WPDigest.io

Digest 137: WordPress Is Under Attack, and 7.1 Is Fighting Back


SiteGround force-installed an AI plugin across 1 million sites without consent and walked away with a 1.1-star rating. Hackers are actively exploiting a Gravity SMTP flaw with 17 million attempts blocked so far, while a critical Avada Builder vulnerability (CVSS 9.1) puts another million sites at risk of full takeover. React 19 got pulled from Gutenberg days after shipping due to third-party plugin crashes, WordPress 7.0.1 is scheduled for July 9, and the 7.1 roadmap is out with a new wp_knowledge post type, AI streaming, responsive styling, and a target date of August 19. On the tools side, Automattic shipped Desktop Mode to turn WP admin into a full windowed workspace, GTmetrix launched an MCP server for AI-powered performance testing, and Pressship brings WordPress.org plugin publishing straight to your terminal.


Kinsta – The AI & Bot Traffic Reality Check
Smart WordPress pros are already blocking this. Are you still letting it in?

AI bot traffic grew 300% in a single year. By late 2025, one in every 31 web requests came from an AI crawler. Scrapers, broken automation loops, and aggressive crawlers are quietly draining your server resources, skewing your analytics, and slowing your site.

Kinsta analysed more than 10 billion requests to expose exactly what’s happening and what site owners who act now can do about it.

Get Up to Speed Now



Peak Performance WordPress Hosting, No Compromises

Leave single-server hosting in 2015. Choose autoscaling Managed WordPress Hosting built for traffic surges, complex sites & demanding PHP workloads, all without missing a beat.

20i Managed WordPress Hosting


Brought to you with support from these partners

🏷️ SureContact Early Bird Deal Closing Soon

Still paying monthly for your marketing CRM? Lock this in for life instead. SureContact is offering a rare Early Bird Lifetime Deal for businesses that want a powerful CRM built for serious marketing, automation, and conversions, without recurring fees.

This is a premium, performance-focused platform, and the window is closing fast. Only 144 of the 500 exclusive lifetime spots remain. When they’re gone, this offer is gone for good. If you’ve been waiting for the right moment to upgrade your marketing stack, this is it.

What You Get with SureContact Lifetime

• Manage up to 100,000 contacts
• Send unlimited emails
• Use your own sending infrastructure like Amazon SES to keep ongoing costs near zero

💡 WordPress Spotlight


WordPress 7.1 Is Getting a Brain - Literally: The upcoming 7.1 release proposes a new wp_knowledge post type that gives sites a built-in place to store editorial guidelines, AI memories, and notes, all accessible via REST. It’s the foundation for the new Guidelines feature, letting both humans and AI tools pull from the same source of truth. Beta 1 drops July 15. (Source)


Gutenberg’s 7.1 Wishlist Is Ambitious: The 7.1 roadmap reads like a feature explosion: AI streaming, a revamped command palette, responsive styling, pseudo-state controls, a new Identity screen, and a full Omnibar replacing the admin bar. Real-time collaboration is still the big open question, with storage and scope TBD. August 19 is the target. (Source)


June Dev Roundup: AVIF, New Crop UI, and a Deprecation: The June developer update covers the new media editor modal now default in Gutenberg 23.3, client-side AVIF/WebP/HEIC processing open for testing in Chromium, and wp-now officially deprecated in favor of Playground CLI. Lots of quiet infrastructure shifts that will matter by 7.1. (Source)


17 Million Exploit Attempts - Gravity SMTP Is Under Active Attack: A flaw in the Gravity SMTP plugin (CVE-2026-4020) exposes a REST endpoint that hands over API keys for Amazon SES, Mailjet, Resend, and more, with no auth required. Wordfence has blocked over 17M attempts since May. Update to 2.1.5 now and rotate any email credentials, since patching does not revoke keys that were already exposed. (Source)


1 Million Avada Sites Could Be Wiped Clean by Unauthenticated Attackers: CVE-2026-8713 (CVSS 9.1) in Avada Builder lets attackers delete arbitrary files, including wp-config.php, without logging in, pushing sites into setup mode and opening the door to full takeover. Patched in version 3.15.4, released June 2. If you haven’t updated, stop reading and do it now. (Source)


WordPress 7.0.1 Drops July 9 - Here’s the Schedule: The first maintenance release post-7.0 is coming July 9 with RC1 on July 1. Bug scrubs are running through late June in #core Slack. If you’ve hit regressions since upgrading to 7.0, now’s the time to report them. (Source)


WP VIP’s Platform Release Schedule Is Live: Enterprise teams can now plan their upgrade windows against WP VIP’s published release schedule, with 7.0 freshly out and 7.1 beta starting July 15. Bookmark it if you’re coordinating plugin compatibility or infrastructure changes at scale. (Source)


React 19 Is Out of Gutenberg - For Now: Just days after shipping React 19 in Gutenberg 23.3.0, the team pulled it back in 23.3.2 after third-party plugins started crashing. The culprit: plugins bundling their own JSX helpers that React 19 flat-out rejects. A compat layer is in the works; the upgrade is still targeting 7.1. If you ship compiled JSX, audit your bundler setup today. (Source)


WP VIP’s Future of the Web Report Is Out: WP VIP’s 2026 report examines how enterprise publishers are navigating AI content, audience trust erosion, and CMS strategy at scale. If you advise enterprise clients or think about where the platform is heading for big publishers, it’s worth the read. (Source)


SiteGround Force-Installed an AI Plugin on a Million Sites and Got 1.1 Stars for It: SiteGround silently activated its new AI Agent plugin across 1M+ customer sites without opt-in consent. The plugin landed a 1.1-star rating, with 59 of 64 reviews at a single star. The plugin itself works fine, but the trust damage from a forced install without permission is a much harder fix. (Source)

🏷️ Exclusive LIFETIME Deals Digest

Stop paying monthly for your favorite tools. We’ve curated an elite collection of Lifetime Deals that allow you to invest once and profit forever. Grab these high-end, premium WordPress solutions at a massive discount today and enjoy professional-grade performance without the recurring fees.

✨ Fresh Features Rollout


WordPress Admin Just Became a Desktop OS: Automattic’s new Desktop Mode plugin turns your WP admin into a full windowed workspace: resizable panels, a dock, virtual desktops (Spaces), and a Cmd+K command palette. There’s even an optional AI copilot and team review via a shared folder. Free, open source, and already running on hundreds of sites. (Source)

Edit Images Without Leaving the Editor: WordPress.com’s June 19 update adds in-editor image cropping, resizing, and adjustments alongside multitasking so uploads and background tasks finish while you keep writing. Small UX wins, but they add up fast in day-to-day editorial work. (Source)

Gutenberg’s Latest Release Is Stacked: The newest Gutenberg build ships pseudo-state styling per block (hover, focus, active; no site-wide bleed), responsive global styles, the first Guidelines experiment integration in the admin, and more customizable dashboard widgets. Busy release. (Source)

WordPress.com Gets Smarter Menu Management: The June 10 changelog brings new tools for managing restaurant and service menus, part of a push to make WordPress.com genuinely useful for local businesses without requiring extra plugins or a developer. (Source)

SureRank Premium 1.8.0 Is Out: SureRank’s latest premium update (1.8.0) drops new functionality across the board. If you’re evaluating lean SEO plugin alternatives to the usual suspects, this release is worth checking out. (Source)

🆕 Fresh Releases

Pressship - Publish to WordPress.org from Your Terminal: Pressship is Automattic’s new CLI tool for the full WordPress.org plugin publish workflow: readme validation, Plugin Check, SVN packaging, and a preview workspace, all in one command. Also ships as an AI agent skill for automated, reviewable releases. A must-try for anyone shipping plugins regularly. (Source)

CortexWP - AI-Native WordPress Management: CortexWP positions itself as an AI-first layer for managing WordPress content ops, admin tasks, and workflow automation through a conversational interface. Early but worth watching as the AI-in-WordPress space heats up. (Source)


GTmetrix Now Has an MCP Server: GTmetrix’s new MCP integration lets AI tools like Claude and Cursor run performance tests, pull reports, analyze Core Web Vitals, and apply fixes all in a closed loop without leaving your dev environment. Performance testing just got a lot less manual. (Source)

RankBix SEO - New Plugin, Worth Watching: RankBix SEO is a freshly listed WordPress.org plugin targeting on-page optimization. Early days, but the SEO plugin market always has room for a sharp new entrant. (Source)

Auto Release Posts for GitHub - No More Copy-Pasting Changelogs: This new plugin pulls your GitHub release data and auto-publishes it as WordPress posts, keeping your site’s changelog in sync without any manual work. Simple idea, real time savings for dev-heavy teams. (Source)

Content Lifecycle Manager by WP Vibes - Fight Content Decay Automatically: WP Vibes’ new plugin tracks expiry dates, flags posts for review, and monitors content freshness across your entire library. If you manage a large site where outdated posts quietly hurt rankings, this one’s built for you. (Source)


🗓️ Mark Your Calendar 

If you’re looking for opportunities to network and learn, check out these upcoming WordPress events and meetups:

Flagship WordCamps

August 16 – 19, 2026: WordCamp US 2026, Phoenix, Arizona.

April 09 – 11, 2027: WordCamp Asia 2027, Penang, Malaysia.

Offline Events for WordPress

September 23, 2026: LoopConf 2026, event for WP developers & engineers.

October 16, 2026: WP Suomi 2026, for Nordic WP enthusiasts, Oulu, Finland.

Upcoming WordCamps

July 03, 2026: WordCamp Mannheim 2026, Mannheim, Germany.

July 04, 2026: WordCamp Masaka 2026, Masaka, Uganda.

September 11, 2026: WordCamp Switzerland 2026, Fribourg, Switzerland.

September 18, 2026: WordCamp Bretagne 2026, Rennes, Brittany, France.

October 03, 2026: WordCamp Rajasthan 2026, Jaipur, Rajasthan, India.

November 05, 2026: WordCamp Canada 2026, Vancouver, Canada.

November 12, 2026: WordCamp Netherlands 2026, Netherlands.

November 13, 2026: WordCamp Pisa 2026, Pisa, Italy. 

Wrap-Up

That’s a wrap for this week’s WPDigest! Stay tuned for more exciting WordPress updates next week.

Want to feature your WordPress product, service, or update news? Submit it for free using our form, helping spread the goodness of WordPress!
