Easy WP SMTP 1.4.3 Patches Sensitive Data Disclosure Vulnerability

Easy WP SMTP has patched a vulnerability that allowed attackers to capture a password reset link from the plugin’s debug log file and gain unauthorized access to the site. The plugin is used by more than 500,000 WordPress sites to route all outgoing email through an SMTP server so messages are less likely to end up in recipients’ junk/spam folders.

WPScan categorized the vulnerability as a “sensitive data disclosure:”

The plugin has an optional debug log file generated with a random name, located in the plugin folder and which contains all email messages sent. However, this folder does not have any index page, allowing access to log file on servers with the directory listing enabled or misconfigured. This could allow attackers to gain unauthorised access to the blog by resetting the admin password by getting the reset link from the log.

Easy WP SMTP version 1.4.3 contains the fix, adding an empty “index.html” file to the plugin’s folder so the directory cannot be browsed even on servers that are missing the “Options -Indexes” directive. Note that the index file only blocks listing: a debug log whose random name has already been discovered remains directly downloadable, so administrators should also disable directory indexes at the web-server level and turn the optional debug log off (or delete any existing log) once they have finished troubleshooting. Users are advised to update immediately, as the vulnerability has already been exploited in the wild. Several users took to the plugin’s support forums to report attempts on their sites.

Jerome Bruandet, a security researcher from NinTechNet, reported the vulnerability and published a post explaining how an attacker might access the debug log where the plugin writes all the email messages sent by the site. Using author archive scans, the hacker can find a username and then send a password reset email that gets intercepted via the Easy WP SMTP debug log file:

Easy WP SMTP log file – source: NinTechNet
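The first thing a site owner wants to know is whether their plugin folder is listable at all, and whether anything log-like shows up in that listing. The following is an added example written for this article, not code from Easy WP SMTP, WPScan or NinTechNet. The sample HTML, the random-looking file name standing in for the debug log, and the KNOWN_TEXT_FILES set are assumptions made for the example; both Apache’s mod_autoindex and nginx’s autoindex title their pages “Index of /path”, which is what the check keys on.

```python
"""Detect an exposed plugin directory listing and the log file it reveals.

Added example for this article; it is not Easy WP SMTP or WPScan code.
The HTML below, the file names and KNOWN_TEXT_FILES are assumptions
made for the example.
"""
import urllib.request
from html.parser import HTMLParser

# Text files a plugin folder legitimately ships; anything else ending in
# .txt/.log in a listing deserves a look. Assumed list for the example.
KNOWN_TEXT_FILES = {"readme.txt", "license.txt", "changelog.txt"}

# Apache/nginx style auto-index page, constructed for this example. The
# random-looking .txt name stands in for the plugin's debug log.
SAMPLE_LISTING = """<html><head>
<title>Index of /wp-content/plugins/easy-wp-smtp</title></head><body>
<h1>Index of /wp-content/plugins/easy-wp-smtp</h1>
<a href="../">Parent Directory</a>
<a href="css/">css/</a>
<a href="easy-wp-smtp.php">easy-wp-smtp.php</a>
<a href="5fcd8e1a2b9c7d3e.txt">5fcd8e1a2b9c7d3e.txt</a>
<a href="readme.txt">readme.txt</a>
</body></html>"""

# What the same URL returns once 1.4.3's empty index.html is in place.
SAMPLE_AFTER_FIX = ""


class _ListingParser(HTMLParser):
    """Collect the <title> text and every href on the page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.links = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def _parse(html):
    parser = _ListingParser()
    parser.feed(html)
    return parser


def is_directory_listing(html):
    """Apache mod_autoindex and nginx autoindex both title the page 'Index of /path'."""
    return _parse(html).title.strip().lower().startswith("index of")


def exposed_log_files(html):
    """Basenames of .txt/.log entries in a listing, minus files a plugin
    normally ships. Empty list when the page is not a listing at all."""
    if not is_directory_listing(html):
        return []
    found = []
    for href in _parse(html).links:
        if href.endswith("/"):            # sub-directory or parent link
            continue
        name = href.rsplit("/", 1)[-1].lower()
        if name.endswith((".txt", ".log")) and name not in KNOWN_TEXT_FILES:
            found.append(name)
    return found


def check_url(url):
    """Fetch a plugin folder URL from your own site and report log candidates.
    A non-200 response or a connection error is treated as 'not listed'."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except Exception:
        return []
    return exposed_log_files(body)


if __name__ == "__main__":
    print(exposed_log_files(SAMPLE_LISTING))       # ['5fcd8e1a2b9c7d3e.txt']
    print(is_directory_listing(SAMPLE_AFTER_FIX))  # False
```

Run check_url against https://your-site/wp-content/plugins/easy-wp-smtp/ on a site you administer; an empty result after updating to 1.4.3 (or after disabling indexes on the server) is the expected outcome. The parser deliberately ignores the link text and looks only at hrefs, since some autoindex themes truncate long file names in the visible text.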

At the time of publishing, approximately 51.8% of users are on 1.4.x versions of the plugin. Without a more specific breakdown, it’s not clear how many users have updated to the patched 1.4.3 version. Approximately 59,000 sites have downloaded the plugin today, leaving many installations still vulnerable.

This is another case where automatic background updates on plugins can quietly save the day. Users who have auto-updates enabled for plugins have already received the fix. Administrators for older installations of WordPress or sites where auto-updates have been disabled will need to update manually as soon as possible.

Gutenberg 9.4 Introduces Button Width Selector and Typography Controls for List Block

Gutenberg 9.4.0 was released this week with many small improvements to existing features, while work on full site editing continues. This release will not be included in the upcoming WordPress 5.6 release but those who are using the Gutenberg plugin will have access to the improvements right away.

The button block now has a width selector, which allows the user to set the button to 25%, 50%, 75%, or 100% of the parent container. By default, a button’s width is determined by the size of its content. If you like bigger buttons, this update will give you more flexibility. Button margins are also included in the width calculations, so users can create multiple buttons in a row, or a grid of buttons, and have them properly fit together and aligned.

Making a button is easier than it has ever been before. Gone are the days of using shortcodes or hunting for the correct CSS class to apply in order to match the theme. Button creation used to be so needlessly difficult with a fragmented, unfriendly workflow, but the block editor continues to chip away at the complexity with each new release.

Version 9.4 also introduces typography controls for the list block. Gutenberg contributors have been discussing adding color and text size customizations to all text-based blocks since 2018, and the list block is finally getting some font size controls.

Social icons can also be resized now. Users can select from several preset sizes, including small, normal, large, and huge.

The 9.4 update adds support for <kbd> tags with a new button in the overflow rich text menu. These tags mark up keyboard input and render in the browser’s default monospace font, which helps when writing documentation or articles with inline code.

This release lays the groundwork for handling block variation transformations. Block variations are essentially the same block with registered variations that appear as a separate block in the block inserter. For example, the navigation block has horizontal and vertical variations. The editor now introduces a transform option for the scope field in block variations, so developers can control how to handle these transformations.

Enhancements in this release add polish to many aspects of the UI, including the inserter search, custom select menu styles, the link interface, Search block styling, and shortcode block styling, and add an optional preference that reduces the UI shown on hover.

One handy new feature for writing is that users can now add a header by typing /h1 to /h6 followed by enter/return. While I like the idea of this, it seems unintuitive to have to use enter/return to change the block to a header. This feature would be easier to remember if it mimicked the existing feature that allows users to add a header by typing ### followed by a space. Changing the trigger action to a space instead of a return would make more sense here.

Version 9.4 also includes a great deal of progress behind the scenes on experiments, including the full site editing framework, FSE blocks, the site editor, and global styles. Check out the changelog for a full list of bug fixes and enhancements.

WordPress.com Gives Conservative Treehouse the Boot, Citing TOS Violations

The Conservative Treehouse, a political publication hosted on WordPress.com for the past 10 years, is moving to a new host after receiving a notice from Automattic regarding violations of its Terms of Service. The site’s owner, previously identified as Florida resident Mark Bradman, claims to have a 500,000 – 1,000,000 unique readers per day. He has been ordered to find a new hosting provider and migrate the site away from WordPress.com by December 2, 2020.

Bradman followed up with Automattic to inquire about the specific infractions that put the site in violation of Automattic Ads Terms of Service. A representative from WordPress.com referred him to Section 5’s guidelines on “Prohibited Content,” and the prohibition against calls to violence in WordPress.com’s User Guidelines.

The Conservative Treehouse was characterized by The Daily Beast as “Patient Zero for a number of hoaxes that have percolated through [the] right-wing media ecosystem” after President Trump tweeted a conspiracy theory that originated on the site. Trump referenced an incident in Buffalo where police officers shoved an elderly protestor during the anti-police brutality protests that happened in June. The notion that the protester was an “ANTIFA provocateur” was originally seeded by an article on The Conservative Treehouse.

A cursory review of the past several months of posts on the anonymous blog shows it is home to a steady stream of misinformation. NewsGuard, an organization that assigns trust ratings based on transparent criteria, recommends readers proceed with caution because the website “severely violates basic journalistic standards.” The Conservative Treehouse gets a rating of 30/100 due to publishing false information and unsubstantiated conspiracy theories on numerous topics:

Because The Conservative Treehouse has published false and misleading claims, including about the COVID-19 pandemic, NewsGuard has determined that the website repeatedly publishes false content and does not gather and present information responsibly.

Bradman said he received the notification about the website being removed after publishing his post on what he calls “the COVID-19 agenda.” The conclusion of the article includes an image of a knife with the word “resist” written on it, followed by the words “whatever it takes.” The site’s comments are home to a “Rag Tag Bunch of Conservative Misfits,” as the tagline suggests, and there are more than 1,800 comments on the post announcing its upcoming move to a new host.

Despite the publication’s poor reputation, the site ranks #3,294 in the US, according to Alexa, with a largely American audience. Its owner claims to have more than 200,000 subscribers.

“We will take this challenge head-on and we will use this attack against our freedom as fuel to launch CTH 2.0, a new version of The Conservative Treehouse,” Bradman said.

Google Webmasters Central Rebrands to Google Search Central

Twenty years ago, every aspect of developing a website and putting it online was more complex than it is today – an enchantment of Merlin’s wand to most common folks. The term “webmaster” hasn’t aged well, but it was commonly used in a different era when tech wizards were the only people creating and managing websites. The term has become outmoded as online publishing and website building have become more user-friendly.

Google recently ran a study that showed usage of the term webmaster is in sharp decline, as web professionals now prefer more specialized terms, such as blogger, developer, SEO, or online marketer. In recognition of this change, the company is rebranding “Google Webmasters Central” to “Google Search Central.” The change will be rolled out to Google’s websites and social media within the next couple days.

In addition to the rebranding, Google is also centralizing its help information on one site and consolidating its blogs:

Moving forward, the Search Console Help Center will contain only documentation related to using Search Console. It’s also still the home of our help forum, newly renamed from “Webmasters Help Community” to “Google Search Central Community”. The information related to how Google Search works, crawling and indexing, Search guidelines, and other Search-related topics are moving to our new site, which previously focused only on web developer documentation.

The Google Webmasters blog and 13 other localized blogs are being moved to the new site for better discovery and easier language switching. Google is going to redirect current RSS and email subscribers to the new blog URL, so readers only need to update their bookmarks.

Google is also introducing a new jumping spider bot to accompany its Googlebot mascot in crawling the internet. The creature doesn’t yet have a nickname, but the company is soliciting suggestions.

WooCommerce Patches Vulnerability that Allowed Spam Bots to Create Accounts at Checkout

WooCommerce 4.6.2 was released yesterday with a fix for a vulnerability that allowed account creation at checkout, even when the “Allow customers to create an account during checkout” setting is disabled. The WooCommerce team discovered it after several dozen users reported their sites were receiving spam orders, or “failed orders” where the payment details were fake.

WooCommerce developer Rodrigo Primo described how the bot is attacking stores:

The gist of it is that the bot is able to create a user when placing an order exploiting the bug fixed by 4.6.2. After creating the user, the bot tries to find vulnerabilities in other plugins installed on the site that require an unprivileged authenticated account.

WooCommerce recommends users update to 4.6.2 to stop bots from creating users at checkout and then remove any accounts the bot previously created. This will not stop the bots from creating fake orders so store owners are advised to install additional spam protection from the WooCommerce Marketplace. Some users in the support forum are trying free plugins like Advanced noCaptcha & Invisible Captcha and Fraud Prevention Plugin for WooCommerce.

The first logged instance happened nine days before WooCommerce was able to issue a fix. In the meantime, some users reported having their site’s URL changed and other hacking attempts. Dave Green, WordPress engineer at Make Do, used log files to determine that the script relies on exploiting other vulnerabilities in order to gain access to the database.

“That script is creating the order, and is also likely to be exploiting whatever vulnerability is available to bypass customer account settings and create a new user; it may or may not be relying upon other exploits for this,” Green said.

“Assuming it has successfully gained access to the system, it then tries to update the DB. It either fails and leaves you with nuisance orders, or succeeds and points your site to the scam URL.”
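Green worked from log files, and the pattern he describes (a burst of checkout submissions from one client, followed by requests aimed at other plugins) is easy to pull out of an ordinary access log. The following is an added example written for this article, not WooCommerce code or Green’s script. The log lines are constructed for the example, and the threshold of three checkout POSTs within sixty seconds is an assumed starting point to tune per store; “/?wc-ajax=checkout” is the endpoint the WooCommerce checkout form posts to.

```python
"""Spot IPs bursting WooCommerce's checkout endpoint and what they do next.

Added example for this article; it is not WooCommerce code. The threshold,
the window and the log lines below are assumptions made for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log lines, constructed for this example. 203.0.113.7
# plays the bot: three checkout POSTs in seconds, then a request elsewhere.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2020:09:00:01 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2020:09:00:04 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2020:09:00:09 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2020:09:00:15 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Nov/2020:09:01:30 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Nov/2020:09:40:00 +0000] "GET /my-account/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line; None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def _is_checkout(rec):
    # /?wc-ajax=checkout is where the WooCommerce checkout form posts.
    return rec["method"] == "POST" and "wc-ajax=checkout" in rec["path"]


def checkout_bursts(log_text, threshold=3, window=timedelta(seconds=60)):
    """Map IP -> largest number of checkout POSTs seen inside `window`, for
    IPs reaching `threshold`. A shopper rarely submits checkout three times
    in a minute; an order-spam bot does."""
    stamps_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and _is_checkout(rec):
            stamps_by_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):      # sliding window over sorted times
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def after_checkout(log_text, ip):
    """Paths the IP requested after its first checkout POST, excluding further
    checkouts. Follow-on probing of other plugins shows up here."""
    first = None
    paths = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["ip"] != ip:
            continue
        if _is_checkout(rec):
            first = first or rec["ts"]
        elif first is not None and rec["ts"] > first:
            paths.append(rec["path"])
    return paths


if __name__ == "__main__":
    for ip in checkout_bursts(SAMPLE_LOG):
        print(ip, after_checkout(SAMPLE_LOG, ip))
```

Feed it your real access log and compare the flagged IPs against the creation timestamps of any customer accounts that appeared while the “create an account during checkout” setting was off; those are the accounts WooCommerce recommends removing. Sites behind a CDN or reverse proxy should log the X-Forwarded-For client address, otherwise every burst collapses onto the proxy’s IP.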

The WooCommerce team has also fixed this same bug in WooCommerce Blocks 3.7.1, preventing checkout from creating accounts when the related setting is disabled.

WooCommerce did not publish the names of any extensions that have vulnerabilities being exploited by this script. However, one user reported an attack that coincided with the fake orders:

I had a failed order yesterday with similar info to the OP as well.

At the exact same time that failed order came in, my WAF blocked two attempted attacks from the same user/IP (bbbb bbbb) for “TI WooCommerce Wishlist < 1.21.12 – Authenticated WP Options Change”

The script may have been probing for a vulnerability in the TI WooCommerce Wishlist plugin, which was patched approximately two weeks ago. The plugin is active on more than 70,000 WordPress sites.

The WooCommerce team is still researching the origin and impact of this vulnerability and will publish more information as it becomes available.

WooCommerce 4.6 Makes New Home Screen the Default for New and Existing Stores

WooCommerce 4.6 was released today. The minor release dropped during WooSesh, a global, virtual conference dedicated to WooCommerce and e-commerce topics. It features the new home screen as the default for all stores. Previously, the screen was only the default on new stores. Existing store owners had to turn the feature on in the settings.

The updated home screen, originally introduced in version 4.3, helps store admins see activity across the site at a glance and includes an inbox, quick access to store management links, and an overview of stats on sales, orders, and visitors. This redesigned virtual command center arrives not a moment too soon, as anything that makes order management more efficient is a welcome improvement, due to the sheer volume of sales increases that store owners have seen over the past eight months.

In stark contrast to industries like hospitality and entertainment that have proven to be more vulnerable during the pandemic, e-commerce has seen explosive growth. During the State of the Woo address at WooSesh 2020, the WooCommerce team shared that e-commerce is currently estimated to be a $4 trillion market that will grow to $4.5 trillion by 2021. WooCommerce accounts for a sizable chunk of that market with an estimated total payment volume for 2020 projected to reach $20.6 billion, a 74% increase compared to 2019.

The WooCommerce community is on the forefront of that growth and is deeply invested in the products that are driving stores’ success. The WooCommerce team shared that 75% of people who build extensions also build and maintain stores for merchants, and 70% of those who build stores for merchants also build and maintain extensions or plugins. In 2021, they plan to invest heavily in unlocking more features in more countries and will make WooCommerce Payments the native payment method for the global platform.

A new report from eMarketer shows that US e-commerce growth has jumped 32.4%, accelerating the online shopping shift by nearly two years. Experts also predict the top 10 e-commerce players will swallow up more of US retail spending to account for 63.2% of all online sales this year, up from 57.9% in 2019.

The increase in e-commerce spending may not be entirely tied to the pandemic, as some experts believe this historic time will mark permanent changes in consumer spending habits. This is where independent stores, powered by WooCommerce and other technologies, have the opportunity to establish a strong reputation for themselves by providing quality products and reliable service, as well as by being more nimble in the face of pandemic-driven increases in volume.

Gutenberg 9.0 Brings Major Improvements to Navigation Screen and Query Block

If you haven’t played around with Gutenberg’s experiments lately, the Navigation block is getting some exciting updates. Version 9.0 was released today with drag-and-drop support added to the list view of navigation items.

Contributors have been working through several different prototypes aimed at unifying the controls and simplifying the menu building process. The Navigation screen included in version 9.0 has been redesigned to improve the “Create Menu” flow and includes the following changes:

  • New Header and Toolbar components.
  • Manage Locations has been rewritten and is now a popover.
  • Add New form has been rewritten and now appears inline in the toolbar.
  • Automatically Add Pages checkbox and Delete menu button has been rewritten and now appears in the block inspector.

The screen is starting to take shape but is still very much a work in progress. If you want to test it, you can enable it under Gutenberg > Experiments.

The Query block was another main focus for the 9.0 release. It is taking a giant leap forward with new features like search, filtering by author, support for order/order by (date + title), and tags. This block should be tested locally and is still behind the __experimentalEnableFullSiteEditing flag since it requires full site editing blocks to display queried content.

Other notable UI enhancements include a new drag handle added to block toolbar for drag-and-drop capability. (It is not visible on the top toolbar). Blocks can be dragged to other areas of a post as an alternative to using the up/down arrows.

This release also removes the Facebook and Instagram blocks from the inserter, as Facebook will be dropping unauthenticated oEmbed support on October 24. WordPress core is also set to remove Facebook and Instagram as an oEmbed provider in an upcoming release.

For a full list of all the enhancements, bug fixes, experiments, and documentation updates, check out the 9.0 release post on WordPress.org.

WordPress Themes Directory Adds New “Delist” Status for Non-Compliant Themes

In August, following the suspension of the popular Astra theme, WordPress Meta contributors opened a ticket to add a new “delisting” status for non-compliant themes. Astra’s infraction, breaking the directory’s ban on affiliate links, put more than a million users at risk of not getting theme updates just as WordPress 5.5 was on deck for release. This week the team committed a patch for a delist status that will temporarily hide a theme from search, while still making it available directly. Alex Shiels outlined how the new status will work:

  • Delist is only available from a published state.
  • Relist will set the status back to publish.
  • Delisted themes are excluded from site search.

While a full suspension may seem like the best retributive action when theme authors violate directory guidelines, the necessity for users to be able to continue to get updates outweighs throwing the book at the author, especially for a first-time offense. A delisting policy is more restorative in that it seeks to maintain the connection that users have with the theme’s author instead of merely imposing a penalty that might ultimately have a negative impact on everyone involved.

In the past, the Themes Team has been limited on available actions for responding to violations. Ionut Neagu, CEO of ThemeIsle, had his company’s popular Zerif Lite theme suspended from the directory in 2016 for a five-month period that left 300,000+ users without maintenance and security updates. It also resulted in a 63% decline in the company’s revenue for that theme, since ThemeIsle was using WordPress.org as the primary channel for distribution.

Neagu remarked on how the new “delist” status provides a less severe transition back into the directory for popular themes:

The practice of delisting is something that’s already been done by other companies in similar situations. For instance, delisting is what Google does all the time when they find a website that doesn’t comply. Then, the website is allowed to come back and appear on the ranking pages again when the issues are fixed.

In the end, I think this is a move in the right direction and an improvement to the process of what happens with a problematic theme.

Despite the controversial decision that slashed ThemeIsle’s revenue from $120k/month to $45k/month in 2017, the company continued to support the theme, as well as new products, with WordPress.org as the main place to find them. Neagu reported that when the theme was reinstated, its revenue continued to be hard hit. It lost momentum and was unable to ride the wave of its initial success. Astra fared much better in the aftermath of its violation, given its short-lived suspension.

WordPress Themes Team member Alexandru Cosmin requested the ticket for adding the delisting status receive prompt attention, as the team is set to introduce some new policies and requirements that are tied to it. The patch was committed and then reverted temporarily to review how it impacted theme trac tickets, but the bugs appear to be unrelated to the patch.

The volunteer Themes Team has essentially been the de facto guardians of the WordPress.org marketplace that sends millions of dollars to theme authors, and they perform a great service to the community. But in the interest of supporting and accelerating the growth of the WordPress ecosystem, the team needs to adopt policies that create a more restorative path for violators, instead of obstructing the growth of products where issues have been quickly resolved.

AMP Plugin 2.0 Adds Onboarding Wizard and Expanded Reader Mode

The official AMP plugin for WordPress recently crossed the 2.0 milestone, a major release that closed 141 issues and merged 174 pull requests. The release was originally planned for v1.6 but due to the number of major changes the team decided to bump it to 2.0.

One of the most significant updates in this release is the expansion of the Reader Mode. The plugin has a lot of AMP-specific terminology associated with it and unless you are working with it every day, it’s easy to get confused by the different modes. Standard Mode is an AMP-first site where all URLs are presented as AMP pages. Transitional Mode uses one theme but canonical non-AMP URLs may offer a separate AMP version. Reader Mode uses two themes with the active one for canonical non-AMP URLs and a separate “Reader” theme for AMP URLs.

Version 2.0 introduces a new AMP Customizer for customizing the Reader theme. It loads with a mobile view and does not support widgets or homepage settings, as they are not applicable for the AMP version. The AMP Customizer makes it easy for site owners to make tweaks and changes that will only apply to the AMP version of URLs.

The Reader Mode is especially useful for sites that are not using AMP-compatible themes. Google engineer Weston Ruter described the expanded Reader Mode as follows:

Reader mode now allows for any AMP-compatible theme to be used to serve AMP pages, rather than just the legacy post templates. This allows for long-requested features including nav menus, logos, commenting, and template design variations. It also makes it possible to serve all URLs of a Reader-mode site in AMP, as opposed to just singular posts. 

One major usability update in version 2.0 is the addition of an onboarding wizard and revamped Settings screen that guides users through the different templating modes when configuring the plugin. Users who are routed to Reader Mode will be presented with a selection of themes for serving AMP pages and the wizard will handle installation. The final step of the configuration process allows users to review their choices in a preview screen.

Given the complexity of the AMP plugin and its many configuration options, the onboarding wizard was a critical addition if the plugin is going to grow past 500,000 active installs to reach a larger number of non-technical users.

Another notable update in this release includes a feature called “Plugin Suppression” that allows administrators to turn certain plugins off for AMP pages if they are causing validation errors. It also introduces mobile redirection for Transitional/Reader mode sites where AMP is intended to be the mobile version.

AMP is still far from a plug-and-play experience for WordPress users but the plugin does a lot of the heavy lifting and is evolving towards becoming more approachable for non-technical users. To that end, the AMP plugin team just announced a new video series that will focus on success with WordPress as a content creator, as well as performance and usability.

“We are crafting it with an audience in mind that covers both technical and non-technical users,” Google Developer Advocate Alberto Medina said. “The 2.0 version of the plugin makes an emphasis on providing options for users that are non technical but still want to take advantage of AMP to bring great page experiences to their users.”

The series will launch next week on Google’s AMP YouTube channel. Medina is also working on another series geared towards content creators that will cover topics like Web Stories in the first episodes.

WordPress Support Team Seeks to Curb Support Requests for Commercial Plugins and Themes

WordPress’ Support Team contributors are discussing how they can curb support requests for commercial products on the official WordPress.org forums. Users sometimes seek help for commercial product upgrades on the forums of the free version, not knowing that the moderators’ official policy is to refer them to the extension’s commercial support channel. In other instances, it is not immediately clear whether the issue is with the free version or a paid upgrade that the user has installed.

“This has come up a few times the past weeks, mostly in relation to plugins that have a free base product on WordPress.org, but sell addons on their own site, and where the line is drawn on who can get supported where,” WordPress contributor Marius Jensen said during the team’s most recent meeting. “Authors are not allowed to support their paid products on WordPress.org as is, but where do you draw the line, for example, when a base plugin causes issues with a paid addon, should then support be allowed for the base product on WordPress.org, since that’s the root issue, or should it be shipped off to the author’s own site, since it affects a paying user?”

This type of issue is common among products where WordPress.org is the main distribution channel for a popular free theme or plugin. The support relationship between the free and commercial products often intersects in an ambiguous way.

“The goal is to ensure that paying customers and free users get the best support they can, from the ones that can give it,” Jensen said. Volunteers do not have access to the commercial products, nor is it their job to support them. This is the crux of the matter.

“It’s an unacceptable misuse of volunteers time to support a product someone else has been paid to support,” Jensen said.

Contributors discussed how they can handle different scenarios where it’s unclear where the root of the problem is, in order to move the burden away from the support moderators, allowing the extension’s author to discern if the problem is with the free version or commercial add-on. Volunteers should not have to familiarize themselves with the minute distinctions between the features that are offered for free or as an upgrade.

On the other side of these support scenarios, where it isn’t clear where the problem originates, plugin and theme authors can be inconvenienced when support topics are hastily closed.

“It’s just that the closing of topics seems counter productive for those (users and devs alike) that get it wrong,” plugin developer Arnan de Gans said. “Since plugin/theme makers do not have any control over these forums we can’t do a thing after topics get closed. Which works against the user experience by creating confusion.” He suggested the team consider a grace period where the developer has a day or two to respond.

Ben Meredith, head of support for a freemium plugin, chimed in on the discussion, urging the support team to consider how closing issues can sometimes create a bad user experience:

An issue related to premium products is raised, and summarily closed by forum mods for being about a premium product. This creates a “googleable” record of the error message/problem that then attracts other visitors. Once the issue has been closed, we get copy-cat issues “I am having the same problem (link to closed post)” We get those replies in both followup forum posts and internal tickets. To the layperson who has no idea the distinction between “WordPress core volunteer” and “Company I just paid money to,” this creates a bad experience all around.

Premium users are treated like second-class citizens on the forums. They don’t know the guidelines, and reached out for help. This may be their first interaction with the WordPress community, and sometimes a well-meaning forum moderator can come across as wrist-slapping the exact people we want to give white-glove service to (they just paid us!).

Michelle Frechette, Head of Customer Success at GiveWP, also shared this sentiment regarding the user experience.

“Something I’m not seeing addressed much here is how alienating it can feel to be corrected by the mods (or even the plugin authors) to be directed from the forums back to the paid support page,” she said.

Ben Meredith said that despite sticky posts telling users not to post questions about commercial products, notes in the readme file, website notices, and canned replies, users will inevitably end up posting in the forums anyway. Steering them away to commercial support channels should be done in a way that does not make seeking help on WordPress.org an unwelcoming experience.

“I want for the forums to feel as welcoming as a WordCamp,” Meredith said.

“The current enforcement of the ‘premium plugins can’t get support here’ is not in line with that overarching goal: users using and enjoying WordPress. Currently, premium users (who are potential community members and community leaders!) are getting a first impression of the community that is ‘You’re doing it wrong!’

“I’d rather their first impression be ‘Happy to help! heads up, for questions like this in the future, we need you to go here.'”

In trying to ease the burden placed on volunteer support forum moderators, it’s important to consider how any new policy might also negatively impact developers hosting their plugins and themes on WordPress.org, and what kind of vibe the response gives to users in search of help. There are more suggestions for solutions in the comments on the post, and the discussion is open until Saturday, September 12, 2020, 07:00 PM CDT. The Support Team is seeking to get a wider range of viewpoints from plugin and theme authors before making a final decision on new guidelines for addressing requests for support on commercial products. Make sure to jump in on the comments within the next week if you have something to add to the discussion.

Convert Reusable Blocks to Block Patterns with 1-Click

Now that WordPress 5.5 has shipped, block patterns are available in core for all users. If you have previously been relying on reusable blocks but prefer the flexibility of block patterns, you may want to convert these.

WordPress core developer Jean-Baptiste Audras has made this possible in the latest update of his Reusable Blocks Extended plugin. He posted a video demo of how the plugin converts reusable blocks to block patterns with one click.

What’s the difference between reusable blocks and block patterns?

Why might you want to convert your reusable blocks to block patterns? For users who are new to the concept, there are a few distinctions between these similar features.

Reusable blocks were designed to be a time-saving feature that allows users to save a block or group of blocks for use on other posts or pages. They can be edited, but the key distinction is that they are intended to look the same everywhere they are used. Any changes made to a reusable block will apply to all instances of the block wherever it is used.

If a user wanted to make changes to a reusable block specific to one page, the process would involve clicking on the block’s properties and selecting “convert to regular block,” which would ensure that all edits would appear only on that specific instance of the block. It’s unlikely that most users would know how to do this without help, so this is one of the drawbacks of reusable blocks.

Block patterns are predefined block layouts that are designed to be changed. Once a pattern is inserted into the content, users can customize with their own text, images, alignments, colors, additional blocks, etc. The options are limitless and any changes made are not saved back to the original pattern. Block patterns provide a flexible starting point that gives users an idea of how blocks can be combined to make attractive layouts.

User-Created Patterns Are Coming Soon to the Block Pattern Builder Plugin

At the moment, users can create their own reusable blocks but not their own block patterns. Patterns have to be registered with code in order to appear in the pattern library. This is another reason that Audras’ one-click conversion is quite useful for users who are limited to capabilities offered in the editor’s current UI.

The ability to create block patterns inside the editor should be a feature in core. It would enable non-technical users to share their designs and creations in a more flexible format than reusable blocks provide. Until this feature is added to core – and it isn’t a guarantee – there is a plugin for that.

Justin Tadlock’s Block Pattern Builder plugin, which is available on WordPress.org, will soon be merging a pull request that adds the option to create block patterns inside the editor. It will work in a similar way to the process of adding reusable blocks. Now that block patterns are available in WordPress 5.5, this feature will be more useful to a wide range of users.

Audras’ Reusable Blocks Extended plugin, like many other amazing utilities for the editor, might be difficult to find unless you already know exactly what to search for. Many times users are not even aware of the possibility of converting reusable blocks to patterns. This might also make a useful core feature but doesn’t seem likely to be a high priority at the moment. In the meantime, watch for more plugins to start extending block patterns to do interesting things now that they are available in core WordPress.

All in One SEO Pack Plugin Patches XSS Vulnerability


All in One SEO Pack patched an XSS vulnerability this week that was discovered by the security researchers at Wordfence on July 10. The popular plugin has more than 2 million active installs, according to WordPress.org.

Wordfence researchers categorized it as “a medium severity security issue” that could result in “a complete site takeover and other severe consequences:”

This flaw allowed authenticated users with contributor level access or above the ability to inject malicious scripts that would be executed if a victim accessed the wp-admin panel’s ‘all posts’ page.

Version 3.6.2, released on July 15, 2020, includes the following update in the changelog: “Improved the output of SEO meta fields + added additional sanitization for security hardening.”

All in One SEO Pack users are strongly recommended to update to the latest version. At the time of publishing, just 12% of the plugin’s user base is running versions 3.6.x, which includes the three most recent versions. This leaves more than 1.7 million installations (88% of the plugin’s users) vulnerable.

Many users don’t log into their WordPress sites often enough to learn about security updates in a timely fashion. Plugin authors often don’t advertise the importance of the update on their websites or social media. This is the type of situation that WordPress 5.5 should help to mitigate, as it introduces admin controls in the dashboard that allow users to enable automatic updates for themes and plugins.

WordCamp Denver 2020 Online Features Yoga, Coffee, Virtual Swag, and 3 Tracks of WordPress Sessions, June 26-27


WordCamp Denver begins Friday this week and tickets are free for anyone who wants to join June 26-27. The event has been running since 2012, but like many other conferences, it is going virtual in 2020, as the pandemic continues to worsen around the globe. Attendees will have to forego the city’s extraordinary landscapes, friendly summer climate, and legendary beer scene this year, but organizers are adapting to make it a memorable event.

In previous years WordCamp Denver has attracted roughly 300 in-person attendees. Sponsor wrangler and co-organizer Maddy Osman reports that this year the event has 1,696 people signed up and could reach 2,000 by the weekend.

“There were so many challenges that came with flipping to a virtual event — the biggest one being that the WordPress community loves to be physically together and COVID-19 shutdowns have obviously prevented that in a big way, starting with WordCamp Asia,” Osman said.

“Another big challenge for us was preserving a Colorado feel while opening the event up to people across the world. But we have quite a few surprises planned that feature local individuals and brands that I’m excited to share with attendees.”

Osman said that although the team didn’t sell as many sponsorships as last year, they had no problem attracting the necessary sponsors to make the event happen. WordCamp Central covers the livestreaming costs, which was the most expensive line item for hosting the event virtually.

Sponsors will still have the opportunity to connect with attendees and offer their own unique digital swag. Organizers are planning on doing a password-protected swag bag with exclusive offers for WordCamp Denver attendees.

“Even though we can’t hand out fun swag, this is the next best way to make win-win connections between attendees and sponsors,” Osman said. “Attendees who have signed up for a free ticket will be emailed access instructions prior to the event.”

The WordCamp will kick off on Friday with a yoga session hosted by Denver yogi Lauren Moon of Yogiful who will help participants leave behind the stress of the work week. The schedule features three tracks that will run simultaneously: Beginner, Marketing/Content, and Power User/Developer. Topics span the whole range of WordPress user experiences, from client relationships to creating blocks and understanding React.js.

“We have speakers from all over the US (and some international) but we prioritized speakers with diverse backgrounds and speakers who represent the local community,” Osman said.

“We tried to prioritize sessions that were super actionable and relevant to the current situation that so many businesses are facing – adapting to the COVID-19 economy. In general, when going through speaker selection, we always try to dig deeper than the surface to provide topics that people wouldn’t necessarily find elsewhere.”

The schedule for Saturday morning includes a unique session called “Brew the Perfect Cup of Coffee,” hosted by Fort Collins-based WordPress community members David Hayes and Ann Pohl. They will discuss bean selection, grind methods, and alternatives to brewing, with a live demonstration. They will also be sharing a surprise offer from local sponsors, where attendees can redeem a free cup of coffee from one of three coffee shops in Boulder, Denver, and Fort Collins. Those attending from further away can redeem a coupon code for $10 off a bag of beans from Harbinger Coffee.

Registration for tickets to WordCamp Denver is still open. The event runs Friday (3-7pm) and Saturday (9am-1pm), June 26-27. It will be hosted on Zoom with live captioning managed by White Coat Captioning.

BuddyPress Contributors Begin Work on Block-based Activity Post Form


BuddyPress broke into the world of blocks last month with its 6.0 release. Group and Member blocks were the first blocks to make it into the core plugin and next up are block versions of the existing widgets. Contributors are also working on block requests based on community feedback.

Today, BuddyPress core developer Mathieu Viet shared a prototype of his early work on adding a block-based Activity post form to BuddyPress. This is one of the most highly-requested features from the plugin’s community of developers, according to a recent poll.

Viet submitted a PR for a playground inside the WP Admin that allows posting to the activity stream via a custom bp/text block. It is an adaptation of the basic core/paragraph block with a modified block toolbar that removes unnecessary controls, such as alignments, text color, and strikethrough formatting.

The custom activity posting block adds a new emoji picker control to the block toolbar, with a popover that includes categories of all the emoji WordPress supports. This is far more convenient for users than launching their operating system’s emoji picker.

Viet’s PR highlighted several major benefits to bringing the block editor to activity posting: formatting text and adding links is more intuitive, inserting emoji is easier, and users can easily schedule activities using the block editor’s DateTimePicker component.

One of the biggest benefits Viet identified is the opportunity to standardize the UI. In the same way the block editor is helping WordPress unify the UI for publishing and site design, a block-based activity form will help standardize the UI for BuddyPress plugin developers.

“Today, when BuddyPress Plugin developers extend this post form, they do not have a structured way to process, they simply use a hook: it can be a very different one from plugin to plugin,” Viet said. “Plugins are mostly using jQuery (some can tidy this a bit using Backbone), UI controls can look very different. This is really not ideal for BuddyPress users. By extending the WordPress Blocks API to make available a BP Activity Blocks API we will improve all this and we’ll benefit from the ‘WordPress Blocks’ developers interest to give our users great new BP Activity Blocks to share richer content like media, or more interactive content like Polls.”

BuddyPress’ activity component is a frontend feature, so the idea is to test the block-based activity posting form in the admin and then work through the hurdles for bringing it to the frontend.

“Bringing this block based Activity post form in this area is the goal and a huge challenge mainly due to the fact we have less control over the layout,” Viet said. “There’s one WordPress administration layout, but there are thousands of different front-end layouts.”

Viet proposed BuddyPress tackle this in small steps:

  • Making the block based Activity Post form only available from a WP admin screen
  • Making the block based Activity Post form only available into a new complete “BP Default” theme
  • Making the block based Activity Post form available from a modal
  • Making the block based Activity Post form available from a new template pack

BuddyPress only supports WordPress 4.8+. If a block-based activity form is ready for inclusion in version 7.0 of the plugin, BuddyPress will need to raise the required WordPress version to 4.9. Sites running on older versions would be able to fall back to the legacy activity posting form.

Viet credits his PR to WordPress’ developer documentation for building a custom block editor and Dave Smith’s Standalone Gutenberg Block Editor repository.

WordPress Bumps Minimum PHP Recommendation to 7.2


Late last week WordPress made major progress towards the goal of getting users to adopt newer versions of PHP. The ServeHappy API has been updated to set the minimum acceptable PHP version to 7.2, while the WordPress downloads page recommends 7.3 or newer.

Sergey Biryukov committed this change on the Meta Trac after Marius Jensen opened a ticket for it nine days ago. Previously, the ServeHappy dashboard widget was showing the upgrade notice to users of PHP 5.6 or lower.

“After discussing with the core Site Health team and the Hosting Team, it has come up that the most sensible next move is to show the upgrade notice to users of PHP <=7.1 (this means setting ACCEPTABLE_PHP to 7.2),” Jensen said.

“Looking at the numbers, we’re seeing roughly 25% of sites running a WordPress version that includes ServeHappy [that] would then get an upgrade notice.”

This change means that the majority of WordPress sites are using an acceptable version of PHP. Approximately 47% are running WordPress on older PHP versions. Those who are on WordPress 5.2+ (when Site Health was introduced) will see the upgrade notices generated by the ServeHappy API.

WordPress.org stats: PHP versions in use as of June 14, 2020

This update also bumps the lowest branch of PHP which is actively supported to 7.3 and bumps the lowest branch of PHP that is receiving security updates to 7.2.

The Site Health team scheduled the change for last Friday, but Jensen noted that the API call is cached for a week in core. It should start popping up for users throughout this week.

In December 2018, PHP 5.6 and 7.0 reached End of Life (EOL) and stopped receiving security updates. This left approximately 83% of users on unsupported versions of PHP at the end of 2018. Today, with the progress encouraged by the Site Health project, 47% are on unsupported PHP versions. The update put in place last week should help significantly decrease this number before PHP 7.2 reaches EOL in November 2020.

Jenny Wong, who helped coordinate the project as part of the Site Health team, described how they got started and worked successfully across teams with design, Polyglots, and Hosting contributors to make this update possible.

“I remember going to WordCamp San Francisco and sitting down with Andrew Nacin and Mark Jaquith at lunch and asking them why WordPress supported such old versions and what the project was doing about it,” Wong said. “They told me the work that had been going on.

“They told me the issues, they took the time to explain it all to me and answer all my questions.”

Wong said she was grateful to be part of that initial discussion in 2014 and to have shared in the journey with dozens of contributors.

“To the polyglots who translated everything we threw at them, to everyone else who gave feedback, argued, fought, discussed and debated, to everyone who has shared ideas and patches, to every person who has listened to me complain, took my wild ideas and made them a reality – Thank you!” Wong said.

Given WordPress’ large share of the market, encouraging adoption of newer versions of PHP will help make the web more secure. Please note that this update means that 7.2 is now the lowest branch of PHP that is considered acceptable for use with WordPress, according to the ServeHappy API. Sites that are running on older versions may continue to work but WordPress will continue strongly urging users to upgrade.

WordPress Names 5.5 Release Leads, Plans All-Women Release Squad for 5.6


WordPress’ Executive Director, Josepha Haden, announced the names of the leaders who will be coordinating releases for the remainder of 2020. Version 5.5, expected to be released in August, will be led by Matt Mullenweg, with Jake Spurlock as the coordinator and David Baumwald on Triage. Haden also named tech and design leads for the editor, media, accessibility, and documentation. This release is set to introduce automatic updates for plugins and themes in core. It will also add the Navigation block and block directory to core.

In November 2019, Haden tweeted that one of her goals was to put together an all-women release squad by the end of 2020, an idea that was well-received by the community. Although WordPress has already had women lead releases, the realization of this idea would be the first time in the project’s 17-year history that the entire squad is composed of women leaders. Haden began recruiting for the team in March.

“My hope is that with a release squad comprised entirely of people who identify as women, we’ll be able to increase the number of women who have that experience and (hopefully) become returning contributors to Core and elsewhere,” Haden said in her initial proposal. “This doesn’t mean the release will only contain contributions from women. And if our current squad training process is any indication, it also doesn’t mean that we’re asking a squad to show up and do this without support.”

Last Friday, Haden named 50 women to the upcoming 5.6 all-women release squad, set to land in December 2020. This group includes women who have volunteered to participate, first by joining a “ride along” process for the 5.5 release cycle. Participants will join triage sessions and meetings, as well as collaborate on a 5.5.x point release in preparation for steering 5.6.

The proposed scope for WordPress 5.6 includes opt-in automatic updates for major core releases, full-site editing in core, a new default theme, and more. Squad leaders will be named in a separate kickoff post.

WordCamp Europe 2020 Announces Schedule, Plans to Debut Networking Rooms and Virtual Sponsor Booths


The 8th annual WordCamp Europe is only 9 days away and organizers have just announced the schedule. Friday and Saturday sessions are split into two tracks that will run 30-minute talks simultaneously. Each talk is followed by a 10-minute Q&A. The schedule also mixes in a few 10-minute lightning talks, with 15-minute breaks every hour.

The WordCamp will feature a variety of topics of interest to WordPress professionals and enthusiasts, including freelancing, code review, art direction with Gutenberg, website security, growing communities, and the challenges of headless WordPress. The online schedule allows users to save their favorite sessions and then email them, share a link, or print the customized schedule.

In converting the event to be fully online, WCEU PR Team co-organizer Evangelia Pappa said they had to re-work some of their original plans for speakers. Not all previously scheduled speakers were available for an online session. The organizers also had to start from scratch in planning the event, determining the platforms and tools to use, as well as figuring out a new routine for working together from home.

For the first time in WCEU history, both the networking activities and sponsor booths are going virtual using Zoom. Organizers are planning to have two networking rooms, which can also be used for speakers who want to continue Q&A times with attendees following their sessions. Sponsors will have their own schedule of activities and webinars, expanding the event to 3-4 total tracks.

Pappa said the organizing team was inspired by WordCamp Spain, which has so far been the largest online WordPress event. The camp used Zoom to support 5,515 online attendees.

More than 5,650 people have already registered for WCEU 2020. Tickets continue to be released in batches, and organizers say they have an unlimited number available. Tickets for the virtual Contributor Day, which precedes the camp on June 4, are also still available. Attendees can indicate interest by checking the box for Contributor Day during the regular ticket signup process.

Molly Burke on the Power of Universal Design


In a 2017 speech titled “Stop trying to fix disability,” YouTuber and motivational speaker Molly Burke says, “I live in a world that wasn’t built for me, but what if it was?” Burke was born with a rare genetic eye disease that caused her to go blind. In this short but moving 8-minute video, she contends that making the world accessible helps everyone. She introduces the concept of universal design to her audience in simple terms:

“Universal design [is] designing and building everything to be accessed, enjoyed, and understood to its fullest extent by everyone, regardless of their size, their age, their ability, or their perceived disability.”

Burke identified Apple as one company that exemplifies universal design.

“Every product they release, I could buy at a store, open up, and use on my own independently, with no extra cost and no assistance needed,” she said. “I ask you to imagine how liberating, how empowering it is to be shown by a company that they view you as belonging to their customers, when so many others tell you the exact opposite.”

In honor of Global Accessibility Awareness Day, I wanted to highlight this video that tells just one person’s story on the powerful impact of technology that is built with everyone in mind. Burke’s speech is a poignant reminder of how designers and builders can extend a sense of belonging to their customers by making their products accessible.