WordPress 7.1 Roadmap Meets Supply-Chain Chaos
The 7.1 feature list landed the same week 1.2M sites got backdoored through a stolen CDN key, so you're planning and patching at once.
This issue is part of WPStack, the WordPress Weekly newsletter.
Attackers pushed a backdoor to roughly 1.2 million sites the same week WordPress published the full 7.1 feature list, and neither story lets you ignore the other. One is the future you get to build for. The other is the present you have to clean up tonight. That tension ran through everything this week.
The roadmap is genuinely good news: native Tabs and Table of Contents blocks, no-code responsive styling in the Site Editor, AI tooling baked into Core. Stuff I’ve been faking with GenerateBlocks for years. The attack is the other side of that same coin. Nobody breached a single site. Attackers poisoned a vendor’s CDN, and the malicious JavaScript then ran in every logged-in admin’s browser, which means no plugin you trusted was safe just because you installed it correctly.
So this issue is split-brain on purpose. Plan for August. Audit for rogue admins tonight. Here’s the week.
Top Stories
Roadmap to WordPress 7.1 sets an August 19, 2026 ship date and a long feature list: Notes suggestion mode plus emoji reactions, a Guidelines feature to encode editorial rules for AI collaboration, responsive and pseudo-state block styling in the Site Editor without writing CSS, AI Client streaming and embeddings, three new Core blocks (Playlist, Table of Contents, Tabs), a free-form image cropper with client-side HEIC and Ultra HDR processing, a reorganized command palette, a persistent admin bar across editors, and an “On This Day” dashboard widget. It’s the definitive list, so plan client work around it now. Native Tabs and TOC blocks plus no-code responsive and pseudo-state styling cut into the page-builder workarounds I lean on, and I’d test them against an existing block-theme stack before August, not after.
Supply-chain attack on OptinMonster, TrustPulse, and PushEngage hit roughly 1.2 million sites. Sansec caught the first malicious injection on June 12, 2026 at 22:17 UTC and published its advisory June 13. Attackers exploited a known UpdraftPlus flaw on Awesome Motive’s marketing server, stole a CDN API key, and tampered with the SDK and JavaScript served over the CDN for OptinMonster (1M+ installs), TrustPulse, and PushEngage. The injected script runs in any logged-in admin’s browser, creates hidden admin accounts (a fixed “developer_api1” tied to customer1usx@gmail.com, plus randomized “dev_xxxxxx” accounts), exfiltrates credentials to the lookalike domain tidio.cc, and installs a self-hiding backdoor plugin (rotating disguises as “Content Delivery Helper” v2.7.1 and “Database Optimizer” v2.9.4) exposing a web shell branded “WPM File Manager and Shell.” OptinMonster and TrustPulse were cleaned June 13; PushEngage served injected code until June 14. Awesome Motive confirmed the breach in its own advisory, pinned the root cause on the UpdraftPlus flaw, and says it has rotated the stolen CDN key and migrated the marketing site to a new server. If any of the three was active on a site you manage while the CDN was serving the tampered files (June 12 to 13 for OptinMonster and TrustPulse, through June 14 for PushEngage), audit for rogue admins and hidden plugins now. Nothing on the site itself had to be breached; an administrator loading the dashboard with the plugin active was enough.
WordPress 7.0.1 maintenance release lands as the first bugfix of the 7.0 cycle, authored by Aaron Jorbin: RC1 on Wednesday, July 1, 2026, then general release on Thursday, July 9, 2026. I treat the RC1 date, not the release date, as the real deadline. If a 7.0 regression is going to bite a client site, July 1 is when I want it surfacing on staging, with eight days of runway before auto-updates push 7.0.1 live.
rtCamp goes AI-everywhere and freezes engineering hiring in a WP Tavern Jukebox interview with founder Rahul Bansal. The enterprise agency (founded 2009, 200+ staff, clients including Google) now mandates that “if something in rtCamp can be done by AI it will be,” claiming 50 to 90% build-time cuts (one migration in 5 days instead of 10), 70 to 80% of operations streamlined through a unified Frappe and ERPNext system, and a 70% cost-reduction target within two years. Engineering headcount is effectively paused with no open roles, while the next ~50 hires sit in sales and marketing. Read the hiring split, not the percentages: moving the next 50 seats from engineering to sales is a bet that delivery is now a solved cost and growth is the constraint. If that bet holds, the shops billing by the build hour get squeezed first, and that is what I would price against this year.
Core, Gutenberg and WooCommerce
Gutenberg 23.4.0 shipped June 17, 2026 as the plugin release feeding 7.1. Highlights: a media upload progress snackbar with retry and network resilience, Ultra HDR (ISO 21496-1) gain map support, a reverted client-side media processing gate, Combobox primitives, theme element size design tokens, @base-ui/react at 1.5.0, a Playlist block visualization selector, the Login/out block usable inside Navigation Submenu, and a separate doc persistence endpoint for real-time collaboration. The reverted client-side media processing gate is the line I would read twice: a gate that shipped and then got pulled is exactly the churn that breaks a custom upload pipeline between 23.3 and 23.4.
Dynamically loading template parts in block themes shows how to use the render_block_data filter to swap a template part’s slug on the fly, like serving a different sidebar based on post category. It’s the pattern I’d reach for instead of cloning a template per context, since duplicated templates are where multi-context block themes rot.
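The swap the tutorial describes, as an added example written for this issue rather than code from the tutorial or from Core: it assumes a block theme with template parts named `sidebar` and `sidebar-reviews` and a category with the slug `reviews`, all of which are invented for the illustration. The replacement slug is decided from theme knowledge, never from request input, and is only applied when the target part exists, so a missing part falls back to the default sidebar instead of rendering nothing.

```php
<?php
// Added example for WPStack (not the tutorial's code). Drop into functions.php or an mu-plugin.
// Assumed: template parts 'sidebar' and 'sidebar-reviews' in the theme, and a category slug 'reviews'.
add_filter( 'render_block_data', function ( $parsed_block, $source_block, $parent_block ) {
    // Only touch template-part blocks whose slug is the default sidebar.
    if ( 'core/template-part' !== ( $parsed_block['blockName'] ?? '' ) ) {
        return $parsed_block;
    }
    if ( 'sidebar' !== ( $parsed_block['attrs']['slug'] ?? '' ) ) {
        return $parsed_block;
    }
    // Context check: single posts filed under the 'reviews' category.
    if ( ! is_singular( 'post' ) || ! has_category( 'reviews' ) ) {
        return $parsed_block;
    }
    // The new slug comes from code, not from the request, and is applied only if the part
    // really exists; get_block_template() returns null for an unknown id, so a typo is harmless.
    $theme = $parsed_block['attrs']['theme'] ?? get_stylesheet();
    if ( get_block_template( $theme . '//sidebar-reviews', 'wp_template_part' ) ) {
        $parsed_block['attrs']['slug'] = 'sidebar-reviews';
    }
    return $parsed_block;
}, 10, 3 );
```

The filter runs for every block on every render, so keep the early returns cheap and put the context check last; anything more expensive than a category lookup belongs in a cached helper.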
Recap: restoring removed version history is the post-mortem on how a build-script change added PHP files to .gitignore, severed their history, and how Core recovered it by merging a reconstructed branch back to trunk. If you lean on git blame for Core files, this explains why your tooling broke and confirms the history is back.
Plugins, Themes and Products
WP Rocket 3.22 introduced RocketCDN Free Tier on June 11, then 3.22.0.1 (June 16) cleaned up the RocketCDN UI, fixed the “Learn more” upgrade link, and fixed an incorrect billing-date display for the free tier. The free tier accelerates up to 3 pages with unlimited bandwidth across 10 Points of Presence, with a one-click upgrade to RocketCDN Pro (all pages, 100+ PoPs). The most popular premium caching plugin now bundles a free CDN tier, so agencies can hand clients basic edge delivery without bolting on a separate CDN. But a 3-page, 10-PoP tier is a hook, not a replacement for FlyingPress plus Cloudflare APO on real client sites, and I’d write that side-by-side note before anyone mistakes one for the other.
SureForms 2.11.1 (June 16) patches a security flaw, fixes phone-field auto country-detection, and corrects the Cloudflare Turnstile “Get Keys” link. It follows 2.11.0 (June 10), which shipped a one-click Form Migrator for Contact Form 7, WPForms, Gravity Forms, and Ninja Forms, plus native WPML support via String Packages. Update now for the security fix. The migrator is the real story, though, and having built Core Forms I’d want to see how cleanly conditional logic and validation survive the import before treating it as a drop-in switch off CF7 or WPForms.
AI and WordPress
Using AI to perform website security audits recaps a WP Minute member meetup where Austin Ginder demonstrated using Claude Code to discover and patch WordPress plugin vulnerabilities, covering local audits to control cost, token-management techniques, and coordinating remediation with plugin authors (tools referenced include Claude Code and WP Beacon). It’s the workflow to copy in a week where the threat was a poisoned plugin, not a weak password, with one caveat: a static audit of plugin code would not have caught this week’s attack, because the malicious payload was injected at the vendor’s CDN after install, not written into the plugin you reviewed.
Security and Performance
Patchstack confirms active exploitation of the OptinMonster attack in a June 15 analysis. Between June 14 and 15 its mitigation rule blocked 271 requests across 13 sites from 81 unique IPs: 267 used the randomized dev_xxxxxx pattern, 4 the fixed developer_api1 account. The backdoor plugin hides from both the dashboard and the REST API that security tools rely on, so scan the database and the filesystem directly for the account names and for plugins the site does not list about itself, rather than trusting any plugin inventory the site reports.
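Put together, the Top Stories item and this Patchstack note say what to look for: the named accounts, administrators created after the injection window, and a plugin the site will not admit to running. The script below is an added example written for this issue, not code from Awesome Motive, Patchstack or Sansec; run it with `wp eval-file` from the site root. It reads users and the active-plugin list straight from the database and plugin headers from disk, so a plugin that filters dashboard or REST output cannot hide from it. The regular expression for the random `dev_xxxxxx` logins, the assumption that a self-hiding plugin does its hiding through the `all_plugins` and `option_active_plugins` filters, and the `lock` argument are assumptions of the example, not details from the advisories.

```php
<?php
// Added example for WPStack (not vendor or Patchstack code). Usage from the site root:
//   wp eval-file audit-optinmonster.php        # report only
//   wp eval-file audit-optinmonster.php lock   # also lock rogue accounts and destroy every session
defined( 'ABSPATH' ) || exit;

// Indicators from the Sansec / Awesome Motive advisories; the dev_ regex is an assumption.
const WPSTACK_FIRST_INJECTION = '2026-06-12 22:17:00';   // UTC
const WPSTACK_IOC_LOGIN       = 'developer_api1';
const WPSTACK_IOC_EMAIL       = 'customer1usx@gmail.com';
const WPSTACK_IOC_DEV_REGEX   = '/^dev_[a-z0-9]{4,}$/i';
const WPSTACK_DISGUISE_REGEX  = '/Content Delivery Helper|Database Optimizer|WPM File Manager/i';

function wpstack_find_rogue_admins() {
    global $wpdb;
    // Raw SQL on purpose: get_users() and WP_User_Query expose filters a backdoor can hook.
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT u.ID, u.user_login, u.user_email, u.user_registered, um.meta_value AS caps
           FROM {$wpdb->users} u
      LEFT JOIN {$wpdb->usermeta} um ON um.user_id = u.ID AND um.meta_key = %s",
        $wpdb->prefix . 'capabilities'
    ) );
    $findings = array();
    foreach ( $rows as $r ) {
        $caps     = maybe_unserialize( $r->caps );
        $is_admin = is_array( $caps ) && ! empty( $caps['administrator'] );
        $reasons  = array();
        if ( WPSTACK_IOC_LOGIN === $r->user_login ) {
            $reasons[] = 'fixed IOC login';
        }
        if ( WPSTACK_IOC_EMAIL === strtolower( $r->user_email ) ) {
            $reasons[] = 'IOC e-mail address';
        }
        if ( preg_match( WPSTACK_IOC_DEV_REGEX, $r->user_login ) ) {
            $reasons[] = 'matches randomized dev_ pattern';
        }
        // user_registered is stored in GMT, so compare it against the UTC injection time.
        if ( $is_admin && strtotime( $r->user_registered . ' UTC' ) >= strtotime( WPSTACK_FIRST_INJECTION . ' UTC' ) ) {
            $reasons[] = 'administrator created after the first injection';
        }
        if ( $reasons ) {
            $findings[] = array( 'ID' => (int) $r->ID, 'login' => $r->user_login, 'email' => $r->user_email, 'is_admin' => $is_admin, 'reasons' => $reasons );
        }
    }
    return $findings;
}

function wpstack_find_hidden_plugins() {
    global $wpdb;
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $on_disk = get_plugins();                               // parsed from plugin headers on disk
    $shown   = apply_filters( 'all_plugins', $on_disk );    // what the Plugins screen renders
    $raw     = $wpdb->get_var( $wpdb->prepare( "SELECT option_value FROM {$wpdb->options} WHERE option_name = %s", 'active_plugins' ) );
    $active_db  = (array) maybe_unserialize( $raw );        // straight from the options table
    $active_api = (array) get_option( 'active_plugins' );   // after option_active_plugins filters
    $findings   = array();
    foreach ( $on_disk as $file => $header ) {
        $reasons = array();
        if ( ! isset( $shown[ $file ] ) ) {
            $reasons[] = 'removed from the Plugins screen by an all_plugins filter';
        }
        if ( in_array( $file, $active_db, true ) && ! in_array( $file, $active_api, true ) ) {
            $reasons[] = 'active in the database but filtered out of get_option()';
        }
        if ( preg_match( WPSTACK_DISGUISE_REGEX, $header['Name'] . ' ' . $header['Description'] ) ) {
            $reasons[] = 'header matches a known disguise name';
        }
        if ( $reasons ) {
            $findings[ $file ] = $reasons;
        }
    }
    return $findings;
}

function wpstack_lock_rogue_accounts( array $rogues ) {
    foreach ( $rogues as $r ) {
        $user = get_user_by( 'id', $r['ID'] );
        if ( $user ) {
            wp_set_password( wp_generate_password( 32, true, true ), $user->ID );
            $user->set_role( '' );   // strip every role but keep the row for forensics
        }
    }
    // The injected script ran inside admin browsers, so every session is suspect, not just the rogues'.
    WP_Session_Tokens::destroy_all_for_all_users();
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    $rogues = wpstack_find_rogue_admins();
    $hidden = wpstack_find_hidden_plugins();
    WP_CLI::log( wp_json_encode( array( 'rogue_accounts' => $rogues, 'suspicious_plugins' => $hidden ), JSON_PRETTY_PRINT ) );
    if ( in_array( 'lock', (array) $args, true ) ) {   // $args holds eval-file's positional arguments
        wpstack_lock_rogue_accounts( $rogues );
        WP_CLI::success( 'Rogue accounts locked and all sessions destroyed; rotate the remaining admin passwords next.' );
    }
}
```

Two notes on the design. The script locks rather than deletes rogue accounts, because the row, its registration timestamp and its e-mail are evidence you will want before the clean-up is over; delete them once that is captured. And the session wipe is deliberately global: the payload ran in every logged-in admin’s browser, so a legitimate administrator’s session cookie is no more trustworthy than the attacker’s, and a `wp user reset-password` pass over the real admins should follow.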
Gravity SMTP API-key leak (CVE-2026-4020, CVSS 7.5) hits the plugin’s 100,000+ installs through an unauthenticated REST endpoint whose permission callback always returns true, handing back a ~365 KB system report that can expose API keys and OAuth tokens for Amazon SES, Mailjet, Zoho, Google, and Resend. It affects all versions up to 2.1.4, fixed in 2.1.5. Exploitation began May 27, 2026; Wordfence reports a peak of 4M+ blocked attempts on June 7 and 17M+ since disclosure. Treat any site that ran 2.1.4 or earlier as having leaked its live mail-provider credentials: updating to 2.1.5 closes the endpoint but does not revoke keys already fetched, so rotate them at each provider as well.
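What “permission callback always returns true” looks like in code, and what the fix looks like, as an added example for this issue rather than Gravity SMTP’s source: the `vendor/v1` namespace, the `vendor_` and `wpstack_` function names and the option keys are invented. The hardened route requires `manage_options` and returns a proper `WP_Error` (401 for anonymous callers, 403 for logged-in users without the capability), and the report builder masks provider secrets even for administrators, since the report will end up in support tickets. The last function audits every registered route for the same weakness across all plugins on the site.

```php
<?php
// Added example for WPStack, not Gravity SMTP's code. "vendor_" and "wpstack_" names are invented.
defined( 'ABSPATH' ) || exit;

// The vulnerable shape: a readable route whose permission callback is __return_true.
// Every unauthenticated GET to /wp-json/vendor/v1/system-report receives the full report.
function vendor_register_report_route_vulnerable() {
    register_rest_route( 'vendor/v1', '/system-report', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'vendor_system_report',
        'permission_callback' => '__return_true',
    ) );
}

// Hardened: require a capability, and never put raw provider secrets in the response anyway.
function vendor_register_report_route_hardened() {
    register_rest_route( 'vendor/v1', '/system-report', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'vendor_system_report',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'Sorry, you are not allowed to do that.' ),
                    array( 'status' => rest_authorization_required_code() )   // 401 anonymous, 403 logged in
                );
            }
            return true;
        },
    ) );
}

// Keep the last four characters so an admin can tell which key is configured without seeing it.
function wpstack_mask_secret( $value ) {
    $value = (string) $value;
    return '' === $value ? '' : str_repeat( '*', max( 0, strlen( $value ) - 4 ) ) . substr( $value, -4 );
}

// Hypothetical report builder: shows the shape, not the plugin's real option names.
function vendor_system_report( WP_REST_Request $request ) {
    $settings = (array) get_option( 'vendor_mail_settings', array() );
    foreach ( array( 'ses_secret_key', 'mailjet_api_key', 'oauth_refresh_token' ) as $key ) {
        if ( isset( $settings[ $key ] ) ) {
            $settings[ $key ] = wpstack_mask_secret( $settings[ $key ] );
        }
    }
    return rest_ensure_response( array(
        'php'  => PHP_VERSION,
        'wp'   => get_bloginfo( 'version' ),
        'mail' => $settings,
    ) );
}

// Audit: every registered route with a missing or __return_true permission callback.
// Core's public endpoints appear too; the question for each hit is whether its data is meant to be public.
function wpstack_list_open_routes() {
    $open = array();
    foreach ( rest_get_server()->get_routes() as $route => $handlers ) {
        foreach ( $handlers as $handler ) {
            $cb = isset( $handler['permission_callback'] ) ? $handler['permission_callback'] : null;
            if ( null === $cb || '__return_true' === $cb ) {
                $open[] = $route;
                break;
            }
        }
    }
    return $open;
}
// Load as an mu-plugin, then:  wp eval 'print_r( wpstack_list_open_routes() );'
```

One trap worth naming: a cookie-authenticated REST request only carries a user if it also sends a valid nonce in `X-WP-Nonce`; without it `current_user_can()` sees a logged-out visitor and the hardened callback correctly refuses. Plugins that “fix” that by returning true are how endpoints like this one get shipped.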
Kirki page builder flaw is the worse one this week. CVE-2026-8206 carries a CVSS 9.8 and hits a plugin with 500,000+ installs, roughly 40% of them on vulnerable versions, through a broken password-reset flow (handle_forgot_password) that sends the admin reset link to an attacker-supplied email, enabling full account takeover. It affects 6.0.0 through 6.0.6, fixed in 6.0.7 (Themeum, May 18, 2026), with exploitation active at disclosure (Wordfence blocked 200+ attempts in 24 hours). Treat any unpatched Kirki site below 6.0.7 as a live takeover risk.
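The bug class here is a reset handler that trusts the request to say where the link should go. The two functions below are an added example written for this issue, illustrative shapes rather than Kirki’s source; the `vendor_` names, the AJAX action, the nonce action and the five-per-fifteen-minutes throttle are all invented. The hardened version hands the login to Core’s `retrieve_password()`, which looks the account up itself and mails only the address stored on it, and it answers identically whether or not the account exists so the endpoint cannot enumerate users.

```php
<?php
// Added example for WPStack; illustrative shapes, not Kirki's source. "vendor_" names are invented.
defined( 'ABSPATH' ) || exit;

// Vulnerable shape: the destination address is read from the request, not from the account.
function vendor_handle_forgot_password_vulnerable() {
    $user  = get_user_by( 'login', sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ) );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );   // attacker-controlled
    if ( $user && $email ) {
        $key  = get_password_reset_key( $user );                      // a valid key for the victim
        $link = network_site_url( 'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ), 'login' );
        wp_mail( $email, 'Password reset', $link );                   // mailed to whoever asked
    }
    wp_send_json_success();
}

// Hardened: nonce, per-IP throttle, identical response whether or not the account exists,
// and retrieve_password() mails only the address stored on the account.
function vendor_handle_forgot_password_hardened() {
    check_ajax_referer( 'vendor_forgot_password', 'nonce' );          // dies on a missing or invalid nonce

    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    $tkey  = 'vendor_fp_' . md5( $ip );
    $count = (int) get_transient( $tkey );
    if ( $count >= 5 ) {
        wp_send_json_error( array( 'message' => 'Too many requests, try again later.' ), 429 );
    }
    set_transient( $tkey, $count + 1, 15 * MINUTE_IN_SECONDS );

    $login = sanitize_text_field( wp_unslash( $_POST['user_login'] ?? '' ) );
    if ( '' !== $login ) {
        // Core helper (wp-includes/user.php since WP 5.7): resolves the user by login or e-mail,
        // generates the key and mails $user->user_email. Request-supplied addresses never enter the flow.
        retrieve_password( $login );
    }
    // Same message regardless of outcome, so the endpoint cannot be used to enumerate accounts.
    wp_send_json_success( array( 'message' => 'If that account exists, a reset link has been sent.' ) );
}

add_action( 'wp_ajax_nopriv_vendor_forgot_password', 'vendor_handle_forgot_password_hardened' );
add_action( 'wp_ajax_vendor_forgot_password',        'vendor_handle_forgot_password_hardened' );
```

For a quick sweep of your own plugin inventory, grep every reset or “forgot password” handler for a `wp_mail(` whose first argument traces back to `$_POST` or `$_REQUEST`; the address a reset link is sent to should only ever come from the user row.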
Wordfence weekly vulnerability report, June 8 to 14, 2026 flags a critical CVSS 9.8 unauthenticated privilege-escalation flaw in Doctreat Core up to 1.6.8 (CVE-2025-6254, fixed 1.7.0), a still-unpatched arbitrary-file-upload flaw in WordPress and WooCommerce Scraper up to 1.0.7 (CVE-2025-69129), a separate LoginPress Pro priv-esc issue, and a CVSS 7.3 Listdom flaw. Run it against your client plugin inventory; the unpatched file-upload bug is the one I’d remove or virtual-patch today, not after the next backup.
Tutorials Worth Reading
What’s new for developers (June 2026) is Fatih Kadir Akin’s monthly roundup of what to test in the 7.1 cycle: the client-side VIPS and WASM media pipeline, React 19 compatibility (with a temporary Gutenberg revert), collaborative editing (slipped past 7.0, outreach begun for 7.1), theme style states, and Playground workflows, now that 7.0 “Armstrong” shipped May 20, 2026. The React 19 upgrade is the one I’d test first; that’s where third-party block scripts break quietly before August 19.
WordPress security workflows on Kinsta pairs platform protections (isolated containers, Cloudflare WAF, MyKinsta 2FA) with application-level measures (two-factor auth, WP Activity Log with webhook notifications, custom user access controls) into one repeatable workflow, updated June 15. It’s the hardening checklist to standardize across client sites instead of the ad-hoc plugin pile most agencies run.
Business of WordPress
Global Partners across the first half of the 2026 event season reports H1 sponsorship by the five 2026 Global Partners (Jetpack, WordPress.com, WooCommerce, Bluehost, and Hostinger) backing WordCamps and developer events across 12 countries from Nepal to Uganda. WordPress Campus Connect reached 6,200 students across 25 events in 2026 (45 all-time), attendance ranged from 109 in Leipzig to 280 in Madrid and 277 in Vienna, and a WordPress Developers Day format debuted in Novi Sad with nearly 30 sessions. It names the sponsors underwriting the pipeline that feeds your next contributors and hires.
Events and Community
WordCamp Rajshahi 2026 runs July 2 to 3, 2026 at the RUET Auditorium in Rajshahi, Bangladesh: Contributor Day on July 2, conference day on July 3. It’s the one confirmed WordCamp inside the next 30 days for South Asia, and Contributor Day is the cheaper way in if you’ve never shipped a Core patch.
Deals
Some links below are affiliate links.
Rank Math Summer Sale is live: PRO at $5.99/mo (was $8.99, 33% off), Business at $19.99/mo (was $27.99, 29% off), Agency at $44.99/mo (was $64.99, 31% off), all billed annually ex-VAT, plus a Rank Math and WP Rocket bundle at $10.99/mo (was $13.99, 21% off). The page reads “Summer Sale Ending Soon” with no fixed end date, so verify before quoting urgency to a client. I run Rank Math PRO on gauravtiwari.org, and for multi-site setups the Agency tier plus the WP Rocket bundle is the real value, not a single PRO seat.
Final Take
This week reads as one sentence: WordPress is getting easier to build with and harder to trust. The 7.1 roadmap pulls more capability into Core, and the OptinMonster attack proves the perimeter moved to your vendors’ infrastructure while you were watching your own login page. Two dates decide the next two weeks. July 1 is RC1 for 7.0.1, the first honest read on 7.0 regressions. The other is open: Awesome Motive rotated its own CDN key, but it hasn’t pushed affected site owners to force-rotate admin credentials, and the injected code ran in admin browsers through June 14, so cleaning the CDN without removing the rogue accounts and backdoor plugin on each site and invalidating every admin session leaves attacker access live. Build for August. But audit tonight.
Gaurav
Reply with any tips or links you want me to chase for next issue. I read every one.