WordPress.org

In this episode, John James Jacoby and I are joined by Scott Bolinger. Bolinger recently attended a Content and Commerce Summit where WordPress and WooCommerce were not mentioned. Bolinger shared the perspective he gained from an attending the event and speaking with a friend who uses Shopify.

We discuss what happened to WordPress’ ease of use, which user segment the project is developed for, and how can it provide an end-to-end user experience that’s on par with SaaS offerings like SquareSpace or Wix. We also talk about the challenges associated with setting up a WordPress site after the installation process. Last but not least, we discuss why some people are not recommending WordPress to friends or family anymore.

Stories Discussed:

DonateWC Reaches Fundraising Goal
WordCamp for Publishers Videos Now Available on YouTube
Apply Filters Podcast to be Retired after 83 Episodes
Facebook to Re-license React after Backlash from Open Source Community
WordPress Explores a JavaScript Framework-Agnostic Approach to Building Gutenberg Blocks
SI CAPTCHA Anti-Spam Plugin Permanently Removed from WordPress.org Due to Spam Code

Picks of the Week:

Otto shares tips and advice on selling plugins.

Metroid: Samus Returns and Nintendo 3DS.

Mindful Communication in Code Reviews by Amy Ciavolino.

WPWeekly Meta:

Next Episode: Wednesday, October 4th 3:00 P.M. Eastern

Subscribe To WPWeekly Via Itunes: Click here to subscribe

Subscribe To WPWeekly Via RSS: Click here to subscribe

Subscribe To WPWeekly Via Stitcher Radio: Click here to subscribe

Listen To Episode #289:

WordPress.com now supports seamless integration between Google Photos and the WordPress media library. Users can connect their Google accounts to have access to their photos when inserting an image.

Google Photos has gained popularity due to its automatic tagless organization and free, unlimited backup for photos and videos up to 16MP and 1080p HD. In May 2017, the service reported 500 million monthly users backing up more than 1.2 billion photos and videos per day.

When inserting pictures on WordPress.com, users can also take advantage of Google’s smart image searching capabilities. The service is fairly good at recognizing what is in your images and where they were taken, even if you haven’t specifically categorized them or added descriptions.

The new Google Photos integration is also available for Jetpack-enabled sites when posting via the WordPress.com interface. (It is not available in wp-admin of self-hosted sites.) Unfortunately, this experience is still rather buggy. After adding photos, WordPress.com didn’t seem to be able to save drafts and it was also unable to display the most recent photos from the past week.

Users should also note that when you authenticate with Google Photos, it will open access to the photos from every single site that you have connected to that particular WordPress.com account. This access is, however, is limited to the specific user who connected. Multiple users on a site will each need to authenticate separately and can connect their own Google accounts. The users do not have access to each other’s photos. It’s also easy to revoke access at wordpress.com/sharing.

The new Google Photos feature has been very well received by WordPress.com users, as it saves them the trouble of downloading images from the service and then uploading to their media libraries. It’s not quite as convenient for Jetpack-enabled sites, because it adds additional steps to the publishing process.

“Excellent feature, but will it be available directly from self-hosted sites without using WordPress.com?” one user asked. “This cuts out so many steps in our publishing workflow, but then adds several more if we then need to login to WordPress.com to do this. Our admin setup is complex, so switching to editing here isn’t an option. I have multiple contributors who write directly and this would be a game changer if they could directly upload their images from their account.”

A WordPress.com representative confirmed that there are currently no plans to support a standalone version in Jetpack. They are, however, looking at supporting other services, such as Flickr, in the future.

The following is a guest post by Brad Williams who shares his experience at Camp Press this past weekend. Brad is the Co-Founder and CEO of the website design and development agency WebDevStudios.

He is also a co-author of the Professional WordPress book series. Brad is a US Marine Corps veteran and has been developing websites for over 20 years, including the last 10 where he has focused on open-source technologies like WordPress.

I’ve been to a number of WordCamps and tech-related events over the years. They all follow a similar pattern of speakers, panels, sponsors, after-parties, etc. We’ve all been to these types of events and generally know what to expect; so when Mendel Kurland pitched the idea of Camp Press to me as ‘geeks camping,’ I was intrigued.

I went to Camp Press with no idea of what to expect. I honestly have never felt less prepared for an event as I did for this one. I like to plan. So, going to an event where I wasn’t 100% sure how it would work had me feeling nervous. What I soon realized is that I liked being pushed out of my ‘safety bubble.’

The Camp Press location was absolutely amazing and truly helped make the event special. We stayed at a large summer camp style setup, about an hour outside of Oklahoma City called Fry Lake. If you aren’t familiar with Oklahoma, just imagine driving an hour from a large city to the middle of nowhere. Perfect.

Fry Lake had cabins, shower and bathroom facilities, an amazing swimming lake with diving boards, and a full cafeteria kitchen. We were literally back at the type of summer camp we experienced as kids, and we immediately knew it.

As we learned more about each other, we quickly became more comfortable as a group. We shared stories, laughed, cooked, and debated topics from tech to TV shows. We discussed very personal struggles and experiences, some of which I would guess haven’t been shared outside of close family. We sang songs around the campfire, performed late-night improv, made s’mores, and enjoyed each other’s company.

Even more amazing is that nothing was scripted. There was no agenda, set activities, presentations. It was just natural interaction. Over the course of a few days, we all grew closer to each other. There was an unspoken bond forming between everyone at Camp Press.

I didn’t know what to expect going to Camp Press. What I promptly learned is that was the entire point of the event—doing the unexpected, pushing yourself outside of your comfort zone, making new friends, having fun and serious conversations, and doing all of this without the normal technology that is always around us.

When is the last time you had a detox from digital life? My detox was last weekend, and I can’t wait to do it again!

For more insight into Camp Press and to get Mendel’s perspective, check out the event’s official blog post.

On September 30 2017, the WordPress Polyglots Team – whose mission is to translate WordPress into as many languages as possible – will hold its third Global WordPress Translation Day, a 24-hour, round-the-clock, digital and physical global marathon dedicated to the localisation and internationalisation of the WordPress platform and ecosystem, a structure that powers, today, over 28% of all existing websites.

The localisation process allows for WordPress and for all WordPress-related products (themes and plugins) to be available in local languages, so to improve their accessibility and usage and to allow as many people as possible to take advantage of the free platform and services available.

In a (not completely) serendipitous coincidence, September 30 has also been declared by the United Nations “International Translation Day”, to pay homage to the great services of translators everywhere, one that allows communication and exchange.

The event will feature a series of multi-language live speeches (training sessions, tutorials, case histories, etc.) that will be screen-casted in streaming, starting from Australia and the Far East and ending in the Western parts of the United States.

In that same 24-hour time frame, Polyglots worldwide will gather physically in local events, for dedicated training and translations sprints (and for some fun and socializing as well), while those unable to physically join their teams will do so remotely.

A big, fun, useful and enlightening party and a lovely mix of growing, giving, learning and teaching, to empower, and cultivate, and shine.

Here are some stats about the first two events:

Global WordPress Translation Day 1

•   448 translators worldwide
•   50 local events worldwide
•   54 locales involved
•   40350 strings translated, in
•   597 projects

Global WordPress Translation Day 2

•   780 translators worldwide
•   67 local events worldwide
•   133 locales involved
•   60426 strings translated, in
•   590 projects

We would like your help in spreading this news and in reaching out to all four corners of the world to make the third #WPTranslationDay a truly amazing one and to help celebrate the unique and fundamental role that translators have in the Community but also in all aspects of life.

A full press release is available, along with more information and visual assets at wptranslationday.org/press.

For any additional information please don’t hesitate to contact the event team on press@wptranslationday.org.

I grew up in a suburb to Stockholm, where me and my brothers would wrestle over who was allowed to use our first PC. I think it was a pre-owned old beaten Compaq Deskpro 386. We only stopped arguing once we could sit down together and play Civ; one of us at the controls, the others giving advice on what moves to make.

Dipping Into The Web

I learnt HTML and built my first pages on Geocities and out of necessity: I needed a place to publish my angsty teenage poetry. But people didn’t come to my website for the bad poetry, instead they filled my guestbook with webdesign and HTML questions.

I have built websites for myself and others since the mid 90’s and kept a few clients on the side while studying. At this time, there was not a lot of computer or programming classes available for high school students. It had been easy enough to learn HTML online by reading guides, message boards and similar. During one of my final semesters, my school announced a new class called “Computers for girls”. I signed up hoping to learn enough to assemble or upgrade my own PC. The class was a joke. Instead of teaching us about motherboards, memory or networks, our teacher showed us where to put the cords…

He didn’t realise that most of us already spent every recess in the computer halls, chatting over IRC. In order to learn the basics of actual programming (not just HTML), I had to take adult education evening- and summer classes since my school didn’t offer any.

Derailed

After high school I did like many others of my generation: I fell in love with someone I had only met online, who lived on the other side of the world. All to the soundtrack of Savage Garden’s “I Knew I Loved You”.

It took all my savings and courage to travel back and forward between Sweden and the US, while studying from a distance.

When my boyfriend suddenly passed away in 2001 I had to make drastic changes in my life.

I was in the middle of moving, I couldn’t keep up with deadlines or deal with clients, and I was barely able to finish my project managing and programming classes. I had to forget all our plans, start over, and take a desk job instead.

Coming Back To The Web

Many years later one of my former clients asked if I had tried WordPress. It took me a few months to decide if I liked it or not, partially because I didn’t know PHP, and because I didn’t have great experiences from trying Joomla and Drupal.

I did some customization work and eventually I submitted my first theme to WordPress.org. Of course my theme was a mess and did not even work as expected.

But I appreciated that someone took the time to look at my code and explain what I needed to do to fix it and where I could read more. It was very rare to receive such feedback.

