The latest WordPress updates, plugin releases, security patches, and industry news — curated for site owners and developers.
newsCloudflare shipped EmDash on April 1, 2026 as an AI-native WordPress alternative. I spent two weeks testing both. Here is what is actually true, where EmDash wins, and why WordPress is not going anywhere.
newsCVE-2026-4664 lets unauthenticated attackers post reviews on any WooCommerce product through the Customer Reviews plugin. Update to 5.104.0 today.
newsWordPress 6.9.4 shipped on March 11, 2026 to finish the security patches that 6.9.2 and 6.9.3 failed to fully apply. Here is what it fixes, why it matters, and how to update safely.
newsA poisoned Smart Slider 3 Pro update (v3.5.1.35) shipped a full remote access toolkit on April 7, 2026. Here is exactly how to check if your site was compromised and what to do next.
newsIn April 2026 attackers activated a dormant backdoor buried inside 31 Essential Plugin WordPress plugins. Here is the full plugin list, timeline, how the PHP deserialization backdoor worked, and exactly what to do if your site is affected.
newsWordPress 7.0 RC1 releases March 24 at 15:00 UTC with two major last-minute changes: client-side media processing has been pulled entirely, and Real-Time Collaboration ships disabled by default.
newsA high-severity path traversal vulnerability (CVE-2026-3585, CVSS 7.5) in The Events Calendar plugin lets authenticated attackers read any file on your server, including wp-config.php.
newsWordPress’s share of all websites has slipped from a 43.2% peak in 2022 to 42.5% in March 2026. But with 9x the market share of its nearest competitor, the numbers tell a stabilization story, not a collapse.
newsState and local governments with populations over 50,000 must make their websites WCAG 2.1 AA compliant by April 24, 2026 — including all WordPress sites, third-party content, PDFs, and web apps.
newsMultiple EU countries changed VAT rates on January 1, and a new €3 customs duty on low-value parcels from outside the EU takes effect July 1. Here’s what WooCommerce store owners need to update.
newsWith WordPress 7.0 less than three weeks away, here’s the complete rundown of what’s shipping: Real-Time Collaboration, AI Connectors, Command Palette, visual revisions, new blocks, and a refreshed admin.
newsWordPress 6.9.4, released March 11, patches security vulnerabilities that 6.9.2 failed to fully fix — including an XML external entity injection, arbitrary note creation, and stored XSS.
newsHuman Made's WP:26 event and enterprise report frame WordPress as evolving from a publishing platform into a programmable "agentic platform" where AI agents interact with content alongside humans.
newsWordPress plans three major releases in 2026 — 7.0 at WordCamp Asia (April 9), 7.1 at WordCamp US (August 19), and 7.2 at State of the Word (December) — returning to a faster cadence after a slow 2024-2025.
newsIn an amended complaint with newly unredacted evidence, WP Engine alleges that Mullenweg planned to target 10 hosting companies with WordPress trademark royalty demands and pressured Stripe to cancel WP Engine’s payment processing.
newsStarting September 2026, the EU Cyber Resilience Act requires WordPress plugin developers to implement formal vulnerability reporting, documented security processes, and 24-72 hour response times — or face fines up to €15 million.
newsThe WordPress AI Team lays out a four-project roadmap — PHP AI Client SDK, Abilities API, MCP Adapter, and Experiments Plugin — to standardize how AI integrates with WordPress.
newsWordPress.org launches my.WordPress.net — a private, persistent WordPress environment that runs entirely in your browser with zero signup, no hosting, and no domain required. Powered by WordPress Playground.
newsGutenberg 22.7 ships two experimental AI-infrastructure features — Content Guidelines for storing brand voice rules and the Connectors credential manager — plus 14 Real-Time Collaboration bug fixes.
newsWooCommerce 10.6 ships with enhanced product collection blocks, cart and checkout design polish, and meaningful database performance improvements across the board.
newsWordPress 7.0 introduces the Connectors API with official provider plugins for Anthropic Claude, Google Gemini, and OpenAI — standardizing AI integration directly in WordPress core.
newsPatchstack’s annual State of WordPress Security report reveals a 42% spike in vulnerabilities, a 5-hour median time-to-exploit, and traditional defenses blocking just 12% of attacks.
newsA new @wp-playground/mcp package lets AI coding agents like Claude and Cursor interact with WordPress Playground directly — reading files, executing PHP, and building sites through conversation.
newsA critical CSRF vulnerability affecting 52 WooCommerce versions (5.4–10.5.2) could let attackers create admin accounts and access customer data. Auto-patches rolled out March 2.
newsWordPress 7.0 Release Candidate 1 delayed to March 24. Client-side media processing pulled from the release entirely, real-time collaboration switched off by default.
newsWordPress released versions 6.9.2, 6.9.3, and 6.9.4 within 24 hours after the initial security patch caused white-screen crashes and left vulnerabilities incompletely fixed.
newsWordPress.com announced that AI agents like Claude, ChatGPT, and Cursor can now create, edit, and publish content on WordPress.com sites through natural conversation via the Model Context Protocol (MCP).