Skip to content
Business Efficiency

WordPress 7.0 Was Supposed to Be the AI Upgrade. Six Months Later, Most Sites Haven't Installed It.

WebPulse extracted WordPress version numbers from 244 sites in the Tranco top 10K. Only 44% run WordPress 7.0. The majority are still on 6.x. Some are on 4.x.

· 5 min read
Share on X LinkedIn
WordPress 7.0 Was Supposed to Be the AI Upgrade. Six Months Later, Most Sites Haven't Installed It.

The Version Gap

WordPress 7.0 launched in late 2025 as the platform's most ambitious release — integrated AI content assistance, block-level collaboration, and a rewritten editor experience. Automattic positioned it as the upgrade that would keep WordPress competitive against modern frameworks. Six months into 2026, WebPulse scanned the Tranco top 10,000 and extracted WordPress version numbers from every site that exposed them. The result: WordPress 7.0 adoption has stalled at 44%.

44%
WordPress 7.x adoption
Source: WebPulse Census — 107 of 244 version-detected WP sites
52%
WordPress 6.x (still running)
Source: WebPulse Census — 126 of 244 version-detected WP sites
4%
WordPress 4.x or 5.x
Source: WebPulse Census — 11 of 244 version-detected WP sites

Of 739 WordPress sites detected in the top 10K, 244 exposed version information through meta generator tags or HTTP headers. Among those, 107 run WordPress 7.x. 126 are still on 6.x — the majority running 6.9.4, the last 6.x maintenance release. Eleven sites run WordPress 4.x or 5.x, versions that no longer receive security patches.

Who Is Not Upgrading

The sites running older WordPress versions are not abandoned blogs. NASA runs WordPress 6.9.4. CPanel — the server management platform used by millions of hosting accounts — runs 6.9.4. AppsFlyer, a mobile attribution platform processing billions of events, runs 6.9.4. These are organizations with engineering resources and security obligations. They are choosing to stay on 6.x.

The reasons are predictable. WordPress 7.0's AI features introduced new dependencies. The rewritten editor broke plugin compatibility. Organizations with custom themes and extensive plugin stacks face a testing burden that has no clear payoff — the AI features that motivated the release are not features that enterprise sites need. The upgrade path is effort without obvious return.

The Security Arithmetic

WordPress has accumulated 18,253 CVEs in the NVD. Each major version inherits the full vulnerability surface of its predecessors plus whatever new attack surface the release introduces. WordPress 7.0's AI integration added a new class of potential exposure — prompt injection through content pipelines, AI-generated content that bypasses editorial controls, and API surface for AI service connections.

For the 52% of sites still on 6.x, the calculus is straightforward: they get security patches for known vulnerabilities without absorbing the risk of a major version's new features. For the 4% on versions 4.x and 5.x, there is no calculus — those versions are end-of-life and receiving no patches at all.

What This Pattern Tells Us

The WordPress ecosystem has always had a version adoption lag, but 56% non-adoption six months after a major release is unusually high. WordPress 6.0 reached 60% adoption within four months of release. The difference is that 7.0 asks organizations to accept AI-related complexity — and the organizations running WordPress on high-traffic domains are exactly the ones with the strictest change management processes.

Meanwhile, the framework that overtook WordPress in this same census — Next.js — deploys updates continuously. There is no major version upgrade ceremony, no plugin compatibility matrix, no theme regression testing. The architectural difference is not just technical. It is operational. WordPress 7.0 may eventually reach majority adoption. But the delay itself is the data point: the upgrade model that WordPress depends on is breaking down precisely when it matters most.

Share this insight