Tips Tuesday – WP 7.0 is Out, WP Security, Radical Google Search Change

Tips this week include:
- WP 7.0 out – don’t update yet
- WP AI Team changes
- WP leaks API keys
- State of WP security in 2026
- Frequent host software updates
- Microsoft dumps SMS 2FA
- Google’s radical change to search – why, backlash, and what it means for us
- Update on DIY SEO Workshops
This post contains affiliate links. Thank you for using them to support the free and helpful info you get from BlogAid.
WordPress Tips
WP 7.0 Out – Don’t Update Yet
Even though the Real-Time Collaboration feature was removed from WP 7.0 because they couldn’t get it to work, that doesn’t mean WP 7.0 is without issues.
There are 2 bugs, one of them is more serious than the other.
I’m only going to disclose one of them here, and only because others have already posted about it.
Bottom line – don’t update yet.
WP AI Team Changes
One of the biggest new features in WP 7.0 is the inclusion of an API key and interface to connect 3rd-party AI platforms like ChatGPT, Claude, and more.
And now, with that project complete, two members of the internal AI team at WP are stepping away.
James LePage, who was the Head of AI at Automatic, is leaving to “deeply focus on something new.” My bet is that it will be his own, for-profit AI-related company.
And then Co-Rep, Felix Arntz is stepping away to join Vercel. His volunteer position was sponsored by Google until April of 2025, and I believe it was sponsored by Automattic since then.
Both of these are a blow to the WP AI Team, as qualified AI folks are super hard to hire for the kind of pay Automattic can afford.
Security Tips
WP Leaks API Keys
One of the grand new features in WP is a way to connect any 3rd-party AI via a secure API key.
That’s great, but they forgot to treat it like a password as far as how it is displayed.
You know how passwords show dots when you enter them? That’s so the browser can’t see them, as browser windows can be compromised, but that doesn’t necessarily mean hacked. In fact, I’ve heard that Microsoft is now taking screenshots every few seconds of any window you have open. And Chrome is doing something similar.
Here’s the WP 7.0 issue, as reported by Search Engine Journal:
“This specific security issue surfaced in the AI integration setup form, which enables a browser to autofill the AI API key, visually exposing it in the browser window. The report explains that the issue could expose credentials during screen sharing, on shared computers, or to anyone with access to an active browser session.”
So, unless you’re doing that activity, your site is okay.
The other issue is a bigger problem, and I’m not going to disclose it.
Just hold off on updating for now.
State of WP Security in 2026
The GuardingWP folks publish an annual report on how sites using WordPress are faring, as far as security.
This year they scanned 1,981 across 40+ verticals to compile the data for their latest report.
Here are the highlights:
- 52.8% of WordPress sites are running at least one plugin with a known CVE at scan time. Not a hypothetical risk — a documented vulnerability with a patch already published, sitting unpatched on the live site.
- 55.9% leak their WordPress version through the generator meta tag. That single string is what version-targeted attack campaigns search for.
- 93.2% are missing one or more modern security headers (HSTS, CSP, X-Frame-Options). Defaults from a 2015 web are still the default in 2026.
- 35.8% have XML-RPC still enabled. The classic brute-force surface that most sites no longer need.
- 15.9% of version-disclosing sites are on an outdated, unsupported WordPress branch (pre-6.5). They aren’t getting security backports anymore.
I’m happy to report that my site audit clients do not have any of these issues. In fact, their sites are hardened far beyond this list, including other things that are cited in this report.
On top of that, we’re not on hosting servers where there are sites with critical security issues either, which protects every other site on that server better too.
Frequent Host Software Updates
Where you host matters.
As I reported a few weeks ago on Anthropic’s Mythos, that found zero-day vulnerabilities in every major software they fed it, similar AI tests are being run on the softwares that power hosting.
cPanel alone has been sending updates with patches every few days. There are about 5 softwares on every server and all of them are patching old coding holes as fast as they can.
