WordPress in 2026: Big Plans, Big Tensions, Big Risks | WP More - Issue 35
AI features, meetup priorities, security gaps, and ongoing drama—here's what's shaping WordPress this week.
Hello WordPress enthusiasts!
Welcome to this week’s WPMore roundup — WPMore newsletter issue 35, where you get curated news about WordPress and the WordPress community all in one place.
WordPress is stepping into 2026 with ambitious plans and unresolved tensions. This week brought clarity on where the project is headed: real-time collaboration, AI integration, and revitalized meetups, but also reminders of the challenges it still faces. From security gaps that should worry every site owner to community friction that won’t seem to fade, here’s what you need to know.
In this Issue:
WordPress 7.0 Aims for Google Docs-Style Collaboration
AI Experiments Plugin Adds Excerpt Generation and Developer Tools
Official WordPress.org X Account Mocks FAIR Project, Draws Backlash
Most Hosts Can’t Block WordPress Vulnerabilities—74% of Attacks Succeed
WP Engine Customers Refile Class Action After Court Dismissal
WordPress 7.0 Aims for Google Docs-Style Collaboration
WordPress Executive Director Mary Hubbard outlined the project’s 2026 roadmap, and WordPress 7.0 is the centerpiece. Set to coincide with WordCamp Asia, the release will focus on Phase 3: Collaboration, bringing real-time co-editing directly into the block editor; think Google Docs, but for WordPress.
Beyond collaboration, 7.0 will introduce a Command Palette powered by the Abilities API, client-side media processing to reduce server load and speed up uploads, and responsive editing controls that let you customize mobile menus and hide blocks by viewport. New blocks like Tabs and Icon round out the creative toolkit.
The update also continues WordPress’s intentional push into AI. Hubbard emphasized AI will remain opt-in and plugin-based, with no automatic features injected into sites. The Core AI team is developing project-wide guidelines focused on transparency, user control, and data responsibility: guardrails designed to keep AI helpful without overstepping.
Key takeaway: WordPress 7.0 aims to make the editor more collaborative, faster, and smarter, without forcing AI on anyone.
For site owners: Expect smoother uploads and better mobile customization tools once 7.0 drops.
Hubbard also stressed the importance of revitalizing meetups as the “primary front door” to the WordPress community, encouraging hands-on learning and clearer onboarding for new contributors, especially students arriving through programs like Campus Connect and WordPress Credits.
Read the full blog on Make WordPress here.
AI Experiments Plugin Adds Excerpt Generation and Developer Tools
The AI Experiments plugin hit version 0.2.0, bringing AI-powered excerpt generation to WordPress editors. Instead of leaving excerpts blank or writing them last, authors can now generate a first draft directly from post content, then review and edit as needed.
The release also introduces the Abilities Explorer, a new admin screen that surfaces all registered AI capabilities within the plugin. It’s designed to help developers understand what AI-powered actions are available and how they’re exposed in the system, a foundation for making the Abilities framework more extensible as new features roll out.
Looking ahead, version 0.3.0 is already in progress with content summarization, featured image generation, alt text generation, and a refactored Abilities Explorer built on TypeScript and DataViews. These experiments are meant to inform future core AI discussions, not replace editorial judgment.
Key takeaway: AI in WordPress is evolving carefully, with tools that assist rather than automate away editorial control.
For editors: Excerpt generation could save time on archives and feeds, but you’re still in charge of what gets published.
The plugin remains experimental, but the direction is clear: practical, optional, and transparent AI features that fit into existing workflows.
Read the full blog on Make WordPress here.
Official WordPress.org X Account Mocks FAIR Project, Draws Backlash
The official WordPress.org X account sparked backlash last week after posting a mocking reply about the FAIR project, a federated, independent repository initiative launched by developers who were previously banned from WordPress.org.
The controversy started when Nicholas Garofalo, Director of Marketing for WordPress.org at Automattic, mentioned his personal site got stuck in maintenance mode after updating a FAIR Connect plugin. The WordPress.org account replied: “Looks like the Federated and Independent Repository project is going great… Maybe they need some REST.” The “REST” reference was widely interpreted as a jab at Ryan McCue, creator of the WordPress REST API and a FAIR co-chair who was among those banned in 2024.
