Let’s be honest — WordPress has had a security image problem forever. And WordPress itself is fine. It’s the plugins and themes causing trouble.
You can ignore that, sure. Or you can actually care about it — especially if you’re leading the WordPress world, and especially when the community’s top security voice is literally saying “be careful”.
Yes, the majority of WordPress sites never get hacked. Matt is right here.
But “not hacked” doesn’t mean “secure.” It might just mean the bots haven’t found you yet. The majority of my sites have never been hacked either. But I stay vigilant. Every single day. But I’m not exactly your average WordPress user either. I’m a pro, mate! 🫡
I take over DIY websites for a living, and let me tell you — the camels I encounter. The worst one? A fake checkout page sitting right on top of the WooCommerce checkout. For a whole month, every single credit card number went straight to a hacker. OMG! 🤦
The writing’s on the wall.
And I’m definitely seeing the writing on the wall — especially when it comes to bots. Since November/December 2025, bot and scraper traffic has gone through the roof. Some Belgian-only shops suddenly had 30% of their visitors coming from China according to GA4. Bit suspicious for a shop that sells, I don’t know, local flowers. 💐
Also: my hosting provider just quietly cut the number of subsites per package from 25 down to 10. Reason? Bots and CPU usage. There you go.
Sure, not all bots are evil. I get it. But something is clearly going on. 👀
When a specialist flags something, maybe don’t minimize it.
Hackers want one thing: juicy data. Personal info, payment details, and yes — AI API keys. Loose API keys were already a hacker’s treat — think mail providers, Google keys. But now: AI API keys? I guess that’s a very nice jackpot too these days.
I’m very curious whether WordPress 7.0 will bring even more bots along for the ride. My gut says yes — though I suspect it’ll still take another year before AI-editing really goes mainstream.
If I were leading WordPress, I’d handle it differently. Show interest. Listen. Ask what can be improved. But sure, we can also keep ignoring it. WordPress core has a known permissions problem…
As the blind man said: we’ll see.