I joined the Theme Review Team’s mailing list, listening in and learning. I started reviewing themes to learn more and to improve my own themes.

For those who do not know what the Theme Review Team does, we test and review the code (every single file) of themes that are submitted to be included in the WordPress.org theme directory.

My Secret Power

Because I am on the autism spectrum, the structure and patterns of coding languages suits me well. I need both structure and a creative outlet in my life, and coding is therapy, much like a puzzle or a coloring book. I love my once dreaded desk job, because it gives me the opportunity to help people on a different scale than I ever could as a freelancer. Being a volunteer on WordPress.org lets me combine both worlds.

I could never have imagined that WordPress would become an important part of my life, that I would spend this much time on it (sometimes up to 20 hours per week), or that I would be asked to be one of the team leads for the Theme Review Team in 2017.

Today I honestly don’t know what I would do if I could no longer contribute to WordPress the way I know and am familiar with. It is an essential part of my everyday life.

WordPress is also challenging because you can only do so much without interacting with others… And even though I find that difficult, I have had to learn that it is something I need as well.

I have to remind myself from time to time that here, I am allowed to be myself, with all my flaws, to contribute as much or as little as I choose, at my own pace.

And to be able to contribute and to help others, I also have to remind myself that people are not scary.

And Then WordCamp

I was a volunteer online for 6 years before I had the courage to go to my first WordCamp, which took place in my own home town. When I was finally there, I only spoke to 3 or 4 people. My second WordCamp went better, but the experience was still overwhelming.

During my third WordCamp, which was WCEU 2017, I helped lead the Theme Review section of the contributor day, having to speak in front of 500 people.

The thing is, even when it overwhelms you, this community and its energy is addicting.

Everything changes once you go to your first meetup or WordCamp, meeting people who share your interest and passion. The community at large is open and welcoming, passionate, curious and caring. And it is trying to be a safe place for us all.

The Theme Review Team

There always seem to be a lot of opinions and even controversy surrounding the Theme Review Team. It is not always easy to handle the pressure and the amount of responsibility that is placed on you because so many people have a financial interest in WordPress themes. As a team lead or moderator, you often have to try to find the least bad solution to many different kind of situations.

By the end of September, it is time for the current team leads to step back and welcome our next leads. I am looking forward to the break, but also to see what new ideas they will bring.
It takes time to change a system that has been in place for this many years, and truthfully, sometimes it is painfully slow. It has proven difficult to find a system where themes without errors can be added to the directory quickly, and where reviewers can support authors who need extra help.

This amazing team of volunteers has managed to reduce the queue time from 7 months down to 8-10 weeks. We still hope to be able to reduce it further, possibly by automating parts of the code review.

Finally, the Theme Review Team is open to everyone and always looking for new volunteers.

The post Challenge Gladly Accepted appeared first on HeroPress.

WordPress’ #core-js Slack channel hosted a lively and productive meeting this morning led by Andrew Duthie. The discussion focused less on specific framework comparisons and more on the role a framework will play in building JavaScript-powered interfaces for WordPress. Contributors were joined by core developers and leaders from the React and Vue communities, Chrome engineers, and other interested parties from outside the WordPress community.

“This chat will focus largely on identifying requirements in building core features, overlap with plugin and theme authors, and patterns to reducing framework lock-in,” Duthie said. “Ideally this is higher-level than simply debating the merits of specific frameworks in a vacuum, and should be seen as an opportunity to collaborate between projects to set a path forward for WordPress which will provide flexibility and resiliency to future churn.”

Duthie began by asking what role a framework should play in a WordPress developer’s workflow and also asked framework contributors to offer their perspectives on recommendations for extendable interfaces. This question provided attendees with the opportunity to weigh in on topics such as support for web components, framework-agnostic block interoperability for Gutenberg, and how this might affect WordPress’ plugin ecosystem.

“I disagree a bit with the idea that whatever core (in this case Gutenberg) uses to power some of the intricacies of building a stateful app is going to be the de facto standard for plugin development,” Gutenberg engineer Matías Ventura said. “The actual framework here, in general terms, is going to be what WordPress exposes and the APIs.”

With a framework-agnostic approach to building Gutenblocks, the library that core decides to build on doesn’t have to become the de facto standard for plugin developers but many outside the Gutenberg team believe that it will inevitably end up that way in practice. There are entire teams of engineers waiting on this decision that are committed to adopt whichever framework WordPress bets on.

“To provide some perspective on how WP’s decision on a framework impacts developers downstream, I’m a developer at Boston University and our plan is to focus on whichever framework WP decides upon, even if Gutenberg has a completely agnostic API,” Adam Pieniazek said. “We’re primarily a WP shop (~ 1,000 site WP install powers most/a lot of our public web presence) and end up creating huge customizations on top of WP that often require diving into core to see what is actually happening in the background. I like Vue more than React personally, but if WP decides upon React, BU will focus on building expertise in React for when we need to peek/debug beyond the API. It doesn’t mean we won’t also use Vue but it won’t be our primary focus.”

Pieniazek feedback echoes that of Gravity Forms co-founder Carl Hancock, who said his team is ready to adopt whatever library WordPress selects.

“People are going to end up adopting whatever core uses for the most part despite the rainbows and butterflies some are claiming as it relates to creating an abstraction layer so plugin/theme developers can use whatever they want,” Hancock said in the #core-js channel earlier this week.

Many participants from outside the WordPress community seemed to be in agreement with a framework-agnostic approach and none were eager to force a single framework on all developers working with WordPress. The remaining concern is how this works out practically and whether it puts developers in the confusing position of using a framework on top of a framework.

“Since Gutenberg itself is going to become a platform to build for, the best level of separation is if the framework is used to build the core, but isn’t exposed as API to block builders,” AMP engineer Paul Bakaus said. “This gives one the choice to replace the underlying foundation whenever necessary.”

Gutenberg engineer Riad Benguella summarized the approach the team has been discussing:

I think what we try to communicate is something like:

– WordPress Core is going to use this X framework internally
– If you want to use it, we think it’s good
– If you want to use something else, you can just as easily as you’d use the Core’s chosen framework

Benguella also said that one of the goals for Gutenberg is “to set the basis for how we extend WordPress’ UI in the future.” Once it ships, the team will likely set its sights on other parts of the wp-admin and build them in the same way.

“If all parts of WP’s UI can be extended via a standard interface, whether it be a simple ‘data down, events up’ API, or expecting a WC, I think this would cleanly separate the concerns of ‘what framework to use for core’ vs. ‘what framework to use for extension development,'” Vue.js creator Evan You said.

When asked for his thoughts on on React becoming a primary framework for WordPress, React maintainer Dan Abromov was hesitant to advocate for WordPress adopting the library. His response underscored the necessity of having a framework-agnostic approach for extending Gutenberg and future WP interface overhauls.

“I don’t really know WordPress well, so it’s hard for me to say whether it’s a great fit for the use case or not,” Abramov said. “Generally we use React for highly interactive UIs and find that it scales well with the app size. I’m also happy to answer technical questions about it. But I think in general people have strong opinions about, for example, templating vs expressiveness, and I don’t feel like forcing React upon everyone is the best way.”

“I also feel the same way,” Evan You said. “Forcing a single framework on everyone, regardless of which one, is IMO not a good idea because it is bound to alienate the group of devs who are not into that framework, and imposes a bigger long term stability risk.”

Abramov also said that people are already “very bitter and divisive” about the subject of selecting a framework. He also tweeted a similar sentiment prior to the meeting.

When I read discussion threads (e.g. about WordPress) there’s a sense that people perceive every team as hostile to others. That’s false.

— Dan Abramov (@dan_abramov) September 26, 2017

Think of it like tending a garden. You’re welcome to hang out at ours. Other gardens are great too

— Dan Abramov (@dan_abramov) September 26, 2017

“I believe it’s important (and technically feasible) to separate ‘which framework to use for core’ and ‘which framework community devs use for extensions,'” Evan You said.

“Yes, I think there’s a goal here to be unopinionated for what we’re exposing to plugin authors, so long as the APIs/interfaces we do expose are sufficiently flexible (and easy) to build the UIs and interactions they need to implement,” Andrew Duthie said.

The topic of supporting web components interoperability for Gutenblocks was also part of the discussion during the meeting.

“While less powerful than most of the actual frameworks at this point, they are likely to become a W3C standard, ensuring that they will stick around and evolve,” Felix Arntz said. “Plus once browser support is fully there, there’s less functionality to implement by an actual framework built on top.”

Polymer.js representative Justin Fagnani said he disagreed that they are “less powerful” and noted that web components already are a W3C standard.

“I think WP is also uniquely positioned to help drive forward support for web components natively everywhere,” EventEspresso core dev Darren Ethier said. “Pretty much all the frameworks have the ability to work with the web component spec now. It’s just a matter of proper implementation.”

Several participants referenced custom-elements-everywhere.com, a site that displays popular JS frameworks’ progress on communicating Custom Elements in a way that promotes interoperability. Matías Ventura asked React and Vue core devs how web components (and their future) fit into each framework at the moment.

“In React, we have some web component support but haven’t made it a large priority since use cases have seemed slim in the past, especially since adding Web Components hasn’t made a lot of sense in a first-party application where you control the whole stack – but we do have some support for them nonetheless and I’m happy to entertain adding more, either now or in the future,” Sophie Alpert said.

“On the high level I think frameworks like React/Vue provide what is not really addressed in web components: efficient and declarative DOM updates reacting to state changes,” Evan You said. “This is also why Polymer exists on top of WC. I have always acknowledged the value of WC as an interop interface.”

Overall, attendees at the meeting were respectful, collaborative, and eager to contribute their expertise to help WordPress contributors find the best way forward in the framework selection process. The discussion will continue at next week’s meeting and likely in the comments of a forthcoming Make/Core post summarizing the meeting.

