with many down 15–29% or worse. Easy-to-replace plugins were hit hardest; competition, AI-generated alternatives, and theme features are pulling customers away.
Organic search took a beating. Companies relying heavily on SEO saw the biggest declines. AI tools are changing how people discover plugins, and fewer clicks are converting into sales. Freemium and marketplace listings showed mixed results, but partnerships and affiliates held steadier; being embedded in someone else’s workflow provided a buffer.
What founders can do in 2026:
Make your plugin irreplaceable: own a clear outcome and solve a problem no one else does quite as well.
Reduce dependence on SEO by diversifying into YouTube, partnerships, email, and direct outreach.
Be explicit about why paying is worth it. Support alone isn’t enough; emphasize reliability, updates, and peace of mind.
Market consistently, not occasionally. Growth stories came from deliberate visibility, not passive discovery.
Read the full report on WP Product Talk here.
The WordPress plugin market is shifting fast, and adapting now will separate the winners from the rest.
The Plugins Team Doubled Its Workload And Leveled Up With AI
The WordPress Plugins Team reviewed 12,713 plugins in 2025, a 40.6% increase over 2024. Weekly submissions surged from 150 to over 330, and the team kept the queue under one week despite the volume. How? By heavily upgrading their tools with AI-assisted checks and automation.
The Internal Scanner now tackles repetitive tasks like verifying plugin names, checking branding compliance, and confirming ownership, adding over 80 new features and 100 improvements in 2025. The Plugin Check Plugin (PCP) evolved into a security-focused tool, with five major releases adding nonce verification, forbidden function checks, localhost detection, and enhanced PHP 8.1+ compatibility. In October, PCP started running automatic security scans on every plugin update. Reports are internal for now, but authors will soon receive feedback to improve their plugins proactively.
Despite the progress, challenges remain. Nearly 39% of reviewed plugins received no reply from authors, a drop from 2024 but still a drain on volunteer time. Approvals rose to 69.5% (up from 63.4% in 2024), and the average number of issues per plugin declined, showing submissions are better prepared. AI is lowering barriers to entry without compromising quality: the approval bar hasn’t dropped, but more people are building plugins than ever before.
Key takeaway: The team is scaling through smarter tools, not just more people. Plugin authors should use PCP in their workflows to catch issues early.
What’s ahead: Scaling the team and processes in 2026 to handle record-breaking submissions while maintaining standards.
The Plugins Team is proving that AI can amplify human effort without sacrificing quality.
Read from the Official Make WordPress Blog here.
The Test Team Is Rebuilding With Training and Clearer Expectations
The WordPress Test Team is restructuring in 2026 to address resource bottlenecks and clarify what it means to be a team member. Historically, joining was either easy (as a yearly representative, often without real contribution) or extremely hard (through exceptional effort like triaging hundreds of tickets). Moving forward, earning “emeritus” status will require sustained, consistent contribution over time, not short-term or symbolic involvement.
The new approach lowers the barrier to join “the hard way” while phasing out representatives as the sole entry path. Representatives were meant to support the team for a year, but the role often attracted badge-seekers rather than committed contributors. The new system emphasizes duty over accomplishment, and non-emeritus members who don’t meet consistent expectations will be removed.
To support this shift, the Test Team is launching a four-week Training Program starting in January 2026. It covers handbook development, collaboration, testing fundamentals, and meeting management. Participants need to invest at least 20 hours (two-hour live sessions plus three hours of weekly practice). Graduating doesn’t guarantee a team spot, but it provides clear guidance on how to get there. The program is capped at five participants, selected by technical skill level if demand exceeds capacity.
Key takeaway: The Test Team is prioritizing active, long-term contributors over short-term participation.
Sign up: Live sessions start January 8 or 15, held around 3–4 PM GMT on Tuesdays and Thursdays.
This restructuring aims to build a more sustainable, engaged team that can handle WordPress testing at scale.
Read from the Official Make WordPress Blog here.
A Deep Dive Into WordPress Security: From Foundations to Hardening
Tài Hoàng published a comprehensive handbook on WordPress security, covering everything from the platform’s layered security model to actionable hardening techniques. The guide emphasizes that WordPress itself isn’t insecure: 96% of vulnerabilities in 2025 were found in plugins and themes, not core. The real problem is mismanagement: outdated plugins, weak server configs, poor passwords, and neglected maintenance.
The security model visualizes WordPress as four layers: server/infrastructure (foundation), WordPress core (application), plugins/themes (extension), and edge/network (CDN/WAF like Cloudflare). Each layer reinforces the others, but a failure in one—like a vulnerable plugin—weakens the whole system.
Best practices include choosing a reliable VPS host, reducing your attack surface by keeping your plugin stack lean, controlling access with proper file permissions and 2FA, disabling unnecessary features (XML-RPC, file editor, WP-Cron), and building a long-term security culture with regular audits and documentation. The handbook also covers practical steps like hiding PHP and Nginx versions, blocking direct IP access that would bypass Cloudflare, securing wp-config.php, changing the default login URL, limiting login attempts, and using Nginx rules to block malicious requests.
Key tools mentioned:
Admin and Site Enhancements (ASE) plugin for login URL changes and login attempt limits
Two-Factor plugin for 2FA
UpdraftPlus for backups following the 3-2-1 rule (three copies, two media types, one offsite)
Key takeaway: Security isn’t a plugin you install; it’s a discipline. Harden every layer, from server to edge, and maintain it consistently.
This guide is a must-read for anyone serious about keeping their WordPress sites secure in 2026 and beyond.
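As an added example (not from the handbook or this newsletter), here is a small Python check for a few of the hardening steps listed above: the file editor and WP-Cron constants in wp-config.php, plus Nginx version hiding and an XML-RPC block. The sample config text is constructed and the function names are hypothetical.

```python
import re

# Constructed sample inputs for illustration; not taken from any real site.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'example' );
define( 'DISALLOW_FILE_EDIT', true );
// define( 'DISABLE_WP_CRON', true );
"""
SAMPLE_NGINX = """
server {
    server_tokens off;
    location = /xmlrpc.php { deny all; }
    location ~ \\.php$ { fastcgi_pass unix:/run/php/php-fpm.sock; }
}
"""

def php_constant_true(text, name):
    """True if define('<name>', true) appears outside comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)    # block comments
    text = re.sub(r"(?m)^\s*(//|#).*$", "", text)        # whole-line comments
    pat = r"define\(\s*['\"]" + re.escape(name) + r"['\"]\s*,\s*(true|1)\s*\)"
    return re.search(pat, text, flags=re.I) is not None

def nginx_checks(text):
    """Check version hiding and an explicit deny/4xx for xmlrpc.php."""
    conf = re.sub(r"(?m)#.*$", "", text)                 # drop comments
    tokens_off = re.search(r"\bserver_tokens\s+off\s*;", conf) is not None
    block = re.search(
        r"location\s+[=~^*\s]*\S*xmlrpc\\?\.php\S*\s*\{([^}]*)\}", conf)
    blocked = bool(block and re.search(
        r"deny\s+all\s*;|return\s+4\d\d\s*;", block.group(1)))
    return {"server_tokens_off": tokens_off, "xmlrpc_blocked": blocked}

def audit(wp_config, nginx_conf):
    """Return {check_name: passed} for the settings covered here."""
    results = {
        "file_editor_disabled": php_constant_true(wp_config, "DISALLOW_FILE_EDIT"),
        "wp_cron_disabled": php_constant_true(wp_config, "DISABLE_WP_CRON"),
    }
    results.update(nginx_checks(nginx_conf))
    return results

def failures(results):
    return sorted(name for name, ok in results.items() if not ok)

if __name__ == "__main__":
    for name in failures(audit(SAMPLE_WP_CONFIG, SAMPLE_NGINX)):
        print("missing:", name)
```

Setting DISABLE_WP_CRON only stops WordPress from triggering scheduled tasks on page loads, so a system cron job has to call wp-cron.php instead.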
WordPress Must Read
→ From installation to integration: Making plugins “agent-ready” (joost.blog)
→ When a WordPress Site Needs a Rehab Instead of a Full Redesign (speckyboy.com)
→ Automattic AI, 2025 (j.cv)
On other WordPress News
→ WordPress 7.0 Call for Volunteers (make.wordpress.org)
→ Plugin teams’ reviews are not AI generated (reddit.com)
→ Introducing new Themes Team representatives for 2026 (make.wordpress.org)
→ WordPress Vulnerability Report — December 31, 2025 (solidwp.com)
→ WP Engine Acquires Big Bite (wp-content.co)
→ Seahawk Media Partners with Patchstack to Strengthen WordPress Security (patchstack.com)
From WordPress Community
→ Support Inclusion in Tech (SiNC) Opens Applications for 2026 WordPress Contributor Funding Program (wp-content.co)
→ Matt 4.2 (ma.tt)
→ My 2025 recap (by the Numbers) (pootlepress.com)
→ On Being Vegetarian (sunitarai.com.np)
→ 2025 year in review & transparency report (barn2.com)
→ 2025: My Year in Review (elliotsowersby.com)
→ Wombat Plugins 2025 Year in Review (studiowombat.com)
Conclusion
That's a wrap for this edition of WPMore. Whether you're upgrading PHP, rethinking your plugin strategy, or tightening security, there's no shortage of work ahead, but the tools and knowledge are there to help you succeed.
Have thoughts on any of these stories? Hit reply and let me know. And if you found this useful, share it with a fellow WordPress user who could benefit. See you next time!
Nishat, WPMore

