February 2026 was defined by rapid AI integration, a milestone beta release in the WordPress 7.0 cycle, and a critical plugin vulnerability that put over 900,000 sites at risk.
The month also welcomed the WordPress community at WordCamp Pune, introduced AI-native editing on WordPress.com, and closed with a sobering security whitepaper from Patchstack that reframed how the ecosystem must approach plugin safety.
Developers saw meaningful progress on block enhancements, UI primitives, and Playground tooling, signaling a productive lead-up to WordPress 7.0’s scheduled April release.
Mergers, Acquisitions, and Investments
In February 2026, there were no major mergers, acquisitions, or investment announcements in the WordPress ecosystem. The month was largely quiet on the deal-making front, with industry attention focused instead on the accelerating pace of AI integration and the lead-up to the WordPress 7.0 release.
On the product side, WP Engine launched Newsroom on February 3, a platform purpose-built for editorial teams that need structured content workflows at scale.
The launch reinforces WP Engine’s strategy to expand beyond managed hosting into full digital experience solutions, following its earlier acquisition of BigBite.
WordPress Core Updates: Refinement and Evolution in February 2026
February 2026 kept the Core team busy on two fronts: closing out the 6.x maintenance cycle with a stability release and advancing the 7.0 beta cycle with meaningful new features.
WordPress 6.9.1 Maintenance Release
February opened with the release of WordPress 6.9.1 on February 3, 2026. The maintenance update addressed 49 bug fixes across Core and the Block Editor, delivering stability improvements expected by the community ahead of the 7.0 cycle.
WordPress 7.0 Beta 2
WordPress 7.0 Beta 2 was released on February 26, 2026, containing more than 70 updates and fixes across the Editor and Core since the Beta 1 release. The scheduled final release date for WordPress 7.0 remains April 9, 2026.
A notable addition in Beta 2 is a new Connectors UI dashboard page that makes AI provider management more intuitive. WordPress users can now manage external AI connections in a central place in wp-admin, under Settings → Connectors, enabling them to add, delete, and update external connections through an extensible, route-based architecture.
Block authors should also be aware that WordPress 7.0 enforces the iframed editor for classic themes when all blocks use Block API version 3. Gutenberg 22.6, released on February 25, will also be enforced in WordPress 7.0.
Developer Highlights
The developer roundup for February 2026 covered several key features landing in WordPress 7.0: an always-iframed post editor regardless of Block API version, viewport-based block visibility controls, and per-block instance custom CSS support via the Advanced → Additional CSS sidebar control.
The WordPress UI package also received significant updates, including new dropdown and tooltip components, standardized button elements, and form-field building blocks, all aimed at helping developers build more consistent and accessible interfaces.
Other WordPress News
Beyond core development, February delivered a standout product launch, a thriving community event in India, and a policy update that opens new doors for theme authors.
WordPress AI Assistant Launches on WordPress.com
On February 17, 2026, WordPress.com introduced the WordPress AI Assistant, available at no extra cost to sites on Business or Commerce plans. Unlike standalone AI tools, it works inside the editor and Media Library, understanding content and layout to take action directly where users are already building.
The assistant supports site-wide design and layout changes, content editing and refinement, and AI-powered image generation and editing in the Media Library using the latest Nano Banana models.
WordCamp Pune 2026
WordCamp Pune 2026 took place on February 8, 2026, at MCCIA Trade Tower, SB Road, Pune, drawing over 300 attendees. The event followed its signature “Only Workshops” conference format, featuring six two-hour hands-on workshops led by multiple facilitators throughout the day.
AI-Generated Images Now Allowed in Theme Directory
The WordPress Themes Team confirmed during its January 27 meeting that AI-generated images may be bundled with themes in the directory, provided they are explicitly disclosed and licensed in a GPL-compatible way. This signals a maturation in how the community is approaching AI-assisted development.
Security Alerts and Plugin Vulnerabilities
Stay informed about potential risks so you can quickly address vulnerabilities and keep your WordPress site protected from emerging threats.
Critical RCE in WPvivid Backup and Migration Plugin (CVE-2026-1357)
A critical vulnerability in the WPvivid Backup & Migration plugin, installed on more than 900,000 websites, was publicly disclosed in February 2026. Tracked as CVE-2026-1357 with a CVSS score of 9.8, it can be exploited to achieve remote code execution by uploading arbitrary files without authentication.
Researchers at Defiant noted that only sites with the non-default “receive backup from another site” option enabled are critically impacted, and that attackers have a 24-hour window to exploit it using a generated key.
A security update addressing the flaw was released in version 0.9.124 on January 28, 2026, adding RSA decryption checks, filename sanitization, and restricted file type uploads. All WPvivid users should immediately upgrade to v0.9.124 or later.
