Originally published at https://monstermegs.com/blog/wordpress-major-release/
WordPress 7.0 landed on May 20, 2026, and it marks the most significant WordPress major release the platform has produced since version 5.0 introduced the block editor in 2018. Site owners woke up to a redesigned admin dashboard, a new built-in AI layer, and a block system that no longer requires JavaScript. But the story behind this WordPress major release is more complicated than the headline features suggest. One of the most-anticipated functions was pulled from the build days before launch, and a separate critical plugin vulnerability was being actively exploited in the wild during the same week. Here is what actually happened and what it means for anyone running a WordPress site today.
WordPress Takes Its Biggest Leap in Years
The 7.0 milestone is the first major version shift since WordPress moved through the 6.x series, and the scale of what shipped reflects years of accumulated roadmap work. This WordPress major release was originally targeted for April 9, 2026, but the core team delayed it by six weeks to address architectural stability concerns that emerged during final testing. That delay turned out to be the right call – the additional time was used to harden memory management and backward compatibility across hundreds of plugin APIs.
According to the official WordPress make/core blog, the 7.0 development cycle involved contributions from hundreds of community members across multiple release squads. The result is a release that is meaningfully different from its predecessors at both the developer and end-user level – and one that places new demands on the hosting infrastructure beneath it.
What the WordPress Major Release Actually Delivered
Four headline changes define this WordPress major release: a redesigned admin dashboard, PHP-only blocks, a new Web Client AI API, and a set of core performance improvements targeting server-side rendering speed. Each of these changes has downstream implications for developers, site owners, and the hosting infrastructure running beneath them.
PHP-Only Blocks Change How Developers Build
For years, extending the WordPress block editor meant writing JavaScript and managing React dependencies. This WordPress major release changes that by introducing PHP-only blocks – a way to register and render blocks entirely in server-side PHP, with no front-end framework required. It does not replace React-based blocks, which continue to work as before, but it opens block development to a much wider pool of back-end developers who had previously been locked out by the JavaScript requirement.
The practical effect is significant. Agencies and freelance developers who specialise in PHP now have a direct path into custom block creation without needing a separate front-end skillset. This has the potential to accelerate the pace at which the ecosystem produces high-quality custom blocks, which is ultimately good for site owners who rely on the plugin marketplace for functionality.
The New AI Layer Built Into Core
The Web Client AI API is the other major technical addition in this WordPress major release. It provides a standardised interface for integrating external AI models directly into WordPress admin features, without relying on third-party plugins to bridge the connection. The API is deliberately model-agnostic – it is not tied to any single vendor – which means plugin developers can build on a shared layer rather than each constructing their own bespoke integration from scratch.
This is less a finished product feature than a foundation. The near-term visible changes are modest. Over the coming 7.x point releases, the AI API is expected to surface in smarter content suggestions, automated accessibility checks, and SEO tooling built directly into the editor experience – without requiring a separate paid plugin for each capability.
Real-Time Collaboration Was Pulled From the WordPress Major Release at the Last Minute
The most-discussed development surrounding this WordPress major release was not what shipped – it was what did not. Real-time co-editing, which would have allowed multiple users to work on the same post simultaneously, was removed from the 7.0 build just before the final version was tagged for release. The feature had been one of the most-anticipated additions on the roadmap.
The core team identified race conditions in the implementation, along with concerns about server load and memory efficiency at scale. These are not minor edge cases. They are the kind of issues that surface immediately on shared hosting environments where hundreds or thousands of sites share the same server pool. Shipping with those problems unresolved would have created real-world performance degradation for a wide segment of the user base, particularly on lower-tier hosting plans.
The announcement on make.wordpress.org framed the removal as a deferral rather than a cancellation, citing the need for a more rigorous architecture review before releasing to millions of production sites. This WordPress major release is not the first to ship a headline feature in reduced form – version 6.6 saw the Interactivity API constrained for similar reasons. Real-time collaboration is expected to return in a 7.x point release later in 2026 if testing holds.
A Critical Plugin Vulnerability Hit Just Before Launch
The week of the WordPress major release also brought a separate and serious security event. On May 8, 2026, security firm Wordfence documented active exploitation of a critical authentication bypass vulnerability in the Burst Statistics plugin – a widely-used analytics tool installed across tens of thousands of WordPress sites. The flaw is tracked as CVE-2026-8181 with a CVSS score of 9.8, placing it at near-maximum severity.