The SI CAPTCHA Anti-Spam plugin has been removed from the WordPress Directory due to its author including spam code. The plugin added a CAPTCHA image test to WordPress forms to prevent spam and was compatible with forms generated by bbPress, BuddyPress, Jetpack, and WooCommerce. It had more than 300,000 active installs at the time of removal.

Mike Challis, the original author of the plugin, said that a WordPress.org user named “fastsecure” became the new owner of SI CAPTCHA Anti-Spam in June 2017. Challis was not aware of the new owner’s plans for the plugin but posted a notice on the WordPress.org support forums to inform users about why it was removed.

“The new owner attempted to put code in several of his newly acquired WordPress plugins that would connect to a 3rd party server he also owned and place spam ads for payday loans and such in the WP posts,” Challis said. He also linked the incident to a ring of WordPress plugins that researchers at Wordfence say were part of a coordinated spam campaign. Display Widgets, one of the most notable plugins in this group, was recently permanently removed from WordPress.org for a series of violations wherein the author had injected malicious code.

Challis said the new owner failed to display any spam on sites due to how the code was implemented, but the code could have been activated at a later time:

The new owner put spam code in versions 3.0.1 and 3.0.2 but it failed to display any spam because he put the code in the secureimage.php file. The malicious code required WordPress libraries to also be loaded to execute. The reason the spam code did not do anything at all is because the secureimage.php file is not included in the WordPress run time environment. The secureimage.php file is included from another file securimage_show.php that loads the captcha image directly from html img src outside of the WordPress run time. The spam code in this plugin was never activated, it would not have corrupted your posts or changed anything in the WordPress database.

SI CAPTCHA Anti-Spam users who still have the plugin installed may see an update available in the WordPress admin. Plugin team member Samuel (Otto) Wood removed the malicious code and released 3.0.3 as a clean version that is a safe update for users who still rely on the plugin. Wood recommends users find an alternative, because SI CAPTCHA Anti-Spam will not be re-listed in the directory or receive any future updates.

The incident is another reminder for users to be on alert when WordPress.org plugins change hands, as the buyers do not always disclose their actual intentions for the plugin. Users in search of an alternative to SI CAPTCHA Anti-Spam will find many alternative options on WordPress.org. AntiSpam by CleanTalk, Simple Google reCAPTCHA, and CAPTCHA Code are a few examples that may work as replacements, depending on what other plugins you need the anti-spam capabilities to support.

Facebook has announced its intentions to re-license React, Jest, Flow, and Immutable.js under the MIT license. React community members began rallying around a petition to re-license React after the Apache Software Foundation (ASF) added Facebook’s BSD+Patents license to its Category X list of disallowed licenses for Apache PMC members. Facebook’s engineering directors officially denied the request in mid-August, citing the burden of meritless patent litigation as the reason for keeping the patents clause.

Facebook moved forward on this decision in full recognition that it might lose some React community members as a consequence. Many open source project maintainers began to look for alternatives. In a surprising move, Matt Mullenweg announced that WordPress would also be parting ways with React and planned to remove it from the upcoming Gutenberg editor.

Mullenweg’s decision to drop React from consideration for WordPress was likely an influential factor in Facebook’s eventual about-face on the topic of re-licensing the project. Facebook’s announcement on Friday acknowledges that the company failed to convince the open source community of the benefits of its BSD + Patents license:

We’re relicensing these projects because React is the foundation of a broad ecosystem of open source software for the web, and we don’t want to hold back forward progress for nontechnical reasons.

This decision comes after several weeks of disappointment and uncertainty for our community. Although we still believe our BSD + Patents license provides some benefits to users of our projects, we acknowledge that we failed to decisively convince this community.

The React 16 release, slated for this week, will ship with the updated MIT license. Facebook declined to respond to our request for further comment and said their post is the only public statement they will be providing.

It’s not yet clear whether WordPress will continue on with React, picking up where the team left off on Gutenberg, or shift to another library. Core contributors had originally decided on React while attending WordPress’ community summit in Paris last June, although this decision had not yet been made public when the greater open source community started petitioning Facebook to re-license React.

“I’m just so tired of this drama,” Gutenberg engineer Riad Benguella said. “We spent days and days thinking about the best framework for WP, and this change will just add more thinking, complexity, and uncertainty to our decision. I’m just tired of all this…we all have to rethink everything.”

Mullenweg, who had previously penned a several-thousand word unpublished announcement about how WordPress would be adopting React, did not confirm whether WordPress is still examining other libraries.

“Our decision to move away from React, based on their previous stance, has sparked a lot of interesting discussions in the WordPress world,” Mullenweg said in a post published to his blog this weekend. “Particularly with Gutenberg there may be an approach that allows developers to write Gutenberg blocks (Gutenblocks) in the library of their choice including Preact, Polymer, or Vue, and now React could be an officially-supported option as well.”

The regularly scheduled core JavaScript meeting is set for Tuesday, September 26 at 15:00 GMT and contributors plan to discuss the role a JS framework will play in current and future core focuses. The time has been changed to be two hours later than originally planned in an effort to accommodate more contributors across various timezones.

I am surprised and excited to see the news that Facebook is going to drop the patent clause that I wrote about last week. They’ve announced that with React 16 the license will just be regular MIT with no patent addition. I applaud Facebook for making this move, and I hope that patent clause use is re-examined across all their open source projects.

Our decision to move away from React, based on their previous stance, has sparked a lot of interesting discussions in the WordPress world. Particularly with Gutenberg there may be an approach that allows developers to write Gutenberg blocks (Gutenblocks) in the library of their choice including Preact, Polymer, or Vue, and now React could be an officially-supported option as well.

I want to say thank you to everyone who participated in the discussion thus far, I really appreciate it. The vigorous debate and discussion in the comments here and on Hacker News and Reddit was great for the passion people brought and the opportunity to learn about so many different points of view; it was even better that Facebook was listening.

Scott Bolinger, a product developer focused on the WordPress space who has created several products, including AppPresser and Holler Box, recently attended Content and Commerce Summit 2017.

This conference focuses on what’s working in eCommerce, digital media, information publishing, and subscription commerce. According to Bolinger, WordPress and WooCommerce were not topics of discussion.

“It really opened my eyes going to an event where no one even said the word WordPress once,” Bolinger said. “The audience at this conference was non-technical, mostly marketers selling stuff online. I watched a presentation where the presenter had slides with 20+ different recommended tools on them, and not a single mention of WordPress.

“This is an eCommerce conference, WooCommerce is 41% of all eCommerce stores, and not a single person said the word WooCommerce. All I heard about was Shopify and Amazon.”

According to SimilarTech, WooCommerce is leading in the top 100K sites, top 1M sites, and the entire web while Shopify is leading in the top 10K sites. While Shopify has a lot less market share, it’s used on substantially higher trafficked sites.

Bolinger shared the perspective of a friend who uses Shopify to sell clothing and will gross more than $1M in revenue this year. According to his friend, Shopify is easy to use, from setting up a theme, to the plugin/app ecosystem to add functionality.

“When my friend said Shopify is easy to use, this is a whole different category of great user experience,” Bolinger said. “This is building a site from scratch for a completely non-technical user, and them loving the end result and the experience.”

Bolinger raised an interesting point in that, Wix, Shopify, and SquareSpace are closed, SaaS offerings where they can control the user experience from end-to-end. This is impossible to do with WordPress because there are too many moving parts and core can not control how plugins and themes take part in that experience.

While WordPress core can’t necessarily solve the problem, it hasn’t stopped webhosts from trying. GoDaddy,  Bluehost, and others have created onboarding solutions that try to control the end-to-end user experience.

Bolinger shared a sentiment that many in the WordPress community have advocated in recent years. “If we’re honest, the strength of WordPress is not that it’s easy to use for non-technical people. It’s an open-source platform that is easy for developers to extend and customize for clients.”

• WordPress is Not Easy
• WordPress is not easy – and that’s OK
• Is WordPress As Easy As We Think?

There was a time, somewhere between WordPress 2.3 and WordPress 3.5, where one of the main reasons people used WordPress was because it was easy. Between then and now, what caused WordPress to lose its ease-of-use factor?

SquareSpace, Wix, and Shopify didn’t exist in the early days of WordPress, they were late to market. This gave them the advantage of implementing all the lessons learned through WordPress’ lifespan and since it’s a closed system, they can iterate rapidly.

The biggest reality check that Bolinger shares is that there are a lot of people WordPress simply doesn’t cater too.

“There is a large contingent of people who just want to get stuff done, they don’t want to fuss with the tech”, He said. “They don’t care about open source or owning their data. They don’t want to install a theme and setup their widgets, or search thousands of results to find the best SEO plugin.

“They don’t want to set up ‘managed hosting’, an SSL certificate, or a payment gateway. They just want to sell their products and make money as fast and easily as possible.”

I encourage you to read the full post as it provides a perspective of WordPress not often shared within the WordPress bubble. How does WordPress become a platform that delivers the kind of experience from end-to-end that Bolinger’s friend describes?

The discussion regarding WordPress’ JavaScript framework selection continues in the #core-js Slack channel ahead of next week’s meeting. One of the more recent topics is the possibility of framework-agnostic block rendering for Gutenberg, which would allow developers to extend the new editor using any JS library they prefer. This means that Gutenberg blocks, which are colloquially referred to as “Gutenblocks,” could be built with Vue, React, Preact, Angular, or whatever the developer feels comfortable using.

Proponents of this idea contend that pursuing a more flexible approach makes WordPress’ core JS framework decision less critical. While answering questions on the #core-js channel, Gary Pendergast explained how Gutenberg could be built to maintain the separation.