Community reaction was swift. Several developers and leaders criticized the post as unprofessional and out of step with WordPress leadership’s stated goal of rebuilding trust after last year’s moderation controversies. Some critical replies were later hidden by the account, raising further concerns about how dissent is handled on official channels.
Key takeaway: The post felt like a return to last year’s drama, at a time when the community wants to move forward.
For the community: It’s unclear who authored the post, but it highlighted ongoing tensions around governance, moderation, and tone.
WordPress Executive Director Mary Hubbard outlined moderation reforms in May, but this episode suggests the reset is still a work in progress.
Read the full report on The Repository here.
Most Hosts Can’t Block WordPress Vulnerabilities—74% of Attacks Succeed
A new security study from Patchstack tested 30 known WordPress vulnerabilities across multiple hosting companies, and the results are alarming. Even after expanding the experiment to include more hosts and more generic attack types, 74% of exploit attempts still succeeded.
The study found that hosts performed better against non-WordPress-specific vulnerabilities like SQL injection or directory traversal, but struggled badly with WordPress-specific attacks like privilege escalation (blocked only 12% of the time). Once an attacker gains admin privileges, they can access customer data, edit content, or upload malicious files, often bypassing other protections entirely.
Even hosts advertising commercial web application firewalls showed inconsistent results. The best performers were hosts with in-house firewall solutions, suggesting that investing in custom security infrastructure matters more than relying on third-party tools. Notably, the study also retested 10 vulnerabilities from an earlier experiment and many hosts still hadn’t addressed them months later.
Key takeaway: “Secure hosting” marketing doesn’t guarantee protection against WordPress vulnerabilities.
For site owners: Don’t assume your host has you covered. Layer your security with a dedicated plugin like Patchstack, Wordfence, or Sucuri.
For hosts: If you’re serious about WordPress security, generic WAFs won’t cut it.
The study confirms what many security researchers already knew: WordPress vulnerability mitigation remains largely unsolved, and vibe-coding practices are only making it worse.
Read the full report on Patchstack here.
WP Engine Customers Refile Class Action After Court Dismissal
WP Engine customers Ryan Keller and Sharon Schanzer have filed an amended class action lawsuit against Automattic and CEO Matt Mullenweg, seeking to revive claims a judge dismissed last month for insufficient detail.
The original lawsuit alleged Automattic intentionally interfered with their WP Engine contracts during the late-2024 standoff, when WordPress.org access was cut off and the Advanced Custom Fields plugin was taken over. Judge Araceli Martínez-Olguín ruled they hadn’t shown Automattic knew about their specific contracts or pointed to concrete lost business opportunities.
The amended complaint adds fresh evidence, including the WordPress Engine Tracker website, which publicly listed over 842,000 WP Engine-hosted sites alongside promotional links to competing hosts like Automattic-owned Pressable. A 6,584-page CSV of those sites is filed with the complaint as proof Automattic could identify specific customers. The filing also details technical impacts, arguing that WordPress.org access is hard-coded into the software and couldn’t simply be rerouted.
Key takeaway: The legal battle over last year’s WP Engine conflict is far from over.
For WP Engine users: This case could have implications for how disputes between platform owners and third-party hosts are handled in the future.
A hearing date hasn’t been set, but the case continues to unfold as a central piece of fallout from 2024’s most contentious WordPress dispute.
Read the full report on The Repository here.
Other reports from The Repository you might like to read:
WordPress.org Launches New Education Hub Highlighting Campus Connect, Credits, and Student Clubs
WordPress 7.0 Planning Continues With Call for Release Squad Volunteers
WordPress Plugins Team Reviewed Record 12,713 Plugins in 2025 as Submissions Doubled
Misunderstandings Over AI Use Fuel Confusion Around WordPress.org Plugin Reviews
WordPress to Drop PHP 7.2 and 7.3 Support With WordPress 7.0
Don’t forget to subscribe and support them; they do some amazing hard-hitting WordPress journalism.