But, it takes a knowledgeable host to sort through those updates and ensure that things are properly tested and that they didn’t try to slip in a new “feature” that we may or may not want, and to ensure that any new thing is configured properly.
That’s why I rest easy knowing that me, my clients, my webmasters, and their clients are all on Iridium Hosting.
Not only are we well looked after, but me and the head server admin are in lock step with the security I add at the hosting level and on the site as well so that everything is coordinated. And we touch base frequently to share findings, especially what I see during audits, to help us prepare for new attack vectors.
Microsoft Dumps SMS 2FA
I am not a fan of the way most entities do 2FA (2-Factor Authentication).
And now at least one major entity has seen the light too.
Microsoft will no longer be sending login tokens/code via SMS.
You can still get it via email, or some other way that requires a login.
SEO Tips
Google’s Radical Change to Search
Google dropped a huge bombshell at their recent I/O conference.
This summer they will be removing the regular Search box, that we’ve used for the past 25 years, and replacing it with an AI chatbot.
What was the AI Overview Summary will now become all you see.
The “10 Blue Links” to other posts will be gone.
Why Are They Doing This?
In a word – money.
Google, and every other major player, has sunk billions each into AI.
And they have yet to see a positive return.
The only way to justify what they’ve already spent, plus next year’s enormous spending plan is to prove that everyone is using AI.
And the only way to do that is to force them to use it.
Nobody Wants It
The CEOs of these companies have been drinking their own Kool-Aid for so long that they are completely out of touch with end users.
In fact, when these CEOs gave recent commencement addresses at prestigious universities over the past week, they were booed off the stage when they mentioned AI. Here’s the former Google CEO who couldn’t understand the reaction. Here’s another. There are several more.
Plus, videos of town halls are popping up all over where residents are turning out in droves to keep new AI data centers from being built in their towns.
Proof That AI is Eating It’s Tail
And it worked.
Wired did something similar a couple of years ago with a bogus review on a non-existent laser printer.
AI info is not getting better – it’s getting far worse.
A new Gallup Poll shows that most Americans don’t trust AI – and with good reason.
What This Means for Us
I think Google Search has been over for a few years.
Remember the Helpful Content Update (HCU)? I think that was the coffin closing on ranking blog posts they way they have been for at least 15 years.
I think this AI chatbot search thing are the nails going in that coffin.
We have to face the fact that Google has not cared about creators in a long time.
All they care about is money.
And until folks stop using Google Search, and the ad money dries up, they are not going to get the message.
How to Help Ourselves
I think the backlash from AI will continue to intensify.
And I think we have to wait out that process as far as keeping our sites going.
We also have to start promoting our content where ex-Googlers are looking now.
That includes:
- Video on every platform that supports it
- Forums, like Reddit – this is a HUGE supplier of info for LLMs
DIY SEO Workshops Update
I have several new workshops coming for the course.
But I’ve had to reorder and rework a few of them in light of this Google Search news and my own testing.
I’ve already trashed the workshop for using Claude to scan our post and give us SEO advice. It was a total disaster because when I started asking it what data it was basing its suggestions on, everything started unraveling.
Plus, pro SEOs that I follow, who have implemented those suggestions, have seen their organic traffic tank.
Bottom line, don’t use AI to tell you how to do SEO.
However, there are ways to use AI successfully to make IG posts and even videos for you to promote.
Plus, llms.txt and WebMCP seem to be getting looked into as a way for LLM crawl bots to make better sense of your content. And we’ll be covering those too.
So, it’s not over for us. And there are things we can do to help ride these waves until AI Search implodes on itself.

WP 7.0 dropping feels like a surprise party where the cake is security patches. And Google’s radical search change? That’s like rearranging the furniture while you’re still sitting on the couch. Thanks for keeping us updated—your tips save me from tech whiplash every Tuesday
Those are both such apt descriptions of what’s happening with WP and Google!!! I’m so glad you benefit from TT every week!