“I’m really not joking when I say that this decision doesn’t matter, even for people contributing to Gutenberg,” Pendergast said. “In #2463, the library is treated entirely as a utility library, much like we use lodash, for example. It performs a handful of tasks, and it can be relatively easily pulled out and replaced with something entirely different, with no disruption to the rest of the codebase. For people contributing to Gutenberg, they’re contributing in the Gutenberg coding style, not the style of whatever library we happen to import.”

When asked about a timeline for when the decision will be made and what factors are being considered, Pendergast replied that there is no timeline and that those interested in participating should blog about their experiences and write examples of things they can build with the JS frameworks they are familiar with.

“There is neither roadmap, nor timeline, nor does there need to be,” Pendergast said. “As Matt mentioned, it’s really just a technical decision – the important decision for the wider community was choosing ‘not React.’ Unfortunately, this decision has been blown way out of proportion, and heavily conflated with ‘what JS library will I be able to build my plugins with?’ and sometimes ‘what JS library’s practices will Gutenberg blocks resemble?,’ neither of which are related. Tweets and posts that treat it like a horse race are not helpful in this way.”

Pendergast said whatever library is selected will “continue to be wrapped by the WordPress element, the underlying library won’t be exposed.” The Gutenberg team is working to remove all library dependencies from its components so that plugin developers can use any library they choose.

However, other community members are not so eager to relegate the JS library selected for core to a simple technical decision or utility library.

“Most developers understand that their plugins are not bound by the framework chosen for core/Gutenberg,” Kevin Hoffman said. “But that doesn’t diminish the significance of the decision. If we want to encourage more contributors, we’d be well served to choose a framework in which a significant majority feel capable and confident. If this majority is out there developing plugins with one framework and has to learn another in order to contribute to core, then we’re limiting the number of potential contributors.”

Peter Booker contends that no matter how elegant Gutenberg’s separation is, having a decent understanding of the library chosen for core affects a developers’ ability to deeply troubleshoot certain issues.

“I do not think we should be so dismissive of the choice as a minor technical decision,” Booker said. “Understanding how PHP, JavaScript, and Backbone (among other things) work is essential to be able to properly debug problems with WordPress. The JS framework chosen for Gutenberg is going to impact a great many people, even if we are not core contributors. It will be essential knowledge to be able to fully troubleshoot issues. This is a decision which will impact far more people than just the Gutenberg team.”

What are the implications of providing a flexible, framework-agnostic approach to building Gutenblocks?

Jason Bahl asked if anyone has tried mixing React, Preact, Vue, and Angular in a single app to see if it is “a recipe for a performance nightmare.” He posed an example scenario wherein Gravity Forms builds Vue-based Gutenblocks, Yoast has React-based blocks, WooCommerce builds blocks with Preact, and another plugin uses Ember.

“It sounds kind of nice to be flexible and allow folks to use whatever but also like it could lead to a lot of division on best practices, and potentially performance issues,” Bahl said. “We’ll see tutorials pop up for how to build Gutenblocks in Vue, React, Preact, Ember, Vanilla JS, etc., which would be cool to see, but also confusing and potentially cause further divide in the community and accepted best practices. Flexibility is nice to a degree, but a strong opinion at some level is also good.”

Carl Hancock, co-founder of Gravity Forms, contends that offering a framework-agnostic approach to building Gutenblocks will have little influence on developers who are extending the project. The decision cannot be made less critical by offering more flexibility, because developers will inevitably adopt whatever WordPress core uses.

“People are going to end up adopting whatever core uses for the most part despite the rainbows and butterflies some are claiming as it relates to creating an abstraction layer so plugin/theme developers can use whatever they want,” Hancock said. “Which means however complex that core framework ends up being will have a direct impact on the barrier to entry for plugin and theme developers. That barrier to entry has been historically low to date and a direct contributor to the growth of WordPress as a self-hosted CMS. Dramatically raising that barrier to entry isn’t necessarily a bad thing. For example, Gravity Forms will use Preact, Vue, whatever, because we have the manpower and skillset to do so when we can finally decide to do so once core makes it’s decision.”

WordPress’ Opportunity to Advance the Web

WordPress currently powers 28% of all websites, according to W3 Techs, and whatever framework it chooses will make a major impact on which library many developers decide to learn in order to extend the software and advance their careers.

Matías Ventura, one of the technical leads on the Gutenberg project, encouraged participants in the discussion to look at the bigger picture and embrace the opportunity to work together and collaborate on a solution for WordPress that will advance the web. The team’s efforts to collaborate with representatives from competing frameworks stands apart in an ecosystem that is generally fragmented and fractious.

“I’m excited about the opportunity we have to advance web development in terms of JavaScript UI representation, in a similar way to how WordPress was a driving force for web standards during the past decade,” Ventura said. “That’s also where I see us having a responsibility as a project, as people will continue to learn web development through WP. Many people have been introduced to PHP through WordPress, originally just interacting with WP functions and APIs, eventually diving a bit more deeply into the language as needed. I do see our core remaining close to JS the language, as that gives the most meaningful tool to learn, spanning across all frameworks and libraries.”

Ventura assured participants in the ongoing discussion that the Gutenberg team is listening and working towards a solution that will push the web forward.

“We are absolutely aware that how we build and what we offer through Gutenberg is going to affect the dev community and we are not taking this lightly—quite the opposite,” Ventura said. “I’ve been talking with Evan (Vue) and Jason (Preact) because rather than having a ‘choose your framework’ contest, this seems an opportunity to collaborate and push the web forwards.”

DonateWC, an initiative focused on providing less fortunate people an opportunity to attend large WordCamps has reached its fundraising goal of 1,000€. Ines van Essen expressed gratitude and appreciation for the donations. “The responses and feedback that have come in during the past week have been overwhelming,” She said.

“I can’t believe we can already move to legalizing things and actually getting things done. Lesson learned: do not spend two years thinking about something you could maybe do at some point in the future. The time is now, and it’s time to change some lives.”

Essen confirmed that Automattic is not affiliated with the initiative although quite a few of her colleagues are supportive of the idea. “Everyone can do something to help another community member,” She said. “Whether that’s buying someone a meal, sharing a ride, or even sharing a room. DonateWC is a big picture thing, but there’s so many other things you can do to help under privileged groups.”

Essen hopes to have the non-profit and other legal aspects of the project taken care of in time to sponsor at least one person to WordCamp US. Part of the funds will be used to pay someone to design a logo and for social media marketing. If you’re interested in helping out with the project, please get in touch.

WordCamp for Publishers, held last month at The Denver Post building, was the first niche WordCamp to be focused around a specific industry. The event was designed for people who use WordPress to manage publications and also to encourage collaboration among project maintainers who build open source tools for publishers.

In addition to hands-on technical workshops, the schedule included a variety of publishing-related topics, such as monetization, content distribution, newsletter tools, and print and digital workflows.

“The schedule prompted a great deal of learning and discussion that extended well beyond the content typically found at a regional WordCamp,” attendee Maura Teal said. “One of the best aspects of this conference was chatting with other developers and leaders involved in media on the web. There were multiple sessions and hallway discussions that brought intriguing solutions to the table. My primary takeaway was that there certainly needs to be more WordCamps of this kind – that is, focused on a niche but still rooted in community.”

The unique format of the event offered more small group opportunities than a traditional WordCamp does for learning, asking questions, and collaborating around tools and strategies that directly relate to publishers.

“WordCamp for Publishers was not your average or typical WordCamp,” attendee Dwayne McDaniel said. “It felt a lot more like WPCampus insofar as the general mood and feeling I got from the participants. Getting to see folks from competing media companies openly discussing how to solve their common challenges, I learned a whole lot and I am grateful to have had the chance to learn about the publishing space.”

Videos for all of the sessions held in the auditorium are now available in a YouTube playlist. They will also be uploaded to WordPress.tv in the near future. Organizer Steph Yiu said the event was so successful that they are already planning next year’s conference. Anyone interested in volunteering or donating a venue can get in touch with the organizing team.

Brad Touesnard and Pippin Williamson are retiring from podcasting. Their bi-weekly show Apply Filters, a favorite podcast among WordPress developers, will go off the air after publishing its 83rd episode. The hosts have not yet revealed why they are retiring but plan to share more details in the final episode.

We’ll answer that next week during the episode! :)

— Apply Filters (@applyfilters) September 20, 2017

Apply Filters focused primarily on development and technical topics but also provided a wealth of information on business models, pricing, and marketing in the WordPress product ecosystem. The first episode aired August 15, 2013, just after the Heartbeat API was introduced in WordPress 3.6.

The show’s imminent retirement was announced on Twitter today to the disappointment of its many loyal fans. According to the information available on the sponsors page, each episode was receiving more than 2,000 downloads in the first three months after publishing. Roughly 54% of the audience identified as developers.

During the past six months, the frequency of the episodes had slowed to once per month. I wouldn’t be surprised if the hosts became too busy to keep up with the show, as they both lead successful WordPress product businesses. Touesnard and Williamson plan to record one final mailbag episode before retiring the show indefinitely and are inviting listeners to send in any last questions.

The Core Media Widgets feature plugin introduced a gallery widget in the 0.2.0 release this week. WordPress 4.8 added the new audio, image, and video widgets from this feature plugin. The gallery widget is targeted for merge into the upcoming WordPress 4.9 release.

In testing the new feature I found it to be a simple, straightforward implementation of a gallery widget that could easily replace many plugins that are currently filling this need for users. The option to edit or replace a gallery is immediately available and users can easily rearrange or randomize the images included.

On the frontend the gallery displays neatly in a thumbnail grid. I was able to change the number of columns while editing the gallery, but the preview in the admin did not match the the way the gallery looks on the frontend. The number of columns is correct on the frontend but not in the admin preview. This might cause some confusion for users if it isn’t fixed before landing in core. Contributors to the plugin are looking at this issue.

