April 2026 was one of the busiest months in recent WordPress history. A landmark community event in Mumbai, a delayed major release, a significant supply chain attack, and a wave of critical plugin vulnerabilities kept developers, agencies, and site owners on high alert throughout the month.
Through it all, WordPress continued to move forward. AI integration deepened, block editor tooling expanded, and the community showed up in force at WordCamp Asia. The foundation for what comes next is being laid, and May 2026 is set to deliver on it.
Mergers, Acquisitions, and Investments
In April 2026, no major mergers, acquisitions, or investment announcements were recorded in the WordPress ecosystem. The month remained quiet on the deal-making front, with industry attention centered on the WordPress 7.0 release and WordCamp Asia in Mumbai.
WordPress Core Updates
April 2026 marked a historic milestone with the release of WordPress 7.0. The launch took place live at WordCamp Asia in Mumbai on April 9, making it the first major WordPress release tied directly to a community event.
- WordPress 7.0: Released on April 9 during Contributor Day at WordCamp Asia in Mumbai. The release introduced a Connectors UI dashboard under Settings → Connectors, enabling users to centrally manage external AI connections. It also enforced the iframed editor for classic themes, added viewport-based block visibility controls, and introduced per-block instance custom CSS support via the Advanced → Additional CSS sidebar control.
- WordPress 7.0.1: Released shortly after as a follow-up maintenance update to address early reported issues and improve overall stability following the major version launch.
Other WordPress News
April was one of the most active months of 2026, driven by a major community event, a significant security incident, and key platform updates.
- WordCamp Asia 2026: The event ran April 9–11 at the Jio World Convention Center in Mumbai with 2,627 attendees from over 50 countries. Contributor Day saw 1,500+ participants across 20+ contribution tables. WordCamp Asia 2027 will be held in Penang, Malaysia.
- WordPress 7.0 Release Delayed: Originally planned to launch live at WordCamp Asia on April 9, the release has been moved to May 20, 2026. The Core team cited architectural improvements needed for the real-time collaboration feature as the reason for the delay.
- Essential Plugin Supply Chain Attack: On April 7, WordPress.org permanently closed 31 plugins after a backdoor was discovered across the Essential Plugin portfolio. An attacker bought the portfolio on Flippa in 2025, planted dormant malicious code, and activated it on April 5. The malware served hidden spam only to Googlebot, making it invisible to site owners.
- Smart Slider 3 Pro Compromised: In the same week, Smart Slider 3 Pro, with over 800,000 active installations, was separately compromised through its own update infrastructure. A weaponized version was pushed through the official update channel.
- No Twenty Twenty-Six Theme: A dedicated default theme for 2026 will not be released. Efforts remain focused on the Twenty Twenty-Five theme and block editor improvements.
- Block Visibility Expanded: The Block Visibility feature now includes viewport-based controls for mobile, tablet, and desktop via CSS. Developers can control how blocks display across different screen sizes without removing them from the DOM.
- WordCamp India Announced: WordPress Executive Director Mary Hubbard formally announced a dedicated WordCamp India during the WordCamp Asia closing keynote. It marks a significant milestone for the South Asian WordPress community.
Security Alerts and Plugin Vulnerabilities
April was a rough month for WordPress security. Two supply chain attacks occurred in the same week, and critical patches were released for some of the most widely used plugins in the ecosystem.
- Essential Plugin Supply Chain Attack: 31 plugins were permanently closed on April 7 after a hidden backdoor was found across the entire portfolio. The attacker activated it on April 5, injecting spam code into wp-config.php, which was visible only to Googlebot. Updating the plugin alone did not fix it; sites needed manual server cleanup.
- Smart Slider 3 Pro: A separate attack pushed a weaponized update through the plugin’s own official update channel, hitting over 800,000 active installations in the same week as the Essential Plugin incident.
- Elementor Website Builder: A cross-site scripting vulnerability was patched in version 3.35.6. Given Elementor’s install base, sites running older versions were at high risk.
- Advanced Custom Fields (ACF): A broken access control issue was fixed in version 6.7.1. The plugin is one of the most widely used developer tools in WordPress.
- W3 Total Cache: A high-risk sensitive data exposure flaw was resolved in version 2.9.4, affecting millions of sites on shared and managed hosting.
- ManageWP Worker: A cross-site scripting issue was patched in version 4.9.32, which poses a notable risk given that the plugin is used by agencies managing large numbers of client sites.