The vulnerability allows unauthenticated attackers to impersonate administrator accounts with no credentials required. Wordfence reported blocking more than 7,400 individual attacks against this flaw within a single 24-hour window, according to reporting by Bleeping Computer. A successful exploit can result in full site takeover, content injection, or the silent installation of additional malware – all without any visible warning to the site owner.
Patches were issued by the Burst Statistics developer and distributed through the WordPress plugin repository. However, plugin auto-updates are not enabled by default on most WordPress installations, meaning a significant number of affected sites remained vulnerable in the days following disclosure. Sites that had not yet applied the patch were actively being scanned during the same period that administrators were evaluating the 7.0 upgrade – a collision of demands that left security gaps open longer than they should have been.
Why the Timing of This WordPress Major Release Made Security Harder
The near-simultaneous arrival of a version milestone and an actively exploited plugin vulnerability created a difficult week for site administrators. Those focused on testing compatibility with the new 7.0 codebase – verifying that themes, plugins, and custom code all functioned correctly – had less bandwidth to monitor security advisories. This is not a coincidence. High-profile WordPress major release events historically coincide with increased scanning activity from malicious actors who anticipate that site owners will be distracted by upgrade tasks.
Security researchers consistently recommend maintaining separation between upgrade workflows and security monitoring, particularly in the days surrounding a significant WordPress major release. Splitting these responsibilities across team members, or configuring automated alert systems tied to Wordfence or the WPScan vulnerability database, reduces the risk that a critical advisory goes unnoticed during a busy upgrade cycle. For sites without dedicated admin resources, this is where managed hosting with proactive security monitoring earns its value. Explore our WordPress hosting plans to see how a managed environment handles this kind of operational pressure.
How Hosting Infrastructure Handles Each WordPress Major Release
A version milestone of this scope puts real demands on hosting infrastructure. PHP-only blocks shift more processing to the server side, and the new AI API adds network I/O for any site that makes active use of it in production. For hosting environments running traditional storage under heavy concurrent loads, this translates directly into response time regressions during traffic spikes – the kind that are invisible in staging but visible in production.
NVMe-based infrastructure handles this more cleanly. The sustained random read and write performance of NVMe storage – typically several times faster than SATA under concurrent workloads – absorbs the additional server-side block rendering without visible latency increases. Benchmarks from previous WordPress major release cycles consistently show NVMe environments maintaining stable time-to-first-byte figures where SATA-backed hosts show measurable degradation under load.
Hosts running LiteSpeed with full-page and object caching absorb much of the additional load automatically, because fewer PHP executions reach the database on each request. For high-traffic sites on shared plans, this caching layer is what keeps load times stable after a WordPress major release ships new server-side rendering paths. If your current plan does not include LiteSpeed or NVMe storage, this release is a practical reason to revisit that choice. For background on how PHP version selection affects WordPress performance, see our coverage of WordPress hosting PHP requirements.
What Site Owners Should Do Right Now
The most urgent action following this WordPress major release is not the upgrade itself – it is auditing your plugin list for the Burst Statistics vulnerability and confirming that all installed plugins are running their latest versions. Check whether auto-updates are enabled. If not, subscribe to the WPScan vulnerability database or configure Wordfence email alerts so that critical advisories reach you within hours of publication, not days later when active exploitation is already underway.
On the upgrade side, testing 7.0 compatibility on a staging environment before pushing to production is the right approach – particularly if your site uses custom blocks or relies on JavaScript-heavy page builders. PHP-only blocks introduced in this WordPress major release are new infrastructure, and early releases often carry edge cases that subsequent point updates resolve. Give it two to four weeks, monitor the 7.x release cadence, and review recent security context in our coverage of WordPress supply chain attack patterns shaping 2026 before committing production sites to the new version.
The Bottom Line
The WordPress major release that arrived on May 20 is a genuine step forward. AI integration at the core level, PHP-only blocks that open development to back-end engineers, and a cleaner admin experience are all changes that will compound in value over the coming 7.x release cycle. The dropped real-time collaboration feature is not a failure – it is the core team making the right call under pressure rather than shipping unstable code to millions of production sites.
The Burst Statistics vulnerability is a reminder that plugin hygiene matters at least as much as core upgrades. Both developments point to the same conclusion: running WordPress well requires infrastructure and operational practices that can handle version milestones and active exploit campaigns at the same time – not one at the expense of the other.
If your hosting environment is not set up to absorb what each WordPress major release demands at the server level, MonsterMegs' WordPress hosting is built on LiteSpeed and NVMe to keep performance stable through every update cycle.
Top comments (0)