Overall, the implementation is user-friendly and similar to adding galleries in posts and pages. However, the widget could still use some testing, especially with different plugins installed. For example, with Jetpack enabled, users can choose between a thumbnail and a slideshow gallery, but the slideshow option doesn’t seem to work correctly in the widget. WordPress.org has several hundred plugins that implement some sort of gallery widget and these plugin authors will want to test the new core widget.

Theme authors will also need to test how the core gallery widget interacts with their themes. After testing the gallery widget with several popular WordPress.org themes, I found that many display the thumbnails with unsightly outlines and unpredictable spacing between images.

Weston Ruter, who authored the dev note post when the previous media widgets were introduced in 4.8, said that the paragraph regarding default theme updates is still applicable:

Themes that add custom styles to the MediaElement.js player (namely Twenty Thirteen and Twenty Fourteen) were updated from just styling it within syndicated content, to also include instances within widgets. Most themes don’t restrict styles for captioned images or media players to just post content, that is, limit CSS selectors to classes output by post_class(). If your theme does, make sure to either remove that constraint or include a .widget selector.

Ruter said another dev note will be coming with common theme changes that are required to add the right styling for galleries. Users and theme/plugin developers can test the gallery widget right now on 4.8.2 or 4.9-alpha using the Core Media Widgets plugin. Once the widget is added to WordPress, it will be deactivated in the feature plugin for future releases. Contributors plan to merge the new widget into core next week, provided testing goes well.

While I was supposed to be on vacation last week, I instead had surgery for a broken ankle. Tune in to hear the hilarious explanation on how I broke it. The lesson I learned is to not chase animals out of the yard.

John James Jacoby and I discuss the news of the week, including a major decision where Gutenberg will not be written in React due to a patent clause in its license. Other topics include, blind speaker selection for WordCamp US, bbPress performance improvements, and our picks of the week.

Stories Discussed:

Equifax Launches WordPress-Powered Site for Consumers Affected by Security Breach
SWFUpload Will Officially Be Removed From WordPress
WordPress.org Adds New Support Rep Role for Plugin Pages
Display Widgets Plugin Permanently Removed from WordPress.org Due to Malicious Code
WordPress Abandons React due to Patents Clause, Gutenberg to be Rewritten with a Different Library
DonateWC Aims to Provide Travel Sponsorships to Attend Large WordCamps

Picks of the Week:

WordPress Global Translation day is next Saturday, September 30th. Twenty-four hours dedicated to translating the WordPress ecosystem through sessions, training marathons, and local events.

Local by Flywheel is software that easily creates a local environment for WordPress development.

From the folks behind GiveWP, Give Live is a series of webinars for the community.

WPWeekly Meta:

Next Episode: Wednesday, September 27th 3:00 P.M. Eastern

Subscribe To WPWeekly Via Itunes: Click here to subscribe

Subscribe To WPWeekly Via RSS: Click here to subscribe

Subscribe To WPWeekly Via Stitcher Radio: Click here to subscribe

Listen To Episode #288:

The first time I ever made a WordPress site, I got 180,000 views in 2 days, 253 comments, and (give or take) 7 death threats.

It was 2014 and I was working on an MBA at Florida State University during the peak of the Jameis Winston controversy, where a football quarterback was accused of rape and protected from prosecution by the university and local police. I had used WordPress before, but not a lot. But, in true democratizing publishing, giving a voice to the voiceless fashion, when I had something I wanted to say, I knew just the thing to get it out there with minimal know-how: a free, single page WordPress.com site.

I had just returned to Florida from a summer in New York City. To my amazement, I got the life-changing opportunity, paid for by the university’s College of Social Sciences paid, to go up there for a summer of exploration in the social entrepreneurship and technology circles after pitching Florida State on a concept for financial education.

Beginning the Journey

I had become interested in financial education around the age of 16, when my family became homeless for a month. My mom hadn’t been able to make the rent, so we got kicked out, and then couldn’t find an apartment easily due to my mom’s lack of credit. Later, I started working at a major commercial bank and met hundreds, if not thousands, of people in similar situations (and saw the ways in which major commercial banks don’t help these people, but that’s a different conversation).

Imagine having been homeless at 16. Then, 6 years later, you’re attending graduate school, funded by the university, and that same university also paid for you to live in the country’s most expensive place for 3 months so that you could learn about executing your ideas on how to make a positive difference through technology entrepreneurship.

You would probably be overcome with gratefulness. But you would also likely be extremely protective of the people making such a thing possible.

Now imagine, that while Florida State University’s programs making such an impact on you, a football player’s actions are driving the narrative of this place you want to be proud of.

Imagine me, telling the story I just told you, and watching people connect the dots between what institution was making all of this possible for me, and what they had heard of it. “Oh, my God, with the quarterback that raped that girl?” they would say.

I would link you to the page I created, but quite honestly, it wasn’t a lot more than a profanity-laden rant (of admittedly epic proportions). But, it got a reaction: she needs to shut the f**k up. She’s completely right. She’s an “attention-seeking whore!”. She’s the story we should be focusing on. She’s just upset her Kickstarter campaign failed.

There it was: WordPress had amplified my voice, and everyone else’s, too.

Finding WordPress Business

Today, I’m the lesser-known half of Caldera Labs, makers of Caldera Forms, a top drag-and-drop form building plugin for WordPress. A few weeks ago, we got a one-star review on WordPress.org that called me out by name: “their team is useless, especially Christie Chirinos.” I received caring notes from several seasoned WordPress product developers, reassuring me that these things happen and I ought to not take it personally. “It’s not the first time someone’s been mean to me on the internet, and it probably won’t be the last,” I wrote in a Slack DM to my incredible business partner, the part of Caldera Labs you probably know, Josh Pollock. Josh laughed.

My road from single-page rants on WordPress.com to WordPress product leadership was actually pretty straightforward, although certainly wrapped in incredible fortune. I kept up that blog for a few months at the request of some of those 253 people (and the dismay of some others). Eventually it was forgotten for my financial education project’s website, which went from Wix to self-hosted WordPress.

Some months of working on that site made me acutely aware that if I wanted to execute more of my ideas, I should learn more code. I started learning JavaScript and PHP. I met Josh somewhere around that time. He liked my WordPress.com story, and encouraged me to keep learning, while picking my brain on what my almost-finished MBA thought about Caldera Forms.

A professor asked me if I would work on his academic WordPress website for a fee. I was a broke graduate student, so I said yes. Suddenly I had clients. When I graduated, Josh approached me with a proposal to join him in business. I said yes, but my only condition is that I’m moving back to New York City. Josh said, remote work is the norm.

Despite the quote-unquote “formal business education,” I was flabbergasted when the full weight of what a WordPress product business entailed hit me. I didn’t understand the community. I didn’t understand the niche’s culture. Much of what I learned were business norms, were completely non-existent in WordPress. I communicated all of this to Josh.

“I have no idea what I’m doing.”

“Of course you don’t, you’ve never done this before.”

He introduced me to the extensive library of talks on WordPress TV on imposter syndrome.

Diving Into WordCamp

For me, it clicked at the inaugural WordCamp US. I showed up to the event looking like a deer caught in the headlights and was welcomed with open arms. I got to put faces to all of the names I had learned in the last half-year, and surprise: they were nice. They were welcoming. They were understanding.

I scoffed at the idea that I would have anything to contribute on Contributor Day, and then found out that the polyglots team could totally use an immigrant that speaks 4 languages. More importantly, I became completely inspired by the mission of WordPress. I realized that, by total accident (or perhaps completely on purpose), I had become a part of something bigger than myself. I had to stick with it, no matter how hard it was.

In the year after that, I also began to find a small niche for myself. I became “the girl with the MBA,” smart, young, and clearly lucky. “There’s not a lot of people in the space with your background,” said the host interviewing me on a WordPress podcast. Meanwhile, I’m thinking to myself, “oh my god. I don’t even understand why you invited me. I’m very grateful, but I also really don’t know that much about business. Didn’t you notice? Didn’t anyone tell you?”

Move forward a year, and results started rolling in. I spoke at 4 WordCamps and many other shows. Josh published his 2016 Year In Review, where he outlined the explosive growth that Caldera Forms experienced at the end of the year and acknowledged the benefit of having partnered with me. He doesn’t know this, but I cried when I read that (now he knows).

It was surreal: the unlikely thing that we set out to do was working.

This year, 2017, has consisted of taking on the next step in that process: teaching myself how to turn all of those thoughts on their heads. I have had to unlearn “why me?” and internalize “why not me?”, and most importantly, practice differentiating the story that I tell myself about myself versus the evidence-based reality.

Self Discovery

A crucial part of this stage has been learning that what I do does not define who I am. That’s a tired joke where I live. The joke goes that you can go to any bar, and participate in the same script: what’s your name? What do you do? “I’m Christie, and I’m a partner and the business manager at a commercial WordPress plugin shop, Caldera Labs” is a story, and it immediately sparks self-doubt. That isn’t an answer that describes an evidence-based reality, it is an answer that describes a story, and stories by definition require effort to be believed.

Who I am, I am learning, is the collection of my experiences, which then drive my priorities in how I do what I do, which is business.

In that podcast interview, I wasn’t told “there aren’t many business managers in the space.” I was told that there weren’t a lot of people with my background in the space. It’s the collection of my stories – of immigration, difficult childhoods, arguments in business school classrooms and accidentally viral WordPress websites, that perfectly positioned me to do what I’m doing right now.

The main reason I wanted to write for HeroPress when Topher offered was to take these thoughts out of my story. The more I grow into this role, the more I’m learning that this is especially common with people like me.