WordPress Must Read
→ PHP can AI: WordPress.com Agentic Infrastructure (piszek.com)
→ Why WordPress Needs to Plug Into the Agentic Web (wpengine.com)
→ I Dug Through 6,162 WordPress Plugins From 2025. Let’s Talk About What’s Missing—And Why 2026 Could Be Different (regionallyfamous.com)
→ Market analysis: WordPress in 2026 (humanmade.com)
→ Matt Mullenweg on WooCommerce’s Existential Threat, AI Hype, and Why Breaking Sites Makes Him Furious (therepository.email)
→ Happy Birthday Drupal! (jonathandesrosiers.com)
On other WordPress News
→ WordPress Community Team Encourages Women-Centric Events for International Women’s Day 2026 (therepository.email)
→ New: Request a video message from Matt for your WordCamp (make.wordpress.org)
→ What’s new in Gutenberg 22.4? (20 January) (make.wordpress.org)
→ WordPress 6.9.1 Release Schedule (make.wordpress.org)
→ Three New UI Updates to WordPress Playground from December 2025 (make.wordpress.org)
→ Nominations for Core Team Reps: 2026 Edition (make.wordpress.org)
→ WordPress Studio 1.7.0: Meet the New Studio CLI (wordpress.com)
→ Product Permalink Changes Coming in WooCommerce 10.5 (developer.woocommerce.com)
→ What’s new for developers? (January 2026) (developer.wordpress.org)
→ Introducing WP-Bench: A WordPress AI Benchmark (make.wordpress.org)
→ WC REST API fixes for product variation attributes with special characters in WooCommerce 10.5 (developer.woocommerce.com)
→ A New Home for WordPress Education Programs (wordpress.org)
From WordPress Community
→ Exploring work in progress for WordPress 7.0 (nomad.blog)
→ Ohia ᚛ᚈᚐᚂᚐᚋᚆ᚜ receives the Yoast Care fund for her contribution to the WordPress community (yoast.com)
→ $3 Millions in Sales Later – 2025 Review (seopress.org)
→ Funding Open Source for Digital Sovereignty (dri.es)
→ Overall adoption: HTTP Archive measurements show that CMS-driven sites account for over 54% of observed websites in 2025, reinforcing CMSs as the default infrastructure for the web. (almanac.httparchive.org)
→ WordPress is moving fast on AI, and plugin builders need to keep up. WP Product Talk sits down with Jason Adams, Core AI Team Lead at Automattic, to unpack how WordPress AI efforts are shaping what’s possible for plugins right now. (youtube.com)
→ Is There a WordPress Replacement in 2026? I Went Looking (jeangalea.com)
→ BuddyPress Is Fading: Why We Must Act Now to Save It (vapvarun.com)
→ The Future of The Web, What does the Open Web look like in an AI future? How will websites change? (j.cv)
→ Closing the door (for now) on Content Creators slack channel (nomad.blog)
→ The silence is deafening: Google’s “agentic” future leaves the WordPress economy behind (joost.blog)
→ Aditya Kane reflects on his 11 years of WordPress contribution journey (bombaypirate.com)
→ Matt Mullenweg on WooCommerce’s Future and Competitive Strengths in Online Commerce (openchannels.fm)
→ Product Thinking in Practice: The Choices Behind Synced Pattern Popups (mattcromwell.com)
→ Checkout Summit: A Conference for WooCommerce Devs ft. Rodolfo Melogli (webmasters.fm)
→ Growing Agency Success with People-Centric Values and Open Source Education (openchannels.fm)
Conclusion
That's the week in WordPress: big plans, real risks, and unresolved tensions. Whether you're excited about 7.0's collaboration features or concerned about security gaps and governance drama, one thing is clear: 2026 is shaping up to be a pivotal year.
Got thoughts? Hit reply, I’d love to hear from you. And if you found this useful, share it with a fellow WordPress user who could use the update.
Nishat, WPMore

