WordPress Planet

January 21, 2017

WPTavern: Wix Removes GPL-Licensed WordPress Code from Mobile App, Forks Original MIT Library


In October 2016, Matt Mullenweg called out Wix for using GPL-licensed code from the WordPress mobile app and distributing it in its proprietary app. After identifying a path for Wix to comply with the license, Mullenweg confirmed he would be willing to go to court to protect the GPL.

Wix CEO Avishai Abrahami’s response to the allegations failed to address the issue of licensing, dodging the question with references to other open source contributions. Abrahami seemed to indicate that Wix would open source its mobile app but was not clear whether it would be GPL licensed:

“We always shared and admired your commitment to give back, which is exactly why we have those 224 open source projects, and thousands more bugs/improvements available to the open source community and we will release the app you saw as well,” Abrahami said.

The Wix Twitter account also gave the impression that the entire app would be released under the GPL:

Publicly communicating these intentions bought the company time to educate its developers on the implications of the GPL and find another path forward for the app.

The app has not been released under the GPL and Wix has discontinued development on the GPL-licensed repositories. On November 1, 2016, Wix changed the license on the react-native-wordpress-editor, the repository that was forked from the WordPress mobile app, to GPLv2. The next day, they began work on react-native-zss-rich-text-editor, a new repository forked from the original MIT-licensed library that the WordPress mobile app code built upon.

It appears that Wix never planned on complying with the GPL, since the company immediately began working on an alternative approach. Wix has since released updates to its mobile apps and presumably has incorporated its own editor component that is based on the original MIT-licensed library.

It is not clear whether Wix completely started over with its fork or if the company’s developers incorporated some of the commits previously made in the WordPress mobile app’s GPL-licensed fork. Wix has not responded to numerous attempts to contact them for an official statement.

Wix Invents Its Own “Enhanced” MIT License for the Forked Library

Here’s where the story takes an odd turn. Instead of distributing the new editor code under a standard open source license, Wix has written its own license, which it is calling the “Enhanced” MIT license (EMIT). It explicitly prohibits relicensing under the GPL and requires the developer to license modifications under the EMIT:

This license is exactly like the MIT License, with one exception – Any distribution of this source code or any modification thereof in source code format, must be done under the Enhanced MIT license and not under any other licenses, such as GPL.

Furthermore, the license prohibits the code being redistributed under any copyleft license:

when the Software is distributed as source code, the licensee is prohibited to change the license of the Software to any “viral” copyleft-type license, such as, inter alia: GPL, LGPL, EPL, MPL, etc.

Wix explained the reason behind the creation of the new license in its introduction, citing what it calls a “bug” in the MIT license. The MIT permits developers to re-license their modifications as GPL. The text of the “Enhanced” MIT license characterizes this practice as bullying:

We believe MIT license has a bug since it allows others to use it against its nature. Our belief is that the MIT license is intended to make source code available to anyone who wants to use it without additional obligations, but we have found cases where someone takes a project licensed under MIT license, adds a few lines of source code to it, and then changes the licensing to a different, more restrictive license which is against the nature and the intent of the MIT license. By doing so, the source code released under the original MIT is no longer a true “free/open” source code, thus undermining the intention of the original creator of the source code.

The concept of this Enhanced MIT license is simple and more robust – you can do what you want with this source code, exactly like any other MIT license, but if you release it again as open source (even if modified), you must release it under this Enhanced MIT license – to be clear, this is not a “viral” license, it only refers to the actual source code released under this license and not to other components interacting with it. If GPL is a viral license, this license can be described as a “robust” one as it prevents licensing changes that are against its nature and it defends its own licensing principles. The essence of the Enhanced MIT license is to prevent bullies from using open source code that is truly free and open under the MIT License and turning it into other viral and more restrictive licenses – such as GPL.

The license has only ever been used in this particular instance and does not appear to have been written by a lawyer or someone who has studied copyright and licensing issues professionally. I contacted the Free Software Foundation’s licensing and compliance team regarding the legitimacy of Wix’s “Enhanced” MIT license. FSF copyright and licensing associate Donald Robertson III said the team is currently reviewing it and may require legal counsel before making a definitive comment. When they have completed the review, they will publish a statement and list the license in the FSF directory of free and non-free software licenses. These are also broken down into copyleft and GPL-compatible classifications.

“As you can see from the GPL-incompatible licenses, there are plenty of free software licenses that are incompatible with the GPL, and many of those licenses would be incompatible with other copyleft licenses on the same basis,” Robertson said. “So it is possible for a license to be free even if it doesn’t work well with the GPL. We’ll have to do some review on this particular license before we can make any comment specific to it.”

Wix has not submitted its EMIT license to the Open Source Initiative, a community-recognized organization that acts as stewards of the Open Source Definition (OSD) and also reviews and approves licenses as OSD-conformant. OSI has not yet responded to my inquiry about the legitimacy of the license, but I spoke with Karl Fogel, an open source specialist who consults with organizations on open source licensing and the implications of using it in business.

“This so-called ‘Enhanced MIT’ license is poorly drafted and internally inconsistent,” Fogel said. “I feel on safe ground in saying that were it ever submitted to the OSI for approval, it would be rejected quickly.”

Fogel also commented on the inherent contradictions in the license’s introduction and permissions.

“An obvious internal inconsistency is that in the Introduction, it says that redistribution in source code format ‘must be done under the Enhanced MIT license and not under any other licenses, such as GPL,’” Fogel said. “But then later, in point (2) of the conditional permissions grant, it says ‘when the Software is distributed as source code, the licensee is prohibited to change the license of the Software to any ‘viral’ copyleft-type license, such as, inter alia: GPL, LGPL, EPL, MPL, etc.’

“So the Introduction is saying that redistribution is not permitted under any other open source license, but then the permissions grant section only bars redistribution under copyleft licenses, leaving open the possibility to distribute under other non-copyleft licenses. Which is it?”

According to OSI, copyleft “refers to licenses that allow derivative works but require them to use the same license as the original work.” In requiring the EMIT to be used for derivative works, the license adopts the viral nature Wix ostensibly wanted to avoid with the GPL. This emasculates the MIT, robbing it of its essential freedoms. For this reason and many others, the EMIT appears to be an illegitimate variant of the MIT.

“A larger issue is that the reasoning in the Introduction about how the standard MIT license supposedly has a ‘bug’ makes no sense,” Fogel said. “It asserts that redistribution under an open source copyleft license would somehow be more restrictive than not doing source redistribution at all (e.g., as with a standard proprietary license). There is no sensible definition of the word ‘restrictive’ in which releasing code under a copyleft license would restrict someone’s use of that code more than not having the code in the first place would restrict them.”

Fogel does not think the EMIT is a valid derivative of the MIT license and is not convinced that it can be considered a license at all.

“It is very clear that a lawyer did not write this license,” Fogel said. “I think Abrahami must have written it himself. I hesitate to even call it a license; it’s not clear what a judge would do with it, except perhaps sell tickets.”

Wix’s EMIT License is a Hostile Reaction to the Call for GPL Compliance

The EMIT license not only takes shots at the GPL but also injects a moral pronouncement against all those who subscribe to the tenets of copyleft licensing. The restrictions in the EMIT effectively “weaponize the license” against other open source projects, as one Reddit user said in a comment on the situation. This encompasses a large portion of the open source community.

Wix may not be able to publicly admit its violation of the GPL, as it has not yet answered for the past infringement of distributing the code in its mobile app. In looking back over the timeline of events, Wix’s public communication that implied it would comply with the GPL was disingenuous, as the team was scrambling behind the scenes to fork the original library and slap a new “anti-copyleft” license on it. The company has no respect for the GPL and, in fact, has communicated its disdain for the license in the language of its new EMIT license.

“I remember reading this exchange when it happened,” Fogel said. “This is not a case of gray areas or ‘the truth lies somewhere in the middle.’ Matt Mullenweg of WordPress is 100% right, and Wix CEO Avishai Abrahami is, quite simply, wrong. Mullenweg was extremely direct about what the problem was and how to fix it. Abrahami’s response was an evasive mishmash of brazen non sequiturs and willful refusal to acknowledge Mullenweg’s point, which was simply that if Wix is going to use WordPress code that is distributed under the GNU General Public License, then Wix has to follow the terms of the GPL like anyone else.

“Abrahami’s poor behavior could only have been intentional,” Fogel said. “I just don’t see any other way to interpret it, given how easy to understand Mullenweg’s letter is, and how clear the issues are here.”

Wix’s illegal use of GPL code in a proprietary app could easily be chalked up to ignorance or an oversight if the company had simply attempted to comply. Instead, they wrote a license that swipes back at copyleft proponents everywhere. The EMIT actually manages to trivialize both the GPL and the MIT in one fell swoop.

“The GPL is not a disease,” said Lawrence Rosen in a document titled The Unreasonable Fear of Infection. “It is designed to satisfy certain philosophical and economic objectives that are widely shared by many members of the open source community.”

In writing its own “Enhanced” MIT license Wix has demonstrated a careless disregard for open source licensing and hostility towards those who use copyleft licenses to guarantee user freedoms.

Although some onlookers in the open source community disapproved of the two CEOs handling the disagreement in open letters, there are plenty more who appreciate that the issue is being hammered out in public. Fogel said he hopes the situation “will draw some attention to the fact that the GPL actually means something and can be enforced.”

by Sarah Gooding at January 21, 2017 12:04 AM under wix

January 20, 2017

WPTavern: Obama Foundation Launches New Website Powered by WordPress

The Obama Foundation launched its new WordPress-powered website today. The future presidential center, which will be located in Chicago, will manage projects both in the city and other places around the world.

“More than a library or a museum, it will be a living, working center for citizenship,” President Obama said. “That’s why we want to hear from you. Tell us what you want this project to be and tell us what’s on your mind.”

The website integrates the Typeform service for collecting feedback from citizens on their hopes and dreams, as well as the people and organizations that inspire them.

WordPress developers were excited to see that the former President is using the WP REST API introduced in WordPress 4.7.

The custom theme for the Obama Foundation is built using ZURB’s Foundation as its front-end framework. It integrates the jQuery Cycle Plugin for galleries.

The website was created by Blue State Digital, an agency that got its start on the campaign trail and now focuses on serving causes and brands.

President Obama is the first president to select WordPress for his presidential center website.

by Sarah Gooding at January 20, 2017 05:39 PM under News

January 19, 2017

BuddyPress: BuddyPress 2.8.0 Beta 1

BuddyPress 2.8.0 Beta 1 is packed with new features and enhancements and is now available for testing. You can download the BP 2.8.0-beta1 zip or get a copy via our Subversion repository. We’d love to have your feedback and testing help.

BuddyPress 2.8.0 requires PHP 5.3+, and will not be activated on a server with a lower version of PHP. We also remind you that BuddyPress 2.8.0 will require at least WordPress 4.3.

A detailed changelog will be part of our official release notes, but, until then, here’s a list of some of our favorite changes. (Check out this report on Trac for the full list.)

  • BP Email: Allow end user to specify which PHPMailer should be used #7286
  • Companion Stylesheet – Twentyseventeen #7338
  • Minimum PHP version is 5.3 #7325, #7299
  • Support List-Unsubscribe header in emails #7390
  • Make group search more flexible #7418 and other groups improvements, like #7419, #7399, #7388, #7386, #7375
  • Lots of new filters in various parts of the code, like #6667, #5193
  • Lots of inline documentation tweaks and other fixes and improvements

BP 2.8.0 is almost ready, but please do not run it in a production environment just yet. Let us know of any issues you find in the support forums and/or development tracker.

Thanks everyone for all your help to date. We are excited to release BuddyPress 2.8.0 in February!

by Slava Abakumov at January 19, 2017 11:03 PM under beta

Post Status: Shaping a vision of success

Editor’s note: This guest post is written by Jenny Beaumont, a co-organizer of WordCamp Paris and WordCamp Europe. She’s spent the last two decades building things in and around the web, writes a terrific newsletter, and lives in France.

One of the highlights of my year, and a fitting end to 2016 as my sabbatical drew to a close, was attending the 2nd annual WordCamp US, held December 2-4 in Philadelphia, Pennsylvania.

The trip met my expectations in every way, from the warm-hearted nature of the locals to the super-sized portions at every delicious meal, and from the diversity of attendees to all of the extraordinary conversations I had during that short week I was in town.

“You might have noticed that this year’s programming at WordCamp US had some more of a human side, in addition to just the technical that we’ve had before,” said Matt Mullenweg, co-founder of WordPress and CEO of Automattic, during his much-anticipated State of the Word.

“I think that a lot of our opportunities to grow over the coming year are on the human side, and understanding the humanity of an open source project and working together and creating the code that’s going to touch humanity as well.”

Moving into 2017, ready for new opportunities and with the next edition of WordCamp Europe on the horizon, I find myself thinking about growth past and present, and about what success might look like for all of us in this new year.

Growth and competition for WordPress

“It’s really all about pie,” replied Mullenweg when asked about the future of a WordPress entrepreneur, stating that as long as the pie continues to grow, everyone can get a piece.

He talked about how the new focuses of the WordPress project—the REST API, the Editor and the Customizer—along with an inclusive design-led approach, should allow WordPress to reach new audiences.

WordPress has seen incredible growth in recent years, now representing over 27% of websites, a full 20% ahead of competing platforms. This translates to 58.5% market share of all monitored content management systems, when looking at the top 10 million sites.

This doesn’t mean that the competition isn’t trying to close the gap. Mullenweg reported that the top proprietary platforms, such as Squarespace and Wix, spent upwards of 320 million in advertising dollars in 2016, often directly targeting search engine queries for WordPress.

“I think that in the past WordPress got by on a lot of sort of marketing by happenstance,” he said, admitting the need to look at the marketing of WordPress in new ways, and hopefully pooling the resources of the community to do so.

“I think we have a real opportunity especially as the businesses around WordPress grow larger and larger, to actually coordinate a bit […] there’s no one company in the WordPress ecosystem that’s large enough to match 300 million dollars, and spend on telling people the WordPress story. But no one company needs to be large enough, because we’re a community.”

All in all, he painted a bright picture for the future for the WordPress ecosystem, the community of people who come together around a common purpose and ideal—the WordPress project and its mission to democratize publishing—and in so doing create a new paradigm for work and the web, the byproduct of which is a flourishing economy.

I can’t help but wonder, how big can the pie get? And while we concentrate on growth and competition, how do we measure the success of our mission? How will we know when we’ve democratized publishing? Can or should WordPress achieve this goal alone?

The numbers game for WordCamps

“We must tilt our hat and bow down to Europe, which beat us this year,” Mullenweg capitulated as he wrapped up his report on community growth, expressed in the number of events and event attendance worldwide.

Growth is an indication that we’re doing something right. An increase in the numbers tells us that more people are interested and getting involved. This is what an open source project needs to reach a wider audience, stay competitive and accomplish its mission: people to make it happen.

But should success be measured solely in numbers? Is it healthy to think that there can be winners and losers when it comes to the success of our community as a whole?

In its first three years, WordCamp Europe grew at a slow and predictable rate. Then last year, for some reason, it exploded. We sold our initial batch of 1500 tickets practically overnight, and ended up selling nearly 2200 tickets in total.

What happened? Did WordCamp Europe’s reputation catch up with itself, creating this burgeoning interest? Was Vienna simply an incredibly attractive destination for a lot of people? Or was it the organizing team that did an outstanding job at marketing and outreach?

WordCamp US was in its second year, and we can ask similar questions about why they didn’t see the growth they were expecting. Is the event, with its transition from the long-standing WordCamp San Francisco, still in its infancy, so that slow growth is to be expected? Was going to the same destination two years in a row not as appealing to attendees? Did the team do an adequate job of communicating around the event?

In my mind, both WordCamp Europe and WordCamp US were successful events. Each did a lot of things well, and some other things less well. Attendees I encountered, whether speakers, sponsors, volunteers or the general public, seemed to have a rewarding experience and their expectations met.

Because that’s why we put these events on, right? Not to “get the numbers” or “win”, but to create an enriching experience.

Bigger is not necessarily better

So, how big do we let ourselves get? This has been an ongoing question for us on the WordCamp Europe team since things took on a new dimension in Vienna.

When I asked Paolo Belcastro, WordCamp Europe local team lead in 2016 and global team lead for 2017, what he thought about growth he said, “For me a successful event is when we have one ticket left over. It should be our goal to make sure that everyone who wants to attend, can.”

This is a philosophy that I stand beside. It reflects our focus on attendees and on inclusiveness, so that it doesn’t matter whether we have 1000, 2000 or 3000 people, it only matters that we do our best to accommodate everyone and put on a great event for however many show up.

It does not, however, answer the question.

It’s exciting to run a popular event, and it’s easy to get carried away with that excitement and sense of accomplishment knowing that so many people want to attend, that so many people are being impacted in positive ways. When we focus solely on the numbers, and adopt a “bigger is better” mentality, it’s also easy to lose sight of some important consequences of growth.

Professional level of production

Keep in mind that we didn’t originally plan an event for 2200 people last year, and so we had to improvise, which meant a significant budget increase and a lot of extra work for the organizing team.

It also catapulted us into a new level of production. Putting on a large event is not the same as putting on a smaller one, and once you get up above 2000 attendees, it has a trickle down effect. It means organizing a speakers dinner for upwards of 300 volunteers, and an after party for 1500. These are events in and of themselves. We’re brought to collaborate with professionals in the events world—caterers, vendors, venues—while we’re still volunteers working in our “spare time”, some of us with more experience than others at making this all happen.

Increased cost of WordCamps

While the average ticket price per day has gone down, from $20 to $15.79, the cost of putting on a WordCamp has increased. Mullenweg reported that the cost of WordCamp US was $516 per person, while attendees continue to pay a mere $40 for entry to the two-day event, including lunch both days, free-flowing coffee, access to the contributor day and after party, not to mention the great swag, which included both a t-shirt and an adorable Wapuu plushy this year.

The additional 90% of this cost falls to sponsors. Sponsors are not volunteers running a non-profit, they are businesses. As we ask more and more of them, they understandably are starting to question what they get in return. Our response has typically been, “you’re supporting the community and gaining exposure,” but is that enough and for how long? How much is too much to ask?

Setting expectations for sponsors and attendees

How much is too much to ask of anyone? As we ask more of sponsors they expect more in return. As we grow, try to predict growth and to outdo ourselves every year, the task for organizers becomes more demanding. As we create bigger and better events, attendees expect to find the same elsewhere.

An event with 10,000 attendees would be amazing. We probably couldn’t call it a WordCamp, though. It would be a WordPalooza, and would require a full-time staff and a new approach to programming, sponsorship and organization on the whole. Does an event have to grow in order to be successful? Can maintaining a certain level of participation and quality also be considered a success?

Because it’s also possible that WordCamp US and WordCamp Europe will simply plateau at a certain capacity. The world may not be ready for a WordPalooza.

Competition and success

“One of the reasons why I think WordPress has such a collaborative community, when you see competitors hanging out with each other and getting drinks […] is that it’s a growing pie. So everyone’s slice of that pie can grow alongside. If it were shrinking or a static pie, the only way to grow would be taking some pie from someone else.”

Competition is widely considered good for business. It pushes companies to innovate and guard against complacency. It encourages a focus on customer service and helps protect consumers through competitive pricing. Competition in the marketplace confirms there is a market to be had, that demand is strong for the products or services being offered. It seeks to establish a basis for fairness, while letting companies vie for market share, sales and profit margins.

The friendly, collaborative nature of the WordPress community is born out of the open source philosophy of contribution and sharing. It is, in my mind, our greatest strength. Support within the community is unparalleled. We consistently root for one another, learn from one another, share our triumphs and our difficulties, through mergers, acquisitions, hirings, firings, career changes and even the occasional drama.

How big can WordPress get? Arriving at 100% market share is neither a likely nor a desirable scenario, if you believe in the benefits of competition and fair trade. The pie is not likely to grow exponentially, but rather will turn into something else entirely as the technology, the world and the web evolve, and the project along with them.

Success and expectations

“When we are candid about our shortcoming, it allows us to be better towards going to the future,” Mullenweg said in talking about the WordPress Editor.

This is a sentiment we can apply across the board, to ensure that our philosophy and our mission are reflected in our words and actions as we bring new users to our platform and welcome newcomers to our community.

Healthy competition, whether inside or outside of the community, helps us strive to be the best we can be. Raising the bar can produce some extraordinary results, allowing us to be inspired by one another, taking on ideas that we might find valuable for our audiences, customers, clients. Healthy competition allows us to learn, have fun, grow and share that wealth of knowledge around us.

Unhealthy competition causes us to lose sight of our goals, focusing on numbers instead of the people affected by them. In a community such as ours that prides itself on inclusiveness, we can only succeed or fail together.

In this coming year I’d like to see success shaped through managing expectations and staying true to our purpose. I’d like to see it shaped by people, not numbers, by the humanity of this open source project that brings us together, allows us to create, to innovate, to provide for ourselves and our families.

I’d like to think that a future vision of success could be when growth is neither the goal, nor our limitation, when we’re no longer looking to a growing pie, but rather to a renewable spring or self-sustaining garden. I’d like to think that one day we will be able to say that we’ve succeeded in democratizing publishing, and if and when we do, I doubt that we will have done it alone. And that’s a good thing.

See you in Paris

I have no idea how many people will show up to WordCamp Europe in June, but I do know that it will be another fantastic event. I also know that you can help make it a success by participating. You can apply to speak, to volunteer, to sponsor, and/or buy a ticket. So many ways to be a part of making it happen. So, see you there? Wait, let me rephrase: see you there!

by Jenny Beaumont at January 19, 2017 06:02 AM under Planet

WPTavern: Jetpack 4.5 Expands Monetization with WordAds Integration

Jetpack is starting 2017 with a major release that is heavy on enhancements and improvements. Version 4.5 includes more than a dozen new shortcodes and widgets, along with revamped support for VideoPress. One of the most intriguing new features announced in this release, however, is the integration with WordAds, WordPress.com’s advertising program.

Jetpack users are required to be on the Premium plan ($9.00/month or $99/year) in order to sign on with WordAds. The feature is then available within the Engagement tab along with settings for adjusting ad placement.

Eligibility for WordAds was previously limited to sites that had thousands of page views per month, but this requirement is lifted for those who have purchased a Premium or Professional Jetpack plan. Unlike AdSense, which pays for clicks, WordAds pays based on the number of impressions combined with many other factors. According to Derek Springer, an Automattic employee who has worked on WordAds for several years, the traffic requirement was given to set earnings expectations and to ensure support resources were adequately available.

How Much Can Publishers Earn through WordAds?

It’s difficult to gauge how much a publisher can earn using WordAds, and Automattic doesn’t publish any sample earnings. The WordAds network has more than 60 partners bidding for advertising space in realtime, including Google’s AdSense, Google, AdX, Facebook Ads, AOL, Yahoo, and Amazon. WordPress.com’s Daily Post blog likened the network to a stock market with prices rising and falling as available space changes.

When asked about the average return for every 1,000 impressions, Derek Springer said it’s challenging to estimate due to the complex set of factors influencing the revenue publishers can earn. These include location and number of ads, geography of viewer, percentage of viewers with ad blockers, and other factors.

“Generally speaking, a site with majority US views with high-quality content can expect to earn the most, while non-English language, low-quality (copied content, nsfw, spam, purchased traffic) sites can expect to earn very little (if anything),” Springer said. “Our network over the past year or so has gotten pretty good at appropriately rewarding high-quality sites with high-quality traffic (and penalizing the inverse).”

For years, bloggers have traded stats and earning records, speculating on what influences WordAds’ unpredictable payouts. In 2014, the Human Breed Blog published a collection of data from blogs that made their WordAds earnings publicly available. The data demonstrated inconsistency in earnings for many publishers, including the author’s own blog, where earnings varied wildly from 2014-2015:

My earnings have dropped down to half (From $22.55 in October 2014 to $11.77 in May 2015) despite my page views being higher than 20,000 views per month. The return per 1,000 Ad Impression (CPM) has dropped from $2.25 in October 2014 to $1.17 in May 2015 and the return per 1,000 Page views (CPV) has dropped from $1.39 in October 2014 to $0.51 in May 2015.

The Human Breed Blog 2014-2015 WordAds Earnings

This example is representative of the experience of many WordAds publishers in 2014-2016.

“On my blog SQLwithManoj.com, for the months May, June, and July, the ‘Ad Impressions’ were around ~10k and earnings were in the range of $25 to $48 respectively each month,” said Manoj Pandey, blogger at SQLwithManoj.com. “But in the month of August the ‘Ad Impressions’ were showing ~100k, i.e. ~10 times the previous months, but earnings are still in the same range.”

For many publishers participating in WordAds, there seems to be little correlation between impressions and payouts from month to month. Numerous publishers have reported progressively lower earnings despite having higher traffic numbers than previous months. Clarissa’s Blog, included in the collection of public earnings above, published stats from June 2014 to December 2015 that show a dramatic decrease in the amount paid for impressions.

“You have no way of knowing where the ‘ad impressions’ figure comes from and why it varies from one month to another,” Clarissa said. “You will have to trust WordPress on that. I experimented with placing the maximum amount of ads as opposed to a moderate amount of ads and that had absolutely no impact on the number of ad impressions.”

Things started changing in 2016 for Clarissa, who now reports that earnings are increasing. “I have no idea why but the payments seem to have returned to the higher rates,” Clarissa said. “Right now is a good time to do WordAds.”

Others continue to report declines on the WordPress.com forums as recently as this week.

“I used to get $800 for 800K impressions,” said the owner of rebirthonlineworld.com. “A few months ago I got $100 for more than 2 million impressions. Last month, only $90 for 500K impressions. This is a big problem for me.”

WordAds Vastly Overpaid for Low-Quality Traffic During Its First Years

In 2013 WordAds paid out $1 million to publishers on its network. According to Derek Springer, earnings since then have been “pretty flat the past year” due to industry-wide declining ad rates.

“We’ve been slowly clawing our way back from the trough of early 2015, which was a historical low for us,” Springer said. “So more folks were paid out, but rates as a whole were at their lowest point in 2015. We’ve been steadily increasing our rates and paying out less to low-quality content/traffic, so if you’re a high quality site it’s likely your rates haven’t fallen too much.”

Behind the scenes, WordAds was quietly evolving its network to better distinguish sites that would deliver more value to its advertising partners, which accounts for many of the dramatic declines in earnings.

“Pre-WordAds 2.0 our network didn’t have the precision to distinguish between high-quality and low-quality (spam, nsfw, bot views, etc) traffic and we had to make some coarse estimations on how to chop the earnings value up,” Springer said. “The net effect was that we vastly overpaid low-quality traffic for the first handful of years.”

Since WordAds 2.0, the program has gotten better at paying users for high-quality content and traffic. The team has more information on the traffic the network is getting and buyers have more information about the content they are bidding on.

“The net effect is that advertisers refuse to bid on low-quality content and traffic and those sites that were previously earning lots are now getting pennies on the dollar,” Springer said. “I would estimate that after investigation 95% of the time the folks complaining about low payout have something kinda scammy going on, usually copied content or paid traffic (and frequently both).”

“Paid traffic” in this instance refers to users who have paid a service to send bots to a page to refresh constantly in order to artificially inflate pageviews. One recent highly publicized incident of this kind of fraud is a case where Russian hackers stole more than $3 million per day from video advertisers using nonhuman bot traffic. Similar tactics have been used on WordAds, motivated by a misconception that pageviews are equal to ad views.

The Decline of the Advertising Industry

Another factor contributing to lower earnings over the past few years is the general decline of the advertising industry. A 2015 Reuters Institute Digital News survey indicates that nearly half of US internet users have some form of ad blocking software installed. Reuters Institute’s latest predictions forecast a 24% increase in US users with ad blocking in 2017. Advertisers have to fight harder to get the attention of the remaining half of consumers and many companies have decided to allocate those funds elsewhere.

According to the Interactive Advertising Bureau’s latest Internet Advertising Revenue report, search advertising on desktop declined for the first time in 2016, falling 12% to $8.9 billion. However, mobile advertising grew 105% from $3.6 billion to $7.4 billion. Mobile search is having an increasingly strong impact in shaping a site’s traffic.

These factors are outside of WordAds’ control but they weigh heavily on how many impressions publishers will receive. If the vast majority of a site’s visitors are using ad-blockers and the site isn’t easily found via mobile search, it is likely to suffer earning declines on any ad network.

“Ad rates industry wide have fallen over the past few years,” Springer said. “Ad buyers just aren’t paying what they used to and more users are using ad blockers. The heyday of the late aughts/early twenty-teens may never return as ad buyers realized they just aren’t getting the return they were expecting.”

WordAds Needs More Transparency Around Partners and Reporting

It is difficult for publishers to improve their strategies for generating ad revenue when earnings fluctuate wildly without any explanation beyond changes in advertising rates. A review of the product’s forums shows that many publishers are requesting more transparency around why their earnings have dropped despite higher numbers of impressions. They want to know if advertising rates have dropped for the month, if partners have dropped out of the network, or if their content failed to connect with visitors on certain days.

WordAds users have experienced problems with incorrect reporting, record low payouts, and blank banner displays. In the past there have also been considerable delays in publishers receiving their monthly earnings. Springer said improving the reporting process is a top priority for the team this year.

“The flip-side/challenge of working with dozens of networks is that none of them pay us very consistently,” Springer said. “In the past there was no unified collection process on our end, so we would have to wait to collect from each partner and then split it up and send folks earnings out in one batch. However, for the past year and a half or so we’ve been working with a company called IPONWEB to unify our earnings, reporting, and ad buying process (this is what powers WordAds 2.0). We’re at the point where we can begin to provide closer to real-time earnings reporting.”

Automattic is Optimistic about Expanding the WordAds Program with Jetpack

The number of WordAds sites is up 111% year over year. WordAds currently has a few thousand self-hosted sites running AdControl/Jetpack Ads and Springer said the team is expecting that number to grow considerably now that integration has been added to Jetpack. The AdControl plugin is still available for non-Premium Jetpack users but the standard application and traffic requirements apply. Springer said they plan to phase out the plugin at some point in the future but there are no definite plans yet.

“Tens of thousands of WP.com sites are approved WordAds (meaning they applied and were approved) out of many tens of thousands more total applications,” Springer said. “Additionally, every freemium WordPress.com site is running our ad network, though we naturally keep all the revenue from those sites.”

With a gaggle of new publishers joining WordAds through Jetpack, one might imagine that rates and payouts for existing users would decrease as more advertising space becomes available. However, this isn’t how advertising networks work.

“Generally speaking, advertisers want to display more ads than most publishers are able to provide (known as inventory), so adding more publishers/inventory to a network is a net benefit to advertisers and is what attracts the bigger, higher paying ad buyers,” Springer said. “If we can tell our ad partners ‘We have 10,000,000,000 pageviews available this month across our network,’ then that attracts much more lucrative buyers than if a user has to try to attract them on their own. Advertisers also like that they can cut one deal for a million sites as opposed to having to cut them piecemeal and are generally willing to give us better deals. The whole ‘powers 27% of the web’ is a pretty tasty morsel for ad networks.”

Advice for Publishers New to WordAds: Keep Expectations Realistic

Seamless advertising is a major incentive for Jetpack users to sign up for the Premium plan, which also includes backups, one-click restores, security scanning, and 13GB video storage. The prospect of being able to flip the switch to turn on ads and potentially start earning money is very compelling, especially for users who have struggled with other forms of advertising that were not WordPress-compatible.

The general outlook for WordAds is improving, as the product has evolved to reward higher quality content. As advertisers receive a better return on their investments, their confidence in bidding should increase. However, most publishers should expect to see fluctuations in earnings.

WordPress.com’s Daily Post Blog advises new publishers to temper their expectations with the knowledge that they would need “hundreds of thousands of pageviews to generate meaningful earnings.” For most average bloggers, the ad revenue may not buy more than a decent cup of coffee.

Moritz Linder, an owner of traveluxblog.com, published his earnings and described his experience as “rather average.”

“It’s a nice idea to gain something without effort, to get at least something back for all the work we put into traveluxblog each day,” Moritz said.

by Sarah Gooding at January 19, 2017 01:40 AM under wordads

January 18, 2017

WPTavern: WPWeekly Episode 260 – SiteGround, Affiliate Summit Recap, and New Security Czar

In this episode of WordPress Weekly, Marcus Couch recaps his trip to Affiliate Summit 2017 held in Las Vegas, Nevada last weekend. Based on the vendors that were on the expo floor, mobile is the e-commerce platform of the future. We discuss the news of the week and share how you can get involved in the WordPress Marketing Group. We end the show with Marcus’ plugin picks of the week.

Stories Discussed:

Aaron D. Campbell Replaces Nikolay Bachiyski as WordPress’ Security Czar
Postmatic Basic Rebrands as Replyable, Moves Two-Way Email Commenting to SaaS Product
SiteGround Auto-Issues Let’s Encrypt Certificates for New Domains

Plugins Picked By Marcus:

Background Image Cropper adds cropping to background images for parity with header images. This feature is starting out as a plugin to gauge user interest and to determine if it improves the user experience of background images.

Woo Product Remover allows you to remove all WooCommerce products from your site. It removes products, their metadata, relationships, as well as product variations and their related meta data from the database.

WP Tasks After Install completes a series of tasks most commonly performed after WordPress is installed. These tasks include removing the default Hello World post, setting permalinks to %postname%, activating Akismet, and more. The plugin will automatically deactivate itself when the tasks are completed.

WPWeekly Meta:

Next Episode: Wednesday, January 25th 3:00 P.M. Eastern

by Jeff Chandler at January 18, 2017 10:59 PM under siteground

HeroPress: Living A Better Life Thanks To WordPress

To me, as well as many others, WordPress is more than a technical choice, it’s a lifestyle choice. I didn’t see it as such right away. Looking at the last 4 years of my life, I can fully appreciate its impact.

Aspiring to a life full of adventures and whimsy, I never really fit the mold. American TV series and movies taught me my dreams could be achieved if I worked hard enough. Armed with that knowledge (and without a fancy diploma to my name), I worked bank, police, IT, supply chain jobs until I discovered the joy of making websites.

My newfound passion (and many sleepless nights of work) helped me become a web designer. At the time, Joomla!, SPIP and TYPO3 were the big names out there (in France). After achieving the role of Artistic Director as a freelancer, it took me a few years to open my own web agency. That moment changed my thinking: it was no longer ME but WE. And when a client asked us to use WordPress, we got to experience the CMS and its community.

Focusing on WordPress

Our team quickly realized that WordPress could do much more than “just blogs”. In France, the CMS kept having a reputation as a blog-only platform. Complex websites were not made in WordPress. Our agency decided to convince clients otherwise. To achieve our mission and hone our skills, we decided to get closer to the WordPress community. I naively offered my help in evangelization efforts to the Paris WordCamp organizers. Except that there was one clear hurdle in our path: we had never contributed anything to the community before! This meant that we were relatively unknown. Needless to say that the feedback we received wasn’t what we expected.

Contributions: It’s About Helping Others

Contributing meant one thing: bring something to the WordPress ecosystem to help improve it. The WordCamp association’s president asked us to answer questions on the French forum as a token of our goodwill, to show our commitment.

I started to answer questions right away but felt like an imposter. All the questions on the forum seemed so technical. I didn’t know how to contribute since I wasn’t a developer. It wasn’t like I was going to create a theme or plugin anytime soon. I kept obsessing over ways I could provide value to the community. I thought about my skills but couldn’t come up with something that would make a real difference.

Sure I could speak English, but translating documents was not something I felt comfortable doing.

So I turned to the previous WordCamp Paris conference and took a closer look at the participants. There, I found my first clue: a marketing expert! I reached out to him to see if I could interview him. As Marketing Director of a press group, he had led a big WordPress project for his company. Interviewing him brought me two things: an article for our blog discussing what could be done with WordPress and a solid understanding of the inner workings of the French WordPress community. He gave me an idea of the path one would take to end up giving a conference at the WordCamp. I didn’t realize it at the time, but by picking a name on a conference program, I would meet one of the key players in my WordPress story: Benjamin.

Meanwhile, I continued to write articles about projects made with WordPress, sometimes ours, sometimes the competition’s. Good WordPress knows no bounds so it was necessary for me to showcase all the amazing websites made with this CMS. It’s also how I discovered my main competitors (before meeting them in the flesh later at various events).

A white paper detailing the success of WordPress as a CMS got my name out. This allowed me to gain the courage to pitch my first conference. Providing feedback on projects allowed me to find my place in the WordPress community. Focusing on my experience and helping others didn’t require developer skills. My contribution was in writing and not in coding.

My First WordPress Conference As A Speaker

My first conference topic was on how to create a multilingual, multi-site project with WordPress in 3 months. Needless to say that I was nervous. I mean, speaking in front of 300 people is not something I had done while working at a bank, or in the police force or in any other job really. Adventure: here I come!

The WordPress community was very kind to me and my first conference experience was a memorable one.

During this conference, I wanted to highlight the plugins we used for this project. I mentioned a French startup that had launched a premium plugin as its first product. I found their approach interesting, so I thought I would give them a little visibility. Showcasing good WordPress websites, themes and plugins was already a habit of mine by then. The French team were happy to be mentioned and happened to be present at the event. They came to talk to me after my conference. Turns out, we had a lot to talk about. The company’s name: WP Media. They would open a new chapter of my WordPress story.

During the closing night, I also met a lot of people. Some of them, just like Benjamin were going to have a big impact on my life. Many became great friends as well as mentors like Jenny Beaumont.

Once I got started, there was no stopping me! I continued to speak at events (WordCamp Lyon, WP Tech Nantes), attended meetups, continued writing articles to highlight WordPress projects.

The following year, I joined the organizing team of WordCamp Paris.

Meanwhile, I went to my first WordCamp Europe, which was a major new turn.

WordCamp Europe 2014 Changed My Life

Going to the WordCamp Europe changed my life. It’s an experience I highly recommend. If you can, go to the next WordCamp Europe!

The organizers managed to pack so many international speakers that my head was spinning. Speakers were coming from all over the world. The quality of the talks (and speakers) along with the breadth of subjects covered opened so many possibilities. You could end up changing your approach to WordPress or finding a new method of working with your peers.

I attended a conference by Noel Tock named Beyond the code where he explained how he managed his life working remotely while traveling at the same time. He also gave insights as to how to monitor your time and how to optimize it.

Realizing that such a life was possible, that you could achieve this time of freedom by reclaiming your time, was a massive discovery.

The second eye-opening conference for me was Simon’s lecture on Running an open source. He explained that undertaking Open Source also meant contributing and collaborating with a community, including your competitors. Simon showed us for 30 minutes that working with competitors was not only beneficial for us agencies, but also for the customer, and for the WordPress community as a whole.

Professional WordPress

Becoming a strong voice in the professionalisation of WordPress in France and encouraging web agencies to contribute and to exchange more had become priority subjects.

I have launched a WP Next association for professionals:

  • To ensure the promotion of WordPress, mainly with professionals, managers of information system, internet director, new media, … and more generally all IT decision makers.
  • To enhance the skills of WordPress professionals with decision-makers,
  • Promote French know-how around the WordPress CMS, associated technologies and services

I also launched with Deborah Donnier a documentary project Think WP to make known WordPress and its community.

A new turn

With these activities I gradually moved away from the creation of websites. Having so many opportunities tied to WordPress available to me, I decided to take a new turn. During the WordCamps across Europe, I took great pleasure in exchanging with WP Media. We had kept contact since our first meeting. My profile and experience seemed like a great fit for a new role in the WP Media adventure. I took a leap and became COO of the startup about a year ago. I manage my agency in parallel.

I now work 100% remotely and so does a great portion of my agency. As for WP Media, everyone works remotely. Being a remote worker frees me from constraints that are inherent when you live in the Paris region (it’s a city and province in France). Time spent on commuting is used for other activities.

My experience as a remote worker lets me have greater foresight which in turn allows me to carry out so many activities.

Today, I can proudly say that I attended the US WordCamp last year and am helping organize this year’s WordCamp Europe with Jenny and Benjamin. I feel like I belong in a global community that thrives thanks to its members and their desire to improve WordPress.

WordPress helped me along the path to a life full of adventures and long lasting friendships. It offers so many opportunities to forge beautiful projects, stories and more.

I hope that my story will inspire someone else to get started and find the courage to persevere on the way to a life full of adventures (with or without WordPress). Give yourself time and open yourself to other points of view to help build the life you aspire to.

Thank you for reading my story and see you at WordCamp Europe 2017!

The post Living A Better Life Thanks To WordPress appeared first on HeroPress.

by Emilie Lebrun at January 18, 2017 12:00 PM

January 17, 2017

WPTavern: How to Add Users to BuddyPress Groups in Bulk

On a site I’m working on that runs BuddyPress, I created a new group and wanted to add nearly 400 registered users to it. Unfortunately, adding users to BuddyPress groups in bulk is not a core feature. I searched Google for a solution and while the BuddyPress Members Import plugin is recommended in many of the support threads, the feature alone is not worth spending $49.

Continuing my search, I discovered a code snippet published by Alexander on the WPMU DEV forums that works perfectly. To use it, copy the code and add it to a custom WordPress plugin or paste it to your theme’s functions.php file. I added the code to the top of my theme’s functions.php file.

Code Snippet at the Top of my Theme’s Functions.php File

The JavaScript portion of the snippet adds a new item to the Bulk Actions drop-down menu named Add to BP Group.

Add to BP Group Bulk Action Menu Item

Select the users you want to add to a group and select Add to BP Group. A prompt appears asking for the Buddy Group ID you want to assign the users to.

BuddyPress Group ID Prompt

To locate the Group ID, click on the Groups admin menu and click on the group’s name. The URL will look something like this admin.php?page=bp-groups&gid=357&action=edit and the ID is the number that appears after gid=. After entering the ID number, click the Ok button. All of the users you selected will be assigned to that group.

In the comments of the code snippet on GitHub, Strand-C said he wasn’t able to move 165 users at a time and had to move 50 instead. I tested this theory by moving nearly 400 registered users at the same time to a new BuddyPress group and didn’t encounter any issues. Keep in mind that the site I’m working on is relatively new, is running WordPress 4.7, and has very little traffic which could explain why I didn’t have a problem.

Being able to manage BuddyPress groups in bulk should be a core feature. There is at least one open ticket on BuddyPress trac to add Bulk Edit options to Groups. Until these features make their way into BuddyPress, the code snippet above is a free work-around that makes adding users to groups in bulk a lot more convenient.
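For comparison, here is an added example (not Alexander's snippet and not BuddyPress's own code) of registering the same Add to BP Group bulk action with the checks an admin-side bulk operation should carry: a nonce check, a capability check, and server-side validation of the group ID. Every name prefixed `example_` is hypothetical, requiring the `bp_moderate` capability is an assumption, and the group ID comes from a form field on the Users screen rather than a JavaScript prompt.

```php
<?php
/**
 * Plugin Name: Example - Bulk Add Users to a BuddyPress Group
 * Description: Illustrative only. All "example_" names are hypothetical.
 */

// Offer the action in the Users screen's Bulk Actions menu (WordPress 4.7+).
add_filter( 'bulk_actions-users', function ( $actions ) {
	$actions['example_add_to_bp_group'] = 'Add to BP Group';
	return $actions;
} );

// Print a Group ID field beside the top bulk-action controls only, so the
// form submits a single, unambiguous value.
add_action( 'restrict_manage_users', function ( $which ) {
	if ( 'top' !== $which ) {
		return;
	}
	echo '<input type="number" min="1" name="example_bp_gid" placeholder="BP Group ID" />';
} );

add_filter( 'handle_bulk_actions-users', 'example_handle_add_to_bp_group', 10, 3 );

/**
 * Add the selected users to the requested BuddyPress group.
 *
 * @param string $redirect_to URL the Users screen redirects to afterwards.
 * @param string $action      Bulk action that was submitted.
 * @param array  $user_ids    IDs of the checked users.
 * @return string Redirect URL carrying the outcome as a query argument.
 */
function example_handle_add_to_bp_group( $redirect_to, $action, $user_ids ) {
	if ( 'example_add_to_bp_group' !== $action ) {
		return $redirect_to; // Some other bulk action; leave it alone.
	}

	// The users list table prints a 'bulk-users' nonce; verify it so the
	// request cannot be triggered cross-site.
	check_admin_referer( 'bulk-users' );

	// BuddyPress must be loaded with the Groups component active.
	if ( ! function_exists( 'groups_join_group' ) || ! bp_is_active( 'groups' ) ) {
		return add_query_arg( 'example_bp_error', 'inactive', $redirect_to );
	}

	// Assumption: only users who can moderate BuddyPress content may change
	// group membership in bulk.
	if ( ! bp_current_user_can( 'bp_moderate' ) ) {
		wp_die( 'You are not allowed to change group membership.', 403 );
	}

	// Never trust the submitted ID: force it to a positive integer and
	// confirm that the group exists before touching any membership.
	$group_id = isset( $_REQUEST['example_bp_gid'] ) ? absint( $_REQUEST['example_bp_gid'] ) : 0;
	$group    = $group_id ? groups_get_group( array( 'group_id' => $group_id ) ) : null;
	if ( ! $group || empty( $group->id ) ) {
		return add_query_arg( 'example_bp_error', 'group', $redirect_to );
	}

	$added = 0;
	foreach ( array_map( 'absint', (array) $user_ids ) as $user_id ) {
		// Skip IDs that do not map to a real account.
		if ( $user_id && get_userdata( $user_id ) && groups_join_group( $group_id, $user_id ) ) {
			$added++;
		}
	}

	return add_query_arg( 'example_bp_added', $added, $redirect_to );
}
```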

by Jeff Chandler at January 17, 2017 10:23 PM under users

WPTavern: SiteGround Auto-Issues Let’s Encrypt Certificates for New Domains

SiteGround is now auto-issuing Let’s Encrypt certificates for every domain hosted on its shared servers. The company has also begun issuing and installing certificates on new accounts automatically after customers register domains or direct new domains to SiteGround’s servers. This also includes add-on domains added in cPanel. The certificates are also auto-renewed as long as the domains are pointed to the host’s servers.

“Since the launch of Let’s Encrypt our customers have installed nearly 40,000 such certificates,” said Hristo Pandjarov, WordPress specialist at SiteGround. “This is less than 10% of the 500,000 domains we host. Together with the paid certificates we may say that 15% of the domains we host were using the HTTPS protocol before we started the auto-issuing procedure.”

SiteGround is a sponsor of Let’s Encrypt and one of the first to auto-issue certificates to self-hosted WordPress customers. Let’s Encrypt passed 20 million active certificates in 2016 and the pressure is on for more sites to adopt SSL in 2017 with Google marking insecure sites in Chrome and using HTTPS as a ranking signal.

“What prompted this decision is that we truly believe HTTPS is the future standard for web protocol and we also believe it is the better protocol,” Pandjarov said. “This is a good enough motivation for us to take the step of installing it automatically. We have decided to automate the SSL issuance and setup almost right after the appearance of the Let’s Encrypt initiative. Matt Mullenweg’s statement at WordCamp US that issuing SSL certificates will be a very important factor in evaluating a web host, was one more validation that this planned automation was a decision in the right direction.”

According to Pandjarov, the vast majority of SiteGround’s customers are running WordPress. Respondents to the company’s 2016 client survey indicated that more than two thirds of them use WordPress, which Pandjarov said is a 10% increase in the popularity of WordPress among SiteGround users.

Next Step for SiteGround: Pre-Configuring WordPress Installs to Use SSL with One Click

Auto-issuing certificates does not guarantee that SiteGround customers will jump through the hoops to configure their sites to use the certificates. Installing a certificate on an existing WordPress site is not as straightforward as a simple click in most cases. SiteGround is working on fully automating this process for its WordPress customers.

“If we really want to get closer to 100% HTTPS usage, we need to do more than just automatically issue the certificate,” Pandjarov said. “Our next step is to provide a way to pre-configure an active WordPress site, hosted on our servers, to work with the already issued SSL with one click. Additionally, our auto-installer is being updated to install all new WordPress sites as https-ready.”

SiteGround doesn’t yet have an ETA for one-click SSL configuration but Pandjarov said the announcement will be coming soon.

by Sarah Gooding at January 17, 2017 09:52 PM under ssl

January 16, 2017

WPTavern: Postmatic Basic Rebrands as Replyable, Moves Two-Way Email Commenting to SaaS Product

Postmatic is rebranding its WordPress.org Postmatic Basic plugin as Replyable and pushing the two-way email commenting feature into a new SaaS product. After discovering that many users simply want email commenting, without additional post delivery and newsletter features, Postmatic launched Replyable to offer this starting at $3/month.

“Replyable was born out of user feedback,” founder Jason Lemieux said. “Postmatic does more than most sites need and the price is squarely mid-market. From the beginning we’ve heard from users that they already use another newsletter service and just want Postmatic to handle comment subscriptions – but that alone isn’t worth $20 to too many people. With Replyable we can offer it for $3.”

Lemieux and his team have now transitioned Postmatic to be purely a SaaS product without a presence in the WordPress.org directory.

“Postmatic will continue to grow as a complete engagement system and, if anything, become even more complex and go further up market,” Lemieux said. “Sites which use Postmatic tend to dive in deeply. It is meant to function as a package. Grow a list, deliver to it, get them talking about your ideas, monetize the results.”

The Replyable plugin on WordPress.org now simply covers comment subscriptions with all other features available in the commercial products.

Ripping an existing feature out of a free plugin and making it paid is fairly unusual and can have a negative impact on how users perceive the plugin. However, Postmatic has a plan to allow legacy users to continue using the features they had before by switching to Postmatic Labs. It’s an inconvenient change but is required for those who don’t want to upgrade to a commercial plan.

Although WordPress.org says Postmatic has approximately 1,000 active installs, Lemieux estimates there are 8,000 users including those using the commercial plugin or the Labs plugin. He would not share any specific revenue figures but said he learned some important pricing lessons in leading the bootstrapped startup for the past two years.

“We aren’t a runaway WordPress success story but we’re alive and loving our jobs,” Lemieux said. “About six months ago it became apparent that we needed to get out of the mid market. We had a huge group of people saying, ‘I just want email commenting and will totally pay you 5 bucks a month for it,’ and another group saying, ‘We pay $6,000 a month sending Mailchimp RSS campaigns but yours are better for only $1500. Why so cheap?’ That’s been a frustrating reality and a big lesson in knowing your audience and pricing appropriately.”

Next on Postmatic’s Roadmap: Epoch 2

In July 2015, Postmatic introduced Epoch as a Disqus alternative, offering 100% realtime commenting for WordPress. The plugin submits comments via AJAX so that they appear instantly without refreshing the page. Lemieux and the team have been working on the second version for nearly a year.

“Epoch 2 is a huge step forward,” Lemieux said. “We built it on top of the REST API and Angular. It’s fast and incredibly light. Commenting isn’t sexy – I don’t think it will ever be, but comments are great for SEO, community, and for building brands and authority. Comments aren’t going away. In fact, they are vitally important to keeping the web as a place for discourse, conversation, and the sharing of ideas. We need to continue to make them a better experience. Epoch isn’t groundbreaking in its functionality but it does the job of making sure sites of any size can still run native WordPress comments.”

Postmatic continues to innovate with native comments, an aspect of WordPress that doesn’t have as many commercial players as something like forms or e-commerce. Lemieux attributes this underserved area to the poor reputation of previous non-native solutions.

“I think it is because of the rise and fall of third party commenting system,” Lemieux said. “Early in WordPress history services like Disqus and Livefyre grabbed huge parts of the comment traffic on WordPress sites by offering more features, better speed, and improved moderation tools (with the hidden cost of selling your users down the river). It was certainly a siren song. But most all of them stagnated, violated user trust, or just plain didn’t work well. And commenting got a bad name. Naturally came the trend in disabling comments and, well, now here we are and people are trying to have conversations 140 characters at a time.”

Lemieux said the innovation he sees happening outside WordPress makes him believe that comments can overcome their past reputation.

“Things are getting better – and hopefully more folks will begin to innovate,” Lemieux said. “Lucky for us other blogging and publishing platforms are innovating and coming up with interesting ideas all the time. Some of them, like inline commenting from Medium, do make their way back over to WordPress. That makes me optimistic.”

by Sarah Gooding at January 16, 2017 03:49 PM under wordpress comments

January 14, 2017

WPTavern: Aaron D. Campbell Replaces Nikolay Bachiyski as WordPress’ Security Czar

Aaron D. Campbell, WordPress Core Contributor at GoDaddy, is replacing Nikolay Bachiyski as WordPress’ Security Czar or WordPress Core Security Team Lead. The role was created in 2015 to provide more structure and focus around incident responses.

“The responsibilities of the position include organizing the security team and making sure all security concerns and reports get triaged and ultimately fixed, coordinating the security side of releases, and being a point of contact for any security related things that need one,” Campbell said.

Matt Mullenweg, co-creator of the WordPress project, thanked Bachiyski for being the first to accept the role and putting the foundation in place for future team leads. “This is also a good time to thank the dozens of volunteers who participate in the security group, and the researchers and reporters who bring issues to our attention,” he said.

Campbell says he plans to finish what Bachiyski started by getting WordPress.org onto HackerOne. “Nikolay did a lot of work around expanding our team as well as getting the foundation laid for moving over to HackerOne,” he said.

“We aren’t quite ready to make the move completely, but I hope to phase out the security@ E-Mail address in favor of HackerOne in the near future.”

In late 2016, GoDaddy hired Campbell to contribute to WordPress core full-time. The company continues to back his involvement in WordPress. “The role is completely voluntary,” Campbell said. “GoDaddy has truly been extremely hands off while funding me to do all this, and I’m grateful to have that continue.”

If you think you’ve discovered a security vulnerability with the self-hosted version of WordPress, you’re encouraged to responsibly disclose it to the security team by emailing security @ wordpress.org and including as much detail as possible.

by Jeff Chandler at January 14, 2017 11:53 PM under security

WPTavern: Automattic Releases Free Plugin for Exporting Photos from Lightroom to WordPress

Yesterday Automattic released a new free plugin that makes it easy for Lightroom users to export their photos to WordPress. Lightroom is an Adobe product for managing and editing photos, and the plugin works with the software on MacOS and Windows. It is compatible with both WordPress.com and Jetpack-powered sites.

The Lightroom plugin requires a WordPress.com account to install. Users can then select photos in Lightroom and export them to a WordPress site with all the standard settings available, such as image resizing, watermarking, output sharpening, and more. The plugin automatically exports titles and captions. A large number of photos can take a while to export, but once the upload is finished users can find their images in the WordPress media library.

When asked for tips on suggested upload size and compression, Automattic representative John Godley said, “WordPress.com can handle pretty much anything you throw at it! I personally go for a high quality and large size so it looks good on a HiDPI screen, and then let WordPress resize as necessary to fit the viewer’s device.”

It’s not yet clear how the release of Automattic’s free plugin will affect the commercial products that exist for a similar purpose. FloLight, WPLR Sync, and other solutions will need to offer more features with a quicker setup if they want to compete with the new free Lightroom plugin.

Those who want to use the plugin must already have a Lightroom license (standalone or subscription). Although this is a relatively small subset of overall WordPress users, it saves a great deal of time for photobloggers and those who process a large number of photos with Lightroom before posting online. For most, this plugin simplifies what was previously a tedious, multi-step process of manually uploading the photos after working with them in Lightroom.

by Sarah Gooding at January 14, 2017 12:13 AM under lightroom

January 13, 2017

WPTavern: Wes Bos Launches JavaScript30, a Free 30-Day Vanilla JS Coding Course

For those who failed to “learn JavaScript deeply” last year, 2017 offers a clean slate for restarting your JavaScript learning goals. Wes Bos, a developer and educator known for his high quality video tutorials, recently launched a free 30-day vanilla JS coding challenge course that provides structure for developing a new habit of daily learning.

JavaScript30 walks users through building 30 things in 30 days with no frameworks, no compilers, no libraries, and no boilerplate. The course is suitable for beginner to intermediate developers and designers who want to get a solid grasp of JavaScript fundamentals. It purposely steers clear of abstractions like frameworks to help students gain a better understanding of browser APIs while working in the DOM without a library.

Bos designed the course to help students gain competence through building things, the advice he gives to anyone wanting to improve their JavaScript skills.

“So, you’ve done a few courses and read a few books but still don’t feel great about your relationship with JavaScript,” Bos said. “How do you get better? Build things. Lots of things. Build 1,000 things. Keep it up and don’t stop.” The course is packed full of quick, interesting, and practical projects.

JavaScript30 includes access to 30 videos, 30 days of starter files, and completed HTML, CSS, and JS Solutions for each day. The videos are accessible and ESL-friendly with closed captions provided.

Bos said he spent more than 300 hours creating the videos as a thank-you to those who have supported his paid courses.

“I see a huge need for these videos and I really think it will help many…become comfortable creating with JavaScript,” he said.

Bos is also the author of the free Learn Redux course, which includes 2.5 hours of videos that help students get started with React.js, Redux, and React Router. Some of his other popular courses include React for Beginners, Learn Redux, and ES6 for Everyone.

by Sarah Gooding at January 13, 2017 10:05 PM under javascript

WPTavern: WPWeekly Episode 259 – 2016 Year in Review Part 2

In this episode, Marcus Couch and I recap the news that made headlines during the second half of 2016. I explain why there wasn’t a show last week and we close out the episode with our predictions for 2017. We’ll be back to our regular show format on Wednesday, January 18th.

WPWeekly Meta:

Next Episode: Wednesday, January 18th 3:00 P.M. Eastern


by Jeff Chandler at January 13, 2017 09:37 AM under year in review

January 12, 2017

WPTavern: 2nd Edition of Producing Open Source Software Now Available for Free

The second edition of Karl Fogel‘s “Producing Open Source Software: How to Run a Successful Free Software Project” is now available for download. Fogel, a partner at Open Tech Strategies and OSS contributor since 1997, was a founding developer in the Subversion project. He has worked for more than a decade as an open source specialist, helping businesses and organizations evaluate, launch, and manage open source projects.

Producing Open Source Software version 2 was released for free this week under the Attribution-ShareAlike 4.0 International license. The first edition was published in 2005 but the landscape of OSS has changed drastically over the past 12 years. In 2013, Fogel successfully raised $15,376 towards his $10,000 Kickstarter goal to fund the revision.

The book includes topics like ‘Free’ Versus ‘Open Source,’ choosing a license, version control, social and political infrastructure, the economics of open source, culture, and communication. It was written for managers and software developers but can also be informative for newcomers to open source projects.

Fogel originally planned on finishing the second edition by the end of 2013 but experienced delays due to starting his company. Some chapters also took longer to revise than he anticipated.

“In retrospect, if I had understood what the pressures of a young and growing company would be, I would not have started the 2nd edition when I did,” Fogel said. “It has been a lesson.” Fortunately, for the 314 Kickstarter backers who might have been waiting on his work for four years, progress was immediately available in the public repository for the book. Fogel didn’t keep any private version of the book elsewhere.

“While there are substantial changes throughout the book, the most expanded chapter is probably Chapter 5, ‘Participating as a Business, Non-Profit, or Government Agency,'” Fogel said. “That chapter’s title used to be just ‘Money,’ so that gives you some idea of what the new material is.”

He also found the third chapter on technical infrastructure to be more time consuming than the others due to all of the changes in the past decade. It took roughly four and a half months to revise it to include modern development tools.

One of the central focuses of the book is the value of collaboration and the direct benefits it provides to an open source software project.

“Competence at cooperation itself is one of the most highly valued skills in free software,” Fogel wrote in the preface. “Good free software is a worthy goal in itself… But beyond that I also hope to convey something of the sheer pleasure to be had from working with a motivated team of open source developers, and from interacting with users in the wonderfully direct way that open source encourages. Participating in a successful free software project is a deep pleasure, and ultimately that’s what keeps the whole system going.”

by Sarah Gooding at January 12, 2017 11:13 PM under open-source

Post Status: New Year’s resolutions for WordPress developers

Editor’s Note: This is a guest post by Jack Lenox. Jack is a developer at Automattic and hails from the United Kingdom.

For just over a year now, I have been working on the WordPress.com VIP team at Automattic. I had been working at Automattic for the two years prior to this – and had been developing sites with PHP and WordPress for almost ten years prior to that. So you might imagine that I had a pretty good handle on developing stuff with WordPress.

And you would be wrong. Getting started with the VIP team was an eye-opening and occasionally terrifying learning experience, occasionally resulting in me thinking: “please excuse me for a moment while I go and fix some horrible vulnerability in all of my WordPress sites.”

Recently, I have cautiously found myself feeling slightly more comfortable with my position on the team. For some time, I have been wanting to document the most interesting and impactful things that I have learned in the past year.

As some readers may know, a significant part of a developer’s job on the VIP team is reviewing code. Thus, with us being at the start of a new year, I have hereby compiled some of the most interesting best practices I have discovered as a list of New Year’s Resolutions:

1. Use strict comparison operators

One of the many quirks of PHP is that it enjoys juggling. In particular, it enjoys juggling types. This means that without explicit instruction, PHP doesn’t see a difference between a string of “string”, an integer of 0, and a boolean value of true.

So for example this:

$var = 0;
if ( $var == 'safe_string' ) {
    return true;
}

Will return true. I know, what?! The easy solution here is to simply use strict comparison operators.

So that’s === instead of ==, and !== instead of !=. This pops up in a few other places too. By default the in_array() function has its strict parameter set to false.


in_array( 0, ['safe_value', 'another string'] );

Will return true. To fix this, simply pass a third parameter of true.
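
The loose and strict allowlist checks side by side, as an added example that is not part of the original post; the allowlist, helper names and sample inputs are hypothetical. PHP 8 changed string-to-number comparison, so an integer 0 no longer loosely equals a non-numeric string there, while boolean true still does.

```php
<?php
// Added example, not code from the original post.
// The allowlist, helper names and inputs below are hypothetical.

$allowed_actions = array( 'publish', 'draft', 'trash' );

/**
 * Loose allowlist check: without the third argument, in_array() compares
 * with ==, so PHP juggles types before deciding.
 */
function is_allowed_loose( $action, array $allowed ) {
    return in_array( $action, $allowed );
}

/**
 * Strict allowlist check: the value must be a string and identical (===)
 * to one of the entries.
 */
function is_allowed_strict( $action, array $allowed ) {
    return is_string( $action ) && in_array( $action, $allowed, true );
}

// Constructed inputs, typed as json_decode() would deliver them from a
// request body such as {"action": true}.
$inputs = array(
    'string "publish"' => 'publish',
    'string "delete"'  => 'delete',
    'boolean true'     => true, // loosely equal to any non-empty string except "0"
    'integer 0'        => 0,    // loosely equal to non-numeric strings before PHP 8
);

foreach ( $inputs as $label => $value ) {
    printf(
        "%-17s loose=%-5s strict=%s\n",
        $label,
        var_export( is_allowed_loose( $value, $allowed_actions ), true ),
        var_export( is_allowed_strict( $value, $allowed_actions ), true )
    );
}
```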

While we’re here, there’s one other form of comparison we should be aware of, and that’s hash_equals(). This provides a string comparison that prevents timing attacks.

While a relatively uncommon form of attack on the web, it’s worth being aware of a timing attack. What is it? Well, when PHP compares two strings, it compares them one character at a time.

So in the case of something like this:

$submitted_password = $_POST['password']; // For argument's sake, let's say it's "pa45word"
$password = "pa55word";

if ( $submitted_password === $password ) {
    // The passwords match.
}

PHP’s thought process in human terms is: Is the first character of each string p? Yes it is. Is the second character of each string a? Yes it is. And so on.

It will do this until it realizes that the third characters differ and at that point it will bail. Thus, with sophisticated timing software, a password can gradually be worked out by calculating how long the process is taking. If the process takes slightly longer with one character than it does with every other character, an attacker will know that they have worked out the first character.

Automated processes can keep doing this until the entire password is worked out. hash_equals() will compare two values, but will not bail early if it detects a difference.

In conclusion, if you’re comparing sensitive values, use hash_equals()!
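
One way to apply this to a token check, as an added example that is not from the original post: it compares fixed-length HMAC digests, because hash_equals() returns immediately when the two strings differ in length. The secret, payload and function names are hypothetical.

```php
<?php
// Added example, not code from the original post.
// The secret, payload and function names are hypothetical.

/**
 * Sign a payload with HMAC-SHA256. The hex digest is always 64 characters,
 * so the comparison below never sees a known value of varying length.
 */
function demo_sign( $payload, $secret ) {
    return hash_hmac( 'sha256', $payload, $secret );
}

/**
 * Verify a submitted signature without bailing at the first differing byte.
 */
function demo_verify( $payload, $signature, $secret ) {
    // hash_equals() expects two strings: it warns on PHP 7 and throws a
    // TypeError on PHP 8 for anything else, so reject arrays, null and
    // other types that a request can deliver before calling it.
    if ( ! is_string( $signature ) ) {
        return false;
    }

    // Known value first, user-supplied value second.
    return hash_equals( demo_sign( $payload, $secret ), $signature );
}

// Constructed sample data.
$secret  = 'constructed-demo-secret';
$payload = 'user_id=42&action=reset';
$good    = demo_sign( $payload, $secret );
$forged  = str_repeat( '0', 64 );

// Matching signature for the payload.
var_dump( demo_verify( $payload, $good, $secret ) );

// Right length, wrong content.
var_dump( demo_verify( $payload, $forged, $secret ) );

// Non-string input, as PHP builds from a request like signature[]=...
var_dump( demo_verify( $payload, array( $good ), $secret ) );

// Valid signature replayed against a different payload.
var_dump( demo_verify( 'user_id=1&action=reset', $good, $secret ) );
```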

2. Use Yoda condition checks, you must

The WordPress PHP Coding Standards suggest that you should: “always put the variable on the right side and put constants, literals or function calls on the left side.” Initially, this might just sound like a bit of pedantry, but it actually has a very practical application.

Consider how catastrophic the following typo could be:

if ( $session_authorized = true ) {

Oh dear, instead of checking that $session_authorized is true, I am instead assigning the value of true to that variable.

Now the secrets are being unleashed to whoever wants them. This could easily be missed when checking the code for bugs, even by a reviewer.

Now imagine if the first line was expressed as:

if ( true = $session_authorized ) {

Well, it doesn’t work. We can’t assign a variable to the static boolean value of true, so PHP rejects the line instead of running it.

Hopefully it won’t take us too long to work out why our code is still broken, but the secrets remain safe. So we’re good! 😀

3. ABE. A Always, B Be, E Escaping. Always Be Escaping. ALWAYS Be Escaping.

Not having a firm grasp of the concepts of validation, sanitization and escaping can make you a very dangerous developer indeed.

So much so that libraries like React escape all output by default, and to bypass this functionality you have to use an attribute named dangerouslySetInnerHTML.

Validation is checking that what your code is being passed is even vaguely what it’s expecting. So for instance, if we’re expecting an integer, we can use something like: $zipcode = intval( $_POST['my-zipcode'] )

The intval() function returns its input as an integer and defaults to zero if the input was a non-numeric value. So while this won’t prevent our code from being passed zipcodes that aren’t valid, it does protect our code from being passed anything that isn’t a number.

Naturally, we could go a step further to see if the zipcode actually appears to be valid. For example, 1111111111111 is not a valid zip code, but intval() doesn’t know that.

Fortunately, beyond integers, WordPress has a bunch of handy helper functions for almost every data type including my favourite: is_email().

Sanitization is cleaning input to make sure that it’s safe in the context where we want to use it. This prevents one of the most common forms of security vulnerability, an SQL injection attack.

We also sanitize to fix practical things, like checking for invalid UTF-8 characters. WordPress has a class of sanitize_*() helper functions; here’s an example of how one looks in the wild:

$title = sanitize_text_field( $_POST['title'] );
update_post_meta( $post->ID, 'title', $title );

Therefore no matter what garbage we might have been passed in $_POST['title'], it won’t cause any real problems.

Escaping is similar to sanitization, but instead it is cleaning what we’re sending out, rather than what we’re taking in. A major reason for doing this is to prevent another of the most common forms of security vulnerability, a Cross-site Scripting (or XSS) attack.

We want to clean our output to ensure we aren’t accidentally echoing out something very dangerous that we didn’t realize we were inadvertently storing in our database (or perhaps fetched from an API).

WordPress has a bunch of very useful helper functions here. Some common examples of these in the wild are:

<h4><?php echo esc_html( $title ); ?></h4>
<img alt="" src="<?php echo esc_url( $great_user_picture_url ); ?>" />
<ul class="<?php echo esc_attr( $stored_class ); ?>">

There is also wp_kses() which can be used on everything that is expected to contain HTML, and will filter out elements that are not explicitly allowed.

As a general rule, the the_*() and get_the_*() theme functions are already escaped. However, the get_bloginfo() function, for example, is not escaped.

For further information here, I highly recommend checking out the VIP team’s documentation on Validating, Sanitizing, and Escaping.

4. Stop trusting everything

Don’t trust user input. Don’t trust what’s in your database. Don’t trust any variables.

Treat every variable with contempt.

This way, even if, for example, someone sneaks some dodgy XSS code into your database, it’ll still get escaped on output and your site will be better protected.

5. Avoid inserting HTML directly into the document (when using JavaScript)

Doing something like this is dangerous because the data that we’re using could include many more DOM elements that dramatically alter the anticipated behavior of this code, and make it vulnerable to XSS attacks:

jQuery.ajax({
    url: 'http://any-site.com/endpoint.json'
}).done( function( data ) {
    // Unsafe: data.url and data.title are concatenated straight into markup.
    var link = '<a href="' + data.url + '">' + data.title + '</a>';

    jQuery( '#my-div' ).html( link );
});

Instead, we should programmatically create DOM nodes and append them to the DOM. So the above instead becomes this:

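jQuery.ajax({
    url: 'http://any-site.com/endpoint.json'
}).done( function( data ) {
    // Build the element, then set its attribute and text separately.
    var a = jQuery( '<a />' );
    a.attr( 'href', data.url ); // Still validate the URL scheme if data.url is untrusted.
    a.text( data.title );

    jQuery( '#my-div' ).append( a );
});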

This is how a library like React does things behind the scenes. You can read more about this in a wonderful post about preventing XSS attacks in JavaScript by my colleague, Nick Daugherty.

6. Review code

Have you ever reviewed a plugin before using it? I know, who’s got time for that right? I’ll tell you who: you.

I have come to realize that reviewing code is possibly one of the best exercises for improving as a developer. Even if you’re quite new to programming or development, and you still feel pretty green, you really should give it a go.

A great way to start is to review the next plugin you decide to use on your website. Before activating it, pop it open in your text editor of choice, and just spend some time scanning through it to understand what it does.

A method I like to use here is to interpret each line of the code in simple English. You can even say it out loud if you like – assuming you’re not sitting in a café or co-working space where people might become worried about you.

You might be surprised at how often you find bugs and quirks in the code, or that the code isn’t conforming to the best practices outlined above. And if you discover issues, why not create a patch? Or if the plugin is on GitHub, create a pull request.

You can also review your own code. A great method for doing this is to never deploy code straight into production. Instead, leave it on the day you finish it, and review it line by line in the morning. This method is easiest to adopt if you’re using something like GitHub where you can create a pull request with the changes, then review the pull request yourself the next day before merging it.

In this vein, I highly recommend watching my colleague Ryan Markel’s fantastic talk on this topic from WordCamp US 2016.

7. Upgrade your tools (or at least use PHP_CodeSniffer)

There are lots of tools that help make web development easier, but if you’re doing a lot of WordPress development, the most valuable is probably PHP_CodeSniffer. It reads your code and automatically reviews it for bugs and coding standards inconsistencies while you type.

It’s kind of like a spell checker, but for code. No matter how good your English is, you still use spell check right? So why wouldn’t you spell check your code?

Here’s a bonus for you: the WordPress VIP Coding Standards are available by default with the WordPress Coding Standards for PHP_CodeSniffer. So with that, it’ll check if you’re following most of the above resolutions.

As you might imagine, using PHP_CodeSniffer also really helps highlight potential problems when you’re reviewing plugins and other people’s code.

8. Be curious

Far too often, I’m guilty of searching to try to find out what a particular WordPress function does, or scanning Stack Overflow to see if someone’s having the same problem as me.

I have historically had a bad habit of seeing much of what WordPress does as magic, and avoiding getting too deep in the inner workings. But actually, it can be very beneficial to find out answers for yourself, instead of trying to find others who have already done the work.

In essence, WordPress is quite simple. The code largely consists of functions taking arguments, and doing things with those arguments, and passing the results onto other functions taking arguments, and so on.

It doesn’t take much to start unpicking something, and working out exactly what’s happening behind the scenes. So next time you’re struggling with a function, try going straight to looking at what the function actually does.

Personally I find the WordPress GitHub repo that mirrors the core SVN repo to be a very useful way of doing this.

The WordPress strapline is that “code is poetry”, and for all its flaws I find that, for the most part, the WordPress codebase is very readable, if nothing else! 😉

I’ll conclude by taking this opportunity to wish you a very happy and prosperous new year!

Note: Some of the above has been gleefully plagiarized from WordPress.com VIP’s Code Review documentation. It’s an Aladdin’s cave of useful advice, and I highly recommend working your way through it as and when you can.

by Jack Lenox at January 12, 2017 09:26 PM under Developers

WPTavern: Tom McFarlin to Launch Marketplace for Blogging Plugins, Finds New Maintainer for WordPress.org Plugins

Daily blogger and plugin author Tom McFarlin has found a new maintainer for five of his WordPress.org plugins. Within two days of putting the plugins up for adoption, McFarlin announced that Philip Arthur Moore will be taking over Category Sticky Post, Comment Tweets, Single Post Message, Tag Sticky Post, and Tipsy Social Icons. Moore, who is currently working as CTO at Professional Themes, has inherited roughly 10,000 users overnight in the transfer of maintainership.

WordPress.org plugin adoption stories are few and far between. The most common scenario for an orphaned plugin is to languish in the directory until it disappears from search results (with the exception of exact matches) after two years of no updates. In McFarlin’s case, he was looking to tie up some loose ends before shifting Pressware’s focus to launching Blogging Plugins, a marketplace for extensions that streamline WordPress for regular bloggers.

“Last year, I had a few false starts when trying to launch what was originally called Pressware Plugins,” McFarlin said. “Fast-forward a few months and we’re going to focus on something called Blogging Plugins. We already have two free plugins available, though there’s an entire set of plugins, marketplace, and more coming.”

Moore’s adoption of the plugins, which includes the first plugin McFarlin ever wrote, allows Pressware to move forward with its 2017 objectives. McFarlin said he selected Moore based on the quality of his open source projects and reputation in the WordPress community.

“For those of you who aren’t familiar with Philip’s side projects, you may be familiar with Subtitles,” McFarlin said. “It’s a plugin that falls right in line with my personal ethos of how things should work with WordPress: You activate it, it’s ready to go, and it feels native within the application.”

The adopt-me tag is used on WordPress.org to indicate plugins where the author is looking for a new maintainer. With just two pages of listings, it’s not yet widely used. Most developers find it easier to fork an open source plugin and WordPress.org has recently made it easier than ever for authors to close a plugin by simply emailing the plugin team.

However, not all orphaned plugins are ready for end of life measures. Circumstances change in plugin authors’ lives, but the strength of the user base is one of the primary indicators of a project that could thrive in new hands. The built-in user base is also one of the main advantages of adopting a plugin as opposed to forking it.

Developer and ZDNet columnist David Gewirtz discovered the full weight of adopting a plugin’s users when he took on 10 plugins from the adopt-me section of the directory. Gewirtz, who inherited approximately 50,000 users, said the experience helped him reconnect with real users.

“The value I’ve gained as a columnist, advisor, and educator that has come from interacting with users from so many nations with so many different skill sets and missions has been off the charts,” Gewirtz said. “I thought I’d keep my programming chops up, and I’ve certainly done that. But I never expected I’d gain a much broader perspective that I’d be able to apply to all of the areas of my professional life and meet so many cool people.”

Adoption is arguably the healthiest outcome for any orphaned project – not just for the sake of reducing plugin abandonment but also for continuing support for users. Many of them blindly depend on plugins with no understanding of how they work.

Once a plugin is downloaded and installed on users’ sites, it gains a life of its own. Adoption strengthens a project’s history by proving it can weather storms that might otherwise cause the plugin to become obsolete and wipe out the user base.

by Sarah Gooding at January 12, 2017 07:59 AM under plugin adoption

Matt: Thirty-Three

I’m taking it easy this week, nothing too crazy — just sharing good meals and wine with friends. Which is probably a good example of my goals for the year: putting family and loved ones first, slowing down (to go further), and deliciousness. (Single Thread Farms blew me away.)

2016 was a year of incredible contrasts: it was the saddest and most challenged I’ve ever been with the passing of my father, and while that overshadowed everything there were also bright moments of coming closer to family, deepening friendships, and growing professionally with incredible progress from both WordPress and Automattic. That momentum on the professional side is carrying through and right now I’m the most optimistic I can recall, and thrilled to wake up and get to work every day with the people I do.

I talked about trying to spend longer stretches of time in fewer places, and that definitely happened. I flew 162k fewer miles than the year before, and visited 35 fewer cities. My blogging decreased a lot too — from 252 posts in 2015 to 76 posts in 2016, but the posts I did write were at least 50% longer. I made it to 9 more of the Top 50 restaurants and stand currently at 50% of the list. I finished 22 books, including a lot more fiction including my first few graphic novels like Ex Machina, Y: The Last Man, and Watchmen. I watched 35 movies, 9 of which were from the Marvel universe on a single flight from Cape Town to Dubai.

Last year I said, “it’s exciting to make the most of the opportunity that the volatility, love, loss, glory, failure, inspirations, and setbacks that 2016 will bring.” I didn’t know how right I would be, and wish I hadn’t been.

This year doesn’t start with new plans, but rather three intentions continued from a few months ago. I revealed one yesterday, and promised I would expand today on the others, so here they are:

  1. Symmetry — Balance in all things, including my body which is stronger on my right side and much tighter on my left side. We also need symmetry in WordPress between the .org and .com products which differ too much.
  2. Stillness — In echoes of Pico Iyer, so much of my life in my 20s was about movement, and “going places to be moved.” In my 30s I’m looking inward. As Saint Augustine said in Book X, chapter 8 of Confessions: “Men go forth to wonder at the heights of mountains, the huge waves of the sea, the broad flow of the rivers, the vast compass of the ocean, the courses of the stars, and they pass by themselves without wondering.”
  3. Yellow Arrows — The idea that there are clear indications of where to go next at every fork in the road, and if not you should paint them. I wrote more on this yesterday.

Previously: 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, and 32.

by Matt at January 12, 2017 07:59 AM under Essays

January 11, 2017

WPTavern: WordPress 4.7.1 Fixes Eight Security Issues

WordPress 4.7.1 is available for download and fixes eight security issues that affect WordPress 4.7 and below. The PHPMailer library was updated to patch a remote code execution (RCE) vulnerability. WordFence reported the vulnerability last month, describing it as critical and saying that it affects WordPress core.

However, in the announcement post for 4.7.1, Aaron Campbell, WordPress’ new Security Czar, says that “No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release.” Dawid Golunski and Paul Buonopane are credited with responsibly disclosing the vulnerability.

WordPress 4.7.1 also fixes an issue where the REST API exposed user data for all users who authored a post of a public post type. This release limits this ability to only post types which have specified that they should be shown within the API. Brian Krogsgard and Chris Jean are credited with responsibly disclosing the vulnerability.

In addition to patching eight security issues, this release fixes 62 bugs. To see a full list of changes, visit the release notes page or you can view them on Trac. Sites should update automatically but if you’d like to update sooner, visit your site’s Dashboard, select Updates, and click the Update Now button.

by Jeff Chandler at January 11, 2017 11:19 PM under wordpress 4.7.1

WPTavern: Facebook Launches Journalism Project, Plans to Expand Monetization of Instant Articles

After taking heat for the proliferation of “fake news” and misinformation on its platform during the US presidential election, Facebook is aiming to strengthen its ties with the news industry.

“We care a great deal about making sure that a healthy news ecosystem and journalism can thrive,” Facebook director of product Fidji Simo said in the announcement today.

The new Facebook Journalism Project will focus on creating news products with feedback from publishers, providing training and tools for journalists, and promoting news literacy for the public.

In 2015 Facebook launched Instant Articles to deliver publishers’ content instantly in exchange for advertising revenue. The platform will be expanding the feature to combine multiple Instant Articles in one post, starting January 12, 2017.

image credit: Facebook

“We’ve heard from editors that they want to be able to present packages of stories to their most engaged readers on Facebook,” Simo said. “We’re starting to work with several partners on how best to do this. We’re going to start testing this using Instant Articles, so that readers can start to see multiple stories at a time from their favorite news organizations.” Facebook is currently testing this feature with BILD, BuzzFeed, El Pais, Fox News, Hindustan Times, The Sun, The Washington Post, and other publishers.

In April 2016, Automattic partnered with Facebook and VIP-Featured-Partner agency Dekode to develop Instant Articles for WP, a plugin that outputs a compliant feed of posts wrapped in the required markup for Facebook. The plugin passed 10K active installs at the end of 2016, but its star rating continues to plummet due to numerous errors with updates and a lack of support. Only 1 of 42 support threads has been marked resolved in the last two months. Publishers who depend on the plugin may need to have a developer on staff to handle issues with the plugin or select another solution.

Facebook is also planning to collaborate with publishers on subscription business models for their content. Participation in this feature will require the publisher to make its content available through Instant Articles.

“Many of our partners have placed a renewed emphasis on growing their subscription funnel, and we’ve already begun exploring ways we can support these efforts,” Simo said. “This month our engineering team in collaboration with the engineering team of the German news organization BILD will launch a test to explore offering free trials to engaged readers, right from within Instant Articles.” Simo also said they are working on other monetization options for publishing partners, including advertising breaks in regular videos.

by Sarah Gooding at January 11, 2017 09:49 PM under facebook instant articles

HeroPress: Blogging, Solopreneurship, & Terrorism

Pull Quote: We will survive this, and this too will pass. You have my word.

This story involves me as a blogger, the Prime Minister, me again as a web developer, an Islamic cult attempting a coup d’état, and me again as a solopreneur. Oh, and WordPress. And ISIS.

WordPress: My First Encounter

In the beginning of 2006, everyone in Turkey was talking about blogs. It was the hot new thing on the web. Forums were “out” and blogs were “in”. Anyways, I was getting ready for the ÖSS and studying to get into a university but I was psyched enough to register a blog on WordPress.com, in January 2006. (I moved the blog into a free hosting space the next month, and opened up beyn.org in July 2006.) I was in Kocaeli, the city right next to İstanbul.

After the registration, I realized that I had nothing to write about. So I wrote about the day I had. The next day, I did the same thing. And the next day. And the next seven and a half years. Of course, I skipped four or five days. But that kind of dedication earned me a reputation and an award for “Best Personal Blogger of 2008”.

But I didn’t just write about my days. After getting accepted into Ankara University in September 2006, I began to read and think about politics, as nearly all young Turks do in university. Eventually, I started writing about politics as well. Because you know what they say: If you want to learn something, write about it.

Oh, I learned it pretty well, and I learned it the (somewhat) hard way.

Facing Jail Time with a Blog Post

2010 was probably my darkest year in my entire life. (2016 is the next candidate.) I was 22 years old, blogging daily, learning about web design and WordPress (more on that later), and keeping up with what’s going on with the country. Things were crazy back then: A very big prosecution was going on called the Ergenekon Case about military people allegedly planning a coup (Hint: This is not the coup I mentioned in the intro! These guys were all acquitted later.) and a big campaign for a constitutional referendum was more than enough to keep the whole country busy.

In December 2010, Recep Tayyip Erdoğan, the Prime Minister of the time (and the President since 2014) sued me for one of my blog posts. It was about one of the slogans he used in his referendum rallies (“The terrorists and the opposition parties are soul mates!”) and me using the same sentence against him. Like, the exact same sentence. He didn’t like the way that the slogan was used against him, so he reported me and the state brought charges against me. I was 22 and I was being sued by the most powerful man in the country, because I used his words against him.

When the Prime Minister sues you, you go to jail. There were little to no instances of winning a case against the government, especially when they were the one suing you. Thankfully, I was one of the few instances: I won the case in my third trial, February 14, 2012. (“Lovely” day, isn’t it?)

There was one downside though: With the fear of the government suing me, I stopped writing about politics in 2011 and 2012, and even a few months after I won. And to this day, even though that fear is long gone, and even though I’m writing about politics again on Beyn, I still can’t write regularly like I did back then.

Anyways. Moving on with the “web development” phase of my life.

Learning to Develop WordPress, and Teaching It at the Same Time

When I started Beyn, I immediately loved WordPress. I had some experience with HTML and CSS in Dreamweaver (never was a FrontPage guy), and I happily retired DW because I wouldn’t be able to work on it while I was learning WordPress.

I don’t remember trying to learn something with such passion. I loved the idea of plugins and themes extending the core. Beyn became my playground for new tricks, my laboratory for new experiments about WordPress. I installed plugins, edited themes, learned what’s right and what’s wrong with what I did… I probably crashed the website more than a hundred times!

By 2012, I’d already started making websites for other people and getting paid. I had developed a few plugins, made a couple of themes from scratch. While still learning what awesome things I’m able to do with WordPress, I applied for a small writing gig at Wptuts+, which was later renamed Tuts+ Code. Because you know what they say: If you want to learn something, write about it.

That “small writing gig” was in fact my biggest source of education. I wasn’t a WordPress expert, but that gig was the ultimate reason to learn more and more about WordPress. I remember constantly feeling that “I’ve finished telling about everything I know about WordPress, so now I have to learn more!” and doing research on things to write about.

I was aware that I didn’t have any chance to write a sloppy tutorial, so I nagged my editors (first Japh Thomson, then Tom McFarlin) about my writing style, my choice of topics and of course, my English. They said my English was very good, and my topics were relevant and suitable for publishing on Tuts+. In almost exactly four years (from April 2012 to March 2016), I wrote 134 posts and I’m very proud of (almost) all my work there.

While it was sad to leave Tuts+, I had a project in my mind that I put off so long: Optimocha.

WordPress Speed Optimization with Terrorists, Bombs and Death

That title came out grimmer than I expected. Heh. Anyways.

2015 was the year when I first thought about a speed optimization service for WordPress-based websites. Then I thought that I would better use my energy on the upcoming general elections in June. I worked for an NGO called “Vote and Beyond” to ensure transparency in the observing of the ballot count in the elections.

2015 was also the year with a whole lot of terrorist attacks. PKK, a terrorist organization pretending to defend Kurds’ rights (while giving a bad name for all Kurds countrywide) and ISIS (you know them) were the most active terrorist organizations in 2015. They killed more than 250 people and injured more than 1000 in a series of shootings and bombings throughout the year.

Worst year ever, right? Not even close. Let me quickly summarize the hell we’ve been through:

  1. ISIS killed 116 people in 5 different attacks.
  2. PKK killed 176 people in 15 different attacks.
  3. TAK, PKK’s even uglier cousin, killed 43 people in 4 different attacks.
  4. FETO killed 248 people across the country in their coup d’état attempt on July 15.

583 people killed in terrorist attacks in 2016. So, just a few more than all those lovely celebrities.

What’s that FETO sticking out among the others, attempting a coup? That’s FEthullahist Terrorist Organization: The organization of Fethullah Gülen, an Islamic cult leader comfortably residing in Pennsylvania, plotting to take over the government for (I kid you not) over 40 years. Even I had made peace with the President because of the much needed “purges” to scrape his crypto-disciples in the government organizations. FETO is one of the enemies that can let you make peace with the ones against your values.

(By the way: While celebrating that we got rid of that horror show of 2016, ISIS killed 39 more people with an AK-47 in a New Year party on January 1, in the middle of the night.)

Still waiting for the part where I founded Optimocha, right? Sorry it took a bit long.

April 2016 was the month I registered my company by paying for the usual fees to register a sole proprietorship, accountant fees, rent for an office (because by law, you can’t register a company without an office), some paperwork. All my funds vanished, leaving me with nothing to spend on marketing.

PayPal halted operations in Turkey in June, because of conflicts with the government. 2CheckOut followed. I was going to use 2CO, so I was left with no payment gateway provider. Along with the terrorist attacks, I decided to spend Ramadan (the holy month for Muslims, passed in June 2016) sleeping, lying and moping around with depression.

At the beginning of July, I was ready to work again, amped up for success! Except the coup attempt happened. Bombs and sonic booms in my city. Back to depression.

By October, I was almost ready to go live with the website. I didn’t. I forced myself to finish it in November, before Black Friday. I did! People responded to my emails, said they’ll publish my deal on their blogs. People who saw the deal also responded and purchased my services. Yay.


Blogging is hard. Blogging with the most powerful man in your country trying to lock you up is the hardest.

Solopreneurship is hard. Solopreneurship with several, highly active terrorist organizations killing people next to you is the hardest.

Yet, and I’m sure this is going to sound cheesy, I have hope. This is the price we have to pay in order to get rid of the scum in the world. Turkey isn’t the worst country in the world suffering from terror–we’re just a country stuck between Europe, Russia, the Middle East and Africa. (Talk about a rock and a hard place…) We will survive this, and this too will pass.

Turkey may be viewed as “yet another Middle Eastern country”, but it was founded almost a hundred years ago with the heritage of the Ottoman Empire, but also with a Western, secular mindset. Even today, you can’t find a sensible person talking trash about Mustafa Kemal Atatürk, who declined the Ottoman monarchy to set the foundation of a democratic republic in a time of dictatorships across Europe and Asia. Emphasis on the words “even today”, because although the principles of his vision of the Republic of Turkey are in danger, a very large portion of the country has the confidence and equipment to defend those principles.

Again: We will survive this, and this too will pass. You have my word.

The post Blogging, Solopreneurship, & Terrorism appeared first on HeroPress.

by Barış Ünver at January 11, 2017 12:00 PM

Dev Blog: WordPress 4.7.1 Security and Maintenance Release

WordPress 4.7 has been downloaded over 10 million times since its release on December 6, 2016 and we are pleased to announce the immediate availability of WordPress 4.7.1. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7 and earlier are affected by eight security issues:

  1. Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release. This issue was fixed in PHPMailer thanks to Dawid Golunski and Paul Buonopane.
  2. The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API. Reported by Krogsgard and Chris Jean.
  3. Cross-site scripting (XSS) via the plugin name or version header on update-core.php. Reported by Dominik Schilling of the WordPress Security Team.
  4. Cross-site request forgery (CSRF) bypass via uploading a Flash file. Reported by Abdullah Hussam.
  5. Cross-site scripting (XSS) via theme name fallback. Reported by Mehmet Ince.
  6. Post via email checks mail.example.com if default settings aren’t changed. Reported by John Blackbourn of the WordPress Security Team.
  7. A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing. Reported by Ronnie Skansing.
  8. Weak cryptographic security for multisite activation key. Reported by Jack.

Thank you to the reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.7.1 fixes 62 bugs from 4.7. For more information, see the release notes or consult the list of changes.

Download WordPress 4.7.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.1.

Thanks to everyone who contributed to 4.7.1: Aaron D. Campbell, Aaron Jorbin, Adam Silverstein, Andrea Fercia, Andrew Ozz, bonger, Boone Gorges, Chandra Patel, Christian Chung, David Herrera, David Shanske, Dion Hulse, Dominik Schilling (ocean90), DreamOn11, Edwin Cromley, Ella van Dorpe, Gary Pendergast, Hristo Pandjarov, James Nylen, Jeff Bowen, Jeremy Felt, Jeremy Pry, Joe Hoyle, Joe McGill, John Blackbourn, Keanan Koppenhaver, Konstantin Obenland, laurelfulford, Marin Atanasov, mattyrob, monikarao, Nate Reist, Nick Halsey, Nikhil Chavan, nullvariable, Payton Swick, Peter Wilson, Presskopp, Rachel Baker, Ryan McCue, Sanket Parmar, Sebastian Pisula, sfpt, shazahm1, Stanimir Stoyanov, Steven Word, szaqal21, timph, voldemortensen, vortfu, and Weston Ruter.

by Aaron D. Campbell at January 11, 2017 03:53 AM under 4.7
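An added example, not part of the announcement or of WordPress's own tooling: because 4.7.1 is a security release for all previous versions, this Python audit reads `$wp_version` from each install's `wp-includes/version.php` and flags anything older than 4.7.1, counting pre-release builds of 4.7.1 as older. It assumes one install per subdirectory of a common root; the site names and file contents in the sample tree are constructed.

```python
import os
import re
import tempfile

# First release containing the fixes listed in the announcement above.
FIXED_IN = "4.7.1"

# wp-includes/version.php assigns the core version string to $wp_version.
_VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.M)


def parse_version(text):
    """Return the $wp_version string found in version.php contents, or None."""
    match = _VERSION_RE.search(text)
    return match.group(1) if match else None


def version_key(version):
    """Turn '4.7', '4.7.1' or '4.7.1-RC1' into a comparable tuple.

    The numeric part is padded to three fields so that 4.7 equals 4.7.0.
    Any suffix after '-' (alpha, beta, RC) sorts before the final release.
    """
    numeric, _, suffix = version.partition("-")
    fields = numeric.split(".")
    if len(fields) > 3 or not all(f.isdigit() for f in fields):
        raise ValueError("unrecognised version: %r" % version)
    parts = [int(f) for f in fields]
    parts += [0] * (3 - len(parts))
    return tuple(parts) + (0 if suffix else 1,)


def needs_update(version, fixed_in=FIXED_IN):
    """True when the version predates the release that carries the fixes."""
    return version_key(version) < version_key(fixed_in)


def audit(root):
    """Check every directory under root that holds wp-includes/version.php.

    Returns a list of (site, version, status) sorted by site name, where
    status is 'ok', 'outdated' or 'unknown' (version missing or unparseable).
    """
    results = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name, "wp-includes", "version.php")
        if not os.path.isfile(path):
            continue  # not a WordPress install
        with open(path, encoding="utf-8", errors="replace") as handle:
            version = parse_version(handle.read())
        if version is None:
            status = "unknown"
        else:
            try:
                status = "outdated" if needs_update(version) else "ok"
            except ValueError:
                status = "unknown"
        results.append((name, version, status))
    return results


def build_sample_tree(root):
    """Write a constructed set of installs (made-up names) under root."""
    samples = {
        "blog-a": "<?php\n$wp_version = '4.7';\n",
        "blog-b": "<?php\n$wp_version = '4.7.1';\n",
        "blog-c": "<?php\n$wp_version = '4.7.1-RC1';\n",
        "blog-d": "<?php\n// version line missing\n",
    }
    for site, contents in samples.items():
        includes = os.path.join(root, site, "wp-includes")
        os.makedirs(includes)
        with open(os.path.join(includes, "version.php"), "w", encoding="utf-8") as fh:
            fh.write(contents)
    os.makedirs(os.path.join(root, "static-site"))  # no WordPress here


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample_root:
        build_sample_tree(sample_root)
        for site, version, status in audit(sample_root):
            print("%-8s %-12s %s" % (site, version, status))
```

An `unknown` result means the file exists but the version line could not be read, which is worth a manual look rather than being treated as current.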

Matt: Rebirth and Yellow Arrows

My friend Kamal Ravikant has a new book out, Rebirth, which I highly recommend. I had the good fortune to read it a few months ago and the story of the Camino de Santiago touched and inspired me.

Because of the impact of the book, I ended up adopting a few New Year’s intentions long before January 1st — things to ruminate on and keep in mind as the year wound down. The outlook of the world seemed uncertain, and I’m learning to navigate the world without my father.

Yellow Arrows

The Camino de Santiago is a pilgrimage path in Spain that people have walked since the 9th century AD. The 500 mile path winds through mountains, fields, and sometimes cities, and many pilgrims take a month or more on it. In some ways it is similar to the Kumano Kodo walk I did with Dan and Craig last year.

There are places where the path isn’t exactly clear, either because the trail isn’t strong, there’s been growth, or you might be in a crowded urban area like a city. Over the years pilgrims and people who live on the trail have marked it with yellow arrows pointing the way. If someone gets lost or confused, it’s an opportunity for an additional sign to bring them back on track.

When you know the path, is it clear where someone else walking it should go next? It’s an interesting concept that applies across life. In your relationships, does your friend, loved one, or partner know what to expect, and where you’re headed together? Even in WordPress I feel like there are too many places where we bring someone to a fork in the road and there is no clear indication which way they should take.

Give some thought to the yellow arrows in your life, and I’ll write more about the other two things I’ve been thinking about tomorrow. Also don’t forget to pick up a copy of Kamal’s book. I loved it and I think it will be one I’m recommending to many friends.

(Image from Camino Travel Center.)

by Matt at January 11, 2017 03:48 AM under Essays

January 10, 2017

WPTavern: Year in WP Creates a Personalized Review of WordPress Contributions in 2016

Year In WP is a new site by Jesper van Engelen that creates a personalized review of a user’s contributions to WordPress in 2016. Entering the WordPress.org username of a plugin or theme author or a WordPress core contributor into the field generates a list of statistics that includes:

  • Profile information
  • Number of times their plugins and themes were downloaded
  • Most downloaded plugins and themes
  • Average number of downloads per week
  • Plugin and theme review rating average
  • Percentage of five-star ratings
  • A selection of five-star reviews
  • Number of commits, changes, and comments to WordPress core
  • Number of WordPress releases contributed to

Engelen got the idea to create the site in 2014 after Spotify launched its ‘Year in Music’ that highlighted trends based on what 50 million users listened to.

“I’d been active in the WordPress plugin market for about four years at that point, and I figured it would be really cool to get some year-over-year insight into your WordPress plugins,” Engelen said.

“Having become a partner at Admin Columns (a freemium WordPress plugin) in 2014, I found out that I really liked analyzing statistics of downloads, sales and other data, and that, properly grouped and reported, they could have a pretty big influence on decision-making from a business perspective.”

Engelen started the site by experimenting with fetching data from WordPress.org through its API that would show the change in the number of downloads to a user’s plugins.

“That is basically what led to the ‘Your most popular plugins’ overview page,” Engelen said. “Spending some free hours each week on working on the project, more and more ideas of data to include popped up.”

The site displays a lot of data, but it doesn’t include everything. Engelen would like to eventually display sections for contributions to WordPress translations, plugins, themes, core, design, etc.

The Technical Details

The data displayed on Year in WordPress is gathered using the WordPress.org API, Subversion, and web scraping. Engelen would have used the WordPress REST API but it was not available at the time. “Fetching the reviews and support topics yielded quite a bit of annoyance, as they’re done by scraping,” he said.

He uses a Python framework to fetch relevant data in parallel. The data is stored in an SQL database, which is accessed by a front-end tool. The front-end of the site features a design that was reused from AdminColumns.com.

“jQuery, combined with Chart.js and Fullpage.js power the interactive portion of Year in WordPress. I’ve also written some simple sentiment analysis code for filtering out the most popular reviews to show for each plugin/theme developer,” Engelen said.

Fun Facts about Year in WordPress

Engelen provided the Tavern with these fun facts related to Year in WordPress:

  • There’s a Year in Review for about 100,000 users on WordPress.org — or all users who have contributed to a plugin or theme, created a review or a support ticket, or contributed to WordPress core.
  • The full database takes about 500MB of space.
  • There were 364,763,308 plugin/theme downloads in 2015, and 434,865,745 in 2016. That’s 19.2% growth!
  • 2016 was the first year where the number of new core Trac tickets shrunk (4,044 in 2014; 4,392 in 2015; 4,028 in 2016)
  • 73% of all plugins received zero reviews in 2016

Year in WordPress 2017 Is Not Guaranteed

Engelen is not making any promises for continued development in 2017 as it’s contingent on his free time. However, the main thing he would like to change is to include a wider spectrum of data.

“When I pitched the idea of Year in WordPress to a core committer and showed the beta version, he said ‘there’s so much more than core itself’ and that stuck with me,” he said.

“The perfect ‘Year in WordPress’ would feature cool statistics about all types of contributions people make to WordPress — whether it’s creating plugins and themes, writing code for core, translating or testing. Furthermore, I’m really looking forward to making use of all of the REST APIs that I can use this time around.”

by Jeff Chandler at January 10, 2017 10:11 PM under year in wordpress

WPTavern: Say What Plugin Passes 10K Active Installs

WordPress core doesn’t make it easy to edit text strings, but a little plugin called Say What? has been quietly gaining a solid user base by providing this functionality. It allows users to edit text strings without editing WordPress core or plugin code. Lee Willis released Say What in 2013, but the plugin had a significant jump in users in 2016, doubling the number of active installs from 5,000 to 10,000 sites.

Willis, who is the author of 22 plugins hosted on WordPress.org and many more commercial extensions, created Say What while working as a Drupal developer.

“One of our must-install Drupal modules was called String Overrides, which inspired Say What?” he said. “At the agency I was working at we used it regularly on virtually every site build to override plugin, theme, and core strings in a ‘non-hacky’ way. Given that, I knew that the problem was there to be solved on WordPress, and that something that worked well would be useful to people.”

Say What adds a new screen for editing text under Tools > Text changes for configuring string replacements. Users enter the current string, text domain, and replacement text.

This plugin is a good option for those who are not comfortable sifting through PHP files and adding a filter to change the text. If you just have a handful of strings to replace, it’s more convenient than using a translation tool like POEDIT to edit the language files. All of the text changes are listed together in the Say What admin panel, so they can be easily changed at any time without editing any files.

Willis said users don’t often experience conflicts with themes and plugins, as there is so little frontend functionality included in the plugin.

“The main areas of support tend to be around locating particular strings, or issues where broken custom code is breaking the filters that Say What uses,” Willis said. After speaking with friends at a WordCamp in March 2015, he decided to create a commercial version to address this issue and a number of other feature requests.

“The free version was out for about two years before I launched the Pro version,” Willis said. “The only issue people tended to have with the free version was around finding the information they needed for the ‘original string,’ so I decided to build out the String Discovery feature as the first feature of the Pro version. This lets users search for the string using autocomplete functionality, making it much easier to set up replacements without delving through theme or plugin code.”

Say What increased in popularity in 2016 and has maintained a 4.6-star rating on WordPress.org. It is becoming more frequently recommended by support teams of other plugins when customers ask about how to change text strings.

“It’s great to know that it’s being used to help people build more future-proof sites without resorting to hacking plugin or core code just to change strings,” Willis said. “Even for people familiar with plugin and theme code, the String Discovery feature makes it a lot easier and quicker to set up replacements. It’s had a few new features over the last year, including support for multi-line, and single/plural style replacements.”

Willis said his Pro version proved to be fairly popular during 2016 and became one of his highest selling plugins. He recently added support for multilingual sites, the most often requested feature, allowing users to set up different replacements for different languages.

Willis does not have an extensive roadmap for the plugin, as he prefers to keep it uncomplicated and free of clutter. “I’m a big believer in plugins that do one thing, and do it well,” he said.

Say What is another successful instance of a developer solving one of his own problems and striking upon a successful commercial product. Willis said he didn’t fully anticipate how popular the plugin would become.

“As with most of my plugins it was also built to solve a problem that I personally was having at the time,” he said. “That said, I’m always (pleasantly) surprised when something does get popular.”

After testing Say What I found that Willis’ implementation is the simplest way for non-technical users to make a few simple string changes without the risk of breaking their websites. He is also very responsive on the support forums. The success of the Pro version is a good indication that Willis will be able to continue support and maintenance on the free plugin for the foreseeable future.

by Sarah Gooding at January 10, 2017 09:26 PM under Plugins

January 09, 2017

WPTavern: How Laravel Forge Can Help You Run WordPress in the Cloud

This opinion piece was contributed by guest author Peter Suhm. Peter is a web developer from the Land of the Danes. He is the creator of WP Pusher and a huge travel addict, bringing his work along with him as he goes.

Laravel Forge is a server and application provisioning tool that was originally built to serve the Laravel PHP crowd. Recently, it has been made available to WordPress developers too, with the introduction of 1-click installs of WordPress on Digital Ocean, Linode and AWS cloud servers. In this post, I’ll give you a brief introduction to Laravel Forge and show you how you can use it to manage all of your WordPress installations in the cloud.

Laravel Forge is good news for WordPress developers

Because so many WordPress developers are used to managed hosting, the thought of running their own servers seems quite intimidating. That’s a shame with so many great cloud server companies offering virtual servers for very low costs. Unless your traffic is very heavy, a small ($5 to $10 per month) server can run quite a few WordPress websites. Laravel Forge takes care of provisioning your servers and can even set up your database and install WordPress for you. This makes cloud hosting much more available to WordPress developers at a low cost (Laravel Forge is $15 per month for unlimited servers), compared to many of the existing options.

Here are a few reasons why I think Laravel Forge is great for WordPress hosting:

  • Your servers are configured in a secure way by default, with SSH authentication, firewalls, automatic security updates and free SSL certificates from Let’s Encrypt
  • Your servers are going to be really fast with PHP 7
  • You can run a lot of WordPress installs on 1 single server *
  • You can scale your servers if you need more horse power *

* Goes for the cloud in general

Creating a new server

Here is how the “Create Server” screen looks in Forge:

If you use Digital Ocean, Forge can also create your servers. If you use another provider like Linode or AWS, Forge can only do the provisioning part.

For Digital Ocean servers, here are the options you can configure:

  • Which credentials to use, if you are managing multiple Digital Ocean accounts
  • The server name
  • The server size
  • The server region
  • The PHP version
  • The default database name

You can then choose to:

  • Configure the server as a load balancer (if you have really heavy traffic and are running WordPress across multiple servers)
  • Install MariaDB instead of MySQL, which is a drop-in, faster replacement
  • Enable weekly backups on Digital Ocean

When Laravel Forge is done with the provisioning, your server is ready to go.

Setting up a database

Once your server has been created, setting up a database for your WordPress installation is very easy. You can create the user at the same time you’re creating the database, or you can create the user afterwards.

Installing WordPress

Before you install WordPress, you need to create a new “site” on your server. You can just stick with the defaults:

For the “Root Domain”, you need to add the domain name of the site you are setting up. Remember that you need to add a DNS record for your domain that points to the IP address of your newly created server. If you are just testing, you can always add a record in your computer’s hosts file with a test domain that points to your server. Something like this:

# /etc/hosts

# Replace xx.xx.xx.xx with your server's IP address
xx.xx.xx.xx wordpress-forge.test

Once you click the “Add Site” button, you will see a spinning wheel while Forge is setting up your site’s nginx configuration.

When the installation is done, you need to click the “Manage” icon next to your site in order to install WordPress. The first screen you will be presented with gives you the option to install an “App” on your site. Click the “WordPress” button, select your database and user from the previous step and relax while Laravel Forge completes the installation. Fun fact: Laravel Forge is actually using WP-CLI to install WordPress on your server.

When the installation has completed, visit your site in a browser and you’ll be met with something familiar:

Setting up a free SSL certificate

Finally, you should set up SSL for your WordPress site. It’s more secure and Google likes it!

Head over to the “SSL” tab and click the “LetsEncrypt (Beta)” button. Click the “Obtain Certificate” button and wait while Forge creates and installs the certificate. Once the certificate is installed, click the “Activate” icon and voila! Your site is now all set up and secured with SSL.

That’s how easy it is to set up WordPress on a cloud server with Laravel Forge. I hope to see a lot more products and tools like this that can help us build better, faster, and more secure WordPress websites. In fact, Laravel Forge was the original inspiration for my own product WP Pusher. I wanted to create a similar experience, but for WordPress plugins and themes instead.

Note on backups and security

Please note that even though Laravel Forge makes for a great starting point, ultimately you are the one in charge of the security of your servers. You should always try to educate yourself about security and have a backup strategy for your data.

by Sarah Gooding at January 09, 2017 06:44 PM under laravel forge

January 07, 2017

Post Status: Contributing to Twenty Seventeen

Editor’s Note: This is a guest post by Sami Keijonen. Sami is a developer, the owner of the Foxland theme and plugin shop, and hails from Finland.

Every year since 2010, WordPress has shipped with a new default theme, breaking the cycle of Kubrick being the primary default theme for years before that.

In 2010, the default theme was called Twenty Ten. In 2011, the default theme was called Twenty Eleven. You get the idea.

While every default theme has been unique in its own way, Twenty Seventeen was particularly compelling in a way we haven’t seen in a default theme since Twenty Fourteen.

Twenty Fourteen was the first theme that really made people think WordPress could be used for more than “just a blog” on a mass scale. It is a magazine theme.

Twenty Seventeen — released with WordPress 4.7 — is the first theme that really made people think WordPress could be used for more than “just publishing content” on a mass scale. It is a business theme.

Prior to WordPress 4.7, I contributed by helping out in the support forums and building accessible themes. But I had never contributed to core before.

When I saw the previews, I knew I wanted to contribute, and began to follow development on GitHub to see if there was anything that I could lend my talents to and eventually make my first core contributions.

When I saw Morten Rand-Hendriksen open an issue about replacing icon fonts with SVG icons, I knew I had found the perfect “in” to start contributing to core.

Contributing SVG icons system to Twenty Seventeen

I had already switched from icon fonts to SVG icons in my public themes, so this was something I immediately felt confident in contributing to core.

Development started in GitHub, where fellow contributors would create issues and submit pull requests.

Then, everything moved to WordPress SVN, where new patches were submitted.

I’ll summarize what I learned in the process.

What I learned about contributing

I regret not keeping a diary. Not necessarily to keep track of what I contributed, since that’s all documented in the open.

But rather things like my emotional state. My feelings ranged from despair to overwhelming joy throughout my contribution experience.

I learned new things about code and collaborating with others in GitHub and SVN. Again, something not necessarily documented in patches and the like.

Git workflow

I’m not good with Git, and still don’t fully understand how rebasing works. I messed up my commits a couple of times. Not a big deal, but I got different error messages no matter which workflow I tried. I realized that I need to know more about Git, and be more patient.

Eventually I understood enough to get my contributions through the door, but I’m still confused about how to rebase a pull request.

Follow the development through to the end, and beyond

I started out by replacing only the social link icon fonts with SVG icons. Soon, I realized that a step-by-step process was not going to work because of new related commits coming in all the time that potentially conflicted with my code.

It was better to replace all icon fonts, not just the social ones, with SVGs, and then work from there. I was also keeping track of style changes in RTL languages and IE8.

At this point, the work was just getting started.

Once you start contributing, you shouldn’t just disappear with no explanation. If you’re running low on time or have other obligations, it’s totally understandable, but be sure to politely inform others you can’t continue anymore, so they can pick up where you left off.

As the o2 slogan states: “Communication is oxygen.”

Coding standards and automated tests

After several commits and iterations, my first pull request was accepted.

As you can see in my first commits, I didn’t pass the WordPress coding standards. I needed to be more precise and follow the coding standards to a tee. With enough practice, I’m sure it’s possible to write standards-compliant code “naturally,” but I was looking for a way to automate the code checks.

I tried to get Atom to evaluate my code on the fly, but I just couldn’t get it to work. Like my Git experience, I got different error messages no matter what I tried.

Eventually, I was able to use PHPCS via the command line, and fixed any issues discovered manually. But it would’ve been nice to have those checks automated.

Working with batches in SVN

Once the development moved to SVN, I began to get a little worried. As I described earlier, not too long ago, I was struggling just to use Git. However, thanks to the following tutorials I quickly got up to speed.

Turns out, there wasn’t much to be worried about, although I didn’t quite understand the concept of branches and tags in my local environments, or how to jump between them like I know how to do with Git.

Anyway, I eventually got my first props with the help of others.

Technical overview of the SVG icons system

I adapted this contribution from the code and concepts first presented by others.

  1. WebDevStudios has their own starter theme called wd_s. I really like how they set up SVG icons and we fine-tuned them in Twenty Seventeen. Perhaps they will integrate those improvements back into their own project. Again, open source rocks.
  2. Justin Tadlock invented the social links menu concept. I just took that concept and applied it to SVG icons rather than icon fonts.

All the main SVG-related functions can be found in the inc/icon-functions.php file. It’s well-documented in the code, but here’s a summary:

  • Include the SVG sprite file via the wp_footer hook.
  • The twentyseventeen_get_svg() function returns the SVG icon markup. In most cases, the SVG icon is injected in template files or via hooks and filters. In some cases, the SVG icon is injected via JavaScript.
  • Default markup looks like this: <svg class="icon icon-name" aria-hidden="true" role="img"> <use href="#icon-name" xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#icon-name"></use> </svg>.
  • Note that we could use the absolute path to the SVG file in the href attribute of the use element. In that case:
    • There is no need to inject icons via the wp_footer hook.
    • The svgxuse JS polyfill must be used, because Internet Explorer doesn’t support external files referenced in the <use> element.
    • This method helps with caching the SVG sprite file.
  • By default, all icons are decorative, but I insisted we show how to use non-decorative icons in an accessible way. Check the examples in the aforementioned twentyseventeen_get_svg() function.
  • We replace the default icon for supported social media links by using the walker_nav_menu_start_el filter.
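
The markup rules summarized above, sketched in JavaScript as an added example; this is not the theme's own code, and the names buildIconMarkup, escapeHtml and spriteUrl, as well as the title/desc id scheme, are assumptions. It keeps icons decorative by default, labels them only when a title is passed, and escapes every value that reaches the markup:

```javascript
// Added illustration; not code from Twenty Seventeen. All names are hypothetical.

// Escape a value for use in HTML text or a double-quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

let iconCounter = 0; // keeps title/desc ids unique when several icons are labelled

// spriteUrl: optional path of an external sprite file (assumed to come from
// trusted theme configuration); when empty, the sprite is assumed to be inlined
// in the page, e.g. via the wp_footer hook.
function buildIconMarkup({ icon, title = '', desc = '', spriteUrl = '' }) {
  // The icon name ends up in a class and a fragment id, so accept a strict set only.
  if (typeof icon !== 'string' || !/^[a-z0-9-]+$/.test(icon)) {
    throw new Error('invalid icon name');
  }
  const ref = escapeHtml(spriteUrl) + '#icon-' + icon;

  let aria = ' aria-hidden="true"'; // decorative: hidden from assistive technology
  let labels = '';
  if (title) {
    // Non-decorative: expose a title (and optional description) instead.
    const id = ++iconCounter;
    let labelledby = 'title-' + id;
    labels = '<title id="title-' + id + '">' + escapeHtml(title) + '</title>';
    if (desc) {
      labelledby += ' desc-' + id;
      labels += '<desc id="desc-' + id + '">' + escapeHtml(desc) + '</desc>';
    }
    aria = ' aria-labelledby="' + labelledby + '"';
  }

  return '<svg class="icon icon-' + icon + '"' + aria + ' role="img">' +
    labels +
    '<use href="' + ref + '" xlink:href="' + ref + '"></use>' +
    '</svg>';
}
```

Rejecting unexpected icon names and escaping the title and description matters most when those values come from menu items or other user-editable settings rather than from the theme itself.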

Open source rocks

WordPress default themes are among the best themes out there and they set an example of how to use new WordPress features. The reason for this is simple.

  • Default themes get lots of love and attention.
  • Many talented people contribute to default themes. Twenty Seventeen had over 100 contributors and we thank you all!
  • Default themes are tested before release in many platforms and browsers. And default themes are used on so many sites that any remaining bugs will be found after the release.

Building default themes really is a community-driven project. I’d like to say extra thanks to a couple of people.

Special thank you

Any web project needs good leadership, design, and code. Those were all covered in Twenty Seventeen.

  • David A. Kennedy was leading the project and kept everything rolling. He had a really friendly touch and he was open to ideas. At the same time he wasn’t afraid to make decisions; for example, a flexbox layout was rejected for this theme.
  • Mel Choyce created the modern, business-looking design. She wrote a great article with her behind-the-scenes take.
  • Laurel Fulford was the primary coding lead. She seemed to have a solution for every new feature and brought Mel’s design to life with detailed code.

Last but not least, remember Morten Rand-Hendriksen, the one who opened the SVG icon issue that caught my eye?

He was pretty happy with the end result.

Who knows if I would’ve contributed if it wasn’t for him posting that. Remember, reporting issues and bugs is contributing too, and can inspire first-time contributors like me to stop sitting on the sidelines and finally get started with core contributions.

by Sami Keijonen at January 07, 2017 10:42 PM under Developers

WPTavern: Let’s Encrypt Passes 20 Million Active Certificates in 2016

Let’s Encrypt has just closed out its first full year as a certificate authority with more than 20 million active certificates. The free and open certificate authority focuses on lowering the complexity of setting up TLS encryption by making the process more automated. It came out of beta in April 2016 and the number of certificates issued per day has grown steadily since then.

“At the start of 2016, Let’s Encrypt certificates had been available to the public for less than a month and we were supporting approximately 240,000 active (unexpired) certificates,” said Josh Aas, Executive Director of the non-profit Internet Security Research Group (ISRG). “Now we’re frequently issuing that many new certificates in a single day while supporting more than 20,000,000 active certificates in total. We’ve issued more than a million certificates in a single day a few times recently.”

Let’s Encrypt operates as a 501(c)(3) nonprofit and has received more than three dozen corporate sponsorships and grants, but funds for the coming year have fallen short. In November, Let’s Encrypt launched a crowdfunding campaign to cover the cost of one month of operating expenses. So far, the campaign has raised more than $100K towards its $200K fundraising goal.

Let’s Encrypt is Growing Fastest with Smaller, Previously-Unencrypted Sites

Let’s Encrypt is used by some larger organizations, such as WordPress.com, OVH, Shopify, Akamai, and Dreamhost, but the vast majority of users are smaller entities that were not previously encrypted. According to the Electronic Frontier Foundation (EFF), a founding sponsor of the certificate authority, most of Let’s Encrypt’s growth has not come from taking customers away from competitors:

One of the ways Let’s Encrypt has been helping to secure the web is by making it easy and affordable for sites that have never had certs before to turn on secure HTTPS connections, and for software systems to start enabling HTTPS automatically and by default. Our free certificates may be more likely to be left unused than expensive certificates, and less expert webmasters may accidentally duplicate certificates—but that’s part of making HTTPS integration available to more webmasters across a range of resource and skill levels. Statistics suggest that most of our growth has come not at the expense of other CAs, but from giving previously unencrypted sites their first-ever certificates.

EFF analyzed various sources of usage statistics and estimates that Let’s Encrypt is now the largest certificate authority on the web. Its rapid adoption has spurred impressive progress towards getting the entire web encrypted. Let’s Encrypt tracks progress by measuring the percentage of page loads using HTTPS, as seen by browsers.

“According to Firefox Telemetry, the Web has gone from approximately 39% of page loads using HTTPS each day to just about 49% during the past year,” Aas said in Let’s Encrypt’s 2016 in Review report. “We’re incredibly close to a Web that is more encrypted than not.”

The proliferation of Let’s Encrypt client options in 2016 puts the certificate authority in an even better position to continue driving web encryption in 2017. Aas attributes last year’s progress to many organizations advocating for HTTPS and working to get their sites encrypted. His team has grown from four full-time employees to nine, and he anticipates that 2017 will be a year of even greater growth.

“Much of the infrastructure and many of the plans necessary for a 100% encrypted Web came into being or solidified in 2016,” Aas said. “More and more hosting providers and CDNs are supporting HTTPS with one click or by default, often without additional fees. It has never been easier for people and organizations running their own sites to find the tools, services, and information they need to move to HTTPS.”

by Sarah Gooding at January 07, 2017 09:42 PM under let's encrypt

January 06, 2017

WPTavern: How Do You Educate People New to WordPress?

When a friend of mine asked for suggestions on what he should use to create a new site, I suggested WordPress. It is well supported, has an amazing community, and a ton of free themes and plugins to choose from. After getting WordPress installed on a new webhosting account, I left him be to see what issues he would run into and how he would configure the site.

After noticing the site was loading slowly three weeks later, I obtained admin access to try to determine what the problem was. The first thing I did was check which plugins he installed. One of the plugins added the ability to embed YouTube videos on the site using shortcodes. My friend was unaware that WordPress has oEmbed support which allows users to easily embed videos by pasting the URL into the editor.

He also installed a couple of other plugins that mimicked core functionality. He was unaware that WordPress does most of the things he wants without the need for plugins.

Page Builder Shenanigans

After activating a theme that was compatible with the SportsPress plugin, he installed the MotoPress Content Editor. MotoPress Content Editor is a front-end page builder that enables users to visually construct pages. The front page of the site was a long vertical column filled with information that mimicked blog posts.

Because he didn’t understand how WordPress works, he forgot to configure the site to display the latest posts instead of using a front page. What he ended up doing is recreating the blog post layout on the static front page using the MotoPress Content Editor. He also added a lot of page builder elements such as YouTube videos to the page which was a contributing factor to the site’s poor loading times.

Page builders are a tool that can make building sites and pages more convenient, but in the wrong hands, they can help users ruin their sites. I replaced the video elements with a text widget that displays the latest video from a YouTube channel. Since he was mimicking the blog post layout on a static page, I configured the site to display the latest blog posts first.

Once I fixed these issues, I removed the page builder and explained to my friend why it was unnecessary. He was recreating WordPress functionality and doing unnecessary work without realizing it.

This experience makes me wonder how many other newer WordPress users end up in a similar situation. They don’t know what WordPress is capable of out-of-the-box and they end up installing a myriad of plugins with descriptions that sound similar to the features they want. I spent about a week undoing all of the work my friend did in three. Had I not stepped in, the site would likely not scale and its performance would decrease further.

Getting New Users Started on the Right Track

In early 2015, a community initiative dubbed NUX Working Group was created to brainstorm ideas on how to improve the new user experiences throughout the WordPress admin. While the group initially had a head of steam, it lost a lot of momentum last year. I’d like to see it re-emerge and work in concert with the focus-based approach to developing WordPress this year.

How can WordPress explain to new users what it’s capable of without drowning them in technical information? Is it feasible to create something that caters to the majority without explaining every feature in detail? Admin Pointers were introduced in WordPress 3.3 and while they’re typically used to introduce new features in a release, they don’t act as a guided tour to what WordPress can do.

Education is likely a key component to improving the new user experience. WordPress.com has a 12-step beginner’s guide that walks people through the process of configuring and customizing their sites. For self-hosted WordPress users, there’s a New to WordPress – Where to Start guide that covers what WordPress is, choosing a host, and considerations to keep in mind. However, much of the information is technical in nature.

If you’re a consultant or coach who works with people new to WordPress, how do you handle the educational part of your projects? What are the most common roadblocks that they encounter? Do you have a custom-made getting started guide or do you forward them to a site with video tutorials like WordPress.TV or WP101?

by Jeff Chandler at January 06, 2017 07:19 PM under page builders

WPTavern: Incubator WordCamp Denpasar a Success

This post was contributed by guest author Taylor Lovett. Lovett is based in the Washington DC area, is the Director of Web Engineering at 10up, creator of ElasticPress, and general open source enthusiast.

In February 2016, the WordPress Foundation announced the WordCamp incubator program, focused on spreading WordPress and open source values to remote areas of the world through extra hands-on support to first time WordCamps. WordCamp Denpasar, which took place in Bali’s capital city, is the first of three camps to be supported as a part of the program — other WordCamps include Harare and Medellín. As Director of Web Engineering at 10up, I was sent to attend and speak at the inaugural event. Our company values open source projects and the WordPress community, so we’re proud to support emerging communities by attending events like this.

The incubator program supports WordCamps by providing them with an experienced organizer. In Denpasar’s case, Rocio Valdivia, a Community Wrangler for Automattic, was the WordCamp Incubator sponsored organizer. According to Ivan Kristianto, the lead organizer for WordCamp Denpasar, “Rocio was a hands-on consultant provided by the WordPress Foundation to help incubate the camp. She helped [us] in budgeting, managing the organizers, submission timelines, and more”.

WordCamp Denpasar attracted 180 attendees, twice the initial goal. Many attendees came from other parts of Indonesia to attend the Camp, which bubbled with an aura of excitement as Indonesia has not had a WordCamp in over three years. The venue, the Royal Beach Seminyak Hotel, was of ample size and served the crowd well. There was a single session track, mixed with user, business, and developer topics. Lunch included a nice buffet featuring local Balinese cuisine. Overall, the WordCamp attendance, venue, and amenities were quite impressive.

The speaker lineup was diverse, with speakers from Indonesia, Australia, Europe, Japan, and the United States. Attendees were extremely enthusiastic throughout the sessions and actively engaged in questions. I was last to speak, presenting on NodeifyWP and Twenty Sixteen React. WordCamp Denpasar was the debut presentation of our new isomorphic JavaScript framework. The crowd was extremely excited to hear my presentation and attendees were grateful 10up chose Bali as a first occasion to show the framework. After my talk, I received more questions than could fit in the allotted time slot.

In the weeks after the Camp, I talked with Rocio about the overall success of the event and Incubator program as a whole. Rocio believed the WordCamp went extremely well. She cited some key events that followed the inaugural camp:

  1. The local Indonesian meetup group has grown to more than 50 new members across different groups.
  2. The existing WP Meetup Bekasi group in Indonesia has applied to join the Meetup chapter program.
  3. The non-active WP Meetup of Jakarta now has two members who are interested in re-activating the group and have applied to join the chapter program. They are also interested in organizing WordCamp Jakarta 2017.
  4. The WordPress Foundation has received an application for organizing WordCamp Ubud in 2017 (one hour from Denpasar) which is in pre-planning now.
  5. A WP Indonesia Slack channel is being created to connect the whole community in the country.

Clearly, WordCamp Denpasar has had a positive effect on the Indonesian WordPress community. As more areas of the world get involved in contributing to and using WordPress, the project’s internationalization and diversity improve. If Denpasar is any indication, expanding the incubator program to more areas of the world will have long-lasting benefits within the entire WordPress community.

by Sarah Gooding at January 06, 2017 06:59 PM under wordcamp incubator program

WordPress Planet

This is an aggregation of blogs talking about WordPress from around the world. If you think your blog should be part of this site, send an email to Matt.

Official Blog

For official WordPress development news, check out the WordPress Core Blog.


Last updated:

January 22, 2017 02:15 PM
All times are UTC.