Research is being conducted more and more every day seeking to discover why we don’t become entrepreneurs who fearlessly pursue happiness and high-risk, high-reward situations (the common trope being that privilege is being told to strive to be anything one wants to be, while others are told to strive for an escape from instability).

Most of it boils down to the idea that many minorities, women, immigrants, people from low-income households – take your pick – have convinced themselves of a story that does not, in fact, reflect the reality of their possibilities.

It’s a shame, because there’s almost as much research that demonstrates that businesses with diverse leadership teams outperform homogeneous teams almost every single time.

Let’s start talking about this, even if this isn’t something that directly relates to you. Because, if that is the case, chances are that this is a topic that relates to someone you know. Diversity of thought is an important part of our WordPress community narrative. If you are not the person who must assess replacing a story with an evidence-based reality, you may be someone who is positioned to engage in powerful actions to promote diversity of thought, like encouraging someone else to challenge the stories they tell themselves and the stories they tell others about themselves. “I’m Christie, and I lead all of the business development and marketing for a commercial WordPress plugin shop, Caldera Labs” sounds a lot better.

The post What I Do Does Not Define Who I Am appeared first on HeroPress.

WordPress 4.8.2 is available for download and users are encouraged to update as soon as possible. This release patches eight security vulnerabilities and has six maintenance related fixes. Hardening was also added to WordPress core to prevent plugins and themes from accidentally causing a vulnerability through $wpdb->prepare() which can create unexpected and unsafe queries leading to potential SQL injection (SQLi).

To see a full list of changes, check out the release notes. Auto updates are rolling out to sites that support them but if you’d like to update manually, you can browse to Dashboard – Updates and click the Update Now button.

WordPress 4.8.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.8.1 and earlier are affected by these security issues:

1. $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Slavco
2. A cross-site scripting (XSS) vulnerability was discovered in the oEmbed discovery. Reported by xknown of the WordPress Security Team.
3. A cross-site scripting (XSS) vulnerability was discovered in the visual editor. Reported by Rodolfo Assis (@brutelogic) of Sucuri Security.
4. A path traversal vulnerability was discovered in the file unzipping code. Reported by Alex Chapman (noxrnet).
5. A cross-site scripting (XSS) vulnerability was discovered in the plugin editor. Reported by 陈瑞琦 (Chen Ruiqi).
6. An open redirect was discovered on the user and term edit screens. Reported by Yasin Soliman (ysx).
7. A path traversal vulnerability was discovered in the customizer. Reported by Weston Ruter of the WordPress Security Team.
8. A cross-site scripting (XSS) vulnerability was discovered in template names. Reported by Luka (sikic).
9. A cross-site scripting (XSS) vulnerability was discovered in the link modal. Reported by Anas Roubi (qasuar).

Thank you to the reporters of these issues for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.8.2 contains 6 maintenance fixes to the 4.8 release series. For more information, see the release notes or consult the list of changes.

Download WordPress 4.8.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.8.2.

Thanks to everyone who contributed to 4.8.2.

WooCommerce 3.2 RC1 is coming next week ahead of the plugin’s second major release this year. Version 3.1 introduced a new built-in product importer/exporter that supports CSV files and brought significant improvements to extension management. Version 3.2 is on track to make the process of updating stores a smoother experience with a long-awaited new feature that displays version compatibility checks to users prior to updating their extensions.

Many WooCommerce store owners experienced considerable difficulties in updating to version 3.0 due to incompatibilities with extensions that were not fully compatible. The widespread problems with updating caused a direct hit to the plugin’s reputation, even though the main issue was with third-party extensions not being ready to go for 3.0. WooCommerce 3.2’s new pre-update extension version checks will help users to be more informed about the status of extension compatibility before updating.

WooCommerce plugin developers can now add two new headers to their extensions to specify a minimum required version and a “tested up to” version.

/*
* Plugin Name: WooCommerce Barter Gateway
* Plugin URI: https://wordpress.org/plugins/woocommerce-gateway-barter/
* Description: Take payments by bartering crops and livestock.
* Author: WooCommerce
* Author URI: https://woocommerce.com/
* Version: 3.0.7
* Text Domain: woocommerce-gateway-barter
* Domain Path: /languages
* WC requires at least: 3.0.0
* WC tested up to: 3.2.0
*/

Plugin authors are recommended to update these headers after each major and minor WooCommerce release. (Patch releases do not require headers to be updated.)

The core WooCommerce plugin will check through the extension headers and display a warning to users when updates are available, detailing which plugins have or haven’t been tested with the latest major version.

WooCommerce developer Claudiu Lodromanean cited several important benefits for extension developers in a post announcing the new feature:

• You will have to field fewer complaints from users that the new WooCommerce version broke your plugin. They will have clear warnings about the dangers of upgrading when the plugin is incompatible. This should reduce your support load when new versions of WooCommerce are released.
• You will not have to rush updates to your plugin. If a user upgrades WooCommerce and your plugin breaks you are under a lot of pressure to release an update fast. If the user waits until a compatible version of the plugin is released before updating WooCommerce you do not have this problem.
• Users will trust your plugin more. By adding the header you are letting the user know that the plugin has been tested, works with their version of WooCommerce, and is actively maintained to be compatible with WooCommerce.

The pre-update version checks for extensions is an exciting improvement for store owners and the greater WooCommerce developer community. Updates will be much easier when users can see at a glance which of their extensions are ready to go. Developers are also interested in seeing this feature applied for themes and the WooCommerce team confirmed they will look into the possibility.

WooCommerce 3.2’s release date has been pushed back one week to October 11 to give store owners and extension developers enough time to test. The first release candidate is slated for September 27.

DonateWC is a new initiative by Ines van Essen, Happiness Engineer at Automattic, that aims to provide an opportunity for less fortunate people to attend large WordCamps. Essen was inspired to create the non-profit organization after realizing how expensive it was to attend WordCamp US 2015. “As I did not work for a company that could send me there, I had to pay for travel, accommodation, and food/drinks myself,” She said. “All in all, I spent a full month’s worth of income to attend.”

While many WordPress focused businesses purchase and give away WordCamp tickets, DonateWC sponsorships include the following:

• A WordCamp ticket
• Door to door transportation
• Accommodation
• Food and drink money
• Internet access

To be eligible for a sponsorship, you can not work for a company that is involved in WordPress or known to sponsor employees to WordCamps. You must be active in the community and either a speaker or volunteer at the WordCamp you’re attending.

Essen has a crowdfunding campaign through GoFundme and is asking for 1,000€. The initial 1,000€ will be used to design a logo, register the non-profit in the Netherlands, customize the theme for the site, and commercial plugins. However, if you can help out with providing any of the above, the savings will go towards sponsoring more people. Once DonateWC officially becomes a non-profit organization, a call for sponsors will go out.

If DonateWC is an initiative you believe in, consider donating to the campaign.

Version 4.0 of the Akismet plugin for WordPress is available.

This update, a.k.a, “Akismet for the REST of Us,” adds endpoints to the WordPress REST API for configuring Akismet and retrieving Akismet stats. Documentation is available here, or you can read the code that adds the endpoints in the `class.akismet-rest-api.php` file.

The progress indicator on the “Check for Spam” button has been improved as well and now shows the percentage of comments that have been rechecked rather than just a loading indicator.

This release also removes support for versions of WordPress before 4.0. If you’re running anything older than that, you should upgrade.

To upgrade, visit the Updates page of your WordPress dashboard and follow the instructions. If you need to download the plugin zip file directly, links to all versions are available in the WordPress plugins directory.

After last week’s news that WordPress is abandoning React due to its unfavorable patents clause, the discussion regarding the selection of a new framework is heating up again. As Vue is once again among the leading contenders, I reached out to Vue.js creator Evan You to get his perspective on the possibility of WordPress adopting the framework.

“Yes, I had a conversation with the WordPress team mostly answering questions they had about Vue,” You said. “The discussion happened before Matt’s announcement of moving away from React. It was mostly intended for filling the team in with the state of Vue and there was no particular conclusion made from it.

“To be honest, I got the feeling that the team had already decided to go with React and simply wanted to explore other options before they make the final call. I was a bit surprised by Matt’s post, but also understand the concerns behind that decision. I think React is a technically sound choice, and the whole patent issue is unfortunate.”

Vue is back in the mix alongside Preact.js and other libraries WordPress core contributors are considering adopting. You has been active in the comments on the WordPress core development blog during the previous discussion, as well as more recently in the discussion in Gutenberg’s GitHub repo, clarifying misconceptions about the financial stability of the project.

You has been careful to disclose his bias when participating in conversations about which framework WordPress should adopt. During my interview with him, he offered the community three reasons why he sees Vue as a good fit for the project:

“Now that WP has decided to pick a different framework, as the creator of Vue, I surely hope that the WordPress team can adopt Vue,” You said. “Below is why I believe Vue would be a good fit for the choice:

• “As an independent open source project (not born from within a major corporate), Vue provides a good alignment in terms of OSS values with the WordPress project. It’s fully MIT licensed, and its development is sustained by open financial contribution channels (via Patreon and OpenCollective). This means WordPress can easily ensure Vue’s sustainability by becoming a major sponsor.
• “Vue is one of the most approachable frameworks out there, with an established and active community, and ever-growing amount of learning resources. Adopting Vue would provide a low entry barrier and smooth learning curve for devs just getting into WordPress development. This also aligns with what made WordPress successful.
• “As an incrementally adoptable framework, Vue’s flexibility means it can be adapted in different use cases ranging from embedded widgets, plugin development to full single-page applications. It can be used without any compilation step in simple use cases, while being mature and powerful enough for more complex use cases such as Calypso and Gutenberg. It offers the complete stack from vdom + ability to use raw render functions, server-side rendering, routing, state management, build tooling, browser devtool extensions, to editor tooling support.”

