Tag: wordpress

Posted on

WordPress 5.7 Lets Administrators Send Password Reset Links

Category Image 006

It’s that time in the release cycle when all the dev notes are rolling out ahead of the next major update. These notes include technical summaries of all the goodies coming in the next release. If you haven’t been paying close attention, there are always a few happy surprises in there that pop up as conclusions to tickets that contributors have been working on for years.

The new password reset feature coming in WordPress 5.7 allows administrators to manually send a password reset link to users, resolving a five-year old ticket. Instead of having to instruct a user about where to go to click on the lost password link and follow the steps, this new feature lets administrators push a button in the admin to send the link. If you have ever had to support clients or a community of users who may not be very technically inclined, this new password reset feature will save lots of time in helping users regain access to their accounts.

The “Send password reset” link is available in several places. Administrators can find the link on the Users screen, as well as in the bulk actions dropdown menu.

It is also available on the individual user screen with a button and a note clarifying that this action will not change the user’s password or force the user to change it.

The password reset email notification includes the site name, username, a password reset link, and the IP address where the request originated:

This password reset request originated from the IP address [IPADDRESS].

There is an open discussion on the original ticket regarding whether this email notification should include the administrator’s IP address.

“The IP address (while fraught with privacy concerns) is the only thing validating that this email came from the website and is not a phishing email,” contributor Gabriel Mariani said. “Unless there is a better way to validate the authenticity of the email I’d say it would be worthwhile to keep it.”

Others see the IP address as useful only if a user is attempting to verify that it is their own IP address or collecting the information to prevent a phishing attack. Giving out the administrator’s IP address doesn’t seem pertinent to either of those concerns.

“I could use my phone to send a reset, and I would have no idea what my IP was,” Mika Epstein said. “And that can easily be faked. Omitting the IP actually reduces the data being sent out that could be used by bad-actors.

“I think it’s more likely we’d have a savvy bad actor than end users who would need to ask for a password reset but also know what a valid IP is and how to ask about it.”

This part of the email text may be iterated on in subsequent patches or future releases of WordPress. Check out the dev note for more discussion on this feature, along with information about further customizing the notification email.

Posted on

Native Lazy Loading Support for iframes Coming To WordPress 5.7

Featured Imgs 23

Felix Arntz, a WordPress core committer and developer programs engineer at Google, announced upcoming support for lazy loading iframes. The feature is included in the latest WordPress 5.7 beta and will officially ship next month to the larger community.

WordPress has supported lazy loading for images since version 5.5. However, support for iframes was not included in the initial feature set. Browser support for iframes was widespread at the time. However, it had not yet been formalized as part of the HTML Living Standard. Soon thereafter, it was added to the HTML spec, and discussion began anew for adding support into WordPress.

Unlike images, many users are likely unaware that they are using iframes. The primary use case for iframes is with embed blocks or the auto-embed system for users who are on the classic editor. For example, whenever a user adds a YouTube video to their blog post, the underlying code outputs an iframe.

Viewing the source code for an embedded YouTube video in the block editor.
Source code of YouTube embed shows iframe.

These iframes add weight to the page size and hamper loading time.

The opposite of lazy loading is eager loading. This is the default on the web, which loads all resources in bulk. This also often leads to slow-loading webpages when they contain many images or iframes. Lazy loading only loads the image and iframe sources when they appear in a site visitor’s viewport. This speeds up the initial load time of pages.

WordPress will only add the loading="lazy" attribute if an explicit width and height are set for the iframe. This is to avoid the page-shifting effect that happens when the iframe comes into view. Arntz wrote about this effect extensively when he announced support for image lazy loading. The same issue applies to iframes.

“A common user experience problem in modern websites is so-called layout shifting, often caused by slow-loading media resources like images,” he wrote. “By default, only after an image is loaded, the browser can layout the page correctly, which results in the content e.g. below the image to shift. This issue can be easily resolved by providing width and height attributes on img tags, as the browser will use them to determine the Aspect ratio of the image so that it can infer the page layout ahead of actually loading the image.”

There are cases where WordPress will not add the loading attribute, even for oEmbed providers that it supports. The iframe content is not supplied by WordPress. The third-party providers create the HTML and send it back to the individual WordPress site. It is up to those third parties to follow best practices for adding width and height attributes.

“Since WordPress cannot guess the dimensions of the embedded resource, the loading="lazy" attribute will only be added if the oEmbed iframe tag comes with both dimension attributes present,” wrote Arntz.

Currently, the filter applies to the post content, excerpt, and text widgets. Perhaps WordPress will extend this to comment text one day.

Potential Problems With Ads

MaAnna Stephenson, the owner of BlogAid, brought up a concern for users who display ads on their site. There may be scenarios where lazy loading is banned in advertising terms or has a technical conflict.

