WordPress Planet

April 27, 2015

WPTavern: Poll: How Often Do You Read a WordPress Plugin’s Changelog Before Updating?

As the debate on whether or not WordPress.org hosted themes should have changelogs continues, one line of thought is that regular users don’t read them. As a long-time user of WordPress, I always read a plugin’s changelog before updating.

A good changelog tells me what bugs have been fixed, new features that have been added, and security issues that have been addressed. It also gives me a timeline of changes I can refer to for troubleshooting. Let us know how often you read a WordPress plugin’s changelog before updating by participating in the following poll.

Note: There is a poll embedded within this post, please visit the site to participate in this post's poll.

by Jeff Chandler at April 27, 2015 08:16 PM under updates

WPTavern: WordPress 4.2.1 Released to Patch Comment Exploit Vulnerability


This morning we reported on an XSS vulnerability in WordPress 4.2, 4.1.2, 4.1.1, and 3.9.3, which allows an attacker to compromise a site via its comments. The security team quickly patched the vulnerability and released 4.2.1 within hours of being notified.

WordPress’ official statement on the security issue:

The WordPress team was made aware of a XSS issue a few hours ago that we will release an update for shortly. It is a core issue, but the number of sites vulnerable is much smaller than you may think because the vast majority of WordPress-powered sites run Akismet, which blocks this attack. When the fix is tested and ready in the coming hours WordPress users will receive an auto-update and should be safe and protected even if they don’t use Akismet.

That auto-update is now being rolled out to sites where updates have not been disabled. If you are unsure of whether or not your site can perform automatic background updates, Gary Pendergast linked to the Background Update Tester plugin in the security release. This is a core-supported plugin that will check your site for background update compatibility and explain any issues.
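Whether that background update can land at all is decided by a handful of constants in wp-config.php. As an added example (not taken from the WPTavern post or from the Background Update Tester plugin; the constant names are WordPress core’s, the comments are ours), here is the configuration that keeps 4.2.1 from arriving on its own beside the one that lets it through:

```php
<?php
// wp-config.php fragment. Added example, not from the post. Constant names are
// WordPress core's (3.7 and later); the surrounding comments are ours.

// --- Weak: any one of these keeps the 4.2.1 background update from arriving ------
// define( 'AUTOMATIC_UPDATER_DISABLED', true ); // switches the whole background updater off
// define( 'WP_AUTO_UPDATE_CORE', false );       // updater on, but no core updates, security releases included
// define( 'DISALLOW_FILE_MODS', true );         // forbids all file changes, which includes updates

// --- Corrected: updater on, minor (security) releases applied automatically -------
define( 'AUTOMATIC_UPDATER_DISABLED', false );
define( 'WP_AUTO_UPDATE_CORE', 'minor' ); // 'minor' is also the default when unset; true would take major releases too
```

Even with the corrected values the update can still be skipped when the filesystem is not writable by the web server or the install is a version-control checkout, which is what the Background Update Tester reports on; grep wp-config.php for the three constants first, then run the tester.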

Since Akismet is active on more than a million websites, the number of affected users that were not protected is much smaller than it might have been otherwise.

WordPress 4.2.1 is a critical security release for a widely publicized vulnerability that you do not want to ignore. Users are advised to update immediately. The background update may already have hit your site. If not, you can update manually by navigating to Dashboard → Updates.

by Sarah Gooding at April 27, 2015 07:46 PM under security

Matt: Cell Phones & Cancer

The ability of radiation to cause cancer is dependent on whether or not the radiation is able to alter chemical bonds. This occurs when electrons involved in bonding in a molecule absorb radiation with enough energy to allow them to escape – this is called ionization. The thing is, whether or not radiation is ionizing is based solely on its energy, not on its number, and as we saw above, its energy is determined entirely from its frequency.

Cool article on WordPress.com about Why Cell Phones Can’t Cause Cancer, But Bananas Can, which I read while eating (and finishing) a banana. It covers dielectric heating too.

by Matt at April 27, 2015 04:29 PM under Asides

WPTavern: Do WordPress.org Themes Need a Changelog?


Over the weekend, Theme Review Team member Jose Castaneda posted a proposal to add change logs to themes hosted on WordPress.org. The discussion has been on the table for years, but renewed interest in change logs is surfacing for the upcoming 4.3 and 4.4 release cycles.

Adding changelogs to themes requires action on two related tickets: a meta ticket to add support for change logs on WordPress.org and a core ticket to expose the changelog file to users in the WordPress admin.

Castaneda’s proposal requests that the team select a standard format for theme authors to follow in either the readme.txt file or a new changelog.txt file. From there the team would follow the core development release cycle to complete whatever steps are necessary to get changelog support added to WordPress.org themes.

Theme Review Team members are divided on whether or not change logs are beneficial to users, as they already have the ability to detect changes using a .diff file when authors submit updates. Others find change logs to be a more readable addition.

“Personally, I find change logs to be incredibly helpful, even when using a .diff,” Theme Review Team admin Chip Bennett said. “The changelog is the human-readable summary of changes, that can really help grok the diff changes.”

Justin Tadlock isn’t convinced that WordPress users would benefit from themes including change logs:

Honestly, I don’t see change logs as all that important from a user standpoint. While I don’t have any official stats, I’d wager that the vast majority of users don’t read change logs and, of those who do happen upon one, don’t understand most of what’s actually in the file.

Change logs are, by and large, a developer tool. It’s a nice-to-have feature. I don’t care one way or another. I never read them. I doubt we’ll get great change logs from the majority of theme authors. We can’t even manage to get some semantic versioning down or basic inline PHP docs. We’ll probably see a lot of Git commit logs copied/pasted or my personal favorite, “Changed a bunch of stuff. Too busy building awesome s*** to care about tracking changes”.

Active discussion on the topic is taking place on the make.wordpress.org/themes blog. If the team concludes that change logs are beneficial, the main question to answer is whether or not they should simply take up residence in the readme.txt file, like plugins do, or have their own separate file.

Ultimately, the issue boils down to whether or not WordPress users read and appreciate changelogs, or if they are more beneficial for developers. As the Theme Review Team is primarily made up of developers, it would be valuable if average users who desire theme change logs could chime in on situations where the file might be helpful.

by Sarah Gooding at April 27, 2015 03:36 PM under changelog

WPTavern: Zero Day XSS Vulnerability in WordPress 4.2 Currently Being Patched

Klikki Oy is reporting a new stored XSS vulnerability in the comment system of WordPress 4.2, 4.1.2, 4.1.1, and 3.9.3, which allows an unauthenticated attacker to inject JavaScript into comments.

If the injected script runs in the browser of a logged-in administrator, the attacker can, under default settings, use it to execute arbitrary code on the server via the plugin and theme editors.

Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.

This particular vulnerability is similar to one reported by Cedric Van Bockhaven in 2014, which was patched in the most recent WordPress 4.1.2 security release. That particular vulnerability was related to four-byte characters being inserted into comments, causing premature truncation by MySQL.

In this instance, an attacker posts an excessively long comment in order to exceed the 64 KB limit of the MySQL TEXT type, which truncates the comment as it is inserted into the database.

The truncation results in malformed HTML generated on the page. The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core.

In these two cases, the injected JavaScript apparently can’t be triggered in the administrative Dashboard so these exploits seem to require getting around comment moderation e.g. by posting one harmless comment first.

A patch from the WordPress security team should be forthcoming. At this time the team could not provide an ETA, but in the meantime there are a few things users can do to mitigate the risk.

“Your best option is to install Akismet (which has already been configured to block this attack), or disable comments,” core contributor Gary Pendergast said in response to inquiries on the WordPress #core Slack channel. “JavaScript is blocked by wp_kses(). Akismet blocks this specific attack, which gets around wp_kses()’s protection.”

WordPress users can also temporarily disable comments in the meantime until the patch has been issued by the WordPress security team.
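The mechanism described above, reproduced as an added example that is not Klikki’s proof of concept and not WordPress core code: a toy whitelist stands in for wp_kses() (it only accepts one `<a>` tag with a single-quoted title), `simulate_text_column()` stands in for a MySQL TEXT column that keeps the first 65,535 bytes of an over-long value, and `fits_comment_column()` is the byte-length check the insert path is missing. The stored markup never passed the whitelist, because validation ran on the full string and the database kept something shorter. The `preprocess_comment` hook at the end is a real core filter; the callback on it is ours and assumes a 4.2-era site with the file dropped in as an mu-plugin.

```php
<?php
/*
 * Added example, not from Klikki's advisory or from WordPress core. Shows why a
 * whitelist that runs before a silently truncating INSERT is not enough, and the
 * pre-insert length check that closes the gap. Everything below is a stand-in.
 */

const COMMENT_TEXT_BYTES = 65535; // capacity of a MySQL TEXT column, in bytes

/**
 * Toy stand-in for a kses-style whitelist (NOT wp_kses): allows exactly one <a>
 * whose only attribute is a single-quoted title, plus plain text around it.
 */
function toy_whitelist_allows( string $html ): bool {
    return 1 === preg_match( "~^[^<>]*<a title='[^'<>]*'>[^<>]*</a>[^<>]*$~", $html );
}

/** What a non-strict MySQL server keeps of a value that is too long for TEXT. */
function simulate_text_column( string $value ): string {
    return substr( $value, 0, COMMENT_TEXT_BYTES );
}

/** Cheap structural check: is every single-quoted attribute value still closed? */
function attribute_quotes_closed( string $html ): bool {
    return 0 === substr_count( $html, "'" ) % 2;
}

/** The missing check: refuse anything the column cannot hold intact (strlen, not mb_strlen: the limit is in bytes). */
function fits_comment_column( string $content ): bool {
    return strlen( $content ) <= COMMENT_TEXT_BYTES;
}

/** Runs the scenario and returns what each stage saw. */
function run_truncation_scenario(): array {
    // Constructed input: a whitelist-clean comment whose title value is padded so
    // that the closing quote and </a> land beyond the column limit.
    $padding   = str_repeat( 'A', COMMENT_TEXT_BYTES );
    $submitted = "<a title='harmless " . $padding . "'>link</a>";
    $stored    = simulate_text_column( $submitted );

    return [
        'submitted_bytes'      => strlen( $submitted ),
        'stored_bytes'         => strlen( $stored ),
        'validated_ok'         => toy_whitelist_allows( $submitted ), // true: passed as submitted
        'stored_still_ok'      => toy_whitelist_allows( $stored ),    // false: the tag never closes
        'stored_quotes_closed' => attribute_quotes_closed( $stored ), // false: opening quote is orphaned
        'length_check_passed'  => fits_comment_column( $submitted ),  // false: the check rejects it
    ];
}

foreach ( run_truncation_scenario() as $stage => $value ) {
    printf( "%-22s %s\n", $stage, is_bool( $value ) ? ( $value ? 'true' : 'false' ) : $value );
}

// On a live site the same check belongs before the insert. 'preprocess_comment' is a
// core filter that runs in wp_new_comment() ahead of the database write; the callback
// is ours (assumption: WordPress 4.2-era site, this file loaded as an mu-plugin).
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'preprocess_comment', function ( array $commentdata ) {
        if ( ! fits_comment_column( $commentdata['comment_content'] ) ) {
            wp_die( 'Comment too long.', 'Comment rejected', [ 'response' => 413 ] );
        }
        return $commentdata;
    } );
}
```

Run it with `php truncation.php`; it prints one line per stage. Two caveats: the silent truncation only happens because WordPress’s wpdb strips the strict SQL modes from the session (with STRICT_TRANS_TABLES in effect MySQL rejects the row instead), and whether the orphaned attribute actually becomes executable script depends on how the truncated comment is rendered on output, which this example deliberately does not reproduce. The length check is defence in depth alongside the 4.2.1 update, not a substitute for it.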

by Sarah Gooding at April 27, 2015 12:10 PM under security

April 26, 2015

Matt: Entanglement

If you’re curious about quantum entanglement (and a type of synesthesia) at all, check out this week’s Invisibilia show on NPR called Entanglement.

by Matt at April 26, 2015 03:19 PM under Asides

April 25, 2015

Matt: 100 Books

You can’t go wrong with Amazon’s 100 Books To Read In A Lifetime. I’ve only read a bit over a dozen of them, and some of those in school when I probably didn’t appreciate them. I’ve never had a time in my life when I thought, “You know, I’m reading too much.” It’s a weekend — read!

by Matt at April 25, 2015 11:38 PM under Asides

Matt: Atlantic Earth Day Pictures

The Atlantic has a set of 45 pictures that are both beautiful and shocking to commemorate Earth Day.

by Matt at April 25, 2015 04:41 AM under Asides

April 24, 2015

WPTavern: Automattic’s Dave Martin Publishes His 5 Step Remote Hiring Process


If you’re thinking about applying to work for Automattic, you might want to read this article first. Dave Martin, Creative Director at Automattic, published an in-depth look behind the scenes of the remote hiring process for the design and growth portion of the company. He explains the five step process in detail which gives future applicants a good idea of what to expect.

It’s a fascinating read and I learned that every part of the process has a purpose. For instance, every trial project consists of work that would normally be completed by existing employees. Every question asked by Martin in the interview process has a purpose, whether it’s to glean information or get a feel for how the applicant communicates.

The one area of the hiring process I’ve routinely seen scrutinized by those who don’t make the cut is the lack of specific feedback on why they’re not a good fit for a position. Dave Clements, who almost made it to the final stage of the hiring process, criticized the lack of detail from Automattic on why he wasn’t a good fit.

My only criticism of my whole process from start to finish is that I wish they would have gone into more detail on why I was not a good fit for them. They had been so verbose and open up to that point about any question that I asked of them, but when I asked why they had come to the decision to not move forward, I was given a fairly generic response as they ‘couldn’t go into too much detail’.

Martin tries to do his best to highlight why someone is not a good fit, but the process is not easy and the number one goal is to hire the best people.

If things don’t end up working out, I’ll do my best to highlight why. At this point the applicant has invested quite a bit of time. I try to be as specific as possible as to why they are not going to proceed to a final interview.

Telling people no is hard, but mistakenly bringing on the wrong people can be much worse. While you want to always be kind, and helpful to all applicants, your primary responsibility when hiring is to ensure that only the best people get hired. That is priority number one.

Whether you’re a distributed company or someone who’s interested in working for one, there is plenty to learn from the post. I also encourage you to read this Harvard Business Review article from 2014 featuring Matt Mullenweg, on holding auditions to build a strong team. If you’ve gone through the Automattic hiring process, let us know what it’s like in the comments.

by Jeff Chandler at April 24, 2015 11:12 PM under remote

WPTavern: Story.am Relaunches, Now 100% Free


Nick Haskins launched Story.am earlier this year as a hosted storytelling platform that offers all the features of Aesop Story Engine. Initially, the platform was only available to paying customers, but this week Haskins announced that Story.am is now available to everyone for free.

The platform had not received much feedback in the several months it has been open to customers, so Haskins decided to remove all barriers to account creation.

“We really want feedback on Lasso, our visual web editor on Story.AM,” he said. “By making it free, we hope to garner a lot of feedback, even if that feedback isn’t good. Often times, that type of feedback is the best.”

In our recent review of Lasso, Jeff Chandler found that the product wasn’t quite polished enough for prime time but that it has potential. Haskins is hoping to build a broader network of Lasso users who will offer the feedback he needs to improve the editing experience.

Immediately following his announcement that Story.am accounts are now available for free, Haskins was averaging one signup a minute.

“Since the announcement yesterday evening there have been about 130 signups, so we’ve calmed down to about 5-7 signups an hour,” he said.

Story.am is a multisite installation that was built to be elastic and ready to scale. In the future, Haskins will open up a Pro level that will offer additional features such as the ability to sell story subscriptions with Stripe and use your own domain.

“The domain mapping and ability to sell story subscriptions are all in place and ready to go,” he said. “But rather than just releasing a Pro level straight away, I’m interested to see if what I THINK users want, is actually inline with what they REALLY want.”

Haskins is taking notes of trends while monitoring the signups to get a better picture of how people plan to use Story.am.

“I’m seeing a lot of what I would describe as ‘people who aren’t necessarily writers but want to tell stories,'” he said. “The domains that are coming across include terms like comic, pastor, fish, school, etc. It’s quite interesting to see. We are tracking everything in great detail, so as time goes on we’ll begin to have some solid metrics.”

Many Story.am users are using the platform in the education space, a trend which has continued since opening up the site to free accounts. The platform is also open to bloggers, but Haskins is not aiming to compete with WordPress.com.

“I’d like to see folks use stories in their own unique ways, with their own flair, and I think this will be tough to come by on a ‘generalized’ network. i.e, one that basically treats everyone as the same,” he said. “One thing I don’t want to purposefully do is compete with WordPress.com. I’d much rather work with them to bring our ideas and tools to their platform, in some way, shape, or form.”

Story.am has no current ETA for launching Pro level features, but Haskins said that he will be gauging the demand and gathering feedback before moving on monetizing the platform. If you’re curious about how Aesop Story Engine components work with WordPress and want to try the new Lasso frontend editor, it’s now as easy as signing up for a free account on Story.am.

by Sarah Gooding at April 24, 2015 10:18 PM under story.am

WPTavern: New Plugin Adds Quick Access to the “Press This” Posting Form


One of the highlights of the recent WordPress 4.2 release is the completely revamped Press This interface. The feature’s intended purpose is to make it easy to share text, images, and videos from around the web in a quick post, but many users are newly captivated by Press This’ new minimalist design for post creation.

Once you try Press This for publishing, you may become so partial to the posting form that you don’t want to go back to the standard post editor. It includes only the most essential formatting buttons and a button to add media, with all other extraneous selections for post formats, categories, and tags collapsed.

Press This New Post is a new plugin, created by Drew Jaynes, that gives you quick access to the Press This posting form from the ‘+ New’ drop-down in the toolbar.


The link takes you to the Press This editor where you can scan a URL or simply start writing a new post.

In the plugin’s description, Jaynes refers to the easy access as “Quick Draft on steroids,” but it may also become a real substitute for WordPress’ dearly-departed zen mode. Many users are distracted by the sliding side menu and the fading of non-essential parts of the editor that was introduced in WordPress 4.1 when the Focus Project was merged into core. These animations are guaranteed not to happen to you in Press This mode.


Jaynes is a regular user of the Press This post editor, which was one of his motivations for creating the quick access plugin.

“I’ve already drafted three blog posts using it instead of the standard editor,” he said. “Obviously in most cases I finish up in the standard editor, but I really like the posting interface.

“I think if we get to the point where Press This supports other post types and/or even other sites in a multisite network, it could really save a lot of time.”

The Press This team is actively working on continuing to iterate the feature along those lines and both Michael Arestad and Stephane Daury have stepped up as core component maintainers.

“I know for a fact that they both have future plans for improving and iterating it,” Jaynes said. “It’s actually really cool to see a continuation of the passion beyond a feature plugin getting merged.”

Michael Arestad recently posted his thoughts on the future of Press This and listed a host of features that the team is looking at adding:

  • Split button (gonna be awesome)
  • Some rearranging of components
  • Improved tags UI
  • Featured image
  • Browser extensions
  • Site switching
  • Image flow improvements are in the works, which should drastically improve the media experience in both editors
  • Improved NUX flow

With its committed maintainers, the Press This feature is well-positioned to evolve to support more diverse content types, which may attract even more users than the bookmarklet does in the long run. If you’re still thinking of Press This as just a simple bookmarklet for re-posting content, you may want to revisit it. The feature has the potential to influence future iterations of the standard post editor, which suddenly seems a little cluttered.

If you enjoy using Press This mode for creating new posts, the Press This New Post plugin might be a handy addition to your site. Download it for free on WordPress.org.

by Sarah Gooding at April 24, 2015 08:06 PM under press this

WPTavern: Insight into the Jamaican WordPress Community with Bianca Welds

Last week, I met Bianca Welds who lives in Jamaica. She’s used WordPress for more than 10 years and has knowledge of the developing tech scene in Jamaica. In this interview, we learn how she discovered WordPress, the Jamaican WordPress community, and if the country will ever host a WordCamp.

How long have you used WordPress?

I just celebrated my 10th anniversary. I started using WordPress in 2005 and my first post was on April 2nd, 2005.

What is your WordPress origin story?


I was working at IBM at the time and finally decided I liked the idea of having my own personal website. The more I thought about it, the more I realized I wanted to have a blog as well as a static site. I knew I could build an HTML site myself, so I researched this blogging thing, and I found Blogspot. Within a day of signing up, I became frustrated at not being able to customize it, so I looked for alternatives. I came across WordPress and fell in love, purchased a hosting account, installed it, and never looked back.

What is the tech scene like in Jamaica?

The tech scene is currently developing nicely. There has been a lot of slow foundation growth over the last decade, but in the last few years, we have seen some dramatic acceleration. The tech meetup, Kingston Beta, grew to hosting a regional conference called Caribbean Beta.

The Slash Roots Developer Community saw the formation of the Slash Roots Foundation which does a lot of work in the Open Data space. It expanded to organize the Developing the Caribbean conference, and was instrumental in the formation of Code for the Caribbean.

Startup events have been growing with our first Startup Weekend taking place in 2013. The Digital Jam Mobile Application competition was held for three years along with several other initiatives. The first Venture Capital Conference was held in 2013 where the first formal angel investor group, First Angels, was created. StartUpJamaica is our first accelerator and it launched last year with over 200 applications, where 36 teams participated in boot camps and training. This is a small sample of the things that are happening in our space.

Is there a vibrant WordPress community in Jamaica?

Vibrant on an individual level perhaps. There is no active WordPress community at present. There are a lot of WordPress sites being built and a lot of WordPress blogs being run, but they are more or less individual efforts with no real communication or collaboration to grow and develop a community.

I have recently started putting out feelers to see if there is enough interest in starting a regular WordPress meetup. In the last week, I’ve had interest from about two dozen people.

To date, there has not been a WordCamp in Jamaica. Do you think there will ever be one and will you help organize it?

I hope there will be and I definitely want to be a part of it. The first goal though would be to get the meetups going and gather a core community, so that’s my focus now.

Have you ever attended a WordCamp? If not, which one will be your first?

Unfortunately, I have never attended any WordCamps. I am working on changing that in the near future by going to WordCamp Miami which is the nearest one to Jamaica.


What do you like most about WordPress and what do you like the least?

My favorite thing about WordPress is its flexibility. While it may not be the perfect solution for every challenge, there are few things that cannot be done. My least favorite thing is how much there is to learn to truly take full advantage of its power.

If you wanted people to know something about Jamaica, what would it be?

The one thing I always try to share when I am the Jamaican in the crowd is that Jamaica is so much more than beaches, weed and reggae. It definitely has those, but there are so many other aspects to our geography, our culture and our people that outsiders don’t yet fully grasp. But the world is learning.

Take the Jamaican WordPress Survey

Welds is trying to figure out the size and composition of the Jamaican WordPress community. Please help her out, especially if you’re a WordPress user living in Jamaica, by taking this short survey. Information will remain confidential and will help Welds develop a better picture of the size and skill level of her local community.

by Jeff Chandler at April 24, 2015 05:02 PM under wordcamp

WPTavern: WPWeekly Episode 189 – Drew Jaynes on What it’s Like to Lead a WordPress Development Cycle

On this episode of WordPress Weekly, Marcus Couch and I were joined by Drew Jaynes, web engineer for 10up, and release lead for WordPress 4.2. Jaynes explains how a release lead is chosen, their responsibilities, and what their role is. Release leads are shepherds who work with multiple teams to keep development on track.

Jaynes also explained how people can contribute to WordPress core through Trac. We discussed new features in WordPress 4.2 and what the benefits are to selecting release leads ahead of time. Last but not least, Jaynes helped us cover the week’s news.

Stories Discussed:

XSS Vulnerability Affects More Than a Dozen Popular WordPress Plugins
XSS Vulnerability: What to do if You Buy or Sell Items on Themeforest and CodeCanyon
WordPress 4.1.2 is a Critical Security Release, Immediate Update Recommended
Facebook Has Abandoned Its Official WordPress Plugin

Plugins Picked By Marcus:

Comstick Star Rating conforms to the Google structured data algorithm. It allows you to capture customer reviews with a simple shortcode on any page. By inserting a single function into your theme’s header or footer, your rating will be displayed in Google search.

Employee Spotlight displays employees, team members, founders, or just a single person in a four column circle grid. It comes with two sidebar widgets that display featured and recent employees selected in the editor.

Web Push Notifications allows you to send push notifications to visitors who use Safari and Chrome.

WPWeekly Meta:

Next Episode: Wednesday, April 29th 9:30 P.M. Eastern

Subscribe To WPWeekly Via Itunes: Click here to subscribe

Subscribe To WPWeekly Via RSS: Click here to subscribe

Subscribe To WPWeekly Via Stitcher Radio: Click here to subscribe


by Jeff Chandler at April 24, 2015 06:30 AM under wordpress 4.2

WPTavern: Why Some Sites Automatically Updated to WordPress 4.1.3

Since WordPress 4.2 was released, some users are questioning why their sites have automatically updated to WordPress 4.1.3. There’s no information about the release on the Make WordPress Core site or the official WordPress news blog. However, this Codex article explains what’s in 4.1.3 and the reason it was released.

Fix database writes for esoteric character sets, broken in the WordPress 4.1.2 security release. Neither UTF-8 nor latin1 were affected. For more information, see ticket #32051.

The ticket contains a lengthy technical discussion of a critical bug and what was done to fix it. In addition to 4.1.3, the patch was merged into the following versions:

  • 3.7.7
  • 3.8.7
  • 3.9.5
  • 4.0.3

Since these are point releases, sites running WordPress 3.7 and higher will automatically update unless the server doesn’t support it or they’re disabled. If you’re running an old version of WordPress, I highly encourage you to update to 4.2. Not only does it have some nifty new features, but it also fixes 231 defects.

by Jeff Chandler at April 24, 2015 04:25 AM under wordpress 4.1.3

Post Status: WordPress 4.2, “Powell”, released

The consistency of WordPress

WordPress 4.2, Powell, marks the impressive sixth major version in a row on a four month average development cycle.

  • WordPress 3.7: October 24th, 2013
  • WordPress 3.8: December 12th, 2013
  • WordPress 3.9: April 16th, 2014
  • WordPress 4.0: September 4th, 2014
  • WordPress 4.1: December 18th, 2014
  • WordPress 4.2: April 23rd, 2015

This streak of consistency in WordPress releases is not accidental. Groundwork was put in place organizationally, technically, and philosophically to help ensure consistent, iterative improvements for WordPress.

The project has always been quite good at updates, if compared to competition. However, a few releases prior to 3.7 got sidetracked, distracted, or thrown off schedule if held to our own high standard.

Concepts such as the introduction of feature plugins have helped put sanity and routine into the release schedule, even without repeat release leads these last six versions (and none will repeat at least through 4.4).

Features of WordPress 4.2

Press This


It’s quite possible even long term WordPress users have never heard of, much less used, Press This. However, the bookmarklet makes sharing and publishing others’ articles on your own blog quite simple.

It was long overdue to either be cut from core or completely revamped. It was completely revamped under the “feature as plugin” model, led by Michael Arestad.

I’ve been using the new Press This for a while now on my personal blog, and it’s really great. If your goal is to blog more regularly, and you like to curate or share what you’re reading/watching, you’ll love Press This. You can find the bookmarklet in the admin, on the primary Tools page.

The editor is modern and honestly a great prototype for what could be a future full WordPress editor. The bookmarklet sits in my bookmarks, and it’s encouraged me to more often blog my thoughts on what I read — versus leave my thoughts with a single Tweet.

I was at first on the fence as to whether Press This made sense to get a revamp. I’m now convinced it was a great decision, and the team that worked on most of the features was outstanding.

There are more features coming to Press This. You can check some of them out on Michael’s blog post celebrating its inclusion in 4.2. If you’ve never pressed anything with Press This, definitely give it a shot.

Customizer Theme Switcher

Another feature plugin that made it into 4.2 is the Customizer Theme Switcher. Relatively self-explanatory, this feature brings the theme choosing experience to the customizer.

The project was led by Nick Halsey, and you can find the core proposal for the feature on the Make WordPress blog. Not many folks using WordPress as a full CMS will change themes that often, but for those that do, moving theme selection and testing into the customizer makes sense.

Shiny Updates


Shiny Updates allows for inline updates directly in the plugins admin screen, without a redirect to the funky plugin update progression page you’re probably quite familiar with.

Shiny Updates is part of a larger effort to make both updates and installs better. Due to some potential UX issues, and in order to stick with the release schedule, the shiny installs half was postponed. However, in a future release, the install and activation process for plugins will be a simpler process as well.

Utf8mb4 support to enable special characters and emoji


WordPress can now handle all sorts of special characters by default, including Chinese, but also various glyphs and other symbols. And yes, emoji.

Perhaps the most discussed and also misunderstood feature of WordPress 4.2, Utf8mb4 makes WordPress more accessible in more languages, and that is awesome.

Also, don’t kid yourself: everyone loves emoji. As WordPress is used more as a mobile app backend, this change will be especially welcome. Can you imagine an app that didn’t support emoji? Of course not. 🎉

By the way, there is a handy Codex article that details how to enable the emoji keyboard on various operating systems.

Notes on developer features

There are some great developer features in WordPress 4.2 as well. I highly recommend reading Aaron Jorbin’s field notes post that details some of the key features for developers and also has links to detailed posts to cover each one.

An excellent release

WordPress 4.2 is an excellent release that has a nice balance of new features, fixes, and developer enhancements.

Congratulations to the core team and everyone that was involved in the release of WordPress 4.2, “Powell”.

by Brian Krogsgard at April 24, 2015 03:12 AM under Everyone

Alex King: Setting the wp_remote_get() User Agent

I was recently trying to make some API requests from within WordPress using `wp_remote_get()`, but the site I was asking for data from was rejecting requests from the default WordPress User Agent. I tried to set the user agent to something different, but it still wasn’t working:

$response = wp_remote_get($url, array(
  'timeout' => 20,
  // Wrong key: not a recognised request argument, so the default WordPress agent is still sent
  'User-Agent' => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:20.0) Gecko/20100101 Firefox/20.0'
));

Thankfully, Otto spotted my problem. The request argument is named `user-agent`, all lowercase: that is the key `WP_Http` reads (it also accepts a `User-Agent` entry inside the `headers` array and moves it there), while an unrecognised top-level key such as `'User-Agent'` is silently ignored and the default `WordPress/<version>; <site url>` string goes out instead. This works:

$response = wp_remote_get($url, array(
  'timeout' => 20,
  // Lowercase key: picked up by WP_Http and sent as the User-Agent header
  'user-agent' => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:20.0) Gecko/20100101 Firefox/20.0'
));

And there you have it. It’s always nice to have an extra set of eyes on some code.

by Alex at April 24, 2015 12:19 AM under WordPress

April 23, 2015

WPTavern: Jetpack 3.5 Introduces Menu Management on WordPress.com

Jetpack 3.5 was released today, coinciding with WordPress 4.2. This release expands the capabilities of Jetpack’s centralized site management to include menus. If you have Jetpack Manage activated, you can now log into WordPress.com to manage menus for any of your sites that have opted in.


The benefit of going to WordPress.com to manage menus for self-hosted sites was not immediately evident for those who don’t make use of the centralized site management feature. The interface is different and the dashboard contains a limited set of site management controls.

For those who manage just one or two sites, it isn’t clear why you would opt to log into WordPress.com instead of your site’s admin panel, which is essentially the command center, where everything is at your disposal.

Jetpack representative Jeremy Herve explained that the primary benefits of the menu management feature are applicable “when working on multiple sites, when on mobile, and when you don’t want to log into the self-hosted site.

“I must also admit that I’m not the biggest fan of the Menus interface in WordPress.org,” he said. “It’s confusing for new users.”

If you prefer WordPress.com’s menu manager and posting interface but want to retain the freedom of self-hosting your site, then Jetpack Manage may be a good fit for you. If the disconnected, dissimilar interfaces don’t make sense for managing your sites, then there’s no need to activate it. Currently, bulk plugin management across multiple sites seems to be the most popular use of Jetpack Manage.

The 3.5 release also includes a dozen bug fixes and a few small enhancements. View Jetpack’s changelog for details.

by Sarah Gooding at April 23, 2015 11:48 PM under jetpack manage

Matt: Big Announcement Day

Two big releases today: WordPress 4.2 with lots of interface improvements and emoji support, and the 3.5 release of Jetpack with a new menu editor.

by Matt at April 23, 2015 07:55 PM under Asides

WPTavern: WordPress 4.2 “Powell” is Now Available for Download

WordPress 4.2 “Powell” has arrived and is now ready for download. It is named for Earl Rudolph “Bud” Powell, an American jazz pianist. This release, led by 10up engineer Drew Jaynes, offers a balanced mix of front-facing features that users will enjoy, as well as improvements for developers. Here is a tour of the highlights.

Press This Overhauled


WordPress 4.2 contributors have brought the Press This feature back to life with a completely revamped interface that makes it easy to share content from any website. It allows you to grab text, images, and videos, quickly add your thoughts, and publish. Any media is automatically added to your media library during the process. Add the bookmarklet from the Tools screen to your browser’s bookmark bar or your mobile desktop to jump start your publishing.

Switch Themes in the Customizer


WordPress 4.2 makes it possible to switch themes in the customizer. Users can now browse through themes that have already been installed and activate a new one without ever leaving the frontend. This further streamlines the UI for customizing your site and paves the way for the theme installation process to be added to the customizer in the future.

Expanded 4-Byte Unicode Character Support, Including Emoji


This release changes the database character set from utf8 (MySQL’s three-byte utf8mb3) to utf8mb4, so WordPress can now store the four-byte characters the old encoding could not hold: the rarer Chinese, Japanese, and Korean ideographs outside the Basic Multilingual Plane, musical and mathematical symbols, hieroglyphs, and emoji. Emoji support has been added everywhere, and you can even use them in URLs, if you’re adventurous.
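
The three-byte versus four-byte distinction is the part of this change that gets misread, so here is an added example (not code from WordPress core or from this article) that shows which characters actually need utf8mb4 and what the old column type did with them. It is plain PHP with no WordPress dependency; the sample strings are constructed. The truncation model is a statement of documented MySQL behaviour for a utf8mb3 column under a non-strict sql_mode, not something the article says.

```php
<?php
// Added example; plain PHP, run with `php utf8mb4_check.php`. Sample strings are constructed.

/** Each character of $s paired with the number of bytes it occupies in UTF-8. */
function utf8_byte_widths( string $s ): array {
	$out = array();
	foreach ( preg_split( '//u', $s, -1, PREG_SPLIT_NO_EMPTY ) as $ch ) {
		$out[] = array( $ch, strlen( $ch ) );
	}
	return $out;
}

/**
 * MySQL's "utf8" (utf8mb3) stores at most 3 bytes per character, which covers the Basic
 * Multilingual Plane, everyday CJK included. Anything above U+FFFF needs 4 bytes, i.e. utf8mb4.
 */
function needs_utf8mb4( string $s ): bool {
	return preg_match( '/[\x{10000}-\x{10FFFF}]/u', $s ) === 1;
}

/**
 * Model of what a utf8mb3 column does with 4-byte input when sql_mode is not strict:
 * the value is silently cut at the first 4-byte character and a warning is raised
 * (strict mode rejects the row instead). This models MySQL; it does not call it.
 */
function simulate_utf8mb3_store( string $s ): string {
	if ( preg_match( '/[\x{10000}-\x{10FFFF}]/u', $s, $m, PREG_OFFSET_CAPTURE ) ) {
		// PREG_OFFSET_CAPTURE reports a byte offset even with /u, so substr() is the right cut.
		return substr( $s, 0, $m[0][1] );
	}
	return $s;
}

$samples = array(
	'Hello',
	'中文日本語한국어',          // everyday CJK: 3 bytes per character, fine under utf8mb3
	'𠮷野家',                  // U+20BB7 (CJK Extension B) needs 4 bytes
	'Launch party 🎉 tonight', // emoji also need 4 bytes
);

foreach ( $samples as $s ) {
	$widths = array_column( utf8_byte_widths( $s ), 1 );
	printf(
		"%s\n  max bytes per char: %d, needs utf8mb4: %s, utf8mb3 would keep: %s\n",
		$s,
		max( $widths ),
		needs_utf8mb4( $s ) ? 'yes' : 'no',
		var_export( simulate_utf8mb3_store( $s ), true )
	);
}
```

The practical reading: common Chinese text was never the problem, and a site that only ever saw BMP characters will not notice the switch. What changes is that input containing a supplementary-plane character is now stored whole instead of being cut off at that character, which is a data-integrity issue as much as a feature, and one reason to make sure both the tables and the connection charset are utf8mb4 after upgrading.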

Enhanced Plugin Updates


After you update to 4.2, you will be able to update plugins on the plugins screen without refreshing the page and without being whisked away to a new update screen. This makes it a more intuitive process and cuts down on the clicking required to manage your site in the admin. It is also the first stepping stone toward improving the plugin installation process to provide the same convenient experience.

Improvements Under the Hood

In addition to all the front-facing improvements, WordPress 4.2 includes some equally exciting updates for developers.

  • Taxonomy Term Splitting – terms shared across multiple taxonomies will now be split when one of them is updated.
  • Complex Query Ordering – WP_Query, WP_Comment_Query, and WP_User_Query now support complex ordering with named meta query clauses.
  • JavaScript Accessibility – Send audible notifications to screen readers in JavaScript with wp.a11y.speak(). Pass it a string, and an update will be sent to a dedicated ARIA live notifications area.
  • TinyMCE views API improvements – this API is not yet ready for production but developers are welcome to test and experiment with it.

Check out Aaron Jorbin’s WordPress 4.2 Field Notes post for a more comprehensive overview of what’s new for developers.

Many More Small Improvements

WordPress 4.2 is also packed full of subtle refinements that make it more beautiful and easier to use. The default admin color scheme has been updated ever so slightly to be more harmonious to the eyes and more consistent with WordPress’ branding.

Pretty permalinks are now automatically enabled for new sites on installation. In most cases, administrators on new sites will never be greeted with ugly permalinks again, saving a step in the setup process.

The oEmbed whitelist has been updated to include Tumblr.com and Kickstarter, so you can easily paste links into the post editor and have the content instantly appear.

WordPress 4.2 fixes 231 defects, thanks to the volunteer efforts of 283 contributors. A complete list of all the changes in this release is available in the 4.2 codex page. For a quick tour of all the highlights in 4.2, check out the video created for this release:

by Sarah Gooding at April 23, 2015 06:39 PM under wordpress 4.2

Matt: What we can learn from Japan

I travel back and forth between Japan and the United States, mostly Tokyo and New York and a few other American cities, several times a year. The contrast is jarring. Arriving in the US can feel like rolling back a decade or more, returning to a time when information was scarce, infrastructure was creaky and basic services such as ground transportation were chaotic and unreliable.

Roland Kelts on What the west can learn from Japan’s “lost decades.” This echoes a lot of my experience there recently, and I had the good fortune of meeting Roland as well.

by Matt at April 23, 2015 12:25 AM under Asides

WPTavern: Wapuunk T-Shirts Now Available in the WordPress Swag Store

The fame of wapuunk has spread far and wide and now fans of the creature can purchase t-shirts in the WordPress Swag Store.

The punk Wapuu was created for WordCamp London 2015 by Scott Evans with collaboration from the event’s organizing team. The mascot was so well-received that Evans’ colleagues urged him to see if it could land in the swag store.

“I supplied the vector artwork and some guidance and passed it on to Hello Merch which did the rest,” he said. Within approximately three weeks the t-shirt was made available for sale.

It’s unusual to see new items added to the WordPress Swag Store, but the iconic Wapuunk mascot seems to be an instant hit with swag collectors.

“After all the buzz of WordCamp London it seemed worth a go,” Evans said. “After all, they are different from the official WordCamp t-shirts we made. I think lots of folk were keen to see Wapuunk on a t-shirt.”

In contrast to the simple WordPress logo-branded items, Wapuunk and other variations of the mascot have a unique way of linking the local culture and/or an event experience with the logo. Wapuu variations illustrate the variety of WordPress communities around the globe. They evoke a strong connection between the software and the local community.

WordCamp Belgrade featured Wapuujlo at its first event, and WordCamp Philly will also debut a new Wapuu collection in June. With WordPress’ increased focus on internationalization in 2015, Wapuu variations are a fitting complement to the many diverse communities this software brings together.

by Sarah Gooding at April 23, 2015 12:16 AM under wordpress swag store

April 22, 2015

WPTavern: WordPress.org Now Requires Theme Authors to Use the Customizer to Build Theme Options


The WordPress Theme Review team made a major decision this week to enforce the use of the native customizer on new themes submitted to the directory. Theme authors who want to include customization options will no longer be able to create their own settings panels but will be required to follow the new customizer standard, effective immediately.

Existing themes in the directory will have six months to comply before the Theme Review Team starts to enforce the new requirement. To facilitate this process the team is preparing a series of posts and better documentation on how to use the customizer.

Theme Review Team member Justin Tadlock brought the matter to a vote during the last meeting:

I’m proposing that we do an outright ban on custom settings screens in the admin. The plan was to allow theme authors to naturally move over to the customizer given time. This hasn’t worked.

As attempts to standardize the use of the customizer in new themes have not been successful, the Theme Review Team has opted to draw a hard line, as gatekeepers to the official directory. For the most part, reactions to the new guidelines have been positive, but theme authors who incorporate other options frameworks are not thrilled about having to rewrite their options for the customizer.

Will the Customizer Requirement Stifle Innovation for Theme Developers?

While many developers agree that the customizer is WordPress’ strongest option right now for providing live previews on design customizations, some are worried that the new requirement will limit creativity and innovation that might spring up from different solutions.

Dovy Paukstys, lead developer of the Redux Framework, commented on the announcement to express a common concern among developers who utilize more specialized controls than the customizer can currently provide.

So essentially what you’re mandating is for Frameworks, like Redux, to port all of their special controls to the Customizer because if a theme uses any form of a custom control and doesn’t display it in the customizer, in 6 months time you will boot from WP.org. Correct?

Doesn’t that seem a little narrow sighted? The customizer is great for live reload, but it doesn’t have the real-estate for advanced fields that developers make.

Resistance to the new guideline is frequently met with the suggestion that developers instead work on improving the customizer to be better for all users, as it is now WordPress’ core-supported method of providing theme options. Paukstys finds it to be too limited in its current state for anything other than simple style changes.

My personal motivation to improve the customizer is low since I personally do not see it as a viable option outside of styling. There’s simply not enough real-estate from a design perspective. It also doesn’t have things like visual validation, warnings, etc. It doesn’t offer field visibility linking, etc. It serves a powerful purpose, but I do not feel it is a complete replacement for the settings API.

Paukstys further contends that the community was not represented in the decision process that followed the official proposal and that the new mandate unfairly promotes a single, narrow approach.

Why do you wish to limit developers so much? Isn’t the point of open source for people to make things in different ways and improve the whole? Why are you limiting your devs? Could it be that the customizer hasn’t had the adoption that you think it deserves? This just seems like a mandate by your team and not a desire of the community as a whole.

According to Emil Uzelac, theme authors using Redux or another framework are still at liberty to use the TGM Plugin Activation library to notify users of a theme being “Redux-Ready,” for example, but will not be able to fully package those options as part of the theme submitted to WordPress.org.

Tadlock is currently preparing a more comprehensive reply to these concerns but maintains that he will always support more innovative ways of approaching customization, should a new solution surpass that of the customizer in the future.

The Theme Review guidelines have continued to evolve with WordPress over the years and the team meetings are open to all who wish to have a voice in the decision-making process.

Tadlock is aiming to produce more education for theme authors within a day or two. He has also committed to helping developers build controls that are not readily available.

Make me a list of controls you’d like to see. Core added a lot more options in 4.0, but I’m open to building any control classes that could be utilized by theme authors. If there’s a control that the customizer doesn’t support out of the box, it should be built by extending the core WP_Customize_Control class. I’ll at least attempt to build any controls that people need help with.

Theme developers who are worried about working with a limited set of customizer options will have help from the Theme Review Team. Those with themes that need updating have a six-month head start before the guidelines will be enforced on themes that submit an update.

by Sarah Gooding at April 22, 2015 09:00 PM under wordpress theme review team

Post Status: Theme Review Team to require using the Customizer for all theme options

The Theme Review Team announced that all themes hosted on WordPress.org will be required to use the Customizer for theme options moving forward. The new requirement will be phased in over 6 months, which gives existing theme authors some time to make the updates and new theme authors some time to adjust themes that might already be in progress.

This is a huge change. Although the Customizer has been available since WordPress 3.4 — which was released in June of 2012 — adoption has been slow on themes submitted to the official WordPress theme repository.

Official stats aren’t available, but of the ten most recent themes submitted to the theme repo I looked at, 20% had a custom options page. Of the ten most recent updates, 40% had a custom options page. This is a very small sample, but there’s no doubt this change will affect a large number of submissions.

From a theme review perspective this makes a lot of sense. Verifying proper sanitization and proper use of the Settings API can take a huge amount of time for reviewers.

Many theme authors use frameworks like the Options Framework, Redux, Titan, Options Tree, and UpThemes — but reviewers still need to check for potentially malicious alterations, proper text domains, and function prefixing. Standardizing this by requiring the Customizer will make the job of theme review simpler.

From a user interface perspective, it also seems like a good move. Users can always expect options to be available in the Customizer tab if they exist and they won’t need to navigate unfamiliar custom screen layouts — though users of specific themes might be confused when the options page disappears on an update and moves into the Customizer bar.

For theme authors it is probably a mixed bag. Many authors rely on WordPress.org to drive sales of commercial theme upsells, and the theme options page is a common place to promote such upsells. It can also take quite a bit of time to migrate options from a custom page to the Customizer and ensure perfect backwards compatibility.

Certain frameworks also provide features that aren’t native to the Customizer, like repeater fields, multiselect, image radio buttons, datepickers, editor instances, and custom typography options — though Customizer libraries like Kirki can also bridge those gaps.

The Customizer has evolved quite a bit since it was first introduced. WordPress 4.0 brought a number of enhancements like contextual controls, panels and additional field types. Core features like custom headers, custom backgrounds and widget editing have migrated to the Customizer and then been improved over successive releases. In the upcoming WordPress 4.2 release users will be able to switch themes directly from the Customizer.

It could be argued that space constraints in the Customizer could make organization a bit more difficult for themes that ship with hundreds of different options, but there are many examples of WordPress themes already handling this well.

The Make theme by the Theme Foundry is one such example. It has six custom panels and over three hundred individual customization options — but is still a very usable and popular product. Obox also went all in on the Customizer with their Layers page builder theme. Examples like these help prove that the Customizer can scale fairly well, even with a lot of options.

Personally, I think the standardization of options is a great move forward. I originally started developing the Options Framework (an easy way for developers to build custom options pages) over five years ago because there was not a good solution in core. I’m now happy to report that the code I helped develop is nearly obsolete as better tools have become available.

Photo: TRT member Emil Uzelac, by Sheri Bigelow

by Devin Price at April 22, 2015 03:21 PM under Developers

April 21, 2015

WPTavern: XSS Vulnerability: What to do if You Buy or Sell Items on Themeforest and CodeCanyon

photo credit: What’s important? (license)

Earlier this week, one of the largest coordinated efforts between WordPress plugin authors, Sucuri, and the WordPress security team resulted in a number of popular plugins receiving security updates. Due to inaccurate information in the WordPress Codex, a number of developers assumed that the add_query_arg() and remove_query_arg() functions escaped their output. They do not: when called without a URL argument they build on $_SERVER['REQUEST_URI'], which the visitor controls, so the returned URL has to be passed through esc_url() (or esc_url_raw() outside of HTML) before it is echoed or used.

When combined, Themeforest and CodeCanyon sell nearly 8.8K WordPress items. Stephen Cronin, Quality Team Leader for Themeforest and CodeCanyon, has published an official forum post that describes the vulnerability and how sellers can check for it within their items. If an item you sell uses any of the following, it is likely affected.

  • add_query_arg()
  • remove_query_arg()
  • TGM Plugin Activation class

TGM Plugin Activation is a PHP library created and maintained by Thomas Griffin and Gary Jones that allows developers to require or recommend plugins for themes or for plugins. It allows users to install and even automatically activate plugins in singular or bulk fashion using native WordPress classes, functions, and interfaces. Sellers should review their code and follow the guidelines published on the Make WordPress plugins site.
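
To make the pattern concrete, here is an added example (not code from the article, from TGM Plugin Activation, or from WordPress core) showing the vulnerable construction beside the fixed one. It assumes it runs inside WordPress, so add_query_arg(), remove_query_arg(), esc_url(), esc_url_raw() and wp_safe_redirect() are available; the function names, the query parameter names and the admin page in the constructed request are placeholders.

```php
<?php
// Added example; assumes WordPress is loaded. Names and the sample request are placeholders.

/**
 * VULNERABLE: with no URL argument, add_query_arg() builds on $_SERVER['REQUEST_URI'],
 * which the visitor controls, and it does not escape its result. Whatever is in the
 * request path lands inside the href attribute verbatim.
 */
function example_sort_link_vulnerable( $orderby ) {
	return '<a href="' . add_query_arg( 'orderby', $orderby ) . '">Sort</a>';
}

/**
 * FIXED: escape at the point of output. esc_url() is for URLs that end up in HTML; it strips
 * characters that cannot appear in a URL (including " < > and whitespace), entity-encodes &,
 * and rejects unsafe protocols, so the attribute cannot be broken out of.
 */
function example_sort_link_fixed( $orderby ) {
	return '<a href="' . esc_url( add_query_arg( 'orderby', $orderby ) ) . '">Sort</a>';
}

/**
 * remove_query_arg() has the same contract. When the URL is not going into HTML, for example
 * a redirect target or a value being stored, esc_url_raw() is the right escaper instead.
 */
function example_clear_sort_and_redirect() {
	$target = esc_url_raw( remove_query_arg( array( 'orderby', 'order' ) ) );
	wp_safe_redirect( $target );
	exit;
}

/*
 * Constructed request for checking the two link builders, e.g. from a test that sets the
 * server variable before calling them:
 *
 *   $_SERVER['REQUEST_URI'] = '/wp-admin/admin.php?page=example"><script>alert(1)</script>';
 *
 * example_sort_link_vulnerable( 'title' ) returns the quote, angle brackets and script tag
 * inside the href unchanged, which closes the attribute and injects markup.
 * example_sort_link_fixed( 'title' ) returns an href with those characters stripped, so the
 * browser treats the whole value as part of the URL.
 */
```

The check for an existing code base is mechanical: find every call to add_query_arg() or remove_query_arg() and confirm the value is wrapped in esc_url() where it is echoed into HTML, or esc_url_raw() where it feeds a redirect or a database write. Escaping inside a helper that builds the URL is not enough if a caller later concatenates the result into markup; the escape belongs at the point of output.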

While auditing the TGM Plugin Activation class, an XSS vulnerability was discovered. The TGM Plugin Activation class has since been updated, although its version number was not changed. If you’re a seller and use this class, you’ll need to update to the latest version of TGM Plugin Activation and update your item to include it.


If you use OptionTree, the marketplace review team is confident that all instances of add_query_arg and remove_query_arg in it are escaped properly. A future OptionTree update will add escaping around these calls, and you should include it in your item when it ships, but don’t delay updating your items while waiting for it.

Redux Framework

The Redux framework also uses add_query_arg and remove_query_arg, but most calls are escaped appropriately. There are a few questionable areas within the framework that the review team will provide updates on once they receive clarification.

Theme Authors

Theme authors who have bundled affected third-party plugins will be contacted by Envato in the next few days and asked to update their themes. You’re encouraged to check bundled plugins before then to see if they’re affected.


According to Cronin, all WordPress specific items are being evaluated. Once the evaluation is complete, buyers who purchased an affected item will be notified. There’s no time frame on when the evaluation will be completed, however, Cronin says it is a priority and progress reports will be published in this forum thread.

All Hands on Deck

Cronin says, “When submitting an update that addresses these issues, please include a note mentioning it’s related to the XSS vulnerability. This will allow us to prioritize the review of updates.”

Unlike the WordPress.org plugin directory, Themeforest and CodeCanyon only provide and notify buyers of updates if they register with the update system. It’s not an optimal upgrade routine and one that requires buyers to opt-in instead of opt-out.

It’s important that sellers on Envato’s marketplaces do their part to check and patch any XSS vulnerabilities discovered. It’s also important the lines of communication remain open between the marketplaces and buyers so they can update purchased items as soon as possible. If you do business with Themeforest or CodeCanyon, be on the lookout for updates to items you’ve purchased.

by Jeff Chandler at April 21, 2015 08:42 PM under themeforest

WPTavern: Facebook Has Abandoned Its Official WordPress Plugin


The official Facebook plugin for WordPress launched in 2012 with the help of engineers from Automattic and currently lists 14 contributing authors. The plugin is active on more than 200,000 websites, but Facebook has not updated the plugin description page to let users know that it has been abandoned.

The Facebook plugin has received no updates since March 2014, and support questions have gone unanswered for approximately a year. The plugin’s star ratings have plummeted to 2.2 out of 5.


The official word on the plugin is that Facebook has abandoned it and it is now supported by the community:

The Facebook for WordPress was an officially supported tool to help WordPress developers integrate Social Plugins and publish Open Graph stories.

The plugin is no longer officially supported by Facebook but is maintained by the developer community.

WordPress.com VIP still uses the plugin and has it listed among its plugins and partners but has developed a version tailored to VIP customers. If the plugin is similar enough to the official one listed on WordPress.org, it would be helpful to have some of the changes ported back to the community version.

I spoke with Sara Rosso from the VIP team to inquire about Automattic’s plans for the Facebook plugin. Automattic’s official response indicates that they will not be part of the community support effort:

We’re currently supporting the Facebook plugin for use on the WordPress.com VIP platform, and we’ve made some modifications to it to work with our infrastructure. Automattic was a contributor to the initial version of the plugin (we provided some consultation and support), but there aren’t any plans to officially adopt ongoing development of the plugin as of today.

The plugin provides a complex assortment of features that utilize Facebook’s ever-changing APIs. As such, it’s not easy to support and requires regular updates to keep it current with changes at Facebook. The year-old version is now riddled with bugs.

Until a new maintainer steps up to adopt the plugin, WordPress users have no choice but to use alternative community plugins, which are linked on the documentation for the official plugin on Facebook.com.

by Sarah Gooding at April 21, 2015 08:00 PM under wordpress facebook plugin

Matt: Apple Loyalty Program

So I finally got my hands on the new MacBook, finally resorting to Craigslist to find someone who had pre-ordered and pay them a small premium. I was going to write a review, and still will, but ended up writing a bunch on the process of buying things from Apple as a loyal customer.

I have done the second-market Craigslist dance with probably 90% of new Apple tablets and phones before, but never for a laptop. I’m sure every ounce of effort has been expended to capitalize on the hype of the announcements and ship as many of these as possible, but this Macbook/Watch roll-out still seems especially rough with the stores having zero inventory or knowledge of if/when they’re getting anything in, and ship dates now slipping into the summer. There’s a deeper issue though: it speaks to a lack of Apple’s knowledge and connection to their customers, even though they have all the data.

A great restaurant will track every time you’ve eaten there, how much you spent, your preferences, and use that to prioritize reservations and tailor service on subsequent visits. Airlines, for their terrible reputation, actually are decent at this too with their loyalty programs. On United I’m a Global Services level flyer and get some really nice perks as a result, with the knowledge that if I don’t fly a certain amount of miles and spend a certain amount of dollars with them in a calendar year I’ll lose those perks (as I did for a few months earlier this year) and so when choosing between two flights to somewhere I’m more likely to pick the United one. (Also I think some of airlines bad rep is undeserved, they are flying human beings miles in the air inside tin cans where the cost of an error is catastrophic, everything is highly regulated, and many service factors are literally dependent on the weather.)

I am an unapologetic, unrepentant Apple customer ever since I could afford it. One of the first things I did when I got my job at CNET in 2005 was upgrade my Mom from the inexpensive Linux box I built for her (all I could afford) to a Mac Mini. I get almost every new version of everything, including usually 4-6 phones a year (myself and family), at least a dozen laptops, iPads, Thunderbolt displays, iMacs, Mac Pros… at this point I’m probably a cumulative $100k customer of Apple, in addition to the millions we spend on Apple hardware at Automattic (everyone gets a new computer when they join, and we refresh them every 18-24 months, and a special W version at after 4 years of tenure). And I’m late to the game! There are Apple customers today who bought their first product decades ago.

However when pre-orders creak open at midnight, or people start queueing, the order of access to the latest and greatest from Apple is by whoever shows up first, or now online it’s essentially random depending on how lucky you are to load and complete the checkout process. In some ways there’s a beautiful equality to that, but for example when I went with Om in London for the 2013 iPhone release, 95% of the line was people just there to buy and flip it, either locally or ship overseas — the very front of the line was Apple lovers, but in the rest of the line I saw people using Android.

There is some sort of rank ordering inside Apple — Karl Lagerfeld and Beyonce have Apple Watches already, reviewers from Gruber to Pogue get devices a few weeks early to test — but imagine if there was an Apple Loyalty program for the rest of us? More than almost any other company Apple has been sustained through tough times by the belief and devotion of their best customers. It would be great if you could earn status with monetary (dollars spent) and non-monetary (impact on the world) points that give you priority ordering access, faster Genius bar appointments, maybe even access to events.

Maybe the truth is Apple doesn’t need to do that, I’m going to keep using them because they make the best products, and when things are rough in the early days (like with the new Macbook, a few recent versions of OS X and iOS) I stick it out because I know it’ll get better. To my knowledge no other tech product maker has done a great loyalty program before, though there are hints in Asian players like Xiaomi and OnePlus. Most luxury brands from Hermes to Patek are also bad at this, because they don’t understand technology and data. But how cool would it be if Apple did reward, or even just recognize, their most loyal customers?

by Matt at April 21, 2015 05:55 PM under Apple

WPTavern: Gateway: A Free WordPress Theme Built on the Foundation Framework

Gateway is an elegant and eye-catching new theme that recently landed on WordPress.org. Since its release less than a week ago, the theme has already been downloaded more than 1400 times. It’s easy to see why it’s an instant hit – the versatile design is perfect for writers, businesses, or personal sites.


The homepage design for Gateway includes a full-width header background image, a spot for featured posts, and a featured video. All of the theme options can be found in the customizer, including logo upload, accent color and background settings.

Gateway includes a custom page template for the home page as well as a full-width template. 404 pages also have a unique design. The theme includes support for one primary navigation menu and four optional widget areas.


Support for Jetpack Users

Gateway has built-in support for nine different Jetpack features, including contact form, infinite scrolling, post sharing, related posts, site icon, shortcode embeds, carousel, and tiled galleries. If you use any of these features on your site, the theme’s design will integrate them seamlessly.

Check out a live demo to see Gateway in action with all of the supported Jetpack features activated.

Gateway is Rescue Themes’ debut on WordPress.org. The theme and plugin shop was founded by Jami Gibbs in May of 2014. Rescue Themes builds products that are specialized for niches and organizations with a particular focus on humanitarian efforts.

Gateway was created using Underscores, Devin Price’s Customizer Library, and Zurb’s Foundation Framework.

“I find Foundation to be easier to selectively include components, keeping the theme lean,” Gibbs said. “I also like the different grid options available, centering columns, offsets, etc. Last but not least, it’s developed in Sass.”

Rescue Themes’ primary avenue of distribution is currently through Themeforest. Gibbs is one of a handful of WordPress theme authors who are trying to make a difference by selling themes that conform to WordPress.org Theme Review standards.

“I know Themeforest hasn’t always been the greatest place to find quality products,” she said. “A few of us are trying though.

“I think a lot of theme devs think they’ve always developed to WP standards and I was among that crowd until I enlisted the help of Emil and Justin’s Themereview.co for the Merch, which I released earlier in the year,” Gibbs said. “Since then, I’ve released another premium theme, Brewery, and now Gateway – all built with those standards in mind.”

To reinforce her knowledge of best practices, Gibbs also volunteers as a reviewer on the WordPress.org Theme Review team. The rigorous process of getting her theme approved took months, but she finds it to be worthwhile both for brand exposure and for giving back to the community.

So far Gateway has been successful at attracting downloads on WordPress.org, and Gibbs plans to release more free themes as time allows. If you want to use the theme and need help getting started, you’ll find solid documentation and demo content available for Gateway on the Rescue Themes website.

by Sarah Gooding at April 21, 2015 04:35 PM under themeforest

WPTavern: WordPress 4.1.2 is a Critical Security Release, Immediate Update Recommended

WordPress 4.1.2 is available and is a critical security update for all previous versions of WordPress. The release contains eight security fixes: one high-risk issue, three medium-to-low-risk issues, and four changes that harden WordPress. This is the first major security update to WordPress core since WordPress 4.0.1, released in late 2014. Three of the security issues addressed are:

  • In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of HSASec.
  • In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack. Discovered by Jakub Zoczek.
  • Some plugins were vulnerable to SQL injection. Discovered by Ben Bidner of the WordPress security team.

The team is aware that two update prompts are being shown; this is expected behavior. Users are encouraged to click the colored update button. The color of the button will differ depending on the admin color scheme you use.

Red Update Button

WordPress 4.1.2 is not related to the cross-site scripting vulnerability discovered in a number of plugins and reported yesterday. If you’ve disabled automatic updates for point releases, you’re encouraged to update as soon as possible. Auto updates are being pushed out, but if you don’t want to wait, you can manually update WordPress by browsing to Dashboard – Updates.

by Jeff Chandler at April 21, 2015 03:27 PM under vulnerability

Matt: Intermittent Fasting

I’m going to try out intermittent fasting for a few weeks, after hearing about it for several years from fit-minded friends. It’s tough to find a link on it that doesn’t have some sort of newsletter popup or sell an ebook, but Tim had a good guest post on it in 2008 which ends on a skeptical note, and this beginner’s guide to intermittent fasting by James Clear is awesome for its graphics and straightforward way of introducing the concept and ways to approach it. I’m going to aim for a late lunch and a normal-timed dinner, since, like James, dinner is often my most social meal.

Update: I also forgot that I wrote about this with a few more links and some good comments in January.

by Matt at April 21, 2015 04:24 AM under Asides

April 20, 2015

WPTavern: Applications to Host WordCamp Europe 2016 Closing Soon
WordCamp Europe 2015 will be held at the end of June in Seville, Spain, but organizers are already finalizing host city applications for the 2016 event. A final call for host cities went out today and organizers announced that applications will close on Friday, April 24.

This highly anticipated WordPress event is expected to bring in roughly 1,000 attendees from around the world. Such a massive undertaking requires a revolving planning process that prepares for the next year’s event while simultaneously planning the current year.

Organizers for 2016 will be required to attend and assist in organizing the 2015 event as part of the new organizer mentoring program the team is piloting this year. Candidates must demonstrate excellent communication skills and become a reliable point of contact before being selected to learn the ropes for the 2016 event.

“We think it’s important for next year’s team to get involved in this year’s organization,” co-organizer Petya Raykovska said. “That’s why we started early and one of the requirements for the applying teams is to be available to join the team in Seville if chosen.”

WordPress representatives in cities vying for the chance to host WCEU 2016 are required to complete a budget for each proposed venue and a detailed application form, which includes a team member summary, transportation and hotel information, and several other aspects of the event.

“Compiling the application takes time and it’s understandable they’ll all come in the last week,” Raykovska said. She and other members of the organization team have been in contact with several local WordPress communities that will be applying, as the prospect can be somewhat daunting given the level of detail required.

“Some teams need a bit of a nudge to feel confident enough to apply, even if they’ve done exceptional work organizing their local events,” she said.

The host city for WCEU 2016 will be selected by mid-May, which will give the new organizers enough time to get involved in the most active and important stages of the 2015 event. A sample budget and application form are available on the WordCamp Europe website. Local European WordPress communities have five remaining days to apply.

by Sarah Gooding at April 20, 2015 10:18 PM under WordCamp Europe

Last updated: April 28, 2015 02:15 PM. All times are UTC.