Evan You and six others from the Vue.js core team will be participating in an AMA on Hashnode at 12PM on September 20, inviting general questions about the project, how to use it and contribute, and general programming advice. The questions are already rolling in and their answers should provide more information about the future of Vue and its place in the wider JavaScript ecosystem.

WP Tavern has also reached out to Jason Miller, creator of Preact.js to get his perspective on the possibility of WordPress selecting Preact and what it would mean for both projects. The React-alternative is another strong contender among JS libraries WordPress is looking at for use in core.

The Gutenberg team has been working to ensure that WordPress developers will be able to create “Gutenblocks” using any JS library they prefer with different explorations of framework-agnostic block rendering. Ultimately, this would make creating plugins and themes less dependent on the library that is chosen for use in core. Other community members involved in the discussion, however, are keen to emphasize that the framework selected will have an impact on the greater WordPress product ecosystem, far beyond its use in Gutenberg, and are not eager to down play it as a simple technical decision. We’ll have a more detailed look on that in a separate post.

In addition to the discussions on independent blogs, the Gutenberg GitHub issues queue and the #core-js channel on WordPress Slack are both hosting active conversations on the upcoming decision. This week’s core JavaScript chat has been cancelled due to many of those involved traveling or unable to attend. The agenda for the next meeting is to discuss the role a JavaScript framework will play in current and future core focuses (including but not limited to the Gutenberg editor). This meeting is scheduled for Tuesday, September 26, 2017, 8:00 AM CDT.

One of the first addons for HeroPress I ever thought of was sending people to WordCamp who might have a hard time getting there. HeroPress started out to be a voice for people on the fringe of WordPress, and being outside the ability to go to WordCamp practically defines the fringe.

I never could figure out the logistics of how to make it work. How is money handled? International law? So the idea languished.

On the other side of the world, Ines van Essen had the same idea. She’s far more clever than I though, and she’s making it happen. She’s starting a new organization called DonateWC, specifically to help people get to WordCamp.  Not just local WordCamps, but the large ones like WordCamp Europe and WordCamp US. Trips that can cost multiple months, or even a years salary.

I am so so so excited that this is happening, Ines is my hero.

How You Can Help

To get things really rolling Ines needs some funds.  I mentioned logistics earlier; if this isn’t handled properly a tax agent somewhere is going to come investigating. A non-profit org needs to be created, a logo needs to be created, a site needs to be built, a board needs to be formed, etc. Getting started costs money.

So there’s a GoFundMe page for DonateWC. All things considered she’s not looking for very much money right now, we can DO THIS.

If we can make this thing work it’s going to really change lives. Please help out if you can, and keep an eye on the project. The first person to get sent to WordCamp is going to make history.

The post DonateWC: Getting People to WordCamp appeared first on HeroPress.

With the recent news that WordPress is abandoning React due to its BSD + Patents license, core contributors are now revisiting the discussion of the merits of other frameworks. Gutenberg development is currently on hold until a new library is chosen to replace React, and selection is likely to be imminent to prevent further delay.

Vue is once again a strong contender with a recent surge in enthusiastic support in discussions on GitHub, Mullenweg’s announcement, and social media posts. One of the chief concerns WordPress core contributors had regarding Vue in previous discussions was the longevity of the project and its dependence on creator Evan You, who has historically done most of the development.

The Vue project has recently been taking steps to mitigate this drawback. Earlier this week You announced that Vue is now accepting financial support on OpenCollective, a platform for funding open source projects in a transparent way. You already has a successful Patreon campaign where contributors are paying $8,815 per month to support his work on Vue, but the new OpenCollective account will support the work of core contributors and community events.

“When I started the Patreon campaign, the primary goal was providing myself with enough income so that I can work on Vue full-time,” You said. “Today, as the Vue community grows, there are more and more contributions from the community, and OpenCollective’s transparent expense model could help us scale the financial contributions beyond a single developer.”

Just four days after launching, Vue already has an estimated annual budget of $9,895 on its OpenCollective account. You is still independently accepting contributions on Patreon to fund his full-time work on the project.

Preact, the other leading contender WordPress core contributors are considering, has had an account on OpenCollective since late 2016. Backers and sponsors have contributed to a $16,091 estimated annual budget for the project.

Both Vue and Preact have growing networks of financial supporters and are not heavily influenced by a single corporation’s interests. WordPress core contributors continue to discuss the merits and drawbacks of the two frameworks on various places around the web, but the discussion is somewhat scattered and it’s difficult for participants to know where their feedback will receive consideration.

“The main options are actually all pretty good, and we’d probably be fine going with any of them, which is makes it a tough decision — objectively and technically there isn’t one clear without-a-doubt winner,” Matt Mullenweg said today in WordPress’ #core-js Slack channel.

An updated post detailing the frameworks and technical considerations that contributors are now examining has yet to be published to the make/wordpress.org development blog. Having communication throughout the process of selecting the framework, instead of announcing it after the decision, would go a long way towards keeping the community informed and involved. We’ll be following the public discussion as it develops.

This evening Matt Mullenweg announced on his blog that WordPress has decided to move away from React due to its BSD + Patents clause licensing. Gutenberg engineers will be rewriting the new editor to use another JavaScript framework and Automattic plans to rewrite Calypso as well:

We had a many-thousand word announcement talking about how great React is and how we’re officially adopting it for WordPress, and encouraging plugins to do the same. I’ve been sitting on that post, hoping that the patent issue would be resolved in a way we were comfortable passing down to our users.

That post won’t be published, and instead I’m here to say that the Gutenberg team is going to take a step back and rewrite Gutenberg using a different library. It will likely delay Gutenberg at least a few weeks, and may push the release into next year.

Mullenweg clarified that Automattic has been happy with React and that the company’s general counsel didn’t think they would ever run into the patent issue. He also commended Facebook on being “one of the better open source contributors out there” and for making their intentions clear. Ultimately, Mullenweg decided that he wasn’t comfortable with the larger WordPress community inheriting the patents clause:

Automattic will also use whatever we choose for Gutenberg to rewrite Calypso — that will take a lot longer, and Automattic still has no issue with the patents clause, but the long-term consistency with core is worth more than a short-term hit to Automattic’s business from a rewrite. Core WordPress updates go out to over a quarter of all websites, having them all inherit the patents clause isn’t something I’m comfortable with.

After the Apache Software Foundation added Facebook’s BSD+Patents license to its Category X list of disallowed licenses, many open source project leaders and developers petitioned Facebook to consider re-licensing React, as many React-based projects are now having to be rewritten. Facebook decided it wasn’t budging on the patents clause and opted to continue protecting its own interests, fully recognizing that it may lose some React community members.

In the past Mullenweg has been outspoken about how Automattic was betting on React. Many in the community considered WordPress adopting React to be a foregone conclusion, given that both Calypso and Jetpack’s new admin interface were built on it, as well as WordPress’ new Gutenberg editor. In making the costly decision to rewrite Gutenberg and Automattic’s products in another library, Mullenweg has demonstrated he is willing to lead the WordPress project in a direction where the community can feel confident about continuing to use and extend the software.

“The decision on which library to use going forward will be another post; it’ll be primarily a technical decision,” Mullenweg said. “We’ll look for something with most of the benefits of React, but without the baggage of a patents clause that’s confusing and threatening to many people. Thank you to everyone who took time to share their thoughts and give feedback on these issues thus far — we’re always listening.”

Gutenberg could certainly use the extra time and may gain a new crop of contributors, given that the learning curve for the new library isn’t likely to be as steep as learning React.

At the end of May, WordPress core contributors had narrowed their considerations for a new JavaScript framework to React and Vue. It appears that Vue is still a strong contender. After a commenter on Mullenweg’s post suggested switching to Vue, he replied that it has been frequently suggested and that the team has met with Evan You, Vue’s lead developer.

When I interviewed Evan You in June, he said he didn’t have enough perspective on WordPress core to make an unbiased recommendation but offered feedback on some technical issues being discussed at the time. He also clarified some common misconceptions about Vue, which WordPress’ React proponents had been using as leverage in their arguments against adopting it.

Mullenweg also confirmed in the comments of his post that Preact is another library under consideration. Preact.js is a lightweight 3kB alternative to React that uses the same API but is MIT-licensed. Some are already speculating about Preact being the front-runner for the replacement, as Gutenberg already has a branch devoted to trying it.

There is a Preact “try” Gutenberg branch. But there is no Vue.js “try” Gutenberg branch. https://t.co/mFRYTLIV3b

— Carl Hancock (@carlhancock) September 15, 2017

Also, Mullenweg’s comment that the decision “will likely delay Gutenberg at least a few weeks, and may push the release into next year,” seems to only be feasible if the team rewrites the project using Preact.

For Gutenberg, not Calypso. I’d take a friendly bet like some booze.

— Matt Mullenweg (@photomatt) September 15, 2017

Public reactions to the news that WordPress is shifting away from React have so far been overwhelmingly positive. Many are thankful and relieved that Mullenweg made the tough decision to change course and select another library after investing so heavily in React.

The discussion regarding the new framework continues behind closed doors and is not open to the public, although a pull request for using Preact in Gutenberg is open on the project’s GitHub repo and some community discussion regarding the library selection is happening there.

Big companies like to bury unpleasant news on Fridays: A few weeks ago, Facebook announced they have decided to dig in on their patent clause addition to the React license, even after Apache had said it’s no longer allowed for Apache.org projects. In their words, removing the patent clause would "increase the amount of time and money we have to spend fighting meritless lawsuits."

I'm not judging Facebook or saying they're wrong, it's not my place. They have decided it's right for them — it's their work and they can decide to license it however they wish. I appreciate that they've made their intentions going forward clear.