“Has this been tested with folks who run ads on their site using an ad agency like Mediavine and AdThrive?” she asked. “They cannot have iframes lazy loaded, as the ads use iframes and they have their own lazy load mechanism for delivery.”

The problem is that there is no ideal way to exclude every advertising service and to distinguish them from other types of iframes. From a technical standpoint, it needs to be an all-or-nothing feature.

Handling ads falls squarely into plugin territory. Arntz covered such use cases in the post. Developers can disable lazy loading for iframes wholesale or target specific iframes with basic PHP. It would only take a few lines of code to build a plugin for specific ad services.

Jeff Starr also has a plugin for disabling lazy loading altogether named Disable Lazy Load. That could serve as a stopgap solution until something more specific to users’ needs comes along.

Posted on

WordPress 5.7 Will Make It Easier to Migrate From HTTP to HTTPS

Featured Imgs 23

The next major release of WordPress will make it much easier for users to migrate their sites from HTTP to HTTPS. It introduces new capabilities to detect if the user’s hosting environment has support for HTTPS and provides a one-click update process, handling mixed content rewrites where possible.

“A major pain point in WordPress has been the migration of a WordPress site from HTTP to HTTPS: While changing the Site Address and WordPress Address to use HTTPS is trivial, updating references to the old URLs in existing content is not,” WordPress Core Committer Felix Arntz said in the ticket proposing the feature. “It cannot be accomplished within core UI and requires use of more advanced tools, such as WP-CLI or plugins like Better Search Replace, which is a no-go for most users.”

In WordPress 5.6, there is no clear guidance in the Site Health screen about how to migrate to HTTPS, even though it shows as an issue. The user would need to learn more about how to update it manually, starting with changing the site URLs.

In WordPress 5.7, if HTTPS is supported, the Site Health Status screen will notify users and guide them with a new button that updates the site with a single click. It also migrates the site content on the fly to use HTTPS for URLs. Arntz recorded a video demo of the update:

This change also comes with new environment variables and filters that allow hosting providers to change the URLs linked in the HTTPS status check in Site Health, so they can more effectively manage it for their customers’ hosting options. This is similar to how hosts can modify URLs for updating the PHP version, which has had a positive impact on getting sites running on supported versions of PHP.

It’s important to note that the streamlined HTTP to HTTPS migration in 5.7 does not handle updating content in the database. Also, if a site’s URLs are controlled by constants, the update is not possible to complete automatically. In these instances, the HTTPS status check on the Site Health screen will inform the user why the site would need to be manually updated.

More technical details are available in the ticket and commit message, and a dev note should be forthcoming.

Posted on

How to Work With WordPress Block Patterns

Category Image 052

Just a little post I wrote up over at The Events Calendar blog. The idea is that a set of blocks can be grouped together in WordPress, then registered in a register_block_pattern() function that makes the group available to use as a “block pattern” in any page or post.

Block patterns are becoming upper-class citizens in the WordPress block editor. They were announced without much fanfare in WordPress 5.5 back in August, but have been given prominent real estate in the block inserter with its own tab next to blocks, including 10 or so default ones right out of the box.

Block patterns are sandwiched between Blocks and Reusable Blocks in the block inserter, which is a perfect metaphor for where it fits in the bigger picture of WordPress editing.

If the 5.6 Beta 3 release notes are any indication, then it looks like more patterns are on the way for default WordPress themes. And, of course, the block registration function has an unregister_block_pattern() companion should you need to opt out of any patterns.

What I find interesting is how the blocks ecosystem is evolving. We started with a set of default blocks that can be inserted into a post. We got reusable blocks that provide a way to assemble a group of blocks with consistent content across all pages of posts. Now we have a way to do the same, but in a much more flexible and editable way. The differences are subtle, but the use cases couldn’t be more different. We’ve actually been using reusable blocks here at CSS-Tricks for post explanations, like this:

We drop some text in here when we think there’s something worth calling out or that warrants a little extra explanation.

Any reusable block can be converted to a “regular” block. The styles are maintained but the content is not. That’s been our hack-y approach for speeding up our process around here, but now that block patterns are a thing, previous reusable blocks we’ve been using now make more sense as patterns.

Direct Link to ArticlePermalink

The post How to Work With WordPress Block Patterns appeared first on CSS-Tricks.

You can support CSS-Tricks by being an MVP Supporter.

Posted on

Gutenberg 9.0 Brings Major Improvements to Navigation Screen and Query Block

Category Image 091

If you haven’t played around with Gutenberg’s experiments lately, the Navigation block is getting some exciting updates. Version 9.0 was released today with drag-and-drop support added to the list view of navigation items.

