WordPress Planet

October 08, 2015

Matt: Lists of Lists

The app that changed my life is Simplenote, linked to Notational Velocity. I have Simplenote on my phone and Notational Velocity on my computer, and I’m obsessed with to-do lists and lists about my to-do lists. It allows me to have my lists on my phone and my lists on my computer, and they sync… if you are a list freak, with lists of lists, it will change your life.

— Lena Dunham

From a talk with Kara Swisher on Re/code. Listen to the whole podcast, Simplenote comes up at the 48-minute mark. Hat tip: Toni Schneider.

by Matt at October 08, 2015 08:13 PM under Asides

WPTavern: The First Half of the REST API Is Officially Added to WordPress Core

A few hours ago, Ryan McCue, one of the lead developers of the WordPress REST API project who recently received guest commit access for WordPress 4.4, committed a patch that adds the REST API infrastructure to WordPress core.

In his commit message, McCue referred to the infrastructure as a baby API:

REST API: Introduce baby API to the world.

Baby API was born at 2.8KLOC on October 8th at 2:30 UTC. API has lots
of growing to do, so wish it the best of luck.

Thanks to everyone who helped along the way:

Props rmccue, rachelbaker, danielbachhuber, joehoyle, drewapicture, adamsilverstein, netweb, tlovett1, shelob9, kadamwhite, pento, westonruter, nikv, tobych, redsweater, alecuf, pollyplummer, hurtige, bpetty, oso96_2000, ericlewis, wonderboymusic, joshkadis, mordauk, jdgrimes, johnbillion, jeremyfelt, thiago-negri, jdolan, pkevan, iseulde, thenbrent, maxcutler, kwight, markoheijnen, phh, natewr, jjeaton, shprink, mattheu, quasel, jmusal, codebykat, hubdotcom, tapsboy, QWp6t, pushred, jaredcobb, justinsainton, japh, matrixik, jorbin, frozzare, codfish, michael-arestad, kellbot, ironpaperweight, simonlampen, alisspers, eliorivero, davidbhayes, JohnDittmar, dimadin, traversal, cmmarslender, Toddses, kokarn, welcher, and ericpedia.

If you’re not familiar with the REST API and its potential impacts on WordPress’ future, I highly recommend reading the following articles.

In the lifespan of an open source project, there are milestone moments. Even though only half of the REST API is in WordPress 4.4, I consider this to be one of those moments.

If all goes well, developers will have access to the complete REST API in WordPress 4.5. I hope you’ll join me in congratulating all of the contributors that have and continue to work on the REST API.

by Jeff Chandler at October 08, 2015 08:38 AM under wordpress rest API

WPTavern: WPWeekly Episode 209 – Where Is the Word Press?

In this episode of WordPress Weekly, Marcus Couch and I are joined by Drew Jaynes, WordPress core contributor. We discuss a wide range of topics, from Jaynes’ opinions on Scott Taylor’s work on WordPress 4.4 thus far to his trip to WordCamp Capetown Africa, 2015.

We go in-depth on 10up’s investments in WordPress and discuss what’s happened to the Word Press. Last but not least, we discuss why developers are so excited for Taxonomy Term Meta to be part of WordPress 4.4.

Stories Discussed:

WP101 Founded by Shawn Hesketh Turns 7 Years Old
The Top 100 Active WordPress Themes and Plugins on GoDaddy’s Hosting Network
6 WordPress Plugins That Take Native Comments to the Next Level

Plugins Picked By Marcus:

WP Like/Dislike allows visitors to like or dislike a post on your website.

Slack Notifications is a plugin that notifies you in your Slack channel via the Slack API on the following: New WordPress Version, New Plugins Updates, Post Published, New User Registration, Admin Login.

Postmatic for Gravity Forms is a simple plugin that allows individuals to subscribe to Postmatic feeds using Gravity Forms.

WPWeekly Meta:

Next Episode: Wednesday, October 21st 9:30 P.M. Eastern


by Jeff Chandler at October 08, 2015 08:32 AM under wp101

WPTavern: How to Favorite Themes on the WordPress Theme Directory

When the WordPress theme directory was redesigned earlier this year, a common request from readers was the ability to favorite themes as you can with plugins. This feature was also suggested by Mario Peshev two years ago.

On July 22nd, Dion Hulse committed a change with little fanfare to the WordPress theme directory that allows registered users to mark themes as favorites.

Theme Favorite Icon

Registered users who are logged into WordPress.org will see a heart icon above the download button on a theme’s detailed information page. When clicked, the heart icon turns red and the theme is added to your favorites list. To see your favorites list, visit the theme directory home page and click the Favorites tab.

Themes Marked as Favorites

To remove a theme from your favorites list, visit the theme’s detailed information page and click the heart icon.

Unfortunately, you can’t install themes marked as favorite from the backend of WordPress since the Favorites tab doesn’t exist on the Add Themes page. However, I’ve created a ticket on Trac to see if it can be added in time for WordPress 4.4. Keep in mind that like plugins, themes marked as favorites will show up on your WordPress.org user profile.

by Jeff Chandler at October 08, 2015 06:21 AM under theme directory

October 07, 2015

WPTavern: Measure Jetpack: An Independent Project Aimed at Measuring Jetpack’s Performance

Just about every time we publish an article about Jetpack, one or more readers leave a comment similar to the following: “I don’t use Jetpack because it slows down my site.” Many of the comments don’t link to or provide data that backs up their claim.

Outside of the benchmarks produced by the BruteProtect team late last year, there’s little evidence to support the claim that Jetpack negatively impacts a site’s performance. Arūnas Liuiza, a WordPress plugin developer, is working on a new project that hopes to solve the mystery of whether or not Jetpack causes sites to load more slowly.

Preparing the Testing Environment

In the next few weeks, Liuiza and his students will scour the WordPress plugin directory to find plugins with comparable features to Jetpack’s modules. The team is going to set up three identical WordPress sites with default Lorem Ipsum content.

One site will act as the benchmark, another will run Jetpack, and the third will run plugins similar to Jetpack’s modules. Liuiza explains how his students will perform the benchmark process:

We’ll start the measuring, with different plugins/modules activated and deactivated. We’ll be doing 1-to-1 comparisons, as well as some combos. We are going to measure load times, as well as some stats reported by Query Monitor such as memory usage, database query count etc.

Liuiza says benchmark results will be published in a series of posts on his blog and on the Advanced WordPress Facebook group. Liuiza is asking for the community’s help to locate plugins that are feature-comparable to the modules in Jetpack.

He’s also asking for advice on the testing methodology he and his students should use. There’s no timetable on when the results will be published as it’s considered a side project.

Benchmark Frontend Modules Only

Jetpack currently has 36 modules but some of them simply connect to services such as VaultPress or VideoPress. I think Liuiza and his team should concentrate on modules that potentially impact a site’s frontend performance as it doesn’t make sense to benchmark modules that are only for the backend.

I’m doubtful that an independent study of Jetpack’s performance will solve the issue once and for all, especially if the results show that it doesn’t have as much of an impact on sites as people think. However, it will be nice to have another set of data to point people to when it comes up in discussions.

by Jeff Chandler at October 07, 2015 06:41 PM under study

Matt: Accelerated Mobile Pages & WordPress

As was just announced on the VIP blog and Google, there’s a new open standard that competes with (or complements) Facebook’s Instant Articles. It’s easy for WordPress sites to support both, you can check out this Github project to see the plugin code so far.

by Matt at October 07, 2015 02:33 PM under Asides

October 06, 2015

WPTavern: 10up Continues to Make Major Investments in WordPress

In the last two years, 10up, a web design and development agency, has contributed to WordPress in significant ways, from sponsoring Helen Hou-Sandi to work full-time on WordPress core to sponsoring Drew Jaynes to lead the WordPress 4.2 development cycle. In a post published on the company’s blog, 10up announced it will continue to invest in WordPress and other open source projects it works with on a daily basis.

According to the announcement, 10up is sponsoring Jaynes to work on WordPress full-time. The company has also created a Platform Engineer position and although it’s not hiring to fill the role, the company has left the title open-ended as it continues to support and build web platforms such as sanitize.css and Varying Vagrant Vagrants.

Sponsoring Scott Kingsley Clark to Work on the Fields API Project

In a major show of support, 10up is sponsoring 100 hours of Scott Kingsley Clark’s company time to work on the Fields API Project. Announced in May, the Fields API Project is an offshoot of the Metadata API project. The Fields API would allow developers to register fields and sections for WordPress objects. According to Clark, the goal is to initially cover the following WordPress objects:

  • Customizer (retrofitting it beneath the existing Customizer API)
  • User profile screen
  • Post editor
  • Settings screens (retrofitting it beneath the existing Settings API)
  • And other areas in the future (Comment editor, Network Settings screens [see #15691], Media modals, etc)

10up believes that supporting the Fields API Project will help move it into a viable state to potentially be added to WordPress in the near future. “As a company with a central mission of creating great publishing experiences, the user and developer experiences a fields API can improve are something we are particularly well-versed in,” Hou-Sandi said.

Hou-Sandi goes on to explain that the web is built on open technologies that are usually maintained by small groups of people who rely on donations.

The balance between use and support of open source software leans heavily toward use, and that imbalance has become even more apparent. Even with increased awareness around the plight of projects integral to a safe web, initiatives like OpenSSL continue to operate on small donations and the volunteer efforts of a few. It takes time to convert pledges into action, and we’ve yet to see very many pledges at all, much less action.

The following quote written by Jake Goldman, Founder and President of 10up, explains why reinvesting in open source projects is so important not only for his company’s customers, but the WordPress userbase in general.

I’ve said repeatedly that nothing is more critical to the success of agencies that rely on community, open source software platforms than the continued success of those platforms. It is incumbent upon those who have leveraged free, open platforms with success to share that success back.

By economically enabling world-class engineers to improve open platforms, we not only ensure that our customers continue to have a first class solution, we enable the next generation of builders, who can’t yet afford such resources, to further grow our ecosystem and the platform’s demand. I believe this is the social contract of open source, and as 10up grows, so too will our contributions to open source. It’s not just responsible citizenship, it’s good business.

It makes sense for companies whose businesses rely on open source software to find ways to reinvest time, energy, and money back into those projects lest they disappear. That’s precisely what 10up is doing along with a few other companies. Let me know in the comments if and how your company is contributing back to open source software.

by Jeff Chandler at October 06, 2015 09:09 PM under opensource

Matt: Scratch & Sniff Whiskey

Whether you’re curious for yourself or looking for a great gift for a scotch-loving friend, The Essential Scratch & Sniff Guide to Becoming a Whiskey Know-It-All from my friends Richard Betts, Crystal English Sacca, and Wendy MacNaughton is a must-buy. I have read this book myself and it smelled great.

by Matt at October 06, 2015 08:04 PM under Asides

WPTavern: You Can Now Search for and Install Plugins From Within Jetpack Manage

At the end of 2014, Jetpack 3.3 introduced a centralized dashboard that enables users to manage Jetpack powered sites. At the time, you could only do the following:

  • Plugin management: Turn plugins on or off with one click — per site or in bulk.
  • Initiate plugin updates: Update plugins for a single site or all sites in bulk.
  • Automatic updates: Turn on auto-updates for any plugin on a per-site basis or in bulk.

Now you can browse and install plugins from the WordPress plugin directory on sites you own that use Jetpack with the Manage module activated. Visit https://wordpress.com/plugins/browse and choose the site you want to manage. Look for the Configure area on the sidebar and click the Add button to open the plugin browser.

Plugin Browser in WordPress 4.3; Jetpack Plugin Browser

When the plugin directory launched a redesign earlier this year, a common complaint from readers was that the ability to see new plugins added to the directory was removed. Unlike the plugin browser in WordPress, the browser on WordPress.com displays new plugins.

Both browsers display similar information in the detailed view with the exception that the WordPress.com browser doesn’t show a list of contributors. Enej Bajgorić, a member of the Jetpack development team, explains how to quickly install a plugin to a Jetpack site when browsing the WordPress plugin directory:

If you find yourself browsing the WordPress.org plugin repository and want to install the plugin on your Jetpack site, you can just replace the .org in the URL with .com and be taken to the new Plugin Browser where you can install the plugin with a single click. You will need to be logged into your WordPress.com account for this to work.

A plugin browser to search for and install plugins is another feature that makes Jetpack Manage a free, decent alternative to commercial services for managing multiple sites. If you manage multiple sites with Jetpack Manage, let us know what you think and what key features you’d like to see added.

by Jeff Chandler at October 06, 2015 06:29 PM under Plugins

October 05, 2015

Matt: Interview in French

If you speak French, you might enjoy this interview with me on Journal Du Net.

by Matt at October 05, 2015 11:07 PM under Asides

WPTavern: Tom Nowell on How Automattic Keeps Workers Healthy and Happy

This post was contributed by Tom J Nowell. Tom is a VIP Wrangler at WordPress.com VIP, lead of the WP The Right Way project, blogger, and community moderator at WordPress Stack Exchange. Tom will be speaking at WordCamp New York later this month on escaping and security.

This is a story about my job as a VIP Wrangler, what Automattic does to keep Automatticians happy, and my battles with anxiety, depression, and fear.

Joining the VIP Team

Almost a year ago, I worked for Code For The People, a six person development agency that was in acquisition talks with Automattic. I remember at the beginning of the week, we thought an acquisition could happen before Christmas and by the following Friday, we were signing new employment contracts, and booking tickets to Lisbon for the VIP team meet up!

I remember being the first to arrive, surrounded by people from the VIP team I’ve never met in person. We went out for dinner, learned how to do deploys, visited aquariums, gardens, and then went home.

The Happiness Rotation

After the meet up, I spent two months finishing contracts and started my Happiness Rotation. A happiness rotation is three weeks of working on the WordPress.com support team to get in touch with the problems end users are facing. Every Automattician has to go through a happiness rotation as part of their trial.

Working the happiness rotation was hard. When I say this, I don’t mean it was an insurmountable task. I had a full-time Happiness Engineer available 24/7 to ask any question I wanted, a week of walkthroughs, supervised working, mountains of documentation, pre-written examples, and slack channels with friendly supportive people. I knew what to do, how to do it, and I’ve done it before.

VIP Training

Despite this, I struggled, and VIP training began. Work at VIP fits into several sub roles that developers cycle through and training consists of a week in each role mentored by an experienced VIP Wrangler. Afterwards, we continue the cycle as full VIP Wranglers. Throughout the entire process, I had a general mentor for any and all things Automattic, be it mystery acronyms, or how to book a holiday.

At this point, I realized my job had grown in scope and felt insurmountable. I didn’t know what was going on and there was still much to learn. Combined with a torrent of new notifications, p2s, and emails, I felt lost. GitHub scaled from two to three emails per day to hundreds, P2 posts filled my other inbox, people asked difficult questions, and the sheer amount of activity at Automattic was overwhelming.

Dealing With Adversity

In the last few years, I viewed Automattic as my career end goal and suddenly I was there, years ahead of schedule. Not just that, I was struggling. I couldn’t grasp what was going on and I felt paralyzed in the face of work. I grappled with the thought that I was bad at my job, didn’t belong there, and that I wouldn’t last the next six months. I had this feeling that at any time, they were going to pull me into a call and say it isn’t working out.

A number of questions ran through my head. What would people think if they saw I left after the acquisition? Everyone’s treating it as a promotion and congratulating me. Maybe I’m not ready? I was handed a theme to review and struggling to read basic lines of code, mulling it over in my mind, why can’t I do this?

Sometimes I had the wrong window open and was reviewing my code but was so preoccupied, I didn’t realize it. Today, it takes me four days to review 6,000 lines of code in a theme but at the time, it took me two weeks to move through 1,000 lines.

The Catch Up Calls

It’s at this point that I was introduced to the bi-weekly catch up call. The team leads would chat with each person individually every two weeks to find out how they were, what they were doing, and what they’d like to do the following week. It was a chance to flag any problems and plan ahead.

I experienced nothing like this at CFTP or at any of my previous jobs and combined with the stalling work on the review, I panicked. My first catch up call was awkward and didn’t last long. My second catch up call didn’t go so well. I was at WordCamp Norway preparing to give a talk on WP The Right Way. I sat in a quiet room and received a call on a Skype from my team lead.

I felt as though I was put on the spot having to justify what I’d been doing the last two weeks, and trying to figure out how to spin weeks of panicking in front of a computer into a tale of bountiful code reviewing, pleasant Norwegian winters, and a smile.

Recovering From the Breakdown

Instead, I closed my machine and burst into tears. A few minutes later I opened my machine, apologized, and tried to explain what had happened. I was told they didn’t care how much work I was doing as long as I was learning and happy. A colleague picked up the review I was working on and noted that I was thorough with the parts I reviewed.

My team lead, Steph, checked up on me every two to three days for the next two weeks to make sure I was okay and tried to find what kind of work I took to best. I spent time on deploys, then moved on to a long rotation doing code review so that I could focus on particular tasks and build my confidence.

While this was happening, another colleague asked if I was okay as he thought I was down. He introduced me to an internal slack channel called Bluehackers where other Automatticians who struggled could share their experiences. Seeing other people talk candidly about their problems made me recognize a lot of things I hadn’t considered, the most important being that I wasn’t alone.

I’m Not Alone

I wasn’t the only one who struggled some days and failed to get anything done. I wasn’t the only one who panicked when faced with new or even familiar tasks. Everyone at VIP was friendly and supportive, not because they knew of my situation, but because they are nice people. One time, my technical lead sent me three family sized pies because we had a slack discussion on pudding.

Sometimes I don’t get anything done. Sometimes I struggle to do things I normally do effortlessly. Sometimes I turn off the video in calls because I’m still in bed. It’s 3PM and I can’t bring myself to get up, changed, and eat. There are so many projects I want to do. I have the knowledge, I have the resources, the support, the time, but they don’t get done, and it’s a struggle to explain why. Sometimes it’s things I know that need doing, like buying food or paying bills.

Confirmation Things are Working Out

A few months later I was in Seville at WordCamp Europe. Initially, I wasn’t going to go but decided I would regret it if I didn’t. I threw some clothes in a suitcase and purchased a flight. Large groups of people are scary, but I’ve found WordCamps tend to have familiar friendly faces mixed in. I can’t stress how big a boost it is to be able to see and make friends from event to event, yet still meet new people.

Before I left, I found myself with my former boss and now colleague. He asked how I was getting along at Automattic. He asked me this before, and I said, “It was rough at the start but I think I’m there now.” He told me that everyone else at the company thought well of me and that I was fitting in well. It might have been a simple statement but it meant a lot to me.

A Bout of Impostor Syndrome

I had real moments when I went to sleep thinking I was going to lose my job, that I might not be cut out to be a developer, and that I didn’t deserve the things I had. But throughout the entire process, my team leads and my colleagues tried to support me. They placed my well-being first and they proactively asked if I was ok when they suspected something was wrong, and sought to put real solutions in place where they could.

They found other people with similar problems and tried to give me the ability to express what was happening, sharing their own problems coping, and what they were doing to keep on top of them. They gave praise and listened to good ideas, asked for help when they needed it, and they understood. Right now, I’m ok, but things have a habit of creeping up unnoticed, triggered by unexpected things.

I get anxious about food at WordCamps if I don’t know what’s being served, I’m uncomfortable in social situations, and at times I have problems gathering the energy to do day-to-day things, but I’m lucky. I have a good job, a nice family, a comfortable apartment, and interesting work. My problems are mild and I know others have it worse. Most people are going to pretend everything’s ok but everyone needs a little help.

Suggestions for Employers and Struggling Employees

Automattic has things in place to make sure Automatticians lead healthy mental lives. We have an unlimited holiday allowance, a small expense budget to make traveling easier (e.g. a pot of tea at an airport or a massage), team meet ups, sabbaticals, and many others. Matt Mullenweg doesn’t want Automatticians to struggle, we work hard and it takes its toll. Often, we forget that we have to take care of our emotional and mental needs and give ourselves time.

Consider creating your own internal Bluehackers group and give people avenues to express themselves when they need to. Make sure they’re happy, and that you care about their well-being more than their quality of work and output as reassurance goes a long way. Some companies have gone as far as setting minimum holiday allowances to force employees to spend time on themselves.

If you’re dealing with problems like these, talk about it. Talk to a GP/Doctor, a friend, family, whatever works for you. Talking is hard, but it’s necessary. If someone opens up to you, listen. Don’t try to offer solutions, don’t compare and contrast, don’t try to offer sympathy, don’t expect it to be sorted out in a month’s time. Simply listen as that person chose to tell you, so give them space and respect.

If you suspect someone is down, ask them if they’re ok and if you notice they bounce back, tell them, and tell them you’re glad! Highlight interesting things that happen, help them when they make a mistake, ask them when you make one yourself. But remember, sometimes all someone needs is a hug and a cup of tea to know that things are ok. Give them space, don’t ask for explanations, and let them know you’re there if you need them.

by Jeff Chandler at October 05, 2015 05:11 PM under vip

October 04, 2015

Post Status: How WordPress core development happens — Draft podcast

Welcome to the Post Status Draft podcast, which you can find on iTunes and via RSS for your favorite podcatcher. Brian and his guest co-host, Brad Williams discuss some of today’s hottest, current WordPress news.

This week Brian and Brad talk about how to get involved in WordPress core, what to expect when you do, how to navigate the waters of core development. They also discuss term meta, its use cases, how it works, and why it’s a great feature for WordPress 4.4.

Brad is guest hosting this week, as Joe is out. He’s the co-founder of WebDevStudios, a co-organizer for WordCamp US, and wrote Professional WordPress Design & Development  (my go-to book on WordPress development). You can follow Brad on Twitter @williamsba.




WordPress core development process:

Term meta:

by Katie Richards at October 04, 2015 12:55 AM under Everyone

October 03, 2015

WPTavern: WP101 Founded by Shawn Hesketh Turns 7 Years Old

Earlier this week, WordPress video training site WP101, founded by Shawn Hesketh, turned seven years old. Since launching in 2008, Hesketh’s videos have been viewed more than a million times by over 500k people. He’s also re-recorded the videos that make up the WP101 series 17 times. With seven years of experience under his belt, I asked Hesketh what he would have done differently in the beginning.

“From a technical standpoint, I wish I’d picked a solid membership plugin that would have enabled us to grow. We’re planning a costly migration in the coming months, and a better membership plugin might have saved us the considerable hassle and cost,” Hesketh told the Tavern.

Technical issues aside, Hesketh believes his business’ success is largely due to his focus on serving people, “It’s one thing to create an online course and hope people discover it. But it takes much more dedication to actually engage people on a daily basis, take the time to understand their goals, and then help them get clear on how to accomplish those goals,” he said.

Hesketh doesn’t have any regrets but wishes he launched the question and answer forum on the first day. “It’s given me the opportunity to answer questions that may not be covered in our videos. That’s the real value that WP101 brings to the table, real people helping others,” he said.

WP101 launched around the same time as a lot of commercial theme shops such as iThemes, StudioPress, and WooThemes. Although WP101 doesn’t sell commercial themes or plugins, Hesketh has carved out a space in the WordPress ecosystem that enables him to make a living. If you use WP101 or have in the past, I’d love to hear what you think of his videos in the comments.

by Jeff Chandler at October 03, 2015 01:33 AM under wp101

October 02, 2015

WPTavern: The Top 100 Active WordPress Themes and Plugins on GoDaddy’s Hosting Network

It was a warm, sunny afternoon in Tempe, AZ as I walked with a group of GoDaddy employees on our way to lunch during Pressnomics 3 earlier this year. It’s the first time I met Mendel Kurland, Christopher Carfi, and Kurt Payne in person. During lunch, we discussed a number of topics from the efforts made to change the company’s image, to ideas that help the WordPress community.

I suggested to the team that GoDaddy create a billboard chart that shows the most popular themes and plugins used across its network. Not only would the information be beneficial to the company, it would also give the WordPress community valuable insight into what plugins and themes are used on a webhosting network with millions of customers.

Nine months after our discussion, GoDaddy turned the idea into reality with the Hot 100.

Top 100 Plugins and Themes of The Week

GoDaddy tracks which themes and plugins are activated across the millions of sites it hosts and puts the 100 most popular of each into a list. The list is generated each week and places the previous week of results into an archive allowing you to monitor trends.

Similar to the Billboard Hot 100, you can see the current rank of a plugin or theme, whether it’s moved up or down, and what its rank was the previous week. With an influential list like the Hot 100, it would be easy to accept paid listings. Carfi confirms it’s not possible to purchase placement.

How the Lists Are Generated

The Hot 100 is determined by ranking the net change in the number of active installs of WordPress plugins and themes in aggregate across GoDaddy’s hosting network. It looks at plugins and themes that are active at the time of the analysis and does not include plugins or themes that are deactivated.

Instead of using the total number of active installs, the Hot 100 looks at the week-over-week change in active installs. This enables the list to determine which plugins and themes are hot or part of a rising trend. It also prevents bias towards plugins that already have a large install base such as Jetpack.

Interestingly, themes on the list that are non-GPL are specifically noted and link to the Hot 100 instead of their corresponding theme page. In a post published to the Advanced WordPress Facebook group, Jeff King, Senior Vice President of Hosting at GoDaddy explains why.

One great recommendation and valuable bit of feedback we received is that, since the community embraces GPL, we should reflect that ethos in the Hot 100 list. While some non-GPL themes or plugins may occasionally show up in the list due to the fact that some non-GPL items still exist in the ecosystem, we don’t necessarily need to link to them. As of next week, we’ll be removing links to non-GPL themes and plugins.

The Hot 100 Is a Valuable Resource

Although WordPress.org provides stats for plugin and theme authors, you can’t determine where they’re being used. The GoDaddy Hot 100 gives the public and developers of popular plugins and themes an opportunity to see how well they’re doing on one of the largest webhosts in the industry. While Jetpack and Akismet are the two most active plugins and seven default themes make up the top 10 themes, it’s the 25th-100th rankings that I find interesting.

For example, Hello Dolly which ships with WordPress and is activated by default after installation is ranked 27th this week. Last week, it ranked 38th meaning a lot of new installs of WordPress have taken place. This indicates that even though a lot of customers disable the plugin at some point after installation, it remains active on many sites hosted by GoDaddy.

One of the largest jumps I’ve seen so far is the Image Widget plugin by Modern Tribe. It was ranked 95th last week and 31st this week. It would be interesting to know why a lot of new WordPress installs are activating this plugin on GoDaddy hosted sites this week versus last week.

The Hot 100 is a valuable resource and I encourage you to see if your favorite plugins and themes made the list. Although it’s specific to GoDaddy, do you think the data is valuable? Would you like to see other large webhosting companies provide a glimpse into the most active WordPress themes and plugins used across their network?

by Jeff Chandler at October 02, 2015 06:51 PM under trends

WPTavern: Jetpack 3.7.2 Patches Two Security Vulnerabilities

Jetpack 3.7.2 is available for download and patches two security vulnerabilities. The first is a cross-site scripting vulnerability in the contact form due to improper input sanitization that affects Jetpack 3.7.0 and below. Marc-Alexandre Montpas of Sucuri is credited with responsibly disclosing the vulnerability.

The second is an information disclosure vulnerability present in certain hosting configurations, responsibly disclosed by Jaime Delgado Horna of Listae. In addition to patching the vulnerabilities, 3.7.2 also fixes an error with the REST API that creates multiple drafts and published posts. Other notable fixes include:

  • Updating the Google+ logo in our sharing buttons.
  • Adding custom capabilities for module management for multisite installs.
  • Fixing a bug that was sending the contact form response fields in the wrong order.

Montpas has additional information on the cross-site scripting vulnerability discovered in Jetpack on the Sucuri blog, including a timeline of events. Please update to Jetpack 3.7.2 as soon as possible to protect your sites.

by Jeff Chandler at October 02, 2015 04:12 PM under xss

October 01, 2015

WPTavern: WPWeekly Episode 208 – A Nod to the King

In this episode of WordPress Weekly, Marcus Couch and I discuss the death of Alex King who was a pillar of the WordPress project. King passed away a few days ago from colon cancer. We share stories of meeting and discussing WordPress topics with King and describe his many contributions to WordPress. King will be dearly missed by the WordPress community.

During the second half of the show, we discuss upcoming changes in WordPress 4.4, the lessons I learned moderating comments on WP Tavern, and WordCampus renaming to WPCampus.

Stories Discussed:

Alex King, Founder of Crowd Favorite Passes Away
Alex King’s Final Request
WP Super Cache 1.4.5 Patches XSS Vulnerability
Lessons I Learned Moderating Comments in WordPress
WordCampus Renames Event to WPCampus
WordPress 4.4 to Possibly Rearrange Fields to the Comment Form
WordPress 4.4 Removes the View Post and Get Shortlink Buttons From the Post Editor

Plugins Picked By Marcus:

Contact Form 7 Customizer allows you to alter items like spacing and button size of the contact form using the customizer.

View Admin As lets you simulate what a site looks like from a user with a specific role or capability.

Grayscale Images converts images to gray-scale and displays the colored image when hovered over.

WPWeekly Meta:

Next Episode: Wednesday, October 7th 9:30 P.M. Eastern

by Jeff Chandler at October 01, 2015 09:25 AM under wpcampus

WPTavern: 6 WordPress Plugins That Take Native Comments to the Next Level

Last week, I shared the lessons I learned and the drawbacks to moderating comments in WordPress. In this post, I highlight six plugins that solve a problem I encountered or enhance comments for both readers and site administrators. All of the plugins are free of charge and available from the WordPress plugin directory.

Problem Solvers

Crowd Control

I discovered that not all comments need to be moderated. Crowd Control, by Postmatic, gives readers the ability to report comments they feel don’t adhere to a site’s commenting policy.

When enabled, a new option is displayed on the General – Discussion settings page. You can configure how many reports a comment needs before it’s sent to the moderation queue and whether administrators should be notified when it happens.

Crowd Control Settings

If an administrator approves a comment that’s in moderation due to hitting the threshold, it won’t end up back in the moderation queue. This gives administrators the last word on whether a comment is acceptable or not.

Crowd Control in Action

If you think a comment needs an administrator’s attention or does not adhere to the WP Tavern commenting policy, hover over the comment and click the report button. A new column is added to edit-comments.php that displays how many reports a comment has. It’s important to note that detailed information of who reported the comment is not saved to the database.

Reported Comments Column

The system is open for abuse but I trust that the Tavern readership will use it responsibly.

Show Parent Comment

Comments that are pending moderation in the WordPress backend that are in response to another comment are hard to moderate. Show Parent Comment, developed by Stephen Cronin, adds a Show More dropdown to the edit-comments.php screen that allows administrators to see the text of the comment that a person is responding to.

I’ve used this plugin for more than two weeks and I enjoy the user interface. It looks and acts as if it’s a natural part of WordPress. Chris Christoff created a ticket in Trac with the suggestion that a user interface element like the one in Cronin’s plugin be added to core. If you have feedback on the best way to accomplish this, please add it to the ticket.

Enhancements to Native Comments


Epoch is a plugin developed by Postmatic and a few other contributors that enhances WordPress’ comment system. Unlike services such as Disqus or Livefyre that replace the comment system, Epoch adds features to WordPress’ native comments. This allows you to keep comments within your database at all times without relying on a third-party.

Epoch applies a series of visual enhancements to the comment form. Replies from the post author are a different color from regular responses and the date and time the comment is written is displayed at the top. Epoch also uses Ajax to send and receive comments which eliminates the need to refresh the page.

Epoch has a front end moderation capability that allows site administrators to approve, trash, or spam comments. Unlike the native comment form, Epoch doesn’t load the comments unless the browser reaches a certain point on a post or is accessed via a direct link.

In most instances, the comment form loads quickly but on certain mobile devices, the lack of speed is noticeable. The team is aware of the performance issues and is attacking the problem with a three stage approach.

Epoch relies on JavaScript to function so if a visitor browsing your site has JavaScript disabled, the comments don’t load. Again, the team is aware of this issue and is creating a fallback to WordPress’ native comment system if the files can’t be retrieved from its CDN or JavaScript is disabled.

Basic Comment Quicktags

In WordPress 4.3, the allowed HTML tags text displayed near the comment form was removed. The tags were removed because they’re not relevant and confusing to most users. While I agree that the text is not relevant, I think the comment form should have basic text formatting buttons so readers don’t have to remember and manually type HTML tags.

Basic Comment Quicktags in Action

Once Basic Comment Quicktags is installed, navigate to Settings – Discussion and check the box to enable them for comments. When enabled, the comment text area will have Bold, Italic, Link and Quote buttons. The best part of this plugin is that it exposes a built-in core feature using the Quicktags API added to WordPress 3.3. Text formatting buttons in the comment area is a courtesy I’d like more site owners to give to readers.

Simple Comment Editing

Simple Comment Editing, developed by Ronald Huereca, adds the ability for readers to edit their comments in a limited time frame. By default, readers have five minutes to edit their comment once it’s submitted. Although no configuration is necessary, you can alter the time and behavior of the plugin by using actions and filters. I’ve changed the time limit to 15 minutes on the Tavern to make sure readers have plenty of time to make edits.

Simple Comment Editing Countdown Timer

With Simple Comment Editing installed, the amount of contact form submissions and requests to edit a comment have gone down considerably.


Postmatic is a plugin that ties into a service and has a number of features. Readers can subscribe to posts or to comments and receive updates via email. Postmatic has a beautiful email template that shows the most recent reply, the commenter’s Gravatar, and a recap of the post and conversation.

Postmatic Comment Email Template

Readers can respond to comments via email without having to visit the comment form. Site administrators can reply, trash, or submit comments to Akismet via email. It’s important to note that Postmatic is not a third-party commenting service. Instead, it uses the native comment system in WordPress allowing you to keep and own your data at all times.

While I moderate comments from the WordPress mobile app or the WordPress backend, Postmatic is a great fallback. I also think the email template looks great and offers a better user experience than the comment notification emails provided by WordPress. Postmatic does a lot more than what I describe above but for the purpose of this article, I focused on the comment portion of the service.

Postmatic is a new addition to the Tavern that I encourage you to try. After trying it out, please tell me about your experience. I especially want to know if it’s easier to keep track of and take part in conversations.

Notifications That a Comment in Moderation is Approved

One of the problems I’ve yet to solve is being addressed by a number of WordPress contributors in ticket 33717. If all goes well, it’s possible this feature will be added to WordPress 4.4. Once added, readers whose comments end up in the moderation queue will automatically be notified by WordPress when it’s approved.

It’s Not Perfect but It’s an Improvement

Even with all the features these plugins provide, I don’t think the comment system in WordPress or the form on WP Tavern is perfect. I’m not sure if perfection of either can be achieved. However, I think both are improvements over the previous iterations. If there’s a plugin you use to improve WordPress’ native comments or its moderation system, let me know about it in the comments.

by Jeff Chandler at October 01, 2015 08:28 AM under simple comment editing

September 29, 2015

Donncha: The Web Won’t Forget Alex King

If you use a WordPress site, either as a visitor or owner, you’re using code that Alex King, one of the original developers of WordPress, worked on.

He passed away after fighting cancer for 2 years but his online presence lives on in the form of his blog with its deep archive of posts going back years, and in so much code that it’s humbling to look at his projects page. Looking through the svn log of WordPress trunk shows he still had a hand in helping the WordPress project until relatively recently:

trunk$ svn log|grep alexkingorg
props alexkingorg for the initial, long-suffering patch.
props alexkingorg. fixes #24162.
Props alexkingorg
`wp.media` instead of just `media`. props alexkingorg, see #22676.
Add $post_ID context to the pre_ping filter. props alexkingorg, devesine. fixes #18506.
Add filter so the users can select custom image sizes added by themes and plugins, props alexkingorg, fixes #18520
esc_textarea() and application for obvious textarea escaping. props alexkingorg. fixes #15454
Escape links by default. Props alexkingorg. see #13051
Safely include class-json.php, class-simplepie.php and class-snoopy.php, props alexkingorg, fixes #11827
Fix user creation from admin after changes for #10751. Fixes #10811 props alexkingorg.
Hooks needed to allow alternate category admin inteface. Props alexkingorg. fixes #3408
Wrap cat name in CDATA. props alexkingorg. fixes #3252

I’m sorry I never met Alex, however I remember working virtually with him and Adam Tow on AllThingsD which seems like a lifetime away now. Adam has a great article on Alex on his blog, as does Matt who went into detail about Alex’s involvement with WordPress going back to the days of b2. I had completely forgotten the CSS competition he mentioned!

Alex, your legacy lives on.

by Donncha at September 29, 2015 08:44 PM under Alex King

WPTavern: WordPress 4.4 Removes the View Post and Get Shortlink Buttons From the Post Editor

In WordPress 4.4, the View Post button in the post editor is disappearing in favor of a clickable permalink. Four years ago, Scribu, who is a former WordPress contributor, created ticket #18306. In the ticket, Scribu explains that the View Post button is redundant functionality and suggests that it be removed in favor of a clickable permalink.

Here are two screenshots of the post editor. The first is WordPress 4.3 and the second is WordPress 4.4. Clicking the permalink allows you to preview the post in its current state. Notice the slug part of the URL is in bold. You need to click the Edit button to edit the permalink.

WordPress 4.3 Post Editor
WordPress 4.4 Post Editor

Not only does this change remove redundant functionality, it removes a UI element from the page. Enhancements like these are a huge win for WordPress because it makes the interface simpler without permanently removing the button’s purpose.

In addition to the View Post button, the Get Shortlink button is also removed. The button shows up if you’re using a custom shortlink and can be re-enabled using code or a plugin. For most users, the Edit button is the only one they’ll see between the post title and content box.

I expect some users will be frustrated as they go through the process of changing their workflow but overall, I think it’s a great improvement. What do you think?

If you’re using the WordPress beta testing plugin by Peter Westwood, I encourage you to set it to bleeding edge nightlies and update your site. You’ll be able to test this change and others during the WordPress 4.4 development cycle.

by Jeff Chandler at September 29, 2015 07:22 PM under wordpress 4.4

Matt: Remembering Alex King

Alex speaking at WordCamp SF 2009

One of the original WordPress developers, Alex King, has passed from cancer at far too young an age. Alex actually got involved with b2 in 2002 and was active in the forums and the “hacks” community there.

Alex had a background as a designer before he learned development, and I think that really came through as he was one of those rare people who thought about the design and usability of his code, the opposite of most development that drifts toward entropy and complexity. One of my favorite things about Alex was how darn tasteful he was. He would think about every aspect of something he built, every place someone could click, every path they could go down, and gave a thoughtfulness to these paths that I still admire and envy today.

As an example look at his project page (essentially a category archive) for the Post Formats Admin UI, isn’t that clever and intuitive how the posts connect together, and when more time passes in the thread it’s shown as a break. It’s classic Alex: something simple and thoughtful that in hindsight is so gobsmackingly obvious you wonder why everything doesn’t work that way, but you never would have imagined it beforehand. And Alex wouldn’t just imagine it and do it for himself, he released his best work as open source, as a gift to the community and the world, over and over and over again.

Back when WordPress was getting started Alex was a celebrity of the b2 world, his hacks (plugins before plugins) were some of the coolest ones around. We had a ton of overlapping interests in web standards, photography, development, and gadgets so we frequently read and commented on each other’s blogs. I would never miss a post on his site, and that’s back when we were both doing one or more posts a day. To get a sense of Alex it’s worth exploring his blog — he was a clear thinker and therefore a clear writer. The straightforward nature Alex wrote with was something I always admired about him.

We discussed WordPress early on, Alex signed up to help with what later became the plugin directory, and his CSS competition (look at those prizes! and notice it’s all GPL) was hugely influential on the path to themes, and he officially became a contributing developer in August of 2003.

The list of what Alex was one of the first to do in the WordPress community is long, and in hindsight seems gobsmackingly obvious, which is the sign of innovation. I smile when I think of how he moved from the Bay area to Denver before it was cool, or his love of scare quotes. Once there was something going on in WordPress and he called me to talk about it, I was so surprised, he said the number was right on my contact page (and it was) but even though it had been there for years no one had ever called it before, but that was just the type of person Alex was, always reaching out and connecting.

Adam Tow, myself, Barry Abrahamson, Alex King; Photo from Adam Tow’s post.

I’m not sure how to include this next part: I couldn’t write last night — I was too tired. After falling asleep I had one of those super vivid dreams that you can’t tell are dreams. There had been some sort of mix-up on Twitter and Alex was still alive, I visited Colorado with my sister and saw him surrounded by family at a picnic table, all the rooms were taken so they put me on a floor mattress where I slept. Tons of his friends were around and we took pictures together, he was excited about the better front camera on the 6s+. (Alex understood mobile all the way back to the Treo days.) It was all very ordinary and in a group setting, until we decided to walk alongside a small highway, past some grain silos, to meet the group at a bar. The walk was just the two of us and we talked and laughed about the big mix-up and he asked about this post, what was going to be in it. He got most excited and emphatic with the part about him being a developer with great taste, and a clear writer William Zinsser would be proud of, so I like to think that those were two things he was proud of. The overwhelming emotion I remember was joy. Waking up was disconcerting, part of me wants to believe part of Alex’s spirit was there, where another more logical part thinks my mind was just going through the denial stage of grief. Regardless I know that Alex will stay in the minds of people who knew him for many years to come.

Code that Alex wrote still runs billions of times a day across millions of websites, and long after that code evolves or gets refactored the ideas and philosophy he embedded in WordPress will continue to be part of who we are. Alex believed so deeply in open source, and was one of the few people from a design background who did. (Every time you see the share icon on the web or in Android you should think of him.) I like the idea that part of his work will continue in software for decades to come, but I’d rather have him here, thinking outside the box and challenging us to do better, to be more obvious, and work harder for our users. He never gave up.

by Matt at September 29, 2015 05:57 PM under Asides

WPTavern: Alex King, Founder of Crowd Favorite Passes Away

Alex King with his daughter Caitlin

Alex King, founder of web development agency Crowd Favorite and author of several WordPress themes and plugins, passed away last night at his home. In January 2013, King was diagnosed with stage four colon cancer. He used his blog to tell the story of his fight to stay alive.

On August 24th, King finished the first cycle of a new clinical trial that he says went well.

I’m nearly through my first cycle of the new clinical trial and overall I think it’s gone pretty well. I was able to get the 6 pills/day (3 in the morning, 3 in the evening) without too much concern. That said, by the end of the 5 days taking the pills I would basically sleep for the day.

On the same day, he published what would be his final request to the WordPress community. King requested that anyone with memories of him and his career submit them to his wife.

One of the things my wife and I are trying to do is put together some information about my career that will hopefully give my 6 year-old daughter a better sense of who I was as an adult. She knows me as “dad”, but when she gets older she’ll be curious about who I was to my peers and colleagues.

If you have any memories of King, please honor his request and submit them to his wife.

Outpouring of Support

As the news of King’s death spread throughout the community, many shared grief on Twitter while others reflected on his accomplishments in WordPress.

In addition to Twitter, many published their thoughts and memories of King on their site.

King’s Impact on WordPress Early On

King is one of a handful of people who witnessed the transition from b2 to WordPress. He’s one of the earliest WordPress developers and is largely credited with motivating developers to build themes using the template engine in WordPress 1.5.

Alex King wrote a CSS Style Switcher hack, which came with three CSS stylesheets. Not everyone who had a WordPress blog wanted to create their own stylesheet, and many didn’t know how. Users needed a pool of stylesheets to choose from. To grow the number of stylesheets available, Alex ran a WordPress CSS Style competition. Prizes, donated by members of the community, were offered for the top three stylesheets; $70, $35, and $10 respectively. – WordPress History Book

In the first contest, King received 38 submissions with Pink Lillies by Naoko Takano winning first place.

Pink Lillies Wins First Design Contest

Each stylesheet submitted to the contest was available to the public. In essence, King’s website was an early version of the WordPress theme directory. In the second contest, he received over 100 submissions. In total, King hosted 138 themes on his site. He decided not to host the competition again in 2006 due to the sheer amount of work required.


King appeared on several different WordPress podcasts and spoke at a number of WordCamps. Here are links to a few of them.

My Memorable Experience With Alex King

The last time I spoke to King in person was at WordCamp San Francisco 2013. A group of us rode together in a party limo complete with blinking lights inside. I sat across from him and asked a few questions related to his health. I also asked him about the early days of WordPress. King was a soft-spoken man who at times was hard to hear but it turned out to be a great and memorable conversation.

The WordPress community has lost an inspirational person and a pillar of the WordPress project. My deepest condolences go out to his friends and family. King is survived by his wife Heather and his daughter Caitlin.

by Jeff Chandler at September 29, 2015 02:42 AM under crowd favorite

September 28, 2015

Post Status: Rest in peace, Alex King

The prototypical WordPress developer and blogger, Alex King was a tremendously influential member of the WordPress ecosystem.

He was one of a very small group of people involved during the transition of b2 to WordPress. He helped to create the website that would become the first WordPress.com VIP client. He started the first WordPress-centric consulting agency. He was fundamental to the development and direction of dozens of WordPress features. He even created a small icon that would go on to become the ubiquitous “share icon”.

Alex was a selfless contributor, a driven entrepreneur, and a friend to many. He was also a husband to Heather and a father to Caitlin.

In addition to web work, Alex loved golf and photography. His blog is an outstanding example of the art, where he logged his story, his passions, and his challenges. I could not possibly tell his story better than he himself can.

Following are more valuable links to help remember Alex:

Today is a sad day for the WordPress community, and Alex King will be missed. May he rest in peace.

by Brian Krogsgard at September 28, 2015 08:29 PM under Everyone

September 27, 2015

WPTavern: WordPress 4.4 to Possibly Rearrange Fields to the Comment Form

WordPress plugin and theme developers need to take note of an important change in WordPress 4.4 that rearranges the comment form. In WordPress 4.4, the comment form is arranged so that the text area is displayed first followed by the name, email, and website fields.

Comment Text Area is First

According to Aaron Jorbin, WordPress core developer, the change improves navigation when using the keyboard to toggle through fields. It also makes it easier for users to leave comments.

Since the change requires filters and actions to run in a different order, the HTML output by comment_form will be different. Jorbin explains that if developers use any of the hooks inside comment_form, especially comment_form_field_comment and comment_form_after_fields, developers should test their themes and plugins using WordPress 4.4 nightlies.

If you run into any problems or inconsistencies, please report them to ticket #29974. What do you think of the change? Do you think readers want to write their comment first instead of filling out the other three fields?

by Jeff Chandler at September 27, 2015 07:02 PM under wordpress 4.4

WPTavern: WordCampus Renames Event to WPCampus

When WordCampus was announced, some of our readers expressed concern that the event’s name is too similar to WordCamp US and would cause confusion.

There was also concern that without being officially sanctioned by WordCamp Central, the event would infringe the WordCamp trademark that is owned and protected by the WordPress Foundation. To alleviate these concerns, the organizing group changed the name from WordCampus to WPCampus.

Rachel Carden, one of the event’s primary organizers, says the team had a backup plan from day one, “While most of the community agreed that the name WordCampus was spot on, the possibility of changing our name was proposed from day one as WordCampus was being confused with WordCamp US,” Carden said.

“As much as we love WordCampus, we didn’t want it to get in the way of what we hope to achieve, so the topic was passionately discussed at a planning meeting. The entire community cast their votes for a new name and WPCampus was selected as the clear winner,” Carden told the Tavern.

More than 250 people have expressed interest in WPCampus. If you’re interested in speaking, sponsoring, or attending the event, please fill out the survey.

by Jeff Chandler at September 27, 2015 05:25 PM under wpcampus

September 26, 2015

Matt: Cars should be Open Source

“The reality is that more and more decisions, including decisions about life and death, are being made by software,” Thomas Dullien, a well-known security researcher and reverse engineer who goes by the Twitter handle Halvar Flake, said in an email. “But for the vast majority of software you interact with, you are not allowed to examine how it functions,” he said.

The Times has a great look at hacker and car manufacturer mishaps and makes the case over and over again for Open Source. It’s great to see more of the world waking up to the importance of open source.

by Matt at September 26, 2015 06:18 PM under Asides

September 25, 2015

WPTavern: Freenode to Purge Inactive Nicks, Channels, and Accounts on October 2nd

photo credit: 13Moya 十三磨牙 - cc

Freenode, the IRC network responsible for hosting communication servers for WordPress and many other open source projects, will be performing maintenance on or around October 2nd. Freenode will remove expired nicks, channels, and accounts.

Although a lot of people have switched to SlackHQ from IRC to communicate in real-time, the WordPress support channel with hundreds of users still exists on Freenode with no plans to move it to Slack.

If you have a registered account on Freenode and have not identified with the service in 120 days or more, you must authenticate your account before October 2nd. You can do this by connecting to Freenode and using the /msg nickserv identify command, then enter your password.

If you’ve forgotten your password, use the /msg nickserv sendpass command to recover lost passwords. Alternatively, use the /msg nickserv help sendpass command to receive help recovering your password.

It’s especially important for users who have registered channels on Freenode to authenticate or else the username and channels associated with it will be removed.

by Jeff Chandler at September 25, 2015 06:57 PM under irc

Donncha: WP Super Cache 1.4.5

WP Super Cache is a fast caching plugin for WordPress. It will help your site run faster and serve more traffic.

This is a security and bugfix release.

  • Some servers display a directory index when no index.html is found in a directory. That may reveal the filenames of cache files.
  • There were issues in the settings page that might allow an attacker to browse or delete files named index.html.
  • PHP Object Injection could occur if an attacker managed to inject malicious code into the legacy cache meta files.

When you upgrade, your “legacy cache” files for logged in users will be deleted. This may have an impact on your site:

  • If your site is slow at generating new pages.
  • If you have many known users (logged in users or people who comment).

Your site will suddenly have to generate new cache files for all visiting known users.

Relying on caching like this is not recommended for these types of users as it’s very inefficient. Each user has a separate cache file that must be checked whenever the plugin does administration work like cleaning up stale cache files.

If most of your traffic is anonymous users who don’t comment you don’t need to worry about this.

Directory Listings

If a server is configured to show directory listings it will show files and directories in the cache directory to visitors who access those directories directly through their browser. This might reveal private posts, and in the case where legacy caching is enabled for known users the login cookie was stored in “.meta” files that could be downloaded.


Files named “index.html” were added to the main cache directories to stop remote users viewing the contents of the cache directories. Unfortunately it’s not possible to add empty index.html files to the supercache directories because those files could be served by accident to legitimate visitors of the site. However, the plugin will also add a directive that disables directory listings to the file cache/.htaccess. You can now also change the location of the cache directory on the Advanced Settings page of the plugin. If you can’t disable directory indexing on your server and you have private posts you should change this location and use PHP mode to serve cache files.


If a directory index is found in the cache directory it will show a warning like this to administrators:

[Image: index.html warnings]

Clicking the logout link will log everyone out, except the user who clicks it, but it guarantees that the login cookies are updated, just in case someone has copied the cookie from an old meta file.

Directory Traversal and File Deletion

User input in the settings page wasn’t properly sanitised. The code that sanitised directory paths when deleting cache files wasn’t secure and might allow an attacker to view or delete files named index.html. Deletes are protected by a nonce, however, which limits the useful lifetime of the URL.

PHP Object Injection

The plugin used serialize and unserialize to store data in “legacy cache” meta files. This might be used to perform a PHP object injection attack. Serialised data is now stored as JSON data.

The format of legacy cached files has changed. The files in the meta directory no longer have a .meta extension. They are .php files now and each file has a “die()” command to stop anyone loading them.
The data stored in those files is now stored as JSON serialised data. The login cookie is an MD5 hash now as well.
When you upgrade the plugin your existing legacy cache files will be deleted and regenerated as visitors use your site.

Apart from those security fixes there have been a number of enhancements and bugfixes:

  • Disabling the plugin no longer deletes the configuration file. Uninstalling will do that however.
  • Enhancement: Only preload public post types. Props webaware.
  • It’s now possible to deactivate the plugin without visiting the settings page.
  • Fixed the cache rebuild system. Rebuild files were deleted immediately but now survive up to 10 seconds longer than the request that generated them.
  • Minor optimisations: prune_super_cache() exits immediately if the file doesn’t exist.
  • The output of wp_cache_get_cookies_values() is now cached per visit.
  • Added PHP pid to the debug log to aid debugging.
  • Various small bug fixes.
  • Fixed reset of expiry time and GC settings when updating advanced settings.
  • Removed CacheMeta class to avoid APC errors. It’s not used any more.
  • Fixed reset of advanced settings when using “easy” settings page.

This release wouldn’t be possible without the help of Brandon Kraft, Dane Odekirk, Ben Bidner, Jouko Pynnönen and Scrutinizer. Thank you all!

by Donncha at September 25, 2015 05:19 PM under wp-super-cache
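
The change described in the post above, from unserialize() to JSON in the legacy cache meta files, shown as an added PHP example that is not part of the original post or the plugin's code. The DemoGadget class, the guard string, the function names and the uri/headers fields are assumptions made for illustration.

```php
<?php
// Added illustration, not WP Super Cache code. All names and fields are assumptions.

// Stand-in for any class loaded on the site that defines a magic method.
class DemoGadget {
    public static $fired = 0;
    public $path = '';
    public function __wakeup() { self::$fired++; } // invoked by unserialize()
}

// Assumed guard line: a direct HTTP request for the file runs die() first.
const GUARD = "<?php die(); ?>\n";

// Legacy style: unserialize() rebuilds whatever object the file contents name.
function read_meta_legacy(string $raw) {
    return unserialize($raw);
}

// New style: require the guard, decode JSON into arrays and scalars only,
// then check the shape before trusting any field.
function read_meta_json(string $raw): ?array {
    if (strncmp($raw, GUARD, strlen(GUARD)) !== 0) {
        return null; // not a file this code wrote
    }
    $meta = json_decode(substr($raw, strlen(GUARD)), true, 8);
    if (!is_array($meta) || !isset($meta['uri'], $meta['headers'])
        || !is_string($meta['uri']) || !is_array($meta['headers'])) {
        return null; // malformed or tampered: treat as a cache miss
    }
    return $meta;
}

function write_meta_json(array $meta): string {
    return GUARD . json_encode($meta);
}

// Constructed contents standing in for a meta file that has been modified.
$tampered = 'O:10:"DemoGadget":1:{s:4:"path";s:10:"index.html";}';

$obj = read_meta_legacy($tampered);
printf("legacy: got %s, magic method ran %d time(s)\n", get_class($obj), DemoGadget::$fired);

$before = DemoGadget::$fired;
var_dump(read_meta_json($tampered));         // case: guard line missing
var_dump(read_meta_json(GUARD . $tampered)); // case: guard present, body is not JSON
printf("json: magic method ran %d more time(s)\n", DemoGadget::$fired - $before);

$good = write_meta_json(['uri' => 'example.com/hello/', 'headers' => ['Content-Type: text/html']]);
var_dump(read_meta_json($good)['uri']);      // case: round trip of a well-formed file
```

json_decode() can only produce arrays, strings, numbers, booleans and null, so no class on the site is instantiated while a meta file is read, whatever the file contains.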

WPTavern: Lessons I Learned Moderating Comments in WordPress

In the past 4-5 weeks, I’ve moderated every comment submitted to WP Tavern. Not only was it an experiment to see what would happen but a new way for me to use WordPress. The experiment introduced me to several drawbacks in WordPress’ comment moderation system.

Lack of Context

Comments that are pending moderation in the WordPress backend that are in response to another comment are hard to moderate. Take the following screenshot for example. This comment is in response to a comment submitted by Norcross. Unless I open Norcross’ comment in a new browser tab or window, I have no idea what the context of the conversation is. Pending notifications in the WordPress mobile app also don’t show text from the parent comment.

WordPress 4.3 Comment Content Area

I propose that WordPress core adds the text from parent comments to replies in the backend so I know what people are responding to. This also helps when replying to comments from the backend as I’ll know the context of the conversation.

Lack of Notifications That a Comment in Moderation is Approved

WordPress does not send an email notification when a comment is approved from moderation. However, there are a lot of people working to add this feature to WordPress 4.4.

A Whitelisting System for Anonymous Comments

The biggest drawback to comment moderation is that not every comment needs to be moderated. A whitelisting system can lessen the burden of having to moderate each comment.

WordPress provides the ability to blacklist comments. You can also configure a set of parameters to determine when a comment goes into the moderation queue, such as the number of links, content within the comment, and if the comment author has a previously approved comment. None of these configurations are useful if WordPress is configured to send every comment to moderation.

WP Tavern does not have open registration and allows comments from anonymous people. This makes whitelisting difficult since the IP address, name, URL, and email address of a commenter can easily change or be imitated. The whitelisting component of WordPress becomes more useful if you can tie it to a registered user account.

I’m unsure if WordPress can improve this area of the moderation system or if it’s an assumed risk administrators take when accepting anonymous comments.

A Major Time Suck

Moderating every comment is a pain and sucks up time that can be spent doing something else. During my vacation last week, I continued to moderate comments from the WordPress mobile app because if I didn’t, the conversation stopped. I’ve concluded that by accepting anonymous comments, there needs to be a way for the audience to help moderate instead of doing it on my own.

In a future post, I’m going to list a few WordPress plugins I’ve discovered that take the commenting system to the next level. Many of the plugins solve one or most of the problems listed above.

by Jeff Chandler at September 25, 2015 03:52 PM under moderation

WPTavern: WP Super Cache 1.4.5 Patches XSS Vulnerability

If you use WP Super Cache, you should immediately update to version 1.4.5 as it patches an XSS vulnerability in the settings page. This version also prevents PHP object injections. In addition to security patches, 1.4.5 contains a number of bug fixes. Make sure to update your sites as soon as possible to patch the vulnerability. You can find more details on this release on Donncha Ó Caoimh’s website.

by Jeff Chandler at September 25, 2015 02:37 PM under xss

Post Status: All about the WordPress REST API and its current state — Draft podcast

Welcome to the Post Status Draft podcast, which you can find on iTunes and via RSS for your favorite podcatcher. Brian and his co-host, Joe Hoyle, a co-founder and the CTO of Human Made, discuss some of today’s hottest, current WordPress news.

This week, Joe and Brian go into depth discussing all aspects of the WordPress REST API, and the state of the API today.

With the recent merge proposal, there is a good chance it will be included in WordPress core via a two stage process in the WordPress 4.4 and 4.5 releases. The first release would be the core infrastructure and the second release would include the endpoints. This is our longest podcast, but we go in depth on one of WordPress’s most anticipated features in years.



  • Brief overview: what is the REST API?
  • Why is the REST API important, and why are people excited about it?
  • REST API proposal
  • Reviews from the core team
  • New REST API core component
  • Trac Ticket
  • Comparisons to Drupal’s REST API
  • Customizer roadmap in regards to the API
  • Authentication and future REST API projects


by Brian Krogsgard at September 25, 2015 05:21 AM under Developers

WordPress Planet

This is an aggregation of blogs talking about WordPress from around the world. If you think your blog should be part of this send an email to Matt.


Last updated:

October 09, 2015 05:30 PM
All times are UTC.