The Road to WordPress 7.0 Update: Security Alerts and The “PHP Cliff” (January 2026)

The start of 2026 has brought a massive shift to the CMS landscape. Following the release of WordPress 6.9 in late 2025, the community is now laser-focused on the revolutionary WordPress 7.0 update, scheduled for release on April 9, 2026.

However, this transition is not just about new features; it is about security and infrastructure.

January has already seen active exploits targeting outdated plugins and a clear warning for site owners clinging to old PHP versions. Here is your essential briefing on what is happening right now in the WordPress ecosystem.

1. Critical Security Alert: The “Modular DS” Flaw

Before looking ahead to the WordPress 7.0 update, site owners must address an immediate threat.

On January 15, 2026, security researchers confirmed a maximum-severity flaw (CVSS score: 10.0) in the Modular DS plugin, which is actively being exploited in the wild.

• The Threat: Unauthenticated attackers can gain administrator access by exploiting a loophole in the “direct request” mode.

• The Fix: If you use this plugin, you must update to version 2.5.2 immediately.

• The Lesson: This zero-day exploit highlights why “auto-updates” on managed hosting are a non-negotiable safety feature in 2026. For more on protecting your site, read our guide on [Internal Link: Cybersecurity Threats 2026].

2. The “PHP Cliff” and the WordPress 7.0 Update

The most significant infrastructure news for January is the official sunsetting of legacy PHP support.

The upcoming release will officially raise the minimum required PHP version. Sites still running on PHP 7.2 or 7.3 may be technically unable to update to the 7.0 branch.

Why the WordPress 7.0 Update Demands Newer PHP

If your server is not running at least PHP 7.4 (with PHP 8.2+ strongly recommended), your site will be left behind. This “End of Support” is a critical wake-up call. Running outdated PHP prevents you from accessing the new WordPress 7.0 update and exposes your site to unpatched vulnerabilities that hackers are now using AI to discover.

3. New Features: The Abilities API and AI

The WordPress 7.0 update is laying the groundwork for a deeply integrated AI future.

Developers are currently testing the new Abilities API, introduced in the 6.9 cycle. This system is designed to centralize permission management, specifically to prevent “AI prompt injection” attacks as more plugins add generative AI features to their dashboards.

Additionally, the “What’s New” log for January highlights standardized tools for how users crop and rotate images directly within the editor.

Conclusion: Prepare Your Infrastructure

The gap between “modern” and “legacy” websites is widening. The WordPress 7.0 update represents a hard break from the past.

To survive this shift, you cannot be passive. You must audit your plugins for flaws like the Modular DS bug and ensure your hosting environment is running modern PHP.

[Is your server ready for WordPress 7.0? Switch to SternHost’s Managed WordPress plans for automatic PHP updates and pro-active security patching.]

Also Read: The Road to WordPress 7.0 Update: Security Alerts and The “PHP Cliff” (January 2026)