Contributors have been working through several different prototypes aimed at unifying the controls and simplifying the menu building process. The Navigation screen included in version 9.0 has been redesigned to improve the “Create Menu” flow and includes the following changes:

  • New Header and Toolbar components.
  • Manage Locations has been rewritten and is now a popover.
  • Add New form has been rewritten and now appears inline in the toolbar.
  • Automatically Add Pages checkbox and Delete menu button has been rewritten and now appears in the block inspector.

The screen is starting to take shape but is still very much a work in progress. If you want to test it, you can enable it under Gutenberg > Experiments.

The Query block was another main focus fr the 9.0 release. It is taking a giant leap forward with new features like search, filtering by author, support for order/order by (date + title), and tags. This block should be tested locally and is still behind the __experimentalEnableFullSiteEditing flag since it requires full site editing blocks to display queried content.

Other notable UI enhancements include a new drag handle added to block toolbar for drag-and-drop capability. (It is not visible on the top toolbar). Blocks can be dragged to other areas of a post as an alternative to using the up/down arrows.

This release also removes the Facebook and Instagram blocks from the inserter, as Facebook will be dropping unauthenticated oEmbed support on October 24. WordPress core is also set to remove Facebook and Instagram as an oEmbed provider in an upcoming release.

For a full list of all the enhancements, bug fixes, experiments, and documentation updates, check out the 9.0 release post on WordPress.org.

Posted on

WordPress Should Bump PHP Support on a Transparent and Predictable Schedule

Featured Imgs 08

Juliette Reinders Folmer released a proposal for WordPress to drop old PHP version support on a fixed schedule. She wrote the proposal after Matt Mullenweg, WordPress co-founder and project lead, reached out to discuss solutions. This was after he closed a Trac ticket last week that sought to drop support for PHP 5.6 and bump the minimum version to 7.1 for the next major WordPress release this year.

The proposal lays out a position that many in the WordPress community could get behind. It is a clear-cut, transparent path for the platform’s future PHP support.

Folmer essentially put forward two roadmaps in the proposal. The first roadmap decides at what stage WordPress would drop support for a particular PHP version. The platform would remove support for a PHP minor release that is more than five years old each December. This would coincide with whatever major release of WordPress is upcoming. The following schedule lays out the minimum-supported PHP version each year:

  • December 2020 – PHP 7.1
  • December 2021 – PHP 7.2
  • December 2022 – PHP 7.3
  • December 2023 – PHP 7.4
  • December 2024 – PHP 8.0

The second part of the proposal creates a rolling schedule for backporting security updates to WordPress. Currently, WordPress releases security updates all the way back to the version 3.7 branch. If adopted, Folmer’s recommendation would support only the previous four years of WordPress releases.

Such a change would mean that when WordPress 5.6 is released in December 2020, the WordPress project would be committed to backporting security fixes as far back as WordPress 4.7, released in December 2016.

Folmer also proposes backporting PHP upgrade notices from the site health project to the currently-supported older versions of WordPress. This measure would inform users of PHP version issues before they make the jump to a newer version of WordPress.

The overlap of bumping the minimum PHP support into the future and backporting security fixes gives users a potentially huge window of nine years in which they could stay on whatever version of PHP they are currently on. Nine years may seem like a lifetime on the web with its constantly-changing technology, and it was a point of contention from some people in the comments of the post. However, it is a plan of action, something the WordPress community has not had the pleasure of experiencing with regards to PHP support. Developers will undoubtedly argue over the dates and versions, but that is secondary to actually having a predictable timeline.

A fixed version bump schedule is welcome. It puts everyone from developers to end-users to web hosts on the same page. This level of transparency is necessary if we ever intend to move forward without rehashing the same arguments.

The system of waiting around to see when a specific PHP version’s usage stats drop below a certain percentage just muddies things. The result is typically a long-winded argument that does not move the needle. Each side picks its stats. Each side digs its heels in. And each side has plenty of good points to make. Ultimately, everyone wants the same thing — to move the entire project forward and use up-to-date tools. However, they always disagree on how we get there. Eventually, the minimum PHP version gets bumped and the community gears up for the next round. It leaves us in a constant state of tug of war between those who want quicker advancement and those who do not want to leave users behind.

The truth is that no one is ever completely right in these arguments. There is no roadmap to follow. We have no guiding principle other than “this has what’s been done before.”

WordPress needs to set clear expectations.

This is not just a problem with the minimum PHP version — many want a more-detailed roadmap for the entire project. However, minimum PHP support is one problematic area that we could have a solution for, and Folmer has carved out a path. We need only follow it.

Posted on

4 Tips on Building an Effective Intranet Website Using WordPress

Featured Imgs 13

Communication is the glue that keeps teams and organizations together. When communication is done correctly, team members can work seamlessly with each other, and the organization as a whole can grow exponentially. More and more businesses are now setting up their own intranet website to allow team members to share information and documents, communicate with […]

The post 4 Tips on Building an Effective Intranet Website Using WordPress appeared first on WPArena.