WordPress 7.0 Beta 1 is here, and it is not an incremental update. The two big moves are real-time collaboration and native AI integration via the Abilities API. Whether that makes WordPress "an intelligent workspace" or just a more complicated CMS depends entirely on the execution.
I dug into the developer-facing features. Some are genuinely good. Some need caveats.
DDEV is one of the few local dev tools I actually trust for PHP work. Stas Zhuk joined as a core maintainer, and since then the project has been moving faster on the things that matter: broader platform compatibility, newer runtime support, and less friction in day-to-day workflows.
I have been tracking Stas's contributions. The direction is solid.
Agentic AI moves fast. A few lines of code, a powerful LLM, and suddenly an agent is doing something that looks impressive. The rapid iteration is addictive, but it leads to a development style I call "vibe coding" -- tweak a prompt, rerun, and if the output feels right, ship it.
This works for a demo. It is a recipe for disaster in production.
DDEV v1.25.0 fundamentally improves how we share work in progress. The new modular share provider system with Cloudflare Tunnel as the default is the best developer experience improvement in DDEV in years. Zero config, zero accounts, zero friction.
I have been using it daily since the release, and the old ngrok workflow feels ancient.
You're paying $20-200/month for an LLM subscription. You have access to Claude, GPT, or Gemini. You have Playwright. You have Python. So why are you also paying for Crawl4AI, Moltbot, Firecrawl, or whatever the "AI-powered web scraping" flavor of the month is?
Because marketing works. That's why.
Dries Buytaert has introduced "Drupal Digests," a new initiative that uses AI to summarize development activity across Drupal Core, Drupal CMS, Canvas, and the AI Initiative. This is one of the most practical uses of AI in open-source project management I have seen.
Instead of building AI into Drupal, this is using AI to make the Drupal project more navigable. Smart move.
WordPress offers two distinct preview systems: the Customizer's device preview and the Block Editor's "Preview in new tab" dropdown. Both are extensible, but they require completely different approaches. I dug into both.
Drupal 11 ships with jQuery 4. jQuery 4 removes $.type(). Slick Carousel uses $.type(). The result is a fatal JavaScript error that kills every carousel on the page. I tracked down the exact failure chain and the fix.
PHP 8.4 introduces stricter type and error handling, converting many E_WARNING messages into hard-throwing TypeError and ArgumentCountError exceptions. I built this playbook for identifying potential issues and mitigating them before upgrading.
A recent report from Security Boulevard, based on a Gravitee study, puts a number on the AI agent security gap: approximately 1.5 million AI agents operating in large US and UK organizations with zero active oversight. That is not a theoretical risk. That is a ticking time bomb with a billing address.
I read the full report. The findings are worse than the headline.
I built a WordPress 7.0 compatibility scanner CLI that detects deprecated editor integrations and iframe-unsafe code patterns in plugins/themes. It gives rule IDs, migration replacements, and CI exit codes so teams can block risky code before release windows.
I built a WordPress plugin that adds wp wordfence-audit plugins and flags installed plugins that match vulnerability signals from the current Wordfence blog RSS feed. The goal is quick triage from existing RSS workflows, not replacing full vulnerability databases.
I shipped an OpenAI o3-mini planner for my Drupal CMS 2 AI agent and kept a local rule-based fallback, because Drupal's 2026 AI direction is clear: intelligent automation is coming fast, but production teams still need predictable behavior when external AI calls fail.
If you want your WordPress content to appear in AI-generated answers, prioritize this sequence: answer-first writing, schema accuracy, clean crawl controls, maintained plugins, and weekly validation in Search Console/Bing Webmaster Tools. As of February 17, 2026, this is practical on WordPress 6.9.1 and should be treated as an operational SEO workflow, not a one-time checklist.
Drupal 11.1 does not break public APIs, but custom entity code can still break during upgrades because entity type definitions moved to attributes, some entity-related routes are deprecated for Drupal 12, and entity reference formatter output changed in access-sensitive contexts. If you maintain custom entities, treat Drupal 11.1 as a migration checkpoint, not just a patch-level bump.
If your team is still on Drupal 10.4.x, treat Drupal 11 migration as active incident prevention, not roadmap hygiene: Drupal.org now flags 10.4.x security support as ended, and current supported lines are newer. The fastest safe path is to clear the high-impact change records first, then move to supported 10.5/10.6 and 11.x targets in one controlled sequence.
WowRevenue versions up to 2.1.3 can expose a high-risk path when authenticated low-privilege users can reach plugin installation or activation logic through AJAX handlers without strict capability checks. The practical fix is to enforce current_user_can('install_plugins') or current_user_can('activate_plugins') at handler entry and keep nonce checks as anti-CSRF only.
Pantheon reporting "All Systems Operational" is a good signal, but it is not a deploy approval by itself. I treat platform status as one input in a release gate that also checks app health, migration safety, and rollback readiness.
I shipped a release-audit tool for security_advisories_nl because release news, vulnerability records, and platform status pages are noisy unless you convert them into a clear adopt-or-wait decision.
I shipped a Drupal 10/11-safe Pathauto delete action because alias cleanup is exactly the kind of workflow that quietly breaks during major-version transitions.