Security mattered most this week. WordPress added a new delay before plugin and theme auto-updates, and UpdraftPlus patched a serious bug that could expose some sites to takeover. WordPress 7.1 also looks steadier now, with one risky editor change rolled back and a useful account update under test.
Security: Auto-updates get a pause
WordPress.org launched Protect The Shire. The name does not matter. The policy does. New plugin and theme releases now wait 24 hours before auto-updates can send them to sites.
That is the right call. A bad plugin update can hurt thousands of sites fast. This new pause gives WordPress.org more time to review releases before they spread. The tradeoff is simple. Auto-updates will not deliver urgent fixes on the same day anymore.
Take that as a prompt, not a problem. Keep auto-updates on. They still reduce routine risk. But when a critical bug hits a plugin you rely on, check for the fix yourself instead of waiting for tomorrow.
One plugin already needs that treatment. UpdraftPlus fixed a critical bug that could let an attacker take over some sites without logging in, if the site had previously connected to UpdraftCentral. We broke down the risk and the next steps in "UpdraftPlus fixed a critical site takeover bug."
Update UpdraftPlus now if you use it. If you ever connected it to UpdraftCentral, review your admin users and installed plugins right after the update.
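One way to run that update and review from a shell is sketched below. It is an added example, not part of the original article or of UpdraftPlus. It assumes WP-CLI (`wp`) is installed and run from the WordPress root; the function names, the sample rows and the cutoff date are hypothetical, and the cutoff is a date you choose.

```shell
#!/bin/sh
# Added example (not from the article). Assumes WP-CLI is available as "wp".
# All function names and sample rows below are hypothetical / constructed.

# Read CSV shaped like the output of:
#   wp user list --role=administrator \
#     --fields=user_login,user_email,user_registered --format=csv
# and print every admin registered on or after the cutoff (YYYY-MM-DD).
flag_recent_admins() {
    awk -F',' -v cutoff="$1" '
        NR == 1 { next }                 # skip the CSV header row
        {
            gsub(/"/, "", $0)            # CSV quotes fields that contain spaces
            reg = substr($3, 1, 10)      # date part of "YYYY-MM-DD HH:MM:SS"
            if (reg >= cutoff)           # ISO dates sort correctly as strings
                print $1 " " $2 " " reg
        }
    '
}

# Constructed sample input so the filter can be tried without a live site.
sample_admin_csv() {
    cat <<'EOF'
user_login,user_email,user_registered
siteowner,owner@example.com,"2021-06-14 08:30:00"
editor-lead,lead@example.com,"2023-11-02 17:05:41"
wp_support7,support7@example.net,"2025-02-19 03:12:09"
EOF
}

# Live use on a real site: update the plugin, then list what needs a human look.
# $1 is the cutoff date from which admin accounts should be rechecked.
review_after_update() {
    wp plugin update updraftplus
    echo "Administrators registered on or after $1:"
    wp user list --role=administrator \
        --fields=user_login,user_email,user_registered --format=csv \
        | flag_recent_admins "$1"
    echo "Installed plugins (look for anything you did not install):"
    wp plugin list --fields=name,status,version --format=table
}
```

Any administrator the filter prints that nobody on the team recognizes, and any plugin in the list that nobody installed, deserves a closer look before the site is considered clean.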
WordPress 7.1: Stability first
WordPress also reverted the React 19 upgrade in Gutenberg. React is the software layer that powers much of the block editor. Some plugins started crashing after the upgrade, so WordPress pulled it back.
That is good news for site owners. WordPress chose stability over speed. Expect fewer nasty surprises from editor updates in the short term. You should still test major updates on a staging site, especially if your team depends on custom blocks or editor-heavy plugins.
Core also started testing Unicode email addresses. That means WordPress accounts can move closer to supporting email addresses with non-English characters, not just standard English-only formats.
This change matters if your staff, members, or customers use international email addresses. Ask your host or support provider to test signups, password resets, and contact or checkout forms before WordPress 7.1 ships. A small account change can break real business flows if nobody checks it first.