Patchstack State of WordPress Security 2026 Whitepaper
Patchstack released its State of WordPress Security in 2026 whitepaper on February 25, revealing that 11,334 new vulnerabilities were found in the WordPress ecosystem in 2025, a 42% increase compared to 2024. Of these, 91% were found in plugins, and the weighted median time to mass exploitation for heavily targeted vulnerabilities was just 5 hours.
The whitepaper also found that traditional host defenses blocked only 26% of total vulnerability attacks in large-scale pentesting studies, and that 46% of vulnerabilities did not receive a patch by the time of public disclosure. Site owners should prioritize automated virtual patching solutions and regular plugin audits.
Industry Trends and Insights
In February 2026, it was confirmed that AI is no longer a peripheral feature in WordPress; it is becoming core infrastructure.
The WordPress AI Assistant, the new Connectors UI in WordPress 7.0 Beta 2, and the expanded AI Experiments plugin collectively signal that AI-native workflows are now expected at every layer of the stack.
Patchstack’s 2026 whitepaper further highlighted that vibe coding is rapidly merging with WordPress, with agencies generating plugins on demand and using AI to build React-powered frontends, expanding the attack surface far beyond core, plugins, and themes.
Security strategies must evolve accordingly, moving from periodic patching toward continuous, automated mitigation.
Theme of the Month: aThemes
aThemes, makers of the popular Sydney and Airi block themes, exemplify the direction WordPress theme development is heading in 2026.
The February confirmation that AI-generated imagery is now permitted in the WordPress theme directory opens new creative possibilities for theme authors, reducing reliance on stock photography while maintaining GPL-compliant licensing.
Their focus on clean, modern block-based designs positions aThemes well as WordPress 7.0 introduces viewport-based block visibility and per-block CSS, features that give theme authors more granular, declarative control over responsive layouts without bespoke custom code.
Plugin of the Month: Rank Math
Rank Math continues to be a standout in the WordPress SEO plugin space as AI integration becomes central to content workflows.
With the WordPress AI Assistant now capable of content generation and rewriting directly in the editor, Rank Math’s in-editor SEO analysis is a natural companion, enabling users to optimize AI-generated content for search without leaving the WordPress environment.
Rank Math’s consistent update cadence and depth of schema markup make it particularly relevant in February 2026, as publishers scale AI-assisted content operations and need structured data accuracy to maintain search visibility.
Agency of the Month: Seahawk Media
Seahawk Media remains one of the most versatile WordPress agencies in the ecosystem, offering end-to-end services spanning custom development, redesigns, hacked-site repair, speed optimization, and white-label programs that enable agencies to scale without expanding headcount.
In a month when AI tools and security vulnerabilities demanded rapid site-level responses, Seahawk’s broad managed maintenance offering, covering security checks, updates, monitoring, and performance optimization, proved particularly relevant for clients navigating the heightened disclosure and the WordPress AI Assistant rollout.
Their transparent pricing and partnerships with leading WordPress platforms continue to earn consistent recognition across industry guides.
Host of the Month: Bluehost
Bluehost remains a reliable and widely trusted choice for WordPress hosting in 2026, particularly for small businesses, bloggers, and growing online ventures.
As WordPress.com’s AI Assistant began reaching Business and Commerce plan users in February, Bluehost’s own investment in AI-assisted site-building tools reflects the broader hosting industry’s move toward intelligent, automated workflows.
Their combination of affordable entry-level pricing, one-click WordPress installation, and performance-focused infrastructure continues to make Bluehost a competitive option for users looking for dependable, scalable hosting in a consolidating market.
Founder of the Month: Matt Heaton, Founder of Bluehost
Matt Heaton founded Bluehost in 2003, building it into one of the most recognized WordPress hosting brands in the world before it was acquired by Endurance International Group (now Newfold Digital). His founding vision, affordable, accessible, reliable web hosting, established the blueprint that continues to guide Bluehost’s product strategy today.
Heaton’s legacy is particularly notable in a February defined by the role of hosting infrastructure in vulnerability defense, a recurring theme from the Patchstack whitepaper.
His emphasis on accessible hosting democratized WordPress for millions of users, and the platform he built remains a foundational layer in how those sites are protected and served today.
Looking Ahead to March 2026
WordPress 7.0 Beta 3 is expected in March, with the community focused on bug triage and final compatibility testing ahead of the April 9 release. Developers should validate blocks against Block API version 3 requirements and test against the latest Gutenberg builds to surface any iframed editor regressions early.
Security teams should expect continued high-volume vulnerability disclosures, with Patchstack’s data suggesting that even heavily patched plugins still carry risk windows measured in hours, not days. Virtual patching and proactive plugin audits remain non-negotiable best practices.
WordCamp season in India continues to build momentum following Pune’s success, and the broader community will be watching how the WordPress 7.0 Connectors UI shapes third-party AI integrations as the release cycle enters its final stretch.