- Ultimate Member: A privilege escalation vulnerability was disclosed, affecting over 200,000 active installations and allowing attackers to gain elevated access to affected sites.
Industry Trends and Insights
April made it clear that WordPress faces two pressing realities at once. Security governance in the plugin ecosystem has a structural problem, and AI is moving from optional to foundational across the platform.
- Plugin Governance Under Pressure: The Essential Plugin attack exposed a longstanding gap. WordPress.org has no process for reviewing ownership transfers or requiring code signing for updates. A buyer with enough money can inherit user trust overnight.
- Vulnerability Numbers Keep Rising: Plugin vulnerabilities hit record levels in 2026. Over half of the notified developers did not patch before public disclosure, putting millions of sites at risk even after issues were reported.
- WordPress Still Dominates: WordPress powers 43.4% of all websites globally and holds 60.8% of the CMS market as of April 2026. The nearest competitor, Shopify, sits at just 5.1%.
- WooCommerce and Elementor Remain Deeply Embedded: WooCommerce runs on 20% of all WordPress sites, and Elementor on 31.1%. Commerce and visual building remain the two biggest use cases driving adoption.
- Headless WordPress Growing: More teams are using WordPress as a backend content layer with React or Next.js on the frontend. Enterprise and agency projects are leading this shift.
- AI Moving from Experimental to Standard: The Abilities API from WordPress 6.9 and the Connectors UI in 7.0 are building the infrastructure for AI agents to work directly with WordPress sites. WordCamp Asia sessions confirmed that this is now a core part of the platform’s evolution.
Theme of the Month: Templately
Templately is an AI-powered template cloud for WordPress that works with both Elementor and Gutenberg. It gives users access to 6,500+ ready-made templates across a wide range of niches, with one-click full site import and a built-in AI content generator.
Teams can save designs to the cloud and collaborate through shared workspaces, making it a practical tool for agencies managing multiple client builds. With 400,000+ active installations and a freemium model, it fits both solo users and larger teams looking to speed up site delivery.
Plugin of the Month: Weglot
Weglot makes it easy to translate a WordPress site into 110+ languages without any coding. It automatically detects all site content, runs it through DeepL, Google Translate, and its own AI language model, and delivers multilingual SEO out of the box, including hreflang tags, translated URLs, and metadata.
Trusted by 110,000+ websites globally, Weglot is fully compatible with WooCommerce, Elementor, and Yoast SEO. A free plan is available for smaller sites, with paid plans that scale up based on word count and the number of languages needed.
Agency of the Month: Seahawk Media
Seahawk Media is a full-service WordPress agency offering development, design, maintenance, security, and white-label services for businesses and agencies worldwide. Their team handles everything from custom builds and WooCommerce development to hacked site repair and ongoing site care.
For agencies looking to scale without growing their internal team, Seahawk’s white-label program lets partners resell WordPress services under their own brand. Their broad service range and deep WordPress focus make them a dependable partner for high-volume client work.
Host of the Month: HostWP
HostWP is a managed WordPress hosting provider built on LiteSpeed Enterprise servers with NVMe SSD storage, Redis Object Cache, and a global CDN covering 83+ locations. Every plan includes business email, domain registration, and premium plugins at a flat monthly price with no traffic overage charges.
Free site migration is included, and the team is available 24/7 for support. In February 2026, HostWP also rolled out PHP 8.5 support across all plans, keeping sites on the latest stack with no manual configuration required.
Founder of the Month: Mark Zahra
Mark Zahra is the CEO of RebelCode, the team behind WP Mayor, WP RSS Aggregator, and Spotlight Instagram Feeds. He joined WP Mayor in 2014 as a content writer after teaching himself web development, working his way up through support and project management before taking the CEO role.
In 2026, Mark and the team launched a new chapter for WP Mayor, narrowing its focus to what matters most in WordPress and AI, and raising the editorial bar for a community navigating the fast-moving ecosystem.
Looking Ahead to May 2026
The biggest moment in May is the WordPress 7.0 release, officially scheduled for May 20. All eyes will be on how the real-time collaboration feature performs after months of architectural rework to stabilize it before launch.
Security governance will stay in focus following April’s supply chain attacks, with growing pressure on WordPress.org to address how plugin ownership transfers are handled. WordCamp Europe is also approaching, giving the community a major gathering point as the 7.0 era begins.
For more such WordPress-related news, visit WPEdition.