A few years ago, Automattic used React as the basis for the ground-up rewrite of WordPress.com we called Calypso, I believe it's one of the larger React-based open source projects. As our general counsel wrote, we made the decision that we'd never run into the patent issue. That is still true today as it was then, and overall, we’ve been really happy with React. More recently, the WordPress community started to use React for Gutenberg, the largest core project we've taken on in many years. People's experience with React and the size of the React community —  including Calypso — was a factor in trying out React for Gutenberg, and that made React the new de facto standard for WordPress and the tens of thousands of plugins written for WordPress.

We had a many-thousand word announcement talking about how great React is and how we're officially adopting it for WordPress, and encouraging plugins to do the same. I’ve been sitting on that post, hoping that the patent issue would be resolved in a way we were comfortable passing down to our users.

That post won't be published, and instead I'm here to say that the Gutenberg team is going to take a step back and rewrite Gutenberg using a different library. It will likely delay Gutenberg at least a few weeks, and may push the release into next year.

Automattic will also use whatever we choose for Gutenberg to rewrite Calypso — that will take a lot longer, and Automattic still has no issue with the patents clause, but the long-term consistency with core is worth more than a short-term hit to Automattic’s business from a rewrite. Core WordPress updates go out to over a quarter of all websites, having them all inherit the patents clause isn’t something I’m comfortable with.

I think Facebook’s clause is actually clearer than many other approaches companies could take, and Facebook has been one of the better open source contributors out there. But we have a lot of problems to tackle, and convincing the world that Facebook’s patent clause is fine isn’t ours to take on. It’s their fight.

The decision on which library to use going forward will be another post; it’ll be primarily a technical decision. We’ll look for something with most of the benefits of React, but without the baggage of a patents clause that’s confusing and threatening to many people. Thank you to everyone who took time to share their thoughts and give feedback on these issues thus far — we're always listening.

Following up on the success of WordCamp Belfast last October, the WordPress community in Dublin will be hosting its first WordCamp October 14-15. Both camps began the early stages of planning last year and the two communities have shared some of the same organizers across their teams to help get these new camps off the ground in Ireland.

WordCamp Dublin will be held at DCU Business School and ticket sales will be capped at 250. In truly affordable WordCamp tradition, tickets are only €35 and include access to two tracks of speakers on both camp days, catered lunch, and an after party on Saturday night in Dublin City Centre.

“Given it’s our first WordCamp Dublin it’s difficult to select a venue when we’ve no idea about how many people would like to attend,” co-organizer Colm Troy said. “But demand so far has been great so if you want a ticket I’d recommend getting one sooner rather than later.”

Most of the camp’s five organizers are also part of the Dublin WordPress meetup, which is fairly active with 25-30 people attending regularly. They meet the first Thursday of every month and host a local speaker to teach attendees something new. WordPress developers generally gravitate towards the more technical talks, while WordPress users are more interested in talks about improving and promoting their websites.

WordCamp Dublin will feature one track with advanced WordPress, coding, and development topics and a second track that covers aspects of running a business, growing website traffic, podcasting, and other related topics.

“​The Dublin WordPress community, based on what I’ve seen and experienced elsewhere (Buenos Aires, Paris, Vienna, UK, Italy), is pretty unusual,” co-organizer Rodolfo Melogli said. In addition to co-organizing the local WordPress meetup, Melogli also organizes the Dublin E-commerce and WooCommerce Meetups.

“We have complete beginners, who after years of using other CMSs have finally decided to start using WordPress,” Melogli said. “We have passionate bloggers, who have been exploiting the SEO and content management features of WordPress since the very beginning. Then, we’ve got successful themers, popular plugin developers and experienced WordPress freelancers. Making sure everyone is catered for at each WordPress meetup and at the upcoming WordCamp is our biggest challenge and main priority.

“The beautiful thing about the WordPress community, and especially in Dublin, is that you can have a successful theme seller sitting beside a complete beginner. And they both have things to share.”

Organizers have just announced the full lineup of speakers for the WordCamp and co-organizer Colm Troy said the team was “blown away by the quality and quantity of excellent speaking applications” they received.

The camp’s designers have created a new “blocky” style wapuu for the occasion to accompany the event’s modular design theme. They were aiming for a Lego-like wapuu while incorporating the cosmopolitan landmark “Spire of Dublin.”

“​We have a couple of ideas floating around that will definitely add a unique Irish aspect to WordCamp Dublin but it’s too early to let the cat out of the bag on those yet,” Troy said. “In terms of what people can expect, Dublin and Ireland in general has a well earned reputation as one of the most welcoming places in the world. In many ways, our welcoming spirit is closely aligned with the ethos of the WordPress community and I think it’s going to be a really special weekend for attendees regardless of whether they’re new to WordPress or WordCamp veterans.”

GitHub announced the launch of Atom-IDE this week, a new set of packages that extend its open source JavaScript-powered code editor to include IDE-like functionality. This first release includes packages that support TypeScript, Flow, JavaScript, Java, C#, and PHP.

“The start of this journey includes smarter context-aware auto-completion as well as a host of code navigation features such as an outline view, go to definition, find all references as well as other useful functions such as hover-to-reveal information, errors and warnings (diagnostics) and document formatting,” Atom engineer Damien Guard said.

Atom, which was open sourced in 2014, is relatively new to the world of text editors, but its directory lists more than 6,700 packages to extend its functionality. WordPress developers have created more than a dozen packages that support actions and filters, WP-CLI commands, documentation, and snippets for third-party plugins.

Those who have adopted Atom appreciate its extendability, but the most common complaint from the Atom community is that the code editor is noticeably slower than many others. This has been a frequent topic of discussion for several years and its creators admit that performance isn’t one of its strongest features. However, sometimes extreme performance issues can be caused by a package that a user has installed.

Atom partnered with Facebook’s Nuclide project developers to develop the new Atom IDE UI package that uses Atom’s atom-languageclient library in displaying features supported by the language server protocol. Users who want to get started with Atom-IDE will need to install the Atom IDE UI package as well as an IDE language support package (i.e. ide-php).

Using Atom-IDE currently requires Atom Beta 1.21+. In the future the team plans to add support for more languages, which will most likely happen through outside package contributions.

“With the help of our community, we plan to expand the number of languages that Atom-IDE can support and make it possible for you to run and edit applications, making Atom-IDE a true IDE,” Damien Guard said. “We hope to see future language support for the great languages out there including Rust, Go, Python, etc.”

Display Widgets, a plugin with more than 200,000 active installs, has been removed from WordPress.org due to its authors inserting malicious code. SEO consultant David Law was the first to bring this issue to the attention of the plugin team after discovering that Display Widgets was inserting content into sites from external servers and also collecting visitor data without permission. He posted to the WordPress.org forums several times to warn other users.

Wordfence has been warning its customers about the plugin during the past several months and published a timeline tracking how Display Widgets was removed from WordPress.org on four separate occasions. According to their independent investigation, the plugin included a backdoor that allowed the plugin author to publish spam content to the sites where Display Widgets is installed. It also prevented logged-in users from being able to see the content.

Pagely banned the Display Widgets plugin from its hosting platform this week:

For our customer’s safety, we have banned the plugin from our customer sites…The plugin will remained banned on our network until a time that we see someone has taken responsibility for the plugin and the future of patching its code.

Display Widgets had recently changed hands, as it was acquired from the team that created Formidable Forms. The previous owners have issued a warning about the plugin on Twitter, advising users to remove it from their sites.

We don't have a way of contacting users of our old Display Widgets plugin. But if you are using it you should uninstall immediately.

— Formidable Forms (@FormidableForms) September 12, 2017

It is not yet confirmed whether the plugin was acquired solely for the purpose of distributing malware, but its new owners have been fairly persistent about getting it added back to WordPress.org after each of its violations.

Display Widgets Users Advised to Update to Version 2.7 or Remove the Plugin

Users have no way of finding out that they are running malicious code unless they hear about from their host, security company, or some other third party. They do not receive a notice in the WordPress admin about the plugin having been removed from the directory. Since Display Widgets was a fairly popular plugin, there are likely many sites that still have it active and those website owners are probably unaware of the spam content they are publishing.

Yesterday the plugin team issued a notice that Display Widgets 2.7 is a clean version that restores the plugin to version 2.0.5 before the malicious code was added:

We will be leaving this version deploying updates, however at this time we will NOT be allowing for its adoption. The second owner has effectively destroyed any trust a person might have in the plugin.

Note: You CANNOT visit the page or download it as a new plugin for a reason. This plugin is done. It’s not supported, it’s not worked on, nothing. So if you have it, upgrade. Otherwise, find something else to use.

Display Widgets is now likely to end up in the graveyard of abandoned plugins, but there are many other options for adding conditional widget display to WordPress sites. Jetpack’s widget visibility module, Widget Options by Phpbits Creative Studio, Custom Sidebars by WPMU Dev, and Content Aware Sidebars are a few popular alternatives on WordPress.org.

The plugin team does not currently disclose why certain plugins have been closed or removed from WordPress.org, but they are working on providing better communication for users. One meta trac ticket requests that closed plugins have a public page instead of disappearing completely. In another related ticket, plugin team member Mika Epstein has proposed that when plugins are closed or disabled, there should be a dropdown for WordPress.org admins to select a reason why. She suggested the following as available options:

• Security Issue
• Author Request
• Guideline Violation
• Licensing/Trademark violations
• Merged into Core

The issue with Display Widgets was fairly public as users posted about their investigations on the WordPress.org support forums and various companies issued warnings about it. However, many plugins are disabled without the public knowing why. Even a short explanation like the proposed examples above would be a major improvement over leaving WordPress.org plugin users in the dark. It would assist site owners in knowing whether they need to prioritize looking for an alternative or simply wait until the situation is resolved.