WordPress Planet

February 24, 2017

WPTavern: Discourse Creates Encouragement Fund to Pay Contributors for Mission Critical Work

Discourse is free, open-source discussion software created by Jeff Atwood in 2013. In addition to celebrating its fourth birthday, the team announced the Discourse Encouragement Fund. The fund allows the development team to pay contributors for critical work.

In the course of a year, Discourse has paid 16 different developers a total of $17,000 to work on tasks. All of their work is open source and two of the contributors joined the team as full-time employees.

Discourse shared its 7-step process for rewarding contributors and the one that sticks out to me is number four: “We choose who, what and when.”

“At first we tried to put tasks ‘up for grabs’, but this method didn’t work too well,” Erlend Sogge Heggen, Community Advocate at Discourse said. “You end up with multiple takers and you have to pick one and let others down.”

“Instead, we approach developers individually, one at a time. Since we’re an open source project we know fairly well who’s capable of what, so we’ll tap our top prospect, present the task and ‘bounty’, and get a yes or no.

“If no, we move on to the next good prospect. If we run out of good prospects for a specific task, we’ll either do it ourselves or put it on hold.”

Heggen says the program has worked well thus far and will continue indefinitely. “As much as we’d like to, we can’t put every one of our contributors on a steady payroll,” he said.

“What we can do is remind them that the work they’re doing is valuable, in every sense of the word, and that there is money to be made from specializing in Discourse.”

The program is funded by customers who purchase hosting plans. “The general idea is that paying customers help improve Discourse, both for themselves, and for the greater open source community at large,” Atwood said.

Introducing money into an open source project can be risky but so far, Discourse has found a way to make it work.

by Jeff Chandler at February 24, 2017 07:20 PM under open-source

WPTavern: Cloudflare Memory Leak Exposes Private Data

Cloudflare, a content distribution network used by many popular sites, published detailed information about a security vulnerability that leaked user information, some of which was private, including passwords, private messages, etc. The vulnerability was discovered by security researcher Tavis Ormandy, a member of Google’s Project Zero team.

The issue stems from a memory leak in an HTML parser named cf-html that was created to replace an older parser based on Ragel.

“It turned out that the underlying bug that caused the memory leak had been present in our Ragel-based parser for many years but no memory was leaked because of the way the internal NGINX buffers were used,” John Graham-Cumming, Chief Technology Officer at Cloudflare said. “Introducing cf-html subtly changed the buffering which enabled the leakage even though there were no problems in cf-html itself.”

The earliest date on which information was leaked was September 22nd, 2016, when Automatic HTTP Rewrites were enabled. This was the first of three features introduced that used the parser. The other two are email obfuscation and Server-side Excludes.

The greatest period of impact was between February 13th and February 17th. The leaked information ended up in publicly available cached webpages. Cloudflare worked with major search engine providers to have the cached pages scrubbed before publicly announcing details of the bug.

“With the help of Google, Yahoo, Bing and others, we found 770 unique URIs that had been cached and which contained leaked memory,” Graham-Cumming said. “Those 770 unique URIs covered 161 unique domains. The leaked memory has been purged with the help of the search engines. We also undertook other search expeditions looking for potentially leaked information on sites like Pastebin and did not find anything.”

1Password is Not Affected

Earlier reports indicated that 1Password was among the sites affected. Jeffrey Goldberg, a 1Password employee, assured users that the Cloudflare data leak does not affect 1Password.

“At the moment, we want to assure and remind everyone that we designed 1Password with the expectation that SSL/TLS can fail,” Goldberg said. “Indeed it is for incidents like this that we deliberately made this design.”

“No secrets are transmitted between 1Password clients and 1Password.com when you sign in and use the service. Our sign-in uses SRP, which means that server and client prove their identity to each other without transmitting any secrets. This means that users of 1Password do not need to change their Master Passwords.”

Change Your Passwords

Nick Sweeting has used a number of web scrapers to compile a list of sites that use Cloudflare. The list is available on GitHub and currently contains 4,287,625 domains that are possibly affected. Popular domains in the list include:

  • authy.com
  • coinbase.com
  • digitalocean.com
  • patreon.com
  • bitpay.com
  • news.ycombinator.com
  • producthunt.com
  • medium.com
  • 4chan.org
  • yelp.com
  • okcupid.com

The bug also affects mobile apps, as HTTP header data for apps such as Discord, FitBit, and Uber has been discovered in search engine caches. NowSecure published a list that includes 200 iOS apps that use Cloudflare services.

Users are strongly encouraged to change their passwords regardless of whether a site uses Cloudflare. Those who use Cloudflare should generate new API keys and consider forcing a password change for their users.

Two-factor authentication should be enabled where possible so that the password is not the only credential needed to access an account. Mobile users should log out of mobile applications and log back in to create a new active token. To force all users on a WordPress site to log out and log back in, WPStudio recommends changing the salt keys in wp-config.php.
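As an added example, not code from the WPTavern post or from WPStudio, the following Python script rotates the eight secret key and salt constants in wp-config.php; WordPress signs its login cookies with these values, so replacing them invalidates every existing session at once. The sample wp-config.php text, its placeholder values, and the `rotate_file` helper are constructed here.

```python
"""Rotate the WordPress secret keys and salts in wp-config.php.

WordPress derives the HMACs on its auth, logged-in and nonce cookies from the
eight constants below, so replacing them invalidates every outstanding session
cookie: all users are logged out and must sign in again with their (hopefully
new) passwords.  Nothing in the database changes.
"""
import re
import secrets
import string
import sys
from pathlib import Path

# The eight constants WordPress reads from wp-config.php.
WP_KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable ASCII without quote, backslash and whitespace characters, so a
# generated value can be dropped into a single-quoted PHP literal unescaped.
KEY_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~`+=,.;:/?|"

# Matches one define( 'NAME', 'value' ); statement.  The value is captured up to
# the quote character that opened it, which is enough for the stock placeholder
# text and for values generated from KEY_ALPHABET.
DEFINE_RE = re.compile(
    r"""(?P<prefix>define\(\s*(?P<q1>['"])(?P<name>[A-Z_]+)(?P=q1)\s*,\s*)"""
    r"""(?P<q2>['"])(?P<value>.*?)(?P=q2)"""
    r"""(?P<suffix>\s*\)\s*;)"""
)

# Constructed sample of the relevant part of a wp-config.php (not a real site).
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_PASSWORD', 'example-only' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""


def generate_key(length: int = 64) -> str:
    """Return a fresh key from the OS CSPRNG (64 characters, as WordPress uses)."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def parse_defines(config_text: str) -> dict:
    """Map each define()d constant name in the config to its string value."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(config_text)}


def rotate_salts(config_text: str, keygen=generate_key):
    """Rewrite the eight salt defines with fresh values.

    Returns (new_text, rotated, missing): the rewritten config, the names that
    were replaced, and any of the eight names the config did not define.  Every
    other define() (DB_NAME, DB_PASSWORD, ...) is left intact.
    """
    rotated = []

    def replace(match):
        name = match.group("name")
        if name not in WP_KEY_NAMES:
            return match.group(0)
        rotated.append(name)
        return f"{match.group('prefix')}'{keygen()}'{match.group('suffix')}"

    new_text = DEFINE_RE.sub(replace, config_text)
    missing = [name for name in WP_KEY_NAMES if name not in rotated]
    return new_text, rotated, missing


def rotate_file(path: str) -> list:
    """Rotate the salts in a wp-config.php on disk, keeping a .bak copy first."""
    config = Path(path)
    original = config.read_text(encoding="utf-8")
    new_text, rotated, missing = rotate_salts(original)
    if missing:
        # Refuse a half rotation: WordPress falls back to salts stored in the
        # options table for any constant it does not find, and those are not
        # touched by this script, so sessions would survive.
        raise ValueError(f"{path} does not define: {', '.join(missing)}")
    Path(path + ".bak").write_text(original, encoding="utf-8")
    config.write_text(new_text, encoding="utf-8")
    return rotated


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print("rotated:", ", ".join(rotate_file(sys.argv[1])))
    else:  # no path given: show the rewrite on the constructed sample
        print(rotate_salts(SAMPLE_CONFIG)[0])
```

Run it with the path to a site's wp-config.php to rotate in place, or with no arguments to see the effect on the constructed sample.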

Although major search engines are actively scrubbing cached pages, the leaks have been occurring for at least four months. There’s no telling who may have already scraped those pages and archived the data. There’s also the possibility that someone discovered the vulnerability before Ormandy and has been parsing cached pages for months. This is why it’s important that at a minimum, you change your passwords.

by Jeff Chandler at February 24, 2017 07:03 PM under security

WPTavern: Google’s New Perspective Project Filters Online Comments Based on Toxicity

photo credit: Martino Pietropoli

Online harassment is a hot topic right now, as Twitter’s perennial battle with trolls heats up, forcing the company to develop new features to combat abuse. Technology companies are scrambling to create solutions that will make their communities safer for users and now Google is taking on the challenge of online harassment as part of its Jigsaw technology incubator. Jigsaw’s engineers and researchers tackle geopolitical problems like attacks on free speech, injustice, corruption, and violent extremism.

Perspective is Jigsaw’s latest project aimed at improving the comment sections of websites, which can become hotbeds of harassment when left unmoderated. It turns out that eliminating the darker aspects of human behavior, especially when combatting those operating under the cloak of online anonymity, has proven to be an exquisite challenge best suited to the bots.

The Perspective project uses machine learning to identify and filter comments for toxicity. Its API scores comments based on “the perceived impact a comment might have on a conversation.” Publishers can then use that information to offer real-time feedback to commenters and speed up moderation. The live demo allows readers to filter the comments based on a sliding scale of toxicity that they are willing to engage.

The Perspective site also includes a Writing Demo that delivers real-time feedback for the toxicity level as you type. The model defines toxic as “a rude, disrespectful, or unreasonable comment that is likely to make you leave a discussion.”

Developers Can Request Access to the Perspective API and Major Publications are Already Experimenting with It

Toxic commenting and trolls are especially rampant on news sites, requiring moderators to be constantly vigilant and ready to neutralize threats to civil discourse. This is why the New York Times employs 14 full-time moderators to manually review the 11,000 comments that come in each day. Despite the efforts of this dedicated team, commenting is only available on 10% of Times articles due to the moderation load.

As a partner on this project, the New York Times open sourced 10 years of moderated comment archives to help the Jigsaw team build the machine learning models that will improve conversations on the web. The publication is currently creating an open source moderation tool to expand community discussion to other areas of the Times.

The Wikimedia Foundation is also collaborating with Jigsaw to develop tools for automating detection of toxic comments and analyzing their impact in discussions at scale. These tools are aimed at mitigating the personal attacks levied at volunteer editors in an effort to improve overall community health.

The Perspective project is still in its early days of research and development, but developers can sign up to request an API key. Google will be open sourcing the experiments, models, and research data gained from testing machine learning as a tool for improving online discussion.

As WordPress powers more than 27% of all websites, a plugin built with the Perspective API could have a major impact on raising the standard of discourse for a large segment of comment-enabled sites. Many publications that might otherwise value thoughtful discussion have resorted to turning comments off entirely because of the burden of moderation.

Those who rattle off the tired internet maxim that says “Never read the comments” speak to the pervasive toxicity that has invaded online discourse, but they also betray their own fragility in engaging commenters who sabotage discussions with incivility. Readers don’t always have the emotional energy to deal with rude comments that slipped through moderation. While some may find Reddit-style wild west commenting to be spirited and amusing, there are plenty of others who find it demoralizing.

One thing I appreciate about the Perspective project’s demo is that its aim isn’t to edit or change the comments to be less toxic but rather it offers the reader a way to filter based on the individual’s comfort level. With clear warnings in place and a default view set on the safer side, the publication is no longer obligated to over-censor comments for the lowest threshold of offense.

The Perspective project is experimenting with using machine learning to wrangle the human factor of interacting online. It’s come to the point that moderating comments and weeding out toxicity has become overwhelming for those trying to run a publication. The most encouraging aspect of this experiment is that Google put engineers, designers, and researchers on this problem because comments still matter. This new technology affirms the importance of public discourse on the web and aims to preserve comments as a safe place for conversations. I’m interested to see what WordPress developers can build with the Perspective API once it is available.

by Sarah Gooding at February 24, 2017 04:17 AM under google

February 23, 2017

WPTavern: WordPress Community Summit 2017 Set for June 13-14 in Paris

WordPress contributor teams are getting ready for the next Community Summit, which will be held in Paris leading up to WordCamp Europe on June 13-14. This is the first time the event will be held outside the United States, making it more accessible to European community members who may have been unable to attend previous summits.

The summit provides an opportunity for those who contribute to WordPress and its surrounding community to tackle difficult topics that require in-person discussion or collaboration. This year the organizing team is trying a new selection process for attendees. Instead of the previous invitation-only system, contributor teams are identifying the challenging issues they want to discuss and then nominating attendees who will represent diverse viewpoints on these particular topics.

For example, a few proposed topics for the core team include discussions about the future of JavaScript in core, how to attract more JavaScript-first developers to build on WordPress, and technology version support policies (PHP, MySQL, browsers, etc.). Theme Review Team contributors have proposed discussion on how to allow for more experimentation and ways to improve the leadership of the team and the theme author and reviewer experiences.

Each of the 16 contributor teams tagged in the announcement has until March 3rd to create a list of topics and representatives, including contributors who are willing to help organize the event. An application form is open for those who represent other interests within the WordPress community but are not part of one of the contributor teams. The summit will be limited to 180 attendees (the capacity for the venue).

The call for sponsors will be published next week, but promotional activities will not be incorporated into the event. The organizing team is also working on finding sponsors to cover travel expenses for contributors who have financial barriers to attending.

“The idea of this event sponsorship is about supporting the project and the community,” summit organizer Rocio Valdivia said. “So, there aren’t levels of exposure associated with each price level other than the label that will show up in the make/summit p2 page for it and on the sidebar. We’ll add links to their sites, logos, and a huge thanks at the event to all sponsors, regardless of how much they’ve sponsored. The sponsorship levels are about the desire and financial ability of the companies to contribute to the summit, not about a marketing thing.”

The summit is closed to the public and the press, but there is a decent level of transparency around the topics attendees plan to discuss if you peruse the make.wordpress.org blogs. If contributor teams publish notes from the discussions as they have in previous years, the wider community will be able to follow along to see if the summit precipitates meaningful progress for the project.

by Sarah Gooding at February 23, 2017 10:05 PM under community summit

Akismet: Akismet WordPress Plugin 3.3 Now Available

Version 3.3 of the Akismet plugin for WordPress is available.

In addition to a handful of bug fixes, version 3.3 refreshes the Akismet settings page design and adds an improved first-run experience. Now, when you activate Akismet for the first time, it will offer to check your current Pending queue for spam, and for especially large pending queues, it will show a progress indicator.

For full details on all of the changes since version 3.2, see the changelog.

To upgrade, visit the Updates page of your WordPress dashboard and follow the instructions. If you need to download the plugin zip file directly, links to all versions are available in the WordPress plugins directory.

by Christopher Finke at February 23, 2017 06:08 PM under WordPress

February 22, 2017

WPTavern: WPWeekly Episode 264 – REST API, Disqus, and Happy Birthday Discourse

In this episode, Marcus Couch and I discuss the news of the week. We introduce a new segment of the show called “What’s on WordPress.tv?” where we highlight three videos to check out. We also share details of upcoming WordCamps in the month of March.

Stories Discussed:

A Case for REST API
BuddyPress 2.8 Boosts Minimum PHP Requirement, Adds Twenty Seventeen Companion Stylesheet
Disqus Hits Sites with Unwanted Advertising, Plans to Charge Large Publishers a Monthly Fee to Remove Ads
How to Check if Installed Plugins Are No Longer in the Plugin Directory
Happy Fourth Birthday Discourse

What’s On WordPress.TV?

WordCamp Manila 2016

Andrew dela Serna: How We Work in Automattic

Learn what it’s like to work at Automattic, the tools they use, our culture, the people, how to apply and what’s next for the company.

WordCamp Waukesha 2017

Ryan Erwin: Digital Marketing, Strategy and SEO

Ryan Erwin discussed digital marketing strategy for business as it relates to on and off page SEO, content marketing, and conversion optimization. He reviews how to plan, implement, and analyze your strategic initiatives.

WordPress Community Interview Series

WordPress Community Interview With Isabelle Garcia

Isabelle Garcia is a front-end web developer and social media geek. She is a “Digital Nomad” and travels the world working remotely. She has no fixed base, no office. Isabelle likes to frequent local libraries, not to borrow books but to take advantage of the quiet atmosphere.

While other digital nomads meet at coffee shops or co-working spaces, she likes to spend entire days and even weekends in the common areas and desks of public libraries.

Plugins Picked By Marcus:

Really Simple Click To Call Bar adds a customizable click-to-call bar to the bottom of the browser window on mobile devices. It enables users to easily call you from their phone and automatically adds events if you’re using Google Analytics Universal. Perfect for small businesses like restaurants, retail stores, or any lead generation that relies on phone calls.

Responsive tables lets you create and display tables easily on your website with shortcodes. HTML tables can be used to display pricing, comparisons, DBMS tables and much more.

WP Demo Buddy instantly creates a dedicated expiring Demo/Trial instance of WordPress with any WordPress Plugin and Theme to each of your website visitors. Your website visitors can test drive your plugins securely before they buy or test drive the plugins you review/sell on your website.

WPWeekly Meta:

Next Episode: Wednesday, March 1st 3:00 P.M. Eastern

Subscribe To WPWeekly Via iTunes: Click here to subscribe

Subscribe To WPWeekly Via RSS: Click here to subscribe

Subscribe To WPWeekly Via Stitcher Radio: Click here to subscribe

Listen To Episode #264:

by Jeff Chandler at February 22, 2017 10:29 PM under security

WPTavern: Zerif Lite Returns to WordPress.org after 5-Month Suspension and 63% Decline in Revenue

In October 2016, Zerif Lite was suspended from the WordPress Themes Directory after failure to comply with the Theme Review Team’s guidelines. The suspension left 300,000 users (including those using Zerif Lite child themes) without maintenance and security updates.

After five months of fixes and several rounds of review, Zerif Lite has returned to the directory with the same functionality but a significantly altered user experience. Users are now required to install a plugin for the features that were previously deemed to be “faux custom post types,” violations of the content vs. presentation guideline for WordPress.org-hosted themes. These include small custom content blocks that appear on the homepage for things like team info and testimonials.

“We will work on making sure it is all clear for people, but I still don’t understand or agree with the requirement,” ThemeIsle CEO Ionut Neagu said. “I think Torsten phrased it better: ‘Why do the guidelines of the Theme Review Team forbid the usage of Shortcodes/CPTs/etc. due to problems when switching themes, if, in the meantime, the Plugin Review Team explicitly allows those plugins which only work for one theme, which brings the entire idea (function remains intact after switching themes) to absurdity?'”

At the time of suspension, Neagu estimated that Zerif Lite’s unavailability on WordPress.org would diminish the company’s revenue by 50%.

“What was interesting is that revenue continued to decrease for all those months and we are now at around $45k/month instead of $120k,” Neagu said. “That revenue won’t be back as the theme is live. A big part of success/sales before was that we had a great demo, a very easy-to-set-up theme, and ‘better’ upsells.”

Neagu said the company has seen no significant increase in revenue during the first few days the theme has been back in the directory. His team has considered releasing the theme under a completely different name but is committed to supporting the current version for at least the next two years. Meanwhile, they have built newer themes like Hestia to be capable of importing Zerif content seamlessly into their designs to avoid the lock-in effect.

Neagu said the experience of losing so much revenue has not changed the company’s strategy for distribution. They will continue to add new themes to WordPress.org but Neagu said they would be lucky to add two per year, given the limitation of one theme per account and a 6-7 month waiting period in the queue.

Zerif Lite’s suspension was a controversial decision. Many who commented on our first post about the issue were pleased to see the Theme Review Team finally throw the book at ThemeIsle after the company had been allowed to skirt the requirements for more than a year without resolving the issues. Others saw the situation as an opportunity to re-examine the directory’s requirements.

“Perhaps the rules surrounding theme submission to the repo should be relaxed for everyone – limited only to security concerns perhaps, let the market sort out the rest,” Bradley Kirby, author of the Wallace theme, said. “Is it possible that absolute data portability isn’t an expectation or desire from most end users? That they expect to do some manual porting of data when they change themes? That they prize other features like site design and built-in functionality over something like data portability?”

Zerif Lite has been at the center of the Theme Review Team’s discussions regarding data portability for the past two years after the team began cracking down on violations of the Presentation vs. Functionality guideline. The spotlight shined on Zerif Lite during that discussion eventually culminated in its suspension, as Neagu was forced to comply or have his theme removed.

“I think our goal should just be to provide the best experience for the users, not just to comply without thinking about what users want,” Neagu said. “At least this is my goal – to build the best products that will help people to build their sites.”

The Risks of Using WordPress.org as a Primary Distribution Channel

WordPress.org is arguably the most effective way for a theme company to reach mass quantities of users with a freemium theme. The directory lends a great deal of credibility to its listings because of the stringent guidelines and rigorous review process. Failure to comply with these guidelines ultimately ended up sinking ThemeIsle’s flagship theme and Neagu is not optimistic that the previous revenue will return.

“During this whole time, a thing that caught me off guard was some people’s comments wondering if it was even safe to use a theme that was removed from the repo in the first place,” Neagu said. “I mean, in the user’s mind, and understandably so, there must have been something wrong with the theme since it got removed, right?” He said this experience caused him to see things differently.

“Being listed in the official repository doesn’t only get you downloads and/or sales, but also trust and credibility in the eyes of your potential users,” Neagu said. “Unfortunately, most of the users who install themes directly via their WP dashboards are not very experienced, and they have no reason to research the web a bit more to find out what happened to the theme they heard about. In other words, if someone types ‘zerif’ into the search field in their dashboard and they find nothing, they just move on.”

Neagu said that in spite of differences ThemeIsle has had with the Theme Review Team, the company will continue to contribute and be part of the community. The theme’s suspension, re-working, and reinstatement is an interesting case of what can happen when a company’s sales strategy is at odds with WordPress.org’s requirements.

“Our products are focused towards beginners, being super easy to setup with built-in demo content, so they are not niched products that we can distribute in different communities,” Neagu said.

“It is obvious that relying on a third-party marketplace is the worst scenario, but WordPress.org is the default solution: if you want to reach a large mass of people, you need to be there.”

by Sarah Gooding at February 22, 2017 09:47 PM under zerif lite

BuddyPress: BuddyPress 2.8.1 Maintenance Release

BuddyPress 2.8.1 is now available. This maintenance release fixes four bugs, including two regressions in BuddyPress 2.8.0. See the Trac milestone or the official changelog for more details.

Version 2.8.1 is a recommended update for all BP installations. Update via the WordPress Dashboard, or download manually from wordpress.org.

by Boone Gorges at February 22, 2017 07:41 PM under releases

WPTavern: WordPress Core Editor Team Publishes UI Prototype for “Gutenberg,” an Experimental Block Based Editor

In the past few weeks, the WordPress Core Editor team, led by Automattic employees Matías Ventura and Joen Asmussen, has been hard at work creating a new content creation experience. The team recently published a UI prototype for Gutenberg, an experimental block-based editor. The editor displays content-specific toolbars when an element is selected and provides a way to move blocks up and down.

Block Based Editor UI Prototype

While the goal is to reinvent WordPress’ current editor, there’s no guarantee that the prototype will end up as the final product, and it is in a high state of flux.

“The UI prototype exists mostly to serve as a non-static mockup,” Asmussen said. “It’s like a sandbox we’re building to test some of our mockups and assumptions, to see if they hold water or not. To that extent, it’s already been successful in informing us of things that worked well, and not so well.” The code that powers the editor is made up of about 90% JavaScript.

One of the concerns in revamping the editor is accessibility. Joe Dolson highlighted this concern in a post on the Make WordPress Accessible site. Dolson notes that the accessibility team will work in tandem with the editor team to make the new editor as accessible as possible.

“From an accessibility perspective, this is both an incredible opportunity to build a powerful and flexible experience for all users and an enormous risk that we could end up reducing the effectiveness of the editor for users with disabilities, or require them to use a 2nd-class editor without these enhanced editing capabilities,” Dolson said.

“We in the WordPress accessibility community embrace the challenge of creating a great new experience, and want to assure the community that we are going to do everything we can to make sure that any new editor experience is as accessible as we can possibly make it.”

Although the prototype’s functionality is limited, the team is interested to hear about your experience and expectations with using the editor. Some questions to consider during testing include:

  • Talk through each step, what does this do?
  • What does this feel like?
  • As you use it, what is missing you feel should be there?

Many users have already shared their experiences, providing valuable insight that is fueling rapid improvements to the project on GitHub.

The best way to get involved and contribute to this project is to subscribe to the Make WordPress Design blog and provide feedback by commenting on posts. You can also submit pull requests or issues on GitHub. Weekly meetings dedicated to the Editor component are held on Wednesday at 19:00 CET on Slack in the #core-editor channel.

by Jeff Chandler at February 22, 2017 06:31 PM under prototype

HeroPress: A Sense Of True Freedom

Pull Quote: At any given time, I am who I want to be, & I'm right where I want to be.

It’s 7:30 in the morning in Rio de Janeiro, Brazil. The hostel’s cat just came to say “Good morning” and I just finished my night shift on the WPMU DEV forum. It’s my third day in Rio after spending the last 40 days in Bogota, Colombia. Traveling is in my blood or at least, it is now.

I’m a full-time digital nomad and I have been for over a year now.

I’m single, I’m female and because of WordPress, I can travel around the world and work at the same time.

I started using WordPress in 2009, but I like to think that everything started in 2011 when I attended my first WordCamp in Poland. I remember I was extremely shy, scared and a bit lost on the first day of WordCamp.

It was a different world to me or at least in contrast to what I had at home – a small city in South East Poland. It was different because for the first time in a long time since college, I felt like I fit in with everyone there. They were a right fit for me and so was that place.

Since that first WordCamp, I also attended many more in Poland as well as in other countries. Later, I went on to be the lead organizer of WordPress meetups in Wrocław and two WordCamps in Poland. I was also a speaker for many Polish events and for one WordCamp Paris.

If not for the WordPress community and the friends I met on that very first WordCamp, I wouldn’t have been able to achieve any of those accomplishments.

But how could I have become a full-time digital nomad, you ask?

In 2015, I was stuck. I had a great, steady job in Wrocław. I was working with WordPress and everything was perfect, at least, that’s what I thought at the time.

I achieved almost everything that society around me was expecting: a partner, apartment, a great job and the next step would have been getting married and having kids. Suddenly, I was sinking.

For a year, the only moments when I was truly happy were when I was attending WordCamps and WordPress meetups – when I was with my “tribe”, my friends.

Then, in May of 2015, something incredible happened: one of my friends sent me a link to a list of 70 companies which offered positions working remotely. Three of them were related to WordPress: Automattic, OnTheGoSystems and Incsub.

That same day, I feverishly filled out an application for a position as a Support Star at Incsub, the parent company to WPMU DEV.

After a wait full of agonizing anticipation, I finally got the job and six months later, I bought a one-way ticket to Japan, then one to Australia.

This was just the start of my life as a digital nomad.

Working at WPMU DEV remotely with partial dedicated hours and the rest being flexible allowed me to move and work while traveling.

The people I work with comprise the best team ever. My boss, Tim, is incredibly supportive and is willing to help when something bad happens. I didn’t need to be worried about my job when my plans suddenly made a turn for the worse, which did happen. When I had to fly back to Poland in the middle of the week due to family emergencies, it wasn’t a problem.

I always felt safe in the WordPress community and now I’m grateful to also feel safe with the people I work with even though we’re spread out across the globe and across many cultures.

Even though I’m confident in my choice of being a digital nomad now, that wasn’t always the case. This was especially true since I apparently managed to make quite the big scandal in my hometown because “good girls” don’t run away.

To my dismay, I was constantly told, “Study hard and you will get a nice, steady job in an office with insurance and a guaranteed retirement.”

How could I not want that? After all, that’s supposed to be the dream of every woman, right? That’s what I was constantly told, anyway.

Luckily, my best friend (who I had met at a WordCamp!) was there for me and said, “Don’t let them get to you. You are far away and they can’t hurt you.”

Since then, I stood with my decision to finally be free and happy.

Growing up in a small city and being interested in computers and IT was not easy, to say the least. Those aren’t traditionally considered subjects that interest girls. It also became all the more difficult when I realized this was something I wanted to do and nothing else.

There weren’t many people around me in my hometown who understood what I wanted to do and even fewer people who would support me. Unfortunately, this is still true. It became tougher when I was diagnosed with heavy bipolar disorder.

At that time, everything sucked. I was lost and hopeless.

Compounding my stress, it was around then that I realized I also suffered from the impostor syndrome – the belief that you don’t know enough about the industry you’re in to be capable of doing your job and that you never will despite anything you do.

There was an ugly feeling that crept in: I wanted to be somewhere else and I wanted to be different.

Fortunately, every time I attended a WordCamp or WordPress meetup, these thoughts would melt away because I felt completely supported.

It didn’t matter that I’m a girl or that I’m delightfully weird. What did matter was that I was knowledgeable about WordPress, my skills were growing quickly and that I could contribute to the community using my organizational skills.

During these meetings, I don’t ever remember someone assuming that I’m a graphic designer because I’m a girl and “girls know color.” There’s nothing wrong with being a graphic designer, but assuming someone is based solely on their gender – there’s definitely something wrong with that.

In reality, I’m a theme developer and in the WordPress community, that wasn’t unusual.

It helped me gain confidence in myself and my skills. With that confidence, I found courage to start a life where I’m no longer wanting to be somewhere else or be someone else.

At any given time, I am who I want to be and I’m right where I want to be.

Solo traveling isn’t always peaches and cream or sunshine, lollipops and rainbows everywhere, especially when I’m sick and inevitably alone. All things considered, I wouldn’t swap it out for what many would consider to be a “normal” life – whatever that is – and instead, I think it’s important for people to do what makes them happy and not just what others expect of them.

As a digital nomad, I was able to go to WordCamps in Tokyo, Belgrade, the US, Singapore and Vienna. I have met many new people and I have collected incredible memories along the way.

This year and in many more to come, while others may doubt my choices, I’ll be happy, traveling to more WordCamps and enjoying a sense of true freedom just because I can.

The post A Sense Of True Freedom appeared first on HeroPress.

by Kasia Świderska at February 22, 2017 12:00 PM

February 21, 2017

WPTavern: Solving the Mystery of How People Actually Use WordPress

I’m in favor of WordPress collecting more anonymized usage data that could help make informed decisions on changes or improvements to core, such as tracking changes to the WordPress user interface, which buttons or settings are used most often, etc.

A good example of when this data could have come in handy is the recent removal of the justify and underline buttons from the editor in WordPress 4.7. During the discussion on whether they should be removed or not, a number of people questioned if there was any user data available that would indicate how much they’re used and help gauge the impact of removing them.

The only data available to help make an informed decision was provided by Mel Choyce. Choyce shared statistics from WordPress.com and its variety of editor interfaces that indicated Bold, Italic, and Links are used the most while Lists and Blockquotes are the second most used buttons.

The Center and Left alignment buttons are used often, but the data doesn’t determine if people are using them to align text or images. Information on which headings are used most was not available. The team did not have any usage data specific to the WordPress core editor.

In the ticket, Andrew Ozz, who maintains the TinyMCE component, chimed in and agreed that good user data is needed.

In an effort to obtain usage data before removing the buttons, Ozz created a small plugin to perform testing with five existing and first-time users. Interestingly, he discovered that both types of users clicked on the kitchen sink button to display the second row of buttons and didn’t click the button to hide them again.

Ozz also shared other results from his limited testing.

I know these test results are extremely limited and cannot be used when making a decision, but they are an indication of what ‘real’ testing may reveal. In this case it shows that moving buttons to the bottom row will have no effect on the usage of these buttons as they will still be visible at all times.

This super limited testing also indicated another (much bigger) problem: somebody mentioned this some time ago (think it was @mor10), around 20% of the WordPress users don’t even know there is a second editor toolbar, and some feel ‘pretty stupid’ after discovering it. I think this is bad UX and something that can be fixed easily by having the second toolbar open by default, and fixing it is more important and will improve the UX for these 20% of users a lot.

Imagine how useful it would be for core developers or others if there was usage data like this on a grander scale that could fuel rapid improvements and help discover and eliminate pain points.

Matt Mullenweg, co-creator of the WordPress project, has closed the ticket with the Telemetry Proposal as it’s not within the three project focus areas for 2017.

“There is no part of current or potential WP development that is being held back by the lack of this existing, as there are easy and current ways to answer questions with data to the extent it would inform our decisions,” Mullenweg said.

Morten Rand-Hendriksen responded to the closure saying that the quantitative user testing falls squarely within the Customizer focus area.

“I would argue since the release of the Customizer some years back, it has gone through a multi-year large-scale quantitative user test with incremental tweaks and improvements,” Rand-Hendriksen said.

“This is in line with standard agile development. At this juncture, the Customizer can be considered mature, and moving a mature solution forward requires hard data on usage, use cases, and user needs. This goes beyond standard user testing to large-scale data collection, which is what this ticket aims at addressing.”

Perspective From a WordPress Release Lead

There are WordPress core developers who have shown interest in a similar system. At the start of the WordPress 4.7 development cycle, Drew Jaynes, who led the WordPress 4.2 release cycle, expressed interest in creating an opt-in data collection system.

The idea received positive feedback that included people offering to help. I asked Jaynes what his thoughts are on such a system and how it could benefit core development.

“There’s some discussion about what form that collection should take initially, but I think there’s consensus that it should be opt-in, and take one of two forms (or a hybrid of the two): active (surveys in the admin) or passive (anonymized usage) data collection,” Jaynes said.

“Either way, I think having this data available would benefit the entire community, regardless of the obvious practicable application within core development.

“All of that data can and should be used to inform decision-making in WordPress going forward. The core team really needs to hit the reset button on the concept of the 80/20 rule, including what and whom it represents.

“We should be building modern WordPress for the modern WordPress user, and resting on Matt’s instincts coupled with the core team’s experience is no longer enough to maintain positive forward momentum.”

Jaynes cites the editor as an example of where having the data would be helpful and that without it, pursuing an idealized ‘modern editor’ in WordPress is premature. The data could also help provide insight into improving the new user experience.

“A common complaint is that the WordPress admin can be really overwhelming to new users,” Jaynes said. “Having real data about how frequently the various core screens are used could really inform decisions about maybe paring it down, or hiding some things over time that are used less and less.”

While collecting data could help with making informed decisions, he doesn’t think it should stop the core team from experimentation.

“I think having real, citable data could really reduce the amount of backlash we’ve seen with a few releases in the last couple of years,” Jaynes said. “Areas where core team decisions left some group of users feeling jilted.”

“It’s worth mentioning that there’s absolutely value in allowing the core team to experiment, as long as we’re careful not to latch onto something that got merged as the only way we’ll ever need to solve that problem; that’s where we get into trouble.”

Who Are The 80/20 Users of WordPress?

The most striking statement in Rand-Hendriksen’s proposal is that WordPress development is occurring without having any idea who the 80% or 20% of users are.

“During the development of WordPress 4.7, I was involved in several conversations centered around assumed use of features,” Rand-Hendriksen said.

“The general argument was that based on the 80/20 rule, certain features should be added while others should be removed. I kept bringing up the well-known fact we don’t have a clue what features 80%, or even 20%, of WordPress users actually use so any claim of validity in the 80/20 rule is guesswork at best.”

Collecting usage data is standard practice. Microsoft Windows, Mozilla Firefox, Chrome, iOS, and a number of other software projects have opt-in data collection systems that are used to improve the product. They also provide insight into how customers are using their products.

WordPress development on the other hand relies on the support forums, data collected from WordPress.com, limited user testing, verbal feedback at WordCamps, and other small data points. Collecting usage data from WordPress could show trends and provide evidence for changes related to the decisions not options philosophy of WordPress development.

Collecting usage data isn’t going to solve all of WordPress’ woes but having it available to make more informed decisions is better than not having any data at all. Although an opt-in data collection system in WordPress won’t be a core focus any time soon, it’s encouraging to see the idea has merit and is something some core developers are interested in seeing become a reality.

I’d gladly opt-in and share my usage data with WordPress.org as long as it was anonymized and displayed publicly in aggregate. Would you?


by Jeff Chandler at February 21, 2017 02:07 AM under telemetry

WPTavern: BuddyPress 2.8 Boosts Minimum PHP Requirement, Adds Twenty Seventeen Companion Stylesheet

BuddyPress 2.8, “San Matteo,” was released last week, led by long-time BuddyPress contributor Slava Abakumov. The release was named for San Matteo Panuozzo, an NYC pizza restaurant that specializes in panuozzo, a more portable pizza-sandwich hybrid. Following suit with the previous release, 2.8 focuses on improvements for developers and site builders, the project’s new target audience as of 2016.

As part of an effort to modernize the plugin’s codebase and prepare it for better integration with the BP REST API project, this release boosts the minimum PHP requirement to 5.3. In BuddyPress versions 2.7+, the plugin will display a notice in the dashboard if it detects that the server doesn’t meet the minimum requirements for running 2.8. The change is not likely to affect many BuddyPress sites as only a small sliver (5.7%) of WordPress sites are running on PHP 5.2.

This release also adds a companion stylesheet for Twenty Seventeen. This stylesheet is important for providing a good first impression of BuddyPress for those who are trying out the plugin with WordPress’ latest default theme. A new BP codex page gives sample code for changing Twenty Seventeen’s default two-column layout to a full-width layout.

The 2.8 release brings improvements to the “Activate Pending Accounts” screen, making it easier for site managers to confirm or reject new registrants. Clicking on the username of a pending account will now display profile data that the user entered at signup.

Other improvements for developers include the following:

  • New filters and actions for the Messages component
  • Support for List-Unsubscribe header in emails
  • More flexible Group search
  • New filter enables choice of which PHPMailer should be used when sending BuddyPress emails

BuddyPress 2.8 was made possible by 44 volunteer contributors. For a full list of all the changes in this release, check out the official 2.8.0 changelog.

by Sarah Gooding at February 21, 2017 12:33 AM under twenty seventeen

February 20, 2017

WPTavern: Composing a WordPress Development Environment with Docker

This post was contributed by guest author Peter Suhm. Peter is a web developer from the Land of the Danes. He is the creator of WP Pusher and a huge travel addict, bringing his work along with him as he goes.

In the last few years, a wave of virtualization technologies has swept through our WordPress development environments. The one that’s sounded the most promising to me has been Docker: lightweight and flexible. Yet, until recently, getting Docker up and running was an overwhelming task – especially on a non-Linux machine. If you managed to get it up and running in a virtual machine (using Vagrant or similar), getting port-forwarding to work would make you give up and just use Vagrant instead.

Now it’s different.

With (a stable) Docker for Mac and Windows and Docker Compose at hand, getting Docker up and running is easy and pain-free. With Docker Compose you can tell Docker exactly what you want your WordPress development environment to look like and it will take care of it.

What is Docker?

Docker is a technology that makes it really simple to create isolated containers for your applications and websites to run in. These containers can be combined and modified to fit the needs of your applications. Docker is utilizing the Linux Containers technology (LXC) where multiple isolated environments can share the same Linux kernel – making it very lightweight compared to something like Vagrant.

The Docker ecosystem is built around containers. In the Docker Hub, you can find an endless number of containers that other people have built or you can build your own using a Dockerfile. When building your own, you can start from scratch using the base Ubuntu image or extend someone else’s image.

You can share local directories with your containers and link the networks, so they can talk to each other – just like you know it from other virtualization technologies. However, this is where it gets complicated which leads me to Docker Compose:

What is Docker Compose?

Docker Compose is what makes Docker available to mortals like you and me. As the name implies, Docker Compose is a tool for composing Docker containers. That means defining your services (containers), setting up the network between them, sharing local directories with them, and a few more things.

With Docker Compose you create a simple file in the root of your project that describes the setup required by your application/website. For a WordPress theme that might mean a container to run WordPress, a container to run MySQL and a container to run Gulp or Grunt. This can very easily be defined in a docker-compose.yml file that can then be shared with your team members. This means that you can now share your WordPress theme, including an isolated WordPress environment to run it in. Hurray for virtualization!

Why use Docker?

There are a few reasons why Docker is an attractive technology for me. Here are the most important requirements I have for my development environment and how Docker solves them:

  • Clean Mac: In an ideal world, I prefer not to install anything related to my development environment directly on my Mac. I work on so many different projects that this gets unmanageable. When one thing works, another doesn’t. I also travel a lot and should something happen to my computer, I want to be able to set up a new machine in minutes.
  • Shareable: I often work in teams, so sharing my development environment with teammates is crucial. This is possible with Vagrant, but it’s still very tricky to keep environments in sync across teams.
  • Lightweight: This is important, especially when on the road. Try running a few Vagrant boxes compared to a few Docker containers and see what I mean.
  • Extendable: Extending Docker is very easy. For example, I could extend the official WordPress container and build it with WP Pusher pre-installed, since I (obviously) always use it.
  • Mirror production: My development environment needs to be as close to production as possible. With Docker this is easy, since Docker can be used in production as well.

My Docker development environment

This is the very simple Docker setup I use for development of my WP Pusher plugin: A WordPress and a MySQL container. Both of them use the official Docker Hub images, so setting it up is very easy.

My docker-compose.yml file looks like this:

It describes two services: a MySQL 5.7 database and WordPress running on PHP 5.6 and Apache. The database is using a volume on my local machine, so data will be persisted every time I shut off the container. My current directory (in this case a plugin) is mounted into the wp-content/plugins directory. This allows me to work on my plugin in a completely isolated WordPress environment – without installing anything, besides Docker, on my Mac. The WordPress container forwards port 80 to my local machine, so I can access it as “localhost” in my browser.
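A docker-compose.yml matching the setup described above, as an added example rather than the author’s own file from the post: it assumes the official mysql:5.7 and wordpress:php5.6-apache image tags, a plugin folder named my-plugin, and development-only passwords that are placeholders.

```yaml
# docker-compose.yml (added example, not the author's own file)
version: "2"

services:
  db:
    image: mysql:5.7
    volumes:
      # Named volume on the host so the database survives
      # "docker-compose down" and container rebuilds
      - db_data:/var/lib/mysql
    environment:
      # Development-only placeholder credentials; anything reachable
      # from production must use a secrets mechanism instead of
      # plain environment values
      MYSQL_ROOT_PASSWORD: dev-root-password
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: dev-wordpress-password

  wordpress:
    # Assumed image tag: WordPress on PHP 5.6 with Apache
    image: wordpress:php5.6-apache
    depends_on:
      - db
    ports:
      # Bind to the loopback interface only, so the development site is
      # reachable as http://localhost but not from other hosts on the
      # same network (a hardening choice made for this example)
      - "127.0.0.1:80:80"
    volumes:
      # Mount the project directory (a plugin) into wp-content/plugins;
      # "my-plugin" is a placeholder for the plugin's folder name
      - ./:/var/www/html/wp-content/plugins/my-plugin
    environment:
      # "db" resolves to the database container on the Compose network
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: dev-wordpress-password
      WORDPRESS_DB_NAME: wordpress

volumes:
  db_data:
```

The db_data volume is kept when the containers are removed, so the WordPress install and its content persist between sessions.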

If you want to try it for yourself, and have Docker installed on your machine, just add the file to your plugin (or theme) and run:

$ docker-compose up -d

In order to see which containers are running, just run:

$ docker ps

This a very simple setup that is easy to extend and build upon.

I hope this post made you curious about Docker and WordPress. Thanks for reading along!


by Sarah Gooding at February 20, 2017 06:23 PM under docker

February 18, 2017

WPTavern: Disqus Hits Sites with Unwanted Advertising, Plans to Charge Large Publishers a Monthly Fee to Remove Ads

When Disqus announced it would be releasing new, subscription-based versions later this year, users didn’t expect to have the new advertising model injected into their sites without notice. Disqus CEO Daniel Ha said the company would release finalized pricing and provide more details well in advance of its planned March release, but users are reporting that the advertising has already been forced into their comments without warning.

“We are one of the lucky 5% who now has to pay if we don’t want really irrelevant and horribly spammy links just plopped on our site with zero warning,” BabyCenter Social Media Manager Dina Vernon Freeman said. “Unless our users (mainly millennial parents) should care about overpaying for dentures! We’re looking for other platforms ASAP.”

Brian O’Neill, who manages Slugger O’Toole, a site with more than 70,000 readers, was also hit with unwanted advertising on his site.

“Disqus has started to put ads into our comments section of our site without even telling us,” O’Neill said in a post explaining the new ads to the site’s readers. “As you can imagine I am extremely annoyed at this – I hate crappy online ads as much as you do. Supposedly we can remove the ads if we pay them $10 a month, but as yet there is no mechanism on their site to do this.” O’Neill said he is also exploring alternative commenting systems if he is unable to remove the advertising.

Disqus responded to user complaints with a post to clarify that advertising will remain optional for more than 95% of the sites on Disqus.

“Larger, commercial, sites that elect to use the free version of Disqus will be supported by configurable advertising and have the option to earn revenue through the Reveal program,” Disqus Marketing Manager Mario Paganini said. “For small, non-commercial sites, advertising will be optional. These sites will be able to use Disqus’ ads-optional subscription, free of charge.”

Publishers asked in the comments when the option to pay to remove ads will become available, as an option to pay isn’t currently in place.

“Larger sites will be able to run a paid subscription version of Disqus that includes the ability to remove ads along with additional features,” Paganini said. “We are aiming to have this available in the next couple of months. We will be making periodic updates on our blog and talking to publishers in the meantime.”

Disqus is moving to focus on its larger publishers but has already attracted angry criticism from publishers that were not properly informed of the changes. Over the years the company has experimented with different ways of monetizing the commenting platform, often frustrating users in the process of making important changes.

In 2014, Disqus began experimenting with advertising in the form of “Sponsored Comments” that users could not turn off without contacting support. This move drew criticism from WordPress co-founder Matt Mullenweg who essentially called out the ads as little more than comment spam. After a negative reaction from its community, Disqus quietly discontinued the Sponsored Comments and scrubbed the announcement post from the internet.

Disqus Delivers Low-Quality Ads

Disqus has struggled to land on an effective advertising model that will convince users to get on board. Its Reveal advertising program is notorious for serving low-quality ads and has inspired little confidence in users who have tried it. The following is one of the tamer examples:

“I think if you had somewhat decent advertising you might convince people that it’s worth it, but I had to yank it from one of my sites because it was all ‘Ron Paul wants you to buy gold!’ and ’22 times the photos showed too much!'” Paul King, an author who writes for multiple publications, commented on Disqus’ most recent advertising announcement. “Just put in a tier of non-spam advertising that’s actually relevant or charge based on comments or something.”

Twitter is filled with complaints from users who are dissatisfied with the questionable quality of Disqus’ advertising. Many are searching for alternatives.

This recent move to turn on advertising without publishers’ permission is another communication blunder in the same vein as the previous attempt at Sponsored Comments. Disqus has failed to find a communication strategy that respects users’ content while leading the company towards its goals at the same time. With spam-quality ads deploying network-wide, the company can certainly expect that some users will be willing to pay the $10/month to turn them off. Sadly, the experience of paying to turn off offensive ads feels more like getting mugged on your way to work than upgrading your service.

The Disqus Comment System plugin has been hovering around 200,000 active sites for the past two years and its ratings continue to plummet on WordPress.org. Unless Disqus is able to dramatically improve its advertising network before its official March release, we may see a mass exodus to other commenting systems.

by Sarah Gooding at February 18, 2017 12:16 AM under disqus

February 17, 2017

WPTavern: How to Check if Installed Plugins Are No Longer in the Plugin Directory

When we wrote about why plugins sometimes disappear from the WordPress plugin directory, it generated a healthy discussion in the comments. One of the topics of discussion brought up is whether or not users should be notified when a plugin disappears and if so, how?

Currently, when a plugin is hidden on the directory, users are not notified. If it’s removed due to a security vulnerability and the author chooses not to fix it or move the plugin somewhere else such as GitHub, users are left in the dark.

Donna Cavalier shared a recent example of why users should be notified. Contact Form DB is a popular plugin that saves contact form submissions from many popular Contact Forms plugins to the database. As of October 30th, 2016, it was actively installed on more than 400K sites.

Approximately one month ago, the plugin was hidden due to a security vulnerability. Instead of releasing a patch, Michael Simpson, creator of Contact Form DB, moved the plugin to GitHub and subsequently released a new version that patched the vulnerability. Simpson says the person on the plugin review team that he spoke with was condescending, unprofessional, and rubbed him the wrong way.

“I’m happy to address any issues and meet any standards, but I’m at the limit of my patience,” Simpson said.

“I try to be a good citizen and give back to the community. I’ve put in countless hours for close to seven years now. When I’m treated like this, it seems WordPress doesn’t value me or my contribution to its community.

“Anyway, I put the code on GitHub and I will continue to support it. But at this point I’m not sure I want to deal with people like this to re-list the plugin on this site. I don’t need the frustration.”

If you use Contact Form DB, please update to 2.10.30 as soon as possible as it contains the aforementioned security fix.

It’s impossible for Contact Form DB users to automatically install updates from GitHub without installing an updater plugin. This leaves thousands of sites at risk.

How to Know When Installed Plugins Are No Longer in the Directory

In the comments of our article, Tavern reader Central Geek shared links to a couple of plugins aimed at providing useful information such as, whether a plugin has been abandoned and better plugin compatibility information.

One of the plugins he mentions is called No Longer in Directory, developed by White Fir Design. The plugin adds a page to the WordPress backend that informs users if any of the plugins that are installed are available in the plugin directory. It also separately lists installed plugins that haven’t been updated in two years or more.

The check is performed using the plugin directory’s folder name. The author notes that this could lead to plugins that have never been in the plugin directory to be flagged if they use the same name as a plugin that was in the directory in the past. If you encounter this situation, you’re encouraged to create a new thread on the plugin’s support forum.

So far, No Longer in Directory is actively installed on more than 1K sites. Out of a total of six reviews, its average rating is 4.8 out of 5 stars. I tested the plugin with WordPress 4.8 alpha and didn’t encounter any issues.

If this is a feature you’d like to see implemented in WordPress, consider voting for it. So far, the idea has 43 votes with a five-star average rating. Mika Epstein, Plugin Directory Representative, responded to the idea four years ago noting that it was being worked on.

As Epstein mentioned in our previous article, explaining WHY a plugin has been closed is complex.

“Obviously the last thing we want are people getting hacked, but it presents us with a few options and they all have flaws,” she said.

“We’ve not been able to determine a way to tell people ‘This plugin is gone, don’t use it’ and ‘This plugin is gone, but use it if you want.’ without putting users at risk.”

If a Plugin Is Permanently Removed From the Directory, Users Should Be Notified

I believe users should be informed if a plugin is permanently removed from the directory. It doesn’t make sense to notify users if it’s temporarily hidden due to violating a guideline or a security issue. Plus, between upgrade and admin notices, users are receiving enough notifications as it is.

I’m unsure if the notification should be an admin notice as we’ve already documented how plugin authors are using them to advertise. Users are increasingly getting annoyed by them and their usefulness is in decline.

There’s also the question as to who is responsible for informing users. This responsibility should fall squarely on the plugin author. If I was a plugin author and not interested in someone adopting my plugin and wanted it removed from the directory, I’d do so by pushing out one last update.

I’d explain in the plugin’s description and changelog that support and updates would no longer occur and that users should seek alternatives. I might even suggest a few that come to mind. Then, after about a month, I’d submit a request to the plugin review team to permanently remove it.

This would give users a heads up and plenty of time to seek out an alternative. The Post Template plugin is a good example of this idea in action. Here is the notice it displayed on all of its settings pages before it disappeared.

Since version 4.0.0, the plugin has been released under a commercial license. New features such as addition of custom fields to the templates have been added. Furthermore, this version is discontinued, which means that no further bug fixes, new features and compatibility fixes for new WordPress versions will be implemented. If you want to buy the latest version of Post Template, please visit the plugin web page.

By notifying users ahead of time, the responsibility shifts to the user to find an alternative.

Simpson said he’ll work to get the plugin re-listed but it may take some time as he’s swamped with work. At the time of publishing, the plugin is not available on WordPress.org.

An Unfortunate Situation for Users of Contact Form DB

While users sympathized with Simpson over his decision, I think it’s partly irresponsible. If a plugin has a security vulnerability, patching it and making it available as soon as possible should take precedence over how one feels about a situation.

Instead of putting aside differences and pushing out an update to patch a security vulnerability, Simpson chose to move the plugin and the patched version to GitHub. The decision not to work with the plugin review team has put thousands of sites at risk with no easy way for users to update.

Hopefully, Simpson will work with the team to get a patched version of Contact Form DB back onto the directory as soon as possible. Until then, if you use Contact Form DB, please update to 2.10.30 manually as it patches the security vulnerability.

by Jeff Chandler at February 17, 2017 08:52 AM under security

February 16, 2017

WPTavern: WPWeekly Episode 263 – Plugins Disappearing, WordCamp Miami, and OSTraining

In this episode, Marcus Couch and I discuss the news making headlines including, WordCamp Miami in its 9th year, OSTraining partnering with GoDaddy to release training videos, and why plugins sometimes disappear from the WordPress plugin directory. We also provide an update on the REST API vulnerability that is actively being exploited to deface webpages.

Stories Discussed:

WordPress REST API Vulnerability Exploits Continue
Google Webmaster Tools Fixes Confusing Messages About Updating WordPress
WordCamp Miami 2017 to Host JavaScript Track, AMA Spots, and 2-Day Kids’ Camp
OSTraining Partners with GoDaddy to Launch Free WordPress Beginner Course on YouTube
Why Plugins Sometimes Disappear From the WordPress Plugin Directory

Plugins Picked By Marcus:

Mobile Featured Image allows users to add a featured image specifically for mobile devices. The new image can be a resized version of your featured image or an entirely new image targeted especially at mobile viewers.

FB Messenger Bot for WooCommerce automatically messages clients from your Facebook page, WooCommerce, or Gravity Forms. The plugin creates a ‘send to Facebook’ button at the end of the WooCommerce Sales process or on the Gravity Forms thank you page.

Restrict New Users by Domain makes it easy to whitelist or blacklist email domains that new users can use when registering. If using the whitelist, only new users who enter an email domain on the whitelist will be allowed to create an account. If using the blacklist, a user who enters an email domain on the blacklist will be unable to register.

WPWeekly Meta:

Next Episode: Wednesday, February 22nd 3:00 P.M. Eastern

Subscribe To WPWeekly Via Itunes: Click here to subscribe

Subscribe To WPWeekly Via RSS: Click here to subscribe

Subscribe To WPWeekly Via Stitcher Radio: Click here to subscribe

Listen To Episode #263:

by Jeff Chandler at February 16, 2017 11:01 PM under wordcamp miami

Post Status: LoopConf in review

LoopConf is a developer centric conference, and LoopConf “2.1” took place in Salt Lake City in early February. This second iteration of the event was a great one, with informative, diverse talks, a laid back atmosphere, and it was very well organized — which is especially impressive considering the challenges that mother nature caused. As an added bonus, you can now watch all the talks for free.

Originally planned for Miami last year, LoopConf was postponed due to a hurricane in southern Florida — hence the “.1” above — and rescheduled closer to organizer Ryan Sullivan’s home in Salt Lake City. Despite the postponement, most attendees were still able to make it, and some folks (like me) could only go to the newly scheduled event.

Salt Lake City was unseasonably warm, making it a pleasant few days, mixed with great food and company. It was also a pleasure to be able to meet more people from local companies, including the newly minted BlueHost and MOJO headquarters downtown.

Post Status was at LoopConf as a media partner, and Brian Richards and I took a lot of pictures, as well as several video interviews.

What to know about LoopConf

In our first video interview, Ryan talked about the origins of LoopConf, and described what he hoped attendees would get out of the event:

I hope to see a future LoopConf 3, and I think the venue and atmosphere worked really well in Salt Lake City.

A small sampling of valuable talks

There were many great talks. I didn’t attend them all, as I was working on other stuff for much of the two days, but the feedback was pretty universally positive, and every talk I did attend, I found valuable.

The competitive landscape for WordPress

The first day kicked off with a great talk by Pantheon co-founder Josh Koenig, who spoke on the competitive landscape for WordPress, including opportunities and risks. It was a really excellent start to the event.

Empathetic communication

I met Sharon Steed prior to her talk, in which she spoke about empathetic communication. Her own journey as a communicator, going through life with a stutter, has shaped how she thinks about communication and how she advises her clients.

There were two quotes I loved: “Technology cannot replace the social aspect of face-to-face communication.” And, “Silence kills collaboration.” I think greater empathy in our ecosystem and society in general is pivotal.

Put an “S” on it

I don’t know anyone who knows more about HTTPS than Zack Tollman, who directed the effort to make WIRED’s website fully HTTPS. They learned many lessons, and he shares them in his outstanding talk.

Bootstrapping a WordPress business

The most recent podcast episode featured a video interview and extended audio interview with WP Engine founder and LoopConf keynote speaker Jason Cohen, which I highly recommend you check out. Jason is full of knowledge, and my interview with him pairs well with his keynote talk.

Jason’s talk will certainly get you thinking about whether you should raise your prices, that’s for sure.

Watch them all!

Don’t take my word for which talks to see. I just feature these because I got a lot out of them in the moment. However, in general I found this lineup to be one of the most proficient groups of speakers I’ve seen yet at a WordPress event.

Check out the whole playlist.

Here are pictures from the three days of workshops and talks.

You are welcome to use these pictures however you wish. If you’d like to credit Brian Richards or myself, or Post Status, we’d appreciate it — but it’s not required. Pictures he took show Canon 6D in the meta description, and pictures I took show Canon 70D in the description.

More interviews from LoopConf

I’ll have more interviews from LoopConf over the coming days and weeks. I chatted with several core contributors and developers about specific experiences they’ve had with WordPress. Keep an eye out for those!

A fun, niche event with a lot of value

LoopConf was pretty laid back, and did a lot of things really well.

For one, I’m super jealous of how quickly they got the videos uploaded, and they’ve generously made them available for free for everyone. Also, there were no noticeable event hiccups, and the team was always available to help with whatever attendees may need.

The venue itself was really nice, as you can hopefully see in the pictures, and the whole place was laid out in a way that made both the talks and the hallway track highly accessible. And sponsors were in the center of the whole event, which was great.

I found that the size of the event (I’d guess around 200 people) made it so that conversations were easy to have, and we were able to go in-depth. And because everything from breakfast to dinner to the after party was at the venue, it made everything super convenient.

If and when there’s a LoopConf 3, you should go! I’ve also found this general theme to be true at other niche WordPress events — including A Day of REST (specific to the REST API in WordPress, which you should go to next month!) and PressNomics (a WordPress business event, which you should go to in April!), and even my own Publish event (which may have a second iteration later this year).

To learn more about LoopConf, check out the website. And definitely take advantage of all of those free videos!

by Brian Krogsgard at February 16, 2017 08:00 PM under Everyone

February 15, 2017

WPTavern: Matt Mullenweg Responds to Security Rant: Digital Signatures for WordPress Updates Are Important but Not a Priority

Scott Arciszewski, Chief Development Officer for Paragon Initiative Enterprises, who is most widely known for his cryptography engineering work, published a post on Medium criticizing Matt Mullenweg, co-creator of the WordPress open-source software project, for not caring enough about security. Arciszewski has since retracted the post but you can read it via the Wayback Machine.

Arciszewski is working on a project known as libsodium, a core extension to PHP 7.2 which allows for encryption, decryption, signatures, password hashing and more. Its goal is to enable developers to build higher-level cryptographic tools.

WordPress’ automatic update system is handled through api.wordpress.org. Since updates do not have a digital signature, if api.wordpress.org were compromised, attackers could send malicious updates to thousands or millions of sites. This scenario was at the forefront of people’s minds late last year after Wordfence published details of a complex security vulnerability that could have compromised the update servers.

Arciszewski suggests offline code signing and elliptic curve cryptography as solutions, “The key that can produce a valid signature for a file isn’t stored on the server (only the file itself and a valid signature are), so even if the server gets hacked, attackers can’t just add trojan horse malware to the file,” he said.

PHP’s OpenSSL extension is the usual way to do public-key cryptography in PHP, but it only supports RSA, which Arciszewski deems inadequate. Since WordPress is written in PHP and supports versions 5.2 through 7+, Arciszewski needed a solution that was just as compatible. This inspired him to create sodium_compat, which adds Ed25519 signature verification to WordPress’ automatic updater.
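To make the offline-signing split in the paragraphs above concrete, here is an added example (not code from WordPress core, sodium_compat, or Arciszewski’s patches) that signs a package with an Ed25519 key kept off the update server and verifies it on the client using the sodium_* functions that ext/sodium (PHP 7.2+) and the sodium_compat polyfill both provide; the package bytes and key material are constructed for illustration.

```php
<?php
// Added example, not code from WordPress core, sodium_compat or the article.
// Shows the split described above: the secret key lives only on the signing
// machine, the update server holds the package plus a detached Ed25519
// signature, and the client verifies against a public key it already ships
// with before installing anything. Assumes ext/sodium (PHP 7.2+) or the
// sodium_compat polyfill, which provides the same sodium_* function names.
// Package contents and key material below are constructed for illustration.

declare(strict_types=1);

/**
 * Signing side (offline host or HSM-backed signer). Returns the 64-byte
 * detached signature over the raw package bytes.
 */
function sign_package(string $packageBytes, string $secretKey): string
{
    return sodium_crypto_sign_detached($packageBytes, $secretKey);
}

/**
 * Client side. Returns true only for a well-formed, valid signature.
 * A missing or malformed signature fails closed instead of falling back
 * to an unverified install, which is the "reject non-signed updates" end state.
 */
function verify_package(string $packageBytes, $signature, string $publicKey): bool
{
    if (!is_string($signature) || strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false;
    }
    if (strlen($publicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
        return false;
    }
    try {
        return sodium_crypto_sign_verify_detached($signature, $packageBytes, $publicKey);
    } catch (SodiumException $e) {
        // Anything the library refuses to parse is treated as a bad signature.
        return false;
    }
}

// Offline, once: generate the keypair. Only the public half ships with the client.
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);
$publicKey = sodium_crypto_sign_publickey($keypair);

// Offline, per release: sign the package. Only $package and $signature
// are ever copied to the update server.
$package   = 'constructed stand-in for the bytes of wordpress-4.7.2.zip';
$signature = sign_package($package, $secretKey);

// Client: every download is checked before anything is extracted.
$cases = [
    'genuine package'           => verify_package($package, $signature, $publicKey),
    'modified package'          => verify_package($package . ' (altered in transit)', $signature, $publicKey),
    'no signature supplied'     => verify_package($package, null, $publicKey),
    'signature of wrong size'   => verify_package($package, 'short', $publicKey),
    'forged all-zero signature' => verify_package($package, str_repeat("\0", SODIUM_CRYPTO_SIGN_BYTES), $publicKey),
];

foreach ($cases as $label => $accepted) {
    printf("%-26s %s\n", $label, $accepted ? 'ACCEPT' : 'REJECT');
}
```

On PHP older than 7.2, require sodium_compat’s autoload.php before this script so the sodium_* functions and constants are defined.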

Arciszewski submitted a number of patches to WordPress but was told by Dion Hulse, WordPress core developer, that the sodium_compat library could not be merged into core until it passed a security audit by a third-party. Audits can cost a lot of money so Arciszewski’s plan was to see if Automattic could take on some of the cost or crowd-source the funds. However, his project was put on hold after Mullenweg informed Hulse to stop working on the feature as it’s not related to the three core focus areas of the Editor, Customizer, and the REST API.

Arciszewski described the decision as irresponsible and that every user has a reason to be alarmed, “The WordPress team has shown that they are not responsible enough to govern their impressive ownership of the Internet (with the exception of some folks powerless to correct the organization’s course),” he said. “This act of negligence will put the rest of the web in harm’s way.”

Update Signing is Important but Not a Priority

Mullenweg responded to the post on Medium.com with one of his own and reiterated the WordPress development team’s commitment to security.

“Everyone involved takes their responsibility very seriously, and the growth of WordPress has meant many thoughtful, hard-working people have gotten involved and think of the security of WP sites holistically, from every angle,” he said.

Mullenweg also clarified what attacks would be stopped by implementing digital signatures to WordPress updates.

“It could stop a man in the middle attack, where someone modifies the update files on the network in between your blog and WordPress.org, or it could stop a situation where the part of .org that serves the update is compromised but the signing part isn’t, and someone decided to send out updates even though they know they’ll be rejected,” he said.

The team is unaware of any WordPress sites that have been attacked this way. While the possibility exists, the extent of the damage would likely be limited. The update servers are monitored around the clock and since many large webhosting companies automatically scan their customers’ sites for malware, the malicious update would likely be discovered quickly.

Mullenweg describes what would happen if an update server was compromised.

“We would turn it off really quickly, notify the world there was an issue, fix the problem, turn it back on, and notify the specific sites or hosts as able,” he said. Although WordPress powers 27.5% of the top 10 million sites tracked by Alexa, it’s highly unlikely that number of sites would be compromised.

He goes on to say that there are easier ways to compromise a WordPress site and listed the biggest issues to WordPress security based on impact.

  1. Sites not updating core.
  2. Sites not updating plugins.
  3. Sites not updating themes.
  4. Weak passwords, without brute-force protection or two-factor authentication.
  5. Hosts (professional or ad-hoc) not scanning and fixing sites.
  6. Hypothetical issues not seen in practice, which distract from the above existing priorities.

Mullenweg confirms that he offered to donate to the audit of sodium_compat a day before Arciszewski published his post. Even if the library passed an audit, the code couldn’t immediately be added to core, “You would also need to do some significant work on the server-side to isolate the signing from the update server, so it’s worthwhile in the first place,” he said.

And if the code were added to core, only the sites that updated to the version that has the cryptographic library and the update checking would be able to take advantage of it. WordPress.org would still need to send updates to older versions that don’t have update checking. These sites would still be vulnerable to receiving a malicious update.

Mullenweg says that digital signatures and update signing will end up in WordPress eventually but it’s not a priority as there are other security issues in front of it, “We are prioritizing those issues above a nice-to-have, defense in-depth effort,” he said.

“A good approach would be to build the server-side first, because doing that properly, say with an HSM, is the difficult and important part; then get the packages signed; then test out verification in a plugin because we don’t want to break auto-updates; and then finally merge into core and set the client to reject non-signed updates. On the client side we need to pick a cryptography library, and get it audited.”

Mullenweg ended his post explaining why he published his response on Medium instead of his personal site. “Seems to be the most popular place for rants like this. I also wanted to try out the famous Medium editor,” he said.

What’s Next For sodium_compat

While the prospects don’t look good for his library being added to WordPress in 2017, Arciszewski says there are plenty of other PHP projects that could benefit from it, “For their sake, I’m still strongly inclined to pursue an independent third-party cryptography audit, and attempt to crowd-fund the cost,” he said.

by Jeff Chandler at February 15, 2017 11:48 PM under update signing

BuddyPress: BuddyPress 2.8.0 – “San Matteo”

BuddyPress 2.8.0 “San Matteo” is now available for download from the WordPress.org plugin repository, or right from your WordPress Dashboard. “San Matteo” focuses on various improvements for developers, site builders and site managers.

For Developers & Site Builders

Modernizing the Codebase

To continue the migration of legacy code to modern standards and techniques necessary for the BP REST API project and other new features moving forward, BuddyPress 2.8 requires at least PHP 5.3. This will allow us to build better, robust, and secure code, benefiting developers and users now and in the future.

More helpful “Activate Pending Accounts” screen

When you click on the username on the “Users > Manage Signups” page, you can now view profile data entered by the user at the time of registration.

Support for List-Unsubscribe header in emails

Allow users to unsubscribe from BuddyPress email notifications in some email clients such as Gmail (web), when properly configured.

Twenty Seventeen Companion Style sheet

BuddyPress looks great in WordPress’s latest default theme with the new Twenty Seventeen companion style sheet.

To change the default two-column page layout to a full-width layout as seen in the image, add the following code to the functions.php file of your Twenty Seventeen child theme.

More hooks for Messages

We’ve added new filters and actions for different methods throughout the Messages component.

A more flexible Group search

The new search_column parameter allows developers to specify which columns should be matched, as well as where wildcard characters should be placed, when searching via BP_Groups_Group::get().

Alphabetical sorting for Groups widget

The groups widget can now be sorted alphabetically, in addition to sorting the results by recently active, popular, and newest groups.

Enable choice of PHPMailer

Developers can specify which PHPMailer should be used when BuddyPress sends email, via a new filter.

Localization Improvements

We continue to improve our localization internals, making it easier for translation editors to ensure that BuddyPress will be available for everyone in their own language.

Developer Reference

Regular updates to inline code documentation make it easier for developers to understand how BuddyPress works.

Accessibility Upgrades

Continued improvements for universal access help make BuddyPress back- and front-end screens usable for everyone (and on more devices).

…and much more!

Read about all the bug fixes and feature enhancements introduced in BuddyPress 2.8.0 at our official 2.8.0 changelog.

Thank You to Our Contributors

Many, many thanks to all those who contributed during this development cycle. This is a volunteer-run project, and these contributors freely gave of their time and expertise to make BuddyPress better than ever:

Andrea Tarantini (dontdream), Ankit K Gupta (ankit-k-gupta), angeljs, Boone B Gorges (boonebgorges), Brandon Allen (thebrandonallen), Bunty (bhargavbhandari90), chetansatasiya (ketuchetan), Chirag Patel (chiragpatel), danbp, David Cavins (dcavins), Dennis (wpdennis), Diana K. Cury (Dianakc), finzend, Hugo (hnla), J.D. Grimes (jdgrimes), John James Jacoby (johnjamesjacoby), Jonas Lundman (jonas-lundman), jonieske, jreeve, lakrisgubben, Laurens Offereins (Offereins), lgreenwoo, maccast, Mathieu Viet (imath), mchansy, mercime, Michael Beckwith (tw2113), modemlooper, Mustafa Uysal (m_uysl), Nick Momrik (nickmomrik), Paul Gibbs (DJPaul), paresh.radadiya (pareshradadiya), Petya Raykovska, r-a-y, rekmla, Renato Alves (espellcaste), Roger Coathup (rogercoathup), Salvatore (DarkWolf), Sanket Parmar (sanket.parmar), Slava Abakumov (slaffik), Stagger Lee (stagger-lee), Stephen Edgar (netweb), Sven Wagener (mahype), wordpressrene.

BuddyPress 2.8 is called “San Matteo” after a great pizza restaurant in New York City. San Matteo specializes in the “panuozzo”, a pizza-sandwich hybrid native to Salerno, Italy. The proprietor of San Matteo is a friendly fellow who insists on speaking Italian even to customers who don’t understand a word of it. If you find yourself in the neighborhood, be sure to stop by for a great pizza.

Time to Go Get 2.8.0!

Grab BuddyPress 2.8.0 “San Matteo” from the wordpress.org plugin repository, or right from your WordPress Dashboard.

Questions, comments, feature requests, or bug reports? Please use our support forums or our development tracker.

by Slava Abakumov at February 15, 2017 10:38 PM under releases

HeroPress: Not every hero wears a cape

Pull Quote: Sometimes the biggest heroes are the people who notice that someone else feels out of place, extend their hand, and welcome them in.

I almost didn’t go to my first WordCamp

I started working with WordPress in 2010. A client requested I use WordPress and a Revolution theme they’d purchased to build their new site. When I was done, I submitted it to the theme showcase, and Brian Gardner reached out to tell me how much he’d liked it.

I continued working with Brian and his themes as Revolution became Revolution 2, and then StudioPress and Genesis. That led to me designing and developing Family Tree, one of the first commercial themes targeted at women entrepreneurs. It was released in May of 2011.

Right around the release of my first theme, Brian asked if I was going to be at WordCamp San Francisco. There was going to be a Genesis Connect event there, and he wanted me to be there. I really wanted to go, but didn’t know how I was going to pull it off.

See, after a years long struggle I had recently been diagnosed with bipolar disorder.

I was trying to rebuild my design career with WordPress, but I was really struggling.

I felt like flying to San Francisco to see my internet friends was a luxury I couldn’t afford.

But when I mentioned it to my wife, she told me we’d find a way. She started hitting travel sites and found a cheap airline ticket. Then she went on AirBnB and booked me a couch in the lobby of an art gallery in the Tenderloin–it was the cheapest thing we could find. I left on August 11, 2011, three days before my 40th birthday.

My first day of WordCamp SF was a nightmare

I have pretty severe social anxiety, so my plan was to maintain a low profile and keep to myself until I could meet up with some of my Genesis friends. About 20 minutes into the first talk I went to I was totally lost, so I thought I’d sneak out and hit lunch early. It seemed like a solid plan.

My foot had fallen asleep during the presentation, though, and as I stood up to sneak out my ankle buckled and I fell. Every head in the auditorium whipped around to stare at me slowly rolling down the aisle. It was painfully obvious to me that not only did I not belong, but I had just made a very public ass of myself and was mortified.

Then the WordPress Community stepped in

There was already a huge crowd in the courtyard when I managed to slink out of the auditorium. I felt like someone had dropped me back into my junior high cafeteria. I stood in the massive line, wanting nothing more than to find a quiet corner to nurse my wounded pride, call my wife, maybe cry a little, and tell her that coming had been a huge waste of time and money.

If that’s how my day had panned out, my WordPress story might have been a lot different. Instead, I ran into my first ambassador of the WordPress community.

This kind of goofy guy in front of me started chatting me up.

I told him it was my first WordCamp. He asked me where I was from, and we discovered we lived maybe an hour away from each other: me in San Diego, him in Orange County. He invited me to eat lunch with his group. And that’s how I wound up sitting at a table eating lunch with Steve Zehngut and his crew.

These people were more like me: marketers and designers, theme authors and SEO specialists, food bloggers and digital nomads. I started to feel like I might belong there, after all. The phone call I made to my wife after lunch was about how much fun I was having, and how many cool people I was meeting.

Later that day I went to dinner with the crew from Genesis and met even more amazing people I’d only known online. After that, there was a huge Genesis Connect happy hour. The more people I met and talked to, the more friends I made. On Sunday, before one of the final presentations, an auditorium of my new friends sang “Happy Birthday” to me. (I won’t lie–it was cool but also almost as embarrassing as falling down the first day, lol!)

One person can make a difference

If Steve hadn’t asked me to eat lunch with his group that day, I might have never gone to another WordCamp. Instead, when WordCamp San Diego 2012 came around Dre Armeda encouraged me to submit a speaker application, and I gave my first talk. For six years now I’ve spoken at every local WordCamp that’s accepted my speaker application, trying to inspire other people to get and stay involved in our community.

I spent some time looking at the 2011 WCSF attendees list when I was writing this essay. Some of my best friends (and best WordCamp stories) can be directly linked to that list. Even the people I may not have met at that event came into my life because of that event.

Six degrees of a lunch invitation

I don’t remember whether or not I met Alex Vasquez in San Francisco, but he’s one of the people who actually wants an honest answer when he asks how I’ve been. I’m pretty sure I didn’t meet Andy Stratton there, but I eventually travelled to Baltimore to speak at the WordCamp he and Drew Poland organized. I’m positive I didn’t cross paths with Karim Marucchi, but he eventually became my boss, mentor, and go-to puppy picture friend. And those are just the connections from one event that happened 6 years ago.

WordCamp San Francisco taught me that being a hero doesn’t have to be a huge, dramatic thing.

Sometimes the biggest heroes are the people who notice that someone else feels out of place, extend their hand, and welcome them in. Of all of the lessons I’ve learned in WordPress, that’s the most important one. Thanks, Steve!

(P.S. If anyone knows where I can find some adult Superman Underoos in stock, LMK. WordCamp San Diego is coming up at the end of March, and I never got Steve a proper thank you gift.)


by Chris Ford at February 15, 2017 12:00 PM

February 14, 2017

WPTavern: Open Source Leadership Summit to Live Stream Keynote Sessions February 14-16

The Linux Foundation’s Open Source Leadership Summit is happening in Lake Tahoe, CA, February 14-16, 2017. The invitation-only event brings together open source technology leaders to collaborate across different projects and share best practices.

The organizers will be live streaming all of the keynote sessions for free throughout the three-day event for a total of 17 presentations. A few sample topics and speakers include:

  • State of the Union – Jim Zemlin, Executive Director of the Linux Foundation
  • A Conversation with Linus Torvalds (with Jim Zemlin)
  • State of Blockchain – Christopher Ferris, CTO of Open Technology, IBM
  • Security and Privacy in a Hyper-connected World – Bruce Schneier, Security Expert
  • Building and Motivating Engineering Teams – Camille Fournier, Senior Thinker and Raconteur
  • How Cross-Foundation Collaboration is a Win for Open Source – Abby Kearns, Executive Director, Cloud Foundry Foundation

Anyone who wants to join the keynote sessions via live stream will need to sign up ahead of the event. The keynotes will be broadcast in Pacific Daylight Time and viewers can return to the signup page to watch live. Viewers are encouraged to use the event’s official #lfosls hashtag to tweet about the sessions as they are watching.

by Sarah Gooding at February 14, 2017 06:32 AM under News

WPTavern: Why Plugins Sometimes Disappear From the WordPress Plugin Directory

Nearly 50K publicly available plugins call the WordPress plugin directory home, but once in a while a few of them seem to disappear. There is usually a good reason why this happens, but the only information available to the public is a page that says the plugin cannot be found. If the plugin is popular enough, concerned users will contact us and ask us to investigate what happened.

Mika Epstein, Plugin Directory Representative, says there are a number of reasons for why a plugin can end up hidden from view, “The most well-known, but not the most common, is security issues,” Epstein said.

“Plugins are removed and, by default, hidden mostly because we’re on bbPress 1.0 and there is not as granular a control with post statuses when compared to WordPress itself.”

The plugin review team has three options to choose from when altering a plugin’s visibility: active, closed, and disabled. Although rarely used, the disabled state hides a plugin from view while still allowing updates to be pushed out.

I asked Epstein why there’s not more detailed information when a plugin is hidden and the answer is complex, “The lack of information is partly technical as bbPress 1.0 is limited and partly because we can’t all agree on the right way to disclose, when to disclose, and when not to disclose,” she said.

“Obviously the last thing we want are people getting hacked, but it presents us with a few options and they all have flaws. We’ve not been able to determine a way to tell people ‘This plugin is gone, don’t use it’ and ‘This plugin is gone, but use it if you want.’ without putting users at risk.”

Epstein uses WooCommerce and Jetpack as examples, “Let’s say I close Jetpack today and tell people ‘WordPress decided not to support it anymore.’ But tomorrow I close WooCommerce and tell people ‘I can’t tell you why.’ That means an intelligent person knows that WooCommerce is probably vulnerable.”

It’s a conundrum without an easy solution. The team typically closes plugins which makes the plugin’s page disappear. This has the added benefit of making it more difficult to determine if the plugin ever existed. Then the team contacts and works with the developer directly.

Most closures are done with the knowledge of the plugin author as they are often the ones who request that their plugins be closed.

The New WordPress Plugin Directory Will Modernize Plugin Administration

Announced at WordCamp Europe 2016, the WordPress plugin directory redesign has been in open beta for about eight months.

WordPress Plugin Directory Redesign

In addition to bringing a fresh new look to plugin pages, the migration away from bbPress to WordPress will help make the plugin review team’s job easier, “Like far too many things in Plugin Land, everything depends on modernizing the backend to something that is functional.” Epstein said.

“Once the new directory is out and I have some more people trained to do reviews properly, then we’ll have the bandwidth to sit down and really figure out a best solution.

“A stopgap might be making the page say ‘This plugin is no longer available.’ But I’m personally not sure if that would make FUD better or worse.”

If you discover that a plugin you rely on has suddenly vanished from the directory, don’t panic. Depending on the issue, plugins usually reappear within a week unless the author has requested that it be closed.

To learn what’s involved and how the plugin review team does its job, listen to episode 231 of WordPress Weekly. I also encourage you to read our detailed interview with Epstein published in 2014, in which most of the information is still accurate.

by Jeff Chandler at February 14, 2017 03:37 AM under wordpress plugin directory

February 13, 2017

WPTavern: WordPress REST API Vulnerability Exploits Continue

photo credit: Code & Martini by Ivana Vasilj – cc license

It has been nearly two weeks since the WordPress security team disclosed an unauthenticated privilege escalation vulnerability in a REST API endpoint in 4.7 and 4.7.1. The vulnerability was patched silently and disclosure was delayed for a week to give WordPress site owners a head start on updating to 4.7.2. Last week hundreds of thousands of vulnerable sites had already been defaced and the damage reports are still rolling in.

Over the weekend the attacks increased and WordPress security firms have seen more attempts blocked by their firewalls. Sucuri, the website security firm that reported the vulnerability to WordPress, was tracking the “Hacked by w4l3XzY3” campaign last week and estimated 66,000 defacements. That particular campaign has now passed 260,000 pages indexed by Google. It is one of nearly two dozen defacement campaigns targeting the vulnerability.

“During the past 24 hours we have seen an average growth in defaced pages per campaign of 44%,” Wordfence CEO Mark Maunder said on Friday. “The total number of defaced pages for all these campaigns, as indexed by Google has grown from 1,496,020 to 1,893,690. That is a 26% increase in total defaced pages in just 24 hours.”

Maunder referenced a Google Trends chart which he said demonstrates the success the defacement campaigns have had over the past week. The spike began on the day WordPress disclosed the vulnerability.

However, White Fir Design, another company that offers security services, disputes Wordfence’s claims that 1.8 million pages were hacked. The ~2 million pages figure is cited in reports from BBC, The Enquirer, Ars Technica, CIO.com, and other publications. White Fir Design contends that the hacked pages that have been indexed by Google are not an accurate representation.

Sucuri CTO Daniel Cid also does not fully agree with Wordfence’s assessment of the situation. After doing some research over the weekend, Sucuri estimates more than 50,000 sites hacked with 20-30 pages per site defaced. This would be roughly a million on the lower end of the estimate and ranges up to 1.5 million.

Sucuri is also starting to see more serious attempts on the REST API vulnerability in the form of remote code execution (RCE) attacks on sites using plugins that allow for PHP execution from within posts and pages. One such campaign attempts to inject a PHP include to add content from a compromised site and then inject a backdoor hidden in /wp-content/uploads.

“Defacements don’t offer economic returns, so that will likely die soon,” Cid said. “What will remain are attempts to execute commands (RCE) as it gives the attackers full control of a site – and offers multiple ways to monetize – and SPAM SEO / affiliate link / ad injections. We are starting to see them being attempted on a few sites, and that will likely be the direction this vulnerability will be misused in the coming days, weeks and possibly months.”

Hackers are targeting any sites that haven’t updated to 4.7.2 – there doesn’t seem to be any pattern among them. A quick look at the Google results for the most active campaigns shows that compromised sites include blogs, media, government, education, sports, medical, and technology websites.

Why the REST API is Enabled by Default

The WordPress REST API is enabled by default, as the plan is for more admin and plugin functionality to rely on the REST API in the future. After the recent attacks, several users commented on the vulnerability disclosure to ask why it is enabled by default.

“The security issue is in a feature I do not use on any of my sites (REST API) and yet still, this feature is first enabled by default and second since WordPress 4.7 you even need a plugin – which could introduce further security issues – to disable the feature?” one user (@helios2121) commented on the post. “Please rethink your approach to security. Make features that not everyone needs opt-in. Or at least give a way to opt out without requiring additional plugins.”

Morten Rand-Hendriksen opened a trac ticket to discuss disabling the REST API by default and only enabling it when the site admin requests it, or a theme or plugin is dependent on it.

Core Committer Sergey Biryukov confirmed that the plan is to introduce more core functionality that relies on the REST API. “Turning off the REST API is like turning off admin-ajax.php — both will break your site,” Biryukov said.

Rand-Hendriksen asked why the content endpoints cannot be protected by default while allowing the REST API to be on by default for admin purposes. Another user asked why the Users endpoint isn’t protected by default (i.e. https://news.microsoft.com/wp-json/wp/v2/users or https://www.obama.org/wp-json/wp/v2/users), which “makes it easier than ever to get all the usernames” on any site using 4.7+.

“If you really want to disable the REST API on your site(s), this is our current recommendation: restrict it to authenticated users,” Core Committer James Nylen said. “However, we want to continue to increase adoption and usage of the REST API, and I expect that even this modification will break more and more WP functionality as time goes on, such as API-driven themes and embeds.”

Nylen recommends the Disable JSON API plugin for those who want to follow that recommendation on sites using WordPress 4.7+. The plugin currently has more than 10,000 active installs.
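The recommendation above (restrict the REST API to authenticated users, which also closes the anonymous /wp/v2/users listing mentioned earlier) can be implemented as a small must-use plugin. This is an added example, not code from WordPress core, the article, or the Disable JSON API plugin; the function name is my own, and it relies on the rest_authentication_errors filter that WordPress core provides.

```php
<?php
/**
 * Plugin Name: Require Login for REST API (added example)
 * Description: Returns HTTP 401 for every REST API request that is not
 *              made by a logged-in user. Closes the public /wp/v2/users
 *              and /wp/v2/posts listings to anonymous visitors.
 */

// Do nothing if this file is loaded outside WordPress.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

/**
 * Reject REST requests from visitors who are not logged in.
 *
 * The rest_authentication_errors filter runs after cookie/nonce
 * authentication, so is_user_logged_in() is reliable at this point.
 *
 * @param WP_Error|null|true $result Result of earlier authentication checks.
 * @return WP_Error|null|true Unchanged result, or a 401 WP_Error.
 */
function rest_auth_example_require_login( $result ) {
	// Core or another plugin already decided (error or explicit allow).
	if ( ! empty( $result ) ) {
		return $result;
	}

	if ( ! is_user_logged_in() ) {
		// The REST server turns the 'status' field into the HTTP status code.
		return new WP_Error(
			'rest_not_logged_in',
			__( 'You must be logged in to use the REST API on this site.' ),
			array( 'status' => 401 )
		);
	}

	// Logged-in user: leave the result alone so normal capability checks apply.
	return $result;
}

// As Nylen notes, this also blocks anonymous features that depend on the
// API (for example oEmbed discovery of your posts and API-driven themes);
// test the site after enabling it.
add_filter( 'rest_authentication_errors', 'rest_auth_example_require_login' );
```

Placing the file in wp-content/mu-plugins/ activates it without a dashboard step, so it cannot be switched off by accident.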

The WordPress security team worked diligently to mitigate the attacks by helping hosts and security firms put protections in place before the issue was made public. However, the full disclosure of the vulnerability was buried on the Make/Core blog, a site that is not widely read among regular WordPress site owners. The link to the disclosure was published as an addendum to the previous post on the WordPress news blog a week later.

“While I appreciate the responsible disclosure of this issue and the effort to resolve it, I hope you consider making future announcements via a new post on the WordPress News site, rather than just appending an update to a previous post,” user @johnrork commented on the official disclosure. “I am probably not the only one who could have avoided being compromised had this shown up as a new item in my RSS reader on Wednesday.”

Those who read the Make blogs had a head start on fixing their own sites and/or their clients’ sites. Those who depend on the WordPress news blog for information on security updates probably read the post when it was initially published and never returned to see the update a week later. An issue this severe warranted WordPress’ transparency in a new post on its news blog. This would have also automatically sent out a tweet to more than half a million followers on the official WordPress account and the Facebook account which has more than a million likes.

Fortunately, the number of vulnerable sites that also have plugins that could allow attackers to piggyback on this vulnerability is a much smaller number. Defaced sites are embarrassing but easy to fix. In most cases administrators need only update to 4.7.2 and roll back the defaced posts to the most recent revision. Most site owners have no idea how fast exploits begin to pop up after public disclosure, but this situation provided a gentle reminder of the importance of updating WordPress and the benefit of leaving automatic updates on.

by Sarah Gooding at February 13, 2017 10:59 PM under wordfence

February 11, 2017

WPTavern: 10up Unveils ElasticPress.io: Elasticsearch as a Service for WordPress Sites

10up launched ElasticPress.io this week, its new Elasticsearch SaaS product with plans starting at $299/month. Elasticsearch is an open source, distributed search engine that speeds up searching by storing data as JSON documents in indices. An index maps fields to the documents that contain them, and the engine queries that index instead of a site’s entire database.

Elasticsearch can perform near-real-time searches and is highly scalable, but the setup is technically demanding. It is used by many large companies, such as GitHub, Soundcloud, Etsy, Netflix, Cisco, and Samsung. It is also one of the most popular enterprise search engines for WordPress sites, as searching WordPress tables with thousands or even millions of records is simply not going to be fast.

The WordPress plugin directory has a dozen plugins for using and extending Elasticsearch but 10up’s ElasticPress is by far the most popular with more than a thousand installs. After supporting the plugin for several years, along with many enterprise clients using Elasticsearch, 10up decided to create a hosted service that integrates with ElasticPress.

“The reason we created this solution for our clients, and that we’re now making this public, is that we don’t think anyone has provided a super easy, end-to-end (plugin to hosted service) that offers all of the benefits of Elasticsearch and our ElasticPress plugin, while being completely agnostic to your site hosting,” 10up founder Jake Goldman said.

ElasticPress.io is an end-to-end solution that is specifically tailored for those using the ElasticPress plugin. This is one of the key differences from managing your own Elasticsearch infrastructure on a service like AWS. ElasticPress.io controls both the hosting and the plugin, allowing the service to optimize performance for both.

“There are a number of really neat use cases for ElasticPress on our roadmap that add either risk (security) or headaches (complicated setup and management procedures) if you can’t control both ends,” Goldman said. “For instance, there are optional Elasticsearch modules (just like there are optional Apache and Nginx modules) for features like indexing media that many hosted Elastic services don’t enable by default or support. We also want to be able to index and handle content that isn’t public, and many hosted Elastic services aren’t locked down / secured end-to-end with the website by default.”

How ElasticPress.io’s Pricing Compares to Competitors

Elastic, the creator of Elasticsearch, was one of the first companies to launch Elasticsearch as a service in 2012. Two years later the company raised $70 million in a Series C funding round. Dozens of other Elasticsearch-as-a-service companies have sprouted up since then, with pricing ranging from under $20 to tens of thousands of dollars depending on the resources offered.

The ElasticPress.io service is the first of its kind in the WordPress ecosystem. Most hosting companies do not have it built into their enterprise level plans. WordPress.com VIP is one of the few that offers Elasticsearch for sites on its plans which range from $5,000 – $25,000 per month. WP Engine has an Elasticsearch solution as part of its Labs program, which is based on a fork of ElasticPress. However, the solution has not yet been officially added to the company’s enterprise plans.

For the most part, developers who have to implement Elasticsearch for a WordPress site are faced with hosting their own instance and managing it themselves. This is the most cost effective option but comes with a great deal more responsibility.

“Elasticsearch is a quickly evolving platform, and they don’t exactly have the same commitment to infinite backwards compatibility that WordPress has these days,” Goldman said. “Major Elasticsearch upgrades can break old integrations. That means the site owner needs to either worry about automatic version upgrades breaking their site, or has to manage their upgrades carefully. By controlling the integration with Elastic on the website site and controlling the hosting, we can carefully handle version upgrades for customers while making sure nothing breaks.”

10up is aiming at the higher end of the market where customers are looking for convenience and access to the creators of ElasticPress for support. Goldman anticipates many of those customers will be similar to the product’s existing customers who simply need a robust keyword search or related content engine that will “just work.” ElasticPress.io is also targeting smaller and mid-tier businesses that are experiencing performance bottlenecks with WordPress’ native query engine.

“Those customers are typically relying on rather complicated faceting / filtering of content, the classic use-case being a WooCommerce store where customers are constantly filtering on a handful of unique (unique = hard to cache) meta data all the time,” Goldman said. “That’s where ElasticPress really shines: our native WooCommerce support and optimization take those very taxing queries and makes them lightning fast.”

As the service is fairly unique in the WordPress space, ElasticPress.io’s pricing has room to evolve as 10up learns from its customers. The plans currently range from $299 – $999 per month with increasing storage space and tiered support response times. Goldman said they haven’t ruled out other pricing points and may explore more pricing options in the future.

by Sarah Gooding at February 11, 2017 06:33 AM under elasticsearch

Post Status: Jason Cohen, founder of WP Engine, on growing your company well — Draft Podcast

Welcome to the Post Status Draft podcast, which you can find on iTunes, Google Play, Stitcher, and via RSS for your favorite podcatcher. In this episode, I interview Jason Cohen, the founder of WP Engine and current CTO.

I talked to Jason about a whole lot of things, mostly to do with growing well. Whether you’re growing revenue, company size, or personal development — this is a conversation about growth, and how to do it well.

Unlike many entrepreneurs in the WordPress space, WP Engine isn’t Jason’s first business. He’s done this before, and made plenty of mistakes. He talks about what he’s done differently at WP Engine and how it’s made him a happier person.

This interview took place at LoopConf, and Jason was a keynote presenter. His LoopConf talk pairs well with our discussion.

You can catch the first segment on video, and the entire conversation is on the audio podcast.


Direct Download


Sponsor: iThemes

This episode is sponsored by iThemes. The team at iThemes offers WordPress plugins, themes and training to help take the guesswork out of building, maintaining and securing WordPress websites. For more information, check out their website and thank you to iThemes for being a Post Status partner.

Photo by Brian Richards for Post Status

by Brian Krogsgard at February 11, 2017 04:31 AM under Business owners

February 10, 2017

WPTavern: In Case You Missed It – Issue 17

photo credit: Night Moves (license)

There’s a lot of great WordPress content published in the community but not all of it is featured on the Tavern. This post is an assortment of items related to WordPress that caught my eye but didn’t make it into a full post.

Interviewed for WordPress.tv

A few weeks ago, Marcus Couch and I were interviewed by John Parkinson. Parkinson is a volunteer moderator and performs community outreach for WordPress.tv. In the interview, we discuss the benefits of WordPress.tv, the WordPress community, WordCamps, and more. I encourage you to check out his other community interviews as well.

WooCommerce and WordPress Used to Sell Stress Cubes

CNBC has an interesting story that features a 24-year-old who made $345K in two months selling Stress Cubes, a knock-off of the Fidget Cube. The Fidget Cube raised nearly $6.5 million in crowdfunding money.

The Fidget Cube experienced significant delays in shipping due to manufacturing issues. The 24-year-old contacted suppliers in China, purchased 1,000 plastic cubes, created a similar product, and shipped it to market before the Fidget Cube had a chance to reach backers. He used WordPress and WooCommerce to sell Stress Cubes grossing him nearly $350K in two months.

Why WordPress in Education

Jared Bennett explains how the Hamilton Wentworth District School Board uses WordPress. “We run over 100 individual school websites on a WordPress Multisite Network, and back in May of 2011, we launched the HWDSB Commons: a second Multisite Network which now hosts over 8,000 blogs for over 30,000 users,” Bennett said.

Bennett shares links to plugins the team created to solve specific issues such as comment moderation in BuddyPress and blocking specific modules in Jetpack. Since WordPress is free as in beer, it allows his school board to spend public money in a more responsible way.

“In the WordPress ecosystem we operate in, I pay for functionality to be developed, and I share it openly on platforms like the WordPress plugin repository, or on sites like Github,” Bennett said.

“The money you would have spent to enable the previously developed functionality, you can now spend on something else, something that I might benefit from. Think about how much more responsible this model is, particularly when we are talking about spending public money.

“We are all contributing; and the community benefits from those contributions; and our money — and the functionality of our platforms — improves exponentially faster than if we were all spending our money paying the private company over and over for code that has already been paid for by previous customers.”

To learn more about WordPress in education, listen to episode 261 of WordPress Weekly where we interview Cameron Barrett, founder of SchoolPresser, LLC. Barrett explains how he negotiated and helped migrate Newark, New Jersey’s public school system from a proprietary CMS to WordPress.

WP101 Plugin Now Has WooCommerce and Jetpack Videos

The WP101 plugin has added Jetpack and WooCommerce training videos. This is in addition to the Yoast SEO and WordPress training videos.

Adding Meta Fields to a Widget Sidebar Section

WP Sessions Developer Survey

WP Sessions is conducting a developer survey to find out about the tools developers use. Results will be anonymized and shared in aggregate in a few weeks.

Widget Logic Has a New Maintainer

Widget Logic, a popular plugin actively installed on more than 300K sites, has a new maintainer named WPChef. The plugin was created nine years ago by Alanft. Prior to WPChef gaining commit access, the last time Widget Logic was updated was two years ago.

After gaining access, WPChef released Widget Logic 5.7.0. This version fixed a PHP 7 compatibility issue, a conflict with WPML, added a new default load logic point, and a Ukrainian translation. In addition to bug fixes, a global admin notice to install Limit Login Attempts Reloaded was also added. Limit Login Attempts Reloaded is a separate plugin owned and maintained by WPChef.

Limit Login Attempts Reloaded Admin Notice

The wording of the notice, and the fact that it appeared globally, caused some users to be concerned or upset. Some users responded to the update by writing 1-star reviews. After a user described the notice as sounding like fake news, WPChef changed it.

From SupportPress to Help Scout!

The WordPress.org community team is moving away from SupportPress to Help Scout. The move opens up a number of possibilities as Help Scout offers a lot of features that are non-existent in SupportPress.

Moving from SupportPress to Help Scout

Plush Wapuu!

In what is a traditional part of this series, I end each issue by featuring a Wapuu design. For those who don’t know, Wapuu is the unofficial mascot of the WordPress project.

This plush Wapuu which was given away at WordCamp US 2016 as part of the event’s swag was a huge hit with attendees and their children. I have one myself and the quality is superb.

That’s it for issue seventeen. If you recently discovered a cool resource or post related to WordPress, please share it with us in the comments.

by Jeff Chandler at February 10, 2017 10:16 PM under wpsessions

BuddyPress: BuddyPress 2.8.0 Release Candidate 1

BuddyPress 2.8.0 Release Candidate 1 is now available for testing. Please download the 2.8.0-RC1 zip or get a copy via our Subversion repository.

This is our last chance to find any bugs that slipped through the beta process. So please test with your themes and plugins. We plan to release BuddyPress 2.8.0 next Wednesday, February 15.

A detailed changelog will be part of our official release notes, but you can get a quick overview by reading the post about the 2.8.0 Beta 1 release.

Release Candidate means we are in string freeze, so translators should feel confident in finishing their BuddyPress translations in GlotPress.

Let us know of any issues you find in the support forums and/or on our development tracker.

Thanks in advance for giving the release candidate a test drive!

by Slava Abakumov at February 10, 2017 08:51 PM under releases

WPTavern: Creative Commons’ New Search Tool is Now in Beta, Pulls CC Images from Multiple Sources

If you’ve been wearing out Unsplash images on your blog, it’s time to take another look at Creative Commons. The site has just launched the beta of its new multi-source search interface. Unlike the current search tool, which will only search one source by sending the visitor offsite, CC Search loads the results from multiple sources onsite.

The Commons includes approximately 1.1 billion works in various formats – literary works, videos, photos, audio, scientific research, and other formats. As half of these works are estimated to be images, the prototype for the new search tool focuses on this format.

“Our goal is to cover the whole commons, but we wanted to develop something people could test and react to that would be useful at launch,” Creative Commons CEO Ryan Merkley said. “To build our beta, we settled on a goal to represent one percent of the known Commons, or about 10 million works, and we chose a vertical slice of images only, to fully explore a purpose-built interface that represented one type but many providers.”

CC Search currently pulls CC-licensed images from Rijksmuseum, Flickr, 500px, the New York Public Library, and the Metropolitan Museum of Art. This includes 200,000 new images from the collection of 375,000 digital works that the Met released under CC0 this week.

In addition to the new search interface, the beta includes social tools that allow users to curate and share their own lists, add tags and favorites, and save searches. One-click attribution is built in, making it easy for users to properly attribute the works.

As Creative Commons is a small organization and fairly lean on resources, the new search was built by a single contractor over seven months. Software engineer Liza Daly was selected to research and build a proof-of-concept for CC Search, a project which she understood to be “a front door to the universe of openly licensed content.”

“CC Search is meant to make material more discoverable regardless of where it is hosted,” Daly said. “For this reason (and for obvious cost-saving objectives), we decided to host only image metadata — title, creator name, any known tags or descriptions — and link directly to the provider for image display and download. A consequence of this is that CC Search only includes images which are currently available on the web; CC is not collecting or archiving any images itself.”

Daly built the search feature on AWS cloud infrastructure using Python, Django, Postgres, and Elasticsearch. The beta has estimated hosting costs of $1,400/month. She opted for Python, because she was most familiar with it.

“As the prototype evolved, we decided the opportunity for an engaging front door to the Commons lay in curation and personalization,” Daly said. “Because of its dedicated maintenance team and frequent patch management, I chose Django as the web framework.” She chose Elasticsearch over Solr (and other options) primarily because of AWS’s Elasticsearch-as-a-service offering.

“CC Search is not, at this time, a particularly sophisticated search application; image metadata is relatively simple and when dealing with a heterogeneous content set from a diversity of providers, one tends towards a lowest-common-denominator approach — our search can only be as rich as our weakest data source,” Daly said. “There is much to be improved here.”

Daly also described an interesting idea for adding a blockchain-type architecture that would record licensing transactions, sharing, and gratitude in a distributed way. This idea falls outside of the scope of the MVP but may be something the project’s future developers will consider when implementing the final version.

“A long-term goal of this project is to facilitate not only search and discovery, but also reuse and ‘gratitude,’” Daly said. “A frequent complaint about open licenses in general — both for creative works and software code — is that contributing to the commons can be a thankless task. There are always more consumers than contributors, and there’s no open web equivalent to a Facebook ‘like.’”

Other future improvements that the team will consider based on user feedback include adding more content partners, more tools for customizing lists, allowing users to search from their own curated material, and giving trusted users the ability to push metadata back into the collection. Search filters may also be expanded to allow for searching by color, drilling down into tags, and searching public lists.

Check out the beta for the new CC Search at ccsearch.creativecommons.org.

by Sarah Gooding at February 10, 2017 05:42 AM under creative commons

February 09, 2017

WPTavern: Google Webmaster Tools Fixes Confusing Messages About Updating WordPress

In 2009, Google announced it would send notifications via Webmaster Tools to site owners when new versions of their software (e.g. Joomla, Drupal, or WordPress) are available.

WordPress 4.7.2 was released at the end of January. It patched a critical security vulnerability with the REST API that is being actively exploited in the wild. Site owners who updated to 4.7.2 are receiving Google Alerts that their sites are out of date.

Recommended WordPress update available for http://www.example.com/

To: Webmaster of http://www.example.com/,

Google has detected that your site is currently running WordPress 4.7.0 or 4.7.1, an older version of WordPress. Outdated or unpatched software can be vulnerable to hacking and malware exploits that harm potential visitors to your site. Therefore, we suggest you update the software on your site as soon as possible.

Following are one or more example URLs where we found pages that have outdated software. The list is not exhaustive.

Some of the people who received notices thought the email was a phishing attempt as WordPress is misspelled using a lower-case p. Others expressed confusion and anxiety receiving notices despite having already updated their sites.

WordPress-powered sites contain a meta generator tag that Google uses to detect which version is running:

<meta name="generator" content="WordPress 4.7.1" />

However, Google does not monitor pages in real time. If a site owner updates to WordPress 4.7.2 but the page indexed by Google was crawled while it was still running 4.7.1, they’ll receive a notice.

Juan Felipe Rincón, Webmaster Outreach at Google, responded to the forum thread and confirmed the issues reported by users. “Definitely a problem on our end,” Rincón said.

“We’re sorry for causing confusion in the messaging and for the swirl this created for many of you and your users or client base.”

Google was aware that notices would be sent to site owners who already updated but chose to send them anyway due to the seriousness of the vulnerability.

“However, we underestimated the number of sites that had already patched, and our messaging gave no room for interpretation or letting website owners know that if they had already upgraded they could ignore the message safely,” Rincón said.

Google has implemented the following changes to improve its update notification system:

  • Messages have stopped being delivered for now but will resume shortly.
  • The messages have been reworded to be clearer.
  • Additional checks have been added to reduce the number of notifications sent to owners who already updated.

If you’ve updated WordPress to 4.7.2, you can safely disregard the notices.

by Jeff Chandler at February 09, 2017 11:55 PM under wordpress 4.7.2

WPTavern: WordCamp Miami 2017 to Host JavaScript Track, AMA Spots, and 2-Day Kids’ Camp

WordCamp Miami is sporting an 80’s theme this year for its 9th year running. The team of 12 organizers is expecting more than 800 attendees and will host 60+ local and global speakers, including new speakers from India, Australia, Poland, Canada, and other international locations.

As in previous years, WordCamp Miami is a multi-day smorgasbord of WordPress networking and educational opportunities with workshops for all ages. The event is bringing back the two-day Kids’ Camp and Kids’ Panel it hosted last year. David Bisset, one of the organizers, is expecting approximately 50 attendees and said the team is seeing an even greater increase of parents and kids than previous years, based on more kids’ tickets being purchased earlier.

This year the Kids’ Camp will focus on blogging and coding and children will even get their own attendee bags. Kids will also receive free hosting and a free domain name, thanks to a donation from a sponsor. The call for speakers for kids aged 7-18 is now open.

WordCamp Miami will be hosting three workshops on the Friday leading up to the main event: a Beginner’s workshop, a Freelance workshop, and the WP REST API / BuddyCamp workshop. This is the fifth consecutive year for BuddyCamp and attendees will have the opportunity to learn more about building mobile applications with BuddyPress and the WordPress REST API.

The “Learn JavaScript Deeply” track is returning in 2017, featuring local and international JS developers. So far WordCamp Miami is the only camp to have an entire track devoted to JavaScript. Organizers have designed the format of the track to be duplicated by other camps that want to include more JS content.

The event’s organizers usually attempt to get “outside the WordPress bubble” by inviting speakers with experience in other platforms to share with attendees. This year’s lineup includes two sessions from members of the Drupal and Joomla communities. Mike Herchel, a front-end web developer at Lullabot, will present a session titled “WordPress & Drupal: Community and Contribution Differences and Lessons.” Aleksander Kuczek, CEO of Perfect Dashboard and a Joomla Extension Directory team member, will be speaking about how Joomla handles plugin contributions.

Other focus topics during the main event include customizing/extending WordPress, e-commerce, mental health, content marketing, and building a better business (from freelancers to agencies). Organizers have also reduced the time for speakers a little in order to introduce some “AMA” spots. The new format will feature prominent people in the community who will be available to simply answer questions from attendees. The guests for the AMA spots are still being finalized, but Bisset said one example is a representative from Sucuri and will be available to answer any questions regarding security.

WordCamp Miami will also debut the “Rate My Talk With Emoji” app that Bisset developed for attendees to give “live speaker feedback” while sessions are happening. He said the team is hoping to have the speakers decide on which emoji should be available, but if there are problems with pre-event testing they will pre-select emoji. At this time they are not planning on including any negative ones. Speakers will have access to their results after the conference.

WordCamp Miami would not be possible without the event’s army of volunteers. Bisset said organizers are still looking for volunteers to help out before and during the event.

by Sarah Gooding at February 09, 2017 08:22 PM under wordcamp miami

WordPress Planet

This is an aggregation of blogs talking about WordPress from around the world. If you think your blog should be part of this site, send an email to Matt.

Official Blog

For official WordPress development news, check out the WordPress Core Blog.


Last updated:

February 24, 2017 09:30 PM